With financial institutions increasingly reliant on third-party services to drive revenue, cyber criminals have identified new and creative tactics that successfully penetrate highly interdependent networks and launch damaging, far-reaching attacks. No wonder that 62% of global leaders recently identified cyber security as their company’s top third-party risk.1
We highlight five considerations that will enable FIs to bolster third-party cyber risk management (TPCRM) capabilities in 2024. These draw on common misconceptions that we have witnessed when working with clients who often underestimate the operational, financial, and reputational impacts they could incur following a third-party breach.
1. ENHANCE YOUR VENDOR ONBOARDING PROCESS
Misconception: “Our contracts and SLAs cover all aspects of cybersecurity.”
Contracts alone do not provide business leaders with a holistic view of vendor risk. Nor do they protect from reputational damage following a cyber event. This makes robust vendor onboarding a critical step that provides visibility into third party cybersecurity policies and practices. This approach also delivers critical insights into the data handled by third parties, the security of their systems, and their overall ability to adopt a risk-based approach for ongoing cyber risk management. All these elements are essential when making final contractual decisions.
We recommend that, during the selection process, an institution assesses the following in order to fully understand the vendor's residual risk and to gain confidence that appropriate controls are in place:
2. UNDERSTAND REGULATORY REQUIREMENTS
Misconception: “We are not responsible for our third parties’ compliance.”
Organizations should follow regulatory requirements and update their risk mitigation measures in line with these instructions. But end-to-end compliance requires your third parties to be equally compliant. With regulatory scrutiny on the rise, we recommend that organizations include compliance requirements in contractual agreements and undertake regular vendor audits to confirm adherence.
Key regulations and industry standards that impact FIs and their approach to TPCRM in 2024 include:
| Regulation or standard name | Overview | Impacted jurisdictions |
|---|---|---|
| OSFI B-10 | OSFI expects FRFIs (federally regulated financial institutions) to manage the risks related to all third-party arrangements and emphasizes that the FRFI retains accountability for all business activities, functions, and services outsourced to a third party. | Canada |
| NIST CSF 2.0 | The NIST Cybersecurity Framework (CSF) 2.0 provides organizations with guidance on how to develop and implement TPRM programs. The framework recently introduced a 'Govern' function, which highlights the criticality of cybersecurity governance when managing cyber risks in the supply chain. | Global |
| ISO 27001 | ISO 27001 provides recommended controls that support adequate cybersecurity practices. The standard includes guidance on the security controls that apply to third-party risk management. | Global |
| Interagency Guidance on Third-Party Relationships: Risk Management | The Agencies (FRB, FDIC and OCC) issued guidance on managing risks associated with third-party relationships. This includes sound risk management principles for banking organizations when developing and implementing risk management practices for all stages in the relationship lifecycle. It replaces each agency's earlier guidance on this topic and is relevant to all banks supervised by the agencies. | USA |
| DORA | DORA requires FIs to take a risk-based and proactive approach to managing risks associated with their third-party ICT providers, with emphasis on contractual arrangements. | EU |
| FCA Handbook | The FCA states that firms using the services of third-party vendors are responsible for managing risks arising from those arrangements, and that greater levels of risk management are required when a firm increases its dependence on third-party providers. The requirements include identifying and managing operational risks throughout the lifespan of a relationship, and expect firms to be risk-based and proportionate. | UK |
Key themes across all these regulations and industry standards include:
3. STAY ON TOP OF EVOLVING CYBER THIRD-PARTY THREATS
Misconception: “Cyber-attacks on our third parties will not affect us.”
In the world of TPCRM, a third party’s crisis is your crisis, especially at a time when first- and third-party business operations are more interconnected than ever. Cyber threats are also evolving at an unprecedented rate. This makes risk identification and threat modelling of third parties a top priority. According to research by Wipro, 35% of organizations claim their third-party vendors reported a security breach in the past year. Some 37% of organizations use formal TPRM software to conduct automatic screenings and risk-area decision tracking. However, 20% of survey respondents still use basic tools like Microsoft Word and Excel to keep track of third-party cyber risks.2
Below we list some of the top cyber risks faced by third parties, and recommend some technology-led controls for risk mitigation.
Artificial Intelligence (AI)
Malicious actors have demonstrated that AI can be weaponized for cyber-attacks. In 2023, we witnessed new techniques for penetrating systems and outsmarting cyber defenses, and these continue to mature in 2024. Examples of such methods include highly deceptive phishing emails, deepfake recordings, and other fraudulent documents.
Top recommended controls:
Fourth party and supply chain software attacks
In 2023, we saw a significant rise in supply chain and third-party breaches. With the average company sharing data with 583 vendors,3 the average software project comprising 203 dependencies,4 and much modern software built from off-the-shelf components, software supply chains are particularly vulnerable.
Although businesses have improved the security of their environments, third parties with weaker defense postures remain softer targets for criminals.4 Common supply chain attacks include upstream server attacks, midstream attacks targeting software development tools, CI/CD infrastructure attacks, dependency confusion attacks, stolen SSL and code-signing certificates, and open-source software attacks.4
Recommended controls:
Exploitation of credentials
Compromised credentials are still one of the leading vectors used to exploit FI vulnerabilities via third parties. Often originating from large phishing campaigns or from malware that steals login information, most of these breaches occur when businesses grant third parties more access than they need. The good news is that even when credentials are compromised, robust access management minimizes the likelihood of attackers gaining access to multiple systems.
Recommended controls:
4. BE PREPARED FOR CRISES
Misconception: “We are already covered by our business continuity plans and risk mitigation strategies.”
Crisis preparedness, in its entirety, is often overlooked by business leaders. Although many invest in business continuity and incident response plans, they often assume that having defined procedures alongside risk mitigation strategies is sufficient to respond to a crisis event. This is rarely the case. Organizations should stress test their plans on a regular basis to prove the effectiveness of these procedures. This will ensure that normal business operations can continue, and that highly sensitive information is protected, when an unexpected event actually occurs.
Recommended controls:
5. ENFORCE EXIT STRATEGIES
Misconception: “Our contracts cover everything.”
While contractual obligations include critical elements such as service level agreements, failure to properly manage third-party access and relationships, including inadequate exit strategies, can increase the likelihood of data breaches. A Ponemon Institute report reveals that data breaches involving third parties resulted in an average total cost of $4.29 million, higher than breaches not involving third parties.3 Inadequate exit strategies can contribute to financial losses by prolonging the time to identify and contain breaches.
Recommended controls:
SOURCING EXPERTISE
Many risk management procedures require expert guidance, and TPRM is no exception. When selecting a partner to help manage third-party risk and regulatory compliance, organizations should engage experienced teams with the following skills and services: