Recent cyberattacks on financial institutions have put third-party vendor vulnerabilities in the spotlight. Curb this risk with the following best practices.

In an increasingly competitive financial services landscape, financial firms are offering more digital services than ever. This digital shift was already well underway in the Asia Pacific region, and accelerated by the pandemic.

In the race to get new digital services to market fast, most financial firms use third-party suppliers to provide software, services, infrastructure, and products to optimize their time to market and operational efficiency.

With more digital services comes an expansion of the cyberattack surface and an increase in potential vulnerabilities. While financial institutions have to comply with regulatory and customer demands, their third-party suppliers, many of them relatively young technology companies, may not always have the same legacy of strong security controls or regulatory requirements.

Further, many firms use the same suppliers, layering an additional challenge of concentration risk, where an attack on one major vendor has the potential to impact a significant number of participants in the financial system, either regionally or globally.

Reducing third-party risk

The following security principles should be part of a robust and systematic protocol for managing third-party risk.

  1. Adopt a zero-trust mindset. Your overall strategy should seek to maximize cybersecurity on your side of all interactions with third parties, minimizing the chances that external vulnerabilities can impact your systems and data. This model must also extend to internal systems, to reduce the chance of lateral migration of malware and bad actors.
  2. Implement a ‘third-party risk management program’. Systematically review documentation, processes, security protocols, and personnel related to or used by a third party.This is the most common and widely used mechanism to evaluate risk from a third party. However, it can be both time- and labor-intensive, and thus may not scale well or be performed frequently enough to keep risk assessments current.
  3. Employ risk monitoring services. Employing independent sources of risk data can help with scalability, addressing the practical limitations of manual assessments. However, many services do not monitor risks in real-time and are not always transparent about their assessment methodologies. Understanding the methodologies and processes behind third-party risk management assessments will help security teams devise a more holistic, actionable, and proactive risk mitigation strategy, instead of simply reacting to threats when they arise.
  4. Become a member of a global intelligence sharing organization. No matter how many threat intelligence feeds a firm subscribes to, no one firm can anticipate all cyber threats—especially to third parties—all the time. Suppliers to the financial sector often serve firms around the world. Therefore, it is critical to share intelligence on a trusted platform that has global reach. Such platforms can be used to reach the entire financial sector quickly in an incident, to provide the right information and mitigation advisory. Global intelligence sharing also enables financial institutions to interact, with all participants contributing to a common and powerful knowledge base. This can help the industry as a whole to act quickly to limit any widespread damage.

Communication between firms and their suppliers should not be limited to formal assessments and reporting. Greater collaboration and intelligence sharing between firms and their third-party vendors will greatly enhance the effectiveness of any third-party risk management program.

For the foreseeable future it is likely that third-party and even fourth-party risk will remain in the spotlight.

With only a handful of firms offering business-critical infrastructure such as cloud services, and with the pandemic accelerating digitalization and increasing reliance on those services, concentration risk continues to grow.

Financial institutions must double down on fortifying supply chain risk management, sharing cross-border industry-specific threat intelligence, and investing in operational resiliency to protect their customers and trust in the global financial system.