Banking industry security protocol falters in third-party vendor contracts
The New York State Department of Financial Services issued an update on cyber security in the banking sector concerning third-party service providers.
Nearly a third of banking organizations do not require their third-party vendors to notify them in the event of an information security breach, according to a recent study on the banking sector's cybersecurity practices.
The New York State Department of Financial Services issued its “Update on Cyber Security in the Banking Sector: Third-Party Service Providers” earlier this month to analyze the “due diligence processes, policies and procedures governing relationships with third-party vendors, protections for safeguarding sensitive data, and protections against loss incurred due to third party information security failures.”
The report's findings are drawn from a survey of 40 banking organizations, and they indicate that fewer than half of those surveyed conduct any on-site assessments of their third-party vendors. In addition, approximately one in five banks do not require third-party vendors to represent that they have established minimum information security requirements. One-third of banks mandate that those requirements be extended to the subcontractors of third-party vendors.
Jamie Wodetzki, founder of Exari, a contract management and document assembly solutions provider, noted that the lack of requirements is most likely a result of outdated contracts.
“Five years ago, [a bank] might not have bothered to say that a particular supplier must meet these security levels [in a contract],” he told SCMagazine.com.
In addition, contracts tend to be lengthy, which makes it hard to ensure that every security requirement is covered.
Ultimately, Wodetzki said, the report highlights a need for IT security professionals to coordinate with their companies' legal teams to make sure current needs are being met in years-old contract formats.
“Security teams can also maybe go and look at these vendors,” he said. “They can analyze them and write a report.”
Such reviews could help identify missing security protocols that should be written into the contract as requirements. Furthermore, Wodetzki noted that the best contracts are explicit, with unqualified promises and clear timelines for when something needs to be done.