As financial service institutions (FSIs) increasingly rely on outside service providers, their circle of trust widens — and so, too, does their circle of potential cyber-risk, one which needs to be viewed and monitored as carefully as FSIs’ own internal operations.
Speaking at the second day of the SC Finance eConference, Betty Elliott, chief information security officer for Freddie Mac, and Sean Cronin, CEO of ProcessUnity, a Concord, Massachusetts-based purveyor of vendor risk management software, offered their view on how FSIs can best protect themselves, their data and their customers through the careful oversight of third-party suppliers.
“We continue to look at the trust we put into third parties, that [expectations] are met and adhered to,” said Elliott, who noted that much of the risk mitigation comes down to clearly delineating the roles of the third-party providers in contracts, including service level agreements (SLAs) and on-going risk monitoring.
Cronin, who worked at a number of financial and technology companies, including Thomson-Reuters and Oracle, before ProcessUnity, agreed that establishing procedures for “trust... and transparency of dialog with your third parties, understanding who you’re doing business and sharing information with” is essential to a successful and secure partnership.
In recent years, competition from non-bank entrants to banking and payments, as well as the rise of innovative financial technology players, has forced many FSIs, big and small, to use a wider array of outside providers in order to gain economies of scale and to let the institution focus on its core business and operations. In doing so, FSIs have opened the door not only to a wider swath of third parties, but to fourth and fifth parties (the vendors that work for a third party), and hence the opportunities and outlets through which a bad actor could slip in to insert malware, steal data or hijack systems have also potentially multiplied.
“Fourth parties are an interesting dynamic,” Elliott said. “In some cases, there may be some information shared with fourth and fifth parties, and we’re managing data that goes out.”
For example, Freddie Mac often does business with banks that offer business-to-business services, where information is shared downstream with business customers with whom Freddie Mac has no direct contractual obligation. The recent Log4j event has been the latest to raise the issue of potential vulnerabilities that companies just do not see coming.
Elliott said her team is focused on remediation, and will often reach out to its own third-party providers when a major security threat takes place.
“We want to get confirmation... that they’re taking it as seriously as we are,” she said, adding that it is critical to confirm that these providers also have mechanisms in place to ensure the security stance of their own outside providers (those fourth- and fifth-party vendors).
Cronin, in his role, said he pays particular attention to the data center providers and how the “downstream actors might be impacted. We have to think about the ripple effect.”
“The face of this remote code execution [as with Log4j] scares the hell out of me,” Cronin said. “Malicious code could lay dormant and hackers could come in on that vector.”
Freddie Mac, like many large FSIs, has roughly 50 so-called “critical vendors” which are monitored more closely because of their access to sensitive data or crucial operations. Elliott said that Freddie Mac places “additional rigor” around monitoring these particular partners.
For FSIs seeking to improve their controls on outside vendors, Cronin recommended “getting controls and processes in place pre-contract. First and foremost, deal with those threats upfront.” He and Elliott both agreed that while self-assessments are helpful, FSIs cannot rely on those alone to guarantee that their outside service providers are doing the “right” things.
“You cannot take everything at face value. It has to be a continuing back and forth... reinforced with data,” said Cronin. “It’s about that transparency. It’s a partnership. You don’t want to hear crickets when something happens.”
For her part, Elliott recommends having SLAs that not only outline uptime requirements but enforce penalties and hold outside providers responsible if they do not meet their agreed-upon obligations for IT security. FSIs should have the right to audit and ask for evidence in the case of breaches that might affect them. Each agreement, of course, depends on the data or systems that are shared and the type of relationship each vendor has with the FSI.
“You really have to customize to the particular vendor... it is important to understand the relationship,” she added. “Having on-going conversations and putting more rigor around it going forward is a constantly maturing function... especially with our heavier reliance on vendors.”