
Third-Party Vendor Risk Management for Banks & Credit Unions

Written by Randy Lindberg | 28 Oct 2020

The two industries most affected by cybercrime in the United States are information and finance. Of the two, the financial industry incurs the larger losses in terms of annual costs; the banking industry alone suffers average losses of 18.37 million dollars annually in the U.S. As a result, data risk assessments, IT audits, and third-party vendor risk management should be top of mind for banks and credit unions that want to protect data and sensitive information.

Companies working in the financial industry require vast third-party networks to do business. With that in mind, in this post, we’ll cover the best practices for your third-party vendor risk management program.

 

What is a Third-Party Risk Management Program?

 

A third-party risk management program, also referred to as a TPRM program, is the process of identifying, assessing, and controlling the risks that arise throughout the lifecycle of a relationship with a third party. This risk management process typically runs the entire course of the relationship, from procurement to the conclusion of the offboarding process.

The reason it’s so important to assess the risks of working with third parties is that even when a security or data breach occurs on the vendor’s end, your company can still be held liable for it simply because you are working with them. Furthermore, as Info Security Magazine explained, “Cyber-criminals will often target suppliers and partners in order to exploit their connections to larger and more valuable targets.”

That’s why you have to make sure that the vendors and third parties you work with are just as security conscious as you are.

 

Elements of an Effective TPRM Program

 

Ability to monitor third-party risk continuously

 

A data security breach can occur at any time. As a result, random check-ins aren’t going to cut it.

Incorporating risk assessments into continuous monitoring is critical for effective Third-Party Risk Management (TPRM). Risk assessments provide a structured approach to evaluating the security posture of third-party vendors and determining the potential risks they pose. However, a one-time or periodic assessment is not enough. As Info Security Magazine highlights, “Considering how rapidly cyber threats can emerge and evolve, the intelligence from one of these reports can become outdated in a matter of days." The implementation of new software, configuration changes, or the discovery of a zero-day vulnerability can quickly transform a previously secure vendor into a security liability. Therefore, the ability to monitor third-party risk continuously is crucial.

 

Regulatory Compliance is Only the Beginning

 

When new regulatory compliance requirements are introduced, banks and credit unions aren’t the only ones paying attention. Cybercriminals have become more sophisticated and keep their ears to the ground for new compliance requirements as well.

They know that some of the lazier companies will maintain only bare-minimum security, so they adapt to the new safety measures and then work diligently to find new vulnerabilities and gaps in systems and networks to exploit.

The better way is to consistently be proactive about security. Constant testing and looking for weaknesses can help financial institutions mitigate risk more effectively.

After all, as the FDIC explained, “The board of directors and senior management of an institution are responsible for ensuring that the system of internal control operates effectively. Their responsibility cannot be delegated to others within the institution or to outside parties.”

In other words, you can outsource your services to a third-party vendor, but you cannot outsource responsibility.

 

Who’s accountable and governing the TPRM?

 

Governance and accountability are fundamental to the success of any Third-Party Risk Management (TPRM) program. To maintain accountability, organizations should assign specific roles and responsibilities for managing vendor risks, ensuring that individuals or teams are clearly designated to oversee vendor relationships and risk controls. 

These responsibilities typically extend across departments such as procurement, IT security, legal, and compliance. Regular communication between these teams is recommended to maintain a coordinated approach. Additionally, it is crucial to provide senior leadership, including executives and the board of directors, with regular reports on vendor performance and risk exposures. This enables informed decision-making and helps align third-party risk management efforts with the organization’s overall risk appetite and strategic objectives.

 

All Vendors Should be As Security Conscious as You

 

It’s not enough to rely on automated vulnerability scanning or occasional security audits performed by a third-party vendor’s own IT department. When a financial institution is initially seeking vendors, it should be certain that those vendors care about security just as much as, if not more than, it does.

The best approach is to include them in your vendor risk lifecycle. Your process may differ from others’, but start by asking them about their security protocols. Find out whether they are training their employees in cybersecurity and data management. If their culture doesn’t appear to be focused on locking down all aspects of their own sensitive information, what makes you think they will go out of their way to protect that of your financial institution?

As Info Security Magazine reported, “Establishing a formal onboarding process helps teams to decide whether the organization should be doing business with a third party, based on how they expose the organization to risk.”

If, during the onboarding process, it becomes clear that a vendor does not have security top of mind, then it’s time to find an alternative vendor.

A formal onboarding process can also help an institution have a plan for bringing additional vendors on board. For example, if you have a vetting questionnaire at the ready, you can assess whether or not working with new vendors is a good idea that much faster.

 

Don’t Risk Your Financial Institution’s Reputation or Income by Relying on Third-Party Vendor Security Practices

 

The Rivial Platform provides a streamlined workflow to assess the cybersecurity risk of your vendors. To conduct an evaluation, the Rivial Platform walks you through your predetermined list of controls, where you mark whether each control is in place and whether it has been audited.

Alternatively, you can evaluate your vendors yourself at the control category level and assess to what degree those controls are in place. You can then view the control overview, set your risk ratings, and run a report on those vendors.

To see the Rivial Platform live in action, watch our video demo today.