Third-party vendors play a significant role with community financial institutions (FIs), enabling banks and credit unions to deliver essential products and services to consumers. Third-party vendors can be indispensable, but they can also be a weak link in your cybersecurity strategy.
The events of 2020 have made it imperative for FIs to focus on protecting their employees, consumers, and valuable assets, making cybersecurity a persistent priority for executive management. Ransomware has escalated at an alarming rate, leading community FIs to engage even more with managed security service providers to strengthen their cybersecurity strategies.
Given the critical nature of omnipresent cybersecurity and the continuous dependency on third-party providers, here are some practical tips for managing third-party risk in your cybersecurity strategy.
It’s common to have a dedicated vendor management team or department in community FIs. But it’s important to avoid a silo mentality when dealing with risk. Know your risk appetite and make sure everyone involved in risk management knows it as well.
Evaluate third parties against your risk appetite. Vendor assessments are critical to ensure your business will reap the benefits of the services you expect to receive.
Document third-party products and services in your environment. Update your operational, IT, and cybersecurity policies, and your business continuity plans, to include your vendors. Make sure to outline their roles and responsibilities, especially in the event of an outage, incident, or disaster.
Ensure you have a detailed process for evaluating third parties prior to signing contracts. One good way to prevent a third-party cyber incident is to ensure your third parties have strong cybersecurity programs.
The Federal Financial Institutions Examination Council (FFIEC) states, “Financial institutions must understand the complex nature of arrangements with outside parties and ensure adequate due diligence for the engagement of the relationships and ongoing monitoring.”
Establish how your data is handled in order to protect the privacy of your employees, customers, and members. Who owns the data and who has access to it? How long will data be retained? What happens to data if you terminate your contract?
Make sure you document data ownership and management in your third-party contracts. A data breach caused by a third party can endanger customer privacy and violate data privacy laws, including the General Data Protection Regulation and California Consumer Privacy Act.
Having determined the need for third-party services and done your due diligence to ensure the best fit, it’s equally important to ensure the services continue to perform as expected. The phrase “trust but verify,” while originally used in a political context, is often used to describe this practice in vendor management.
Periodically review your third parties to ensure they’re meeting the obligations set in the Service Level Agreements (SLAs). This will help address issues before an incident can occur. If appropriate, engage the services of independent providers to audit, monitor, or alert you to any issues that could impact your vendor’s ability to meet its SLAs.
Third-party risk is an important component of your overall cybersecurity strategy and should align with your Enterprise Risk Management and Information Security programs.
Using a common risk framework that includes vendor management will promote collaboration, integration, and visibility across your FI. Ultimately, the result is a reliable and consistent process that can help you protect and service your customers and members.