Third-party security assurance in banking
By Dale Guise
Canadian banks and financial services providers are routinely lauded as among the best in the world, not only in terms of economic performance but for overall soundness.
Unfortunately, in 2015 the biggest threat to that enviable reputation has less to do with Canadian banks' balance sheets than with the company they keep: third-party security assurance is currently a neglected corner of bank cyber security, and overlooking it could cost a bank more than its good standing.
Banks and financial services providers have long relied on a number of business partners, or third parties, to perform activities on their behalf and support their businesses. Today those activities usually involve some level of online or digital engagement, whether with a vendor or a customer, and that connectivity is the basis of third-party cyber risk. A notable portion of that risk is tied to vendors.
Third-party security risk is one of the greatest threats to an organization today. Breach reports continue to identify vulnerabilities introduced by third parties as a leading cause of compromise. Organizations expend tremendous resources protecting their core business but do not apply the same information security rigour to suppliers, partners, outsource providers and third-party relationships they may not even have recognized. Any company that engages with third parties takes on considerable risk and the potential for a serious security breach.
To gauge the scale and scope of third-party cyber risk for banks, take into account the sheer number and various business models of their partners: check and payment processors, data storage companies, accounting, auditing and law firms, consultants and even caterers, printers or facilities managers — all of which electronically exchange trade secrets and transaction details with banks.
Now, accept the reality that banks’ cyber security is only as good as the cyber security of those third parties, and the potential repercussions touch on everything from compliance to financial risk — for both banks and customers. Last year, according to the Canadian Bankers Association, 77 per cent of Canadians banked online, and while banks have invested heavily in proprietary information security, cyber thieves have adapted by targeting their third parties.
The danger is real, and the costs are high. According to the Verizon 2015 Data Breach Investigations Report, 75 per cent of attacks spread from an initial target to a connected network within one day (24 hours), and over 40 per cent hit the second organization in less than an hour. The stark reality is that all of the money and resources poured into an information security program can be quickly neutralized by a negligent third party.
For a bank facing a third-party data breach, a third-party security assurance program combined with a robust security analytics system can help provide advance warning that an attack is in motion and set out a clear plan of recourse in the aftermath. Third-party breaches are typically possible because information technology (IT) personnel are hyper-vigilant about protecting the network perimeter and less focused on ensuring that data storage, data access, remote access and user management are all covered by recognized controls.
Enforcement, in both concept and practice, is also crucial: stronger security controls must be enforced internally and extended to all business partners. At its core, third-party security assurance is a combination of assessment, program development and compliance.
For banks and financial services providers, internally rethinking market and regulatory risks is culturally challenging enough. Third-party cyber risk, moreover, is constantly evolving, requiring flexible, fluid third-party security assurance along with ongoing vigilance, risk assessment and training.
Effective third-party security assurance in banking is a six-step process:
1. Identify – Pinpoint business partners and relationships
2. Scope – Delineate organizational, process, system and network boundaries
3. Assess – Determine security gaps and risks to relevant lines of business
4. Mitigate – Eliminate gaps by limiting scope and implementing controls
5. Maintain – Use metrics, re-assessment and validation
6. Validate – Use results and reporting to validate security assurance
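The first two steps, Identify and Scope, are where unrecognized third-party relationships most often surface: a vendor register lists who is approved to connect and to what, while firewall logs show who actually does. The following is an added example, not code from the article or from BAE Systems, that reconciles the two. It assumes a hypothetical vendor register (names, source networks and approved internal destinations are all invented) and a constructed, simplified firewall log export with one connection per line (timestamp, source IP, destination IP, destination port, action); the TEST-NET addresses are reserved documentation ranges, not real traffic. It builds an inventory of what each registered vendor actually reaches and raises two kinds of findings: allowed traffic from networks that belong to no registered third party (an unidentified relationship for step 1) and registered vendors reaching targets outside their approved scope (a boundary violation for step 2).

```python
"""Added example: reconcile firewall logs against a third-party register.

All vendor names, CIDRs and log lines are hypothetical/constructed; the log
format is an assumed simple export (timestamp src dst dport action)."""
import ipaddress
from collections import defaultdict

# Hypothetical register produced by the Identify and Scope steps: for each
# approved third party, the source networks it connects from and the internal
# (destination, port) pairs it is permitted to reach.
VENDOR_REGISTER = {
    "payment-processor": {
        "networks": ["203.0.113.0/24"],
        "allowed": {("10.10.5.20", 443)},
    },
    "print-services": {
        "networks": ["198.51.100.0/26"],
        "allowed": {("10.10.7.30", 22)},
    },
}

# Constructed log lines using RFC 5737 documentation addresses, not real traffic.
FIREWALL_LOG = """\
2015-06-01T09:00:01Z 203.0.113.15 10.10.5.20 443 ALLOW
2015-06-01T09:00:04Z 203.0.113.15 10.10.5.21 3389 ALLOW
2015-06-01T09:01:10Z 198.51.100.7 10.10.7.30 22 ALLOW
2015-06-01T09:02:33Z 192.0.2.44 10.10.5.20 443 ALLOW
2015-06-01T09:03:00Z 192.0.2.44 10.10.5.20 443 DENY
"""


def parse_log(text):
    """Yield (timestamp, src, dst, dport, action); malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, dport, action = parts
        try:
            yield (ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                   int(dport), action)
        except ValueError:
            continue  # unparsable address or port: not a usable record


def compile_register(register):
    """Turn CIDR strings into network objects once, ahead of the log scan."""
    return [(name, [ipaddress.ip_network(n) for n in entry["networks"]],
             entry["allowed"]) for name, entry in register.items()]


def vendor_for(src, compiled):
    """Return (vendor name, allowed targets) for a source IP, or (None, None)."""
    for name, nets, allowed in compiled:
        if any(src in net for net in nets):
            return name, allowed
    return None, None


def review_connections(log_text, register):
    """Return (inventory, findings).

    inventory: vendor -> set of (dst, dport) actually observed in allowed traffic
    findings:  list of (kind, src, dst, dport) where kind is
      'unregistered-third-party' for allowed traffic from an unregistered network
      'out-of-scope'             for a registered vendor reaching an unapproved target
    """
    compiled = compile_register(register)
    inventory = defaultdict(set)
    findings = []
    for _ts, src, dst, dport, action in parse_log(log_text):
        if action != "ALLOW":
            continue  # denied traffic never crossed the boundary; only permitted paths define exposure
        name, allowed = vendor_for(src, compiled)
        target = (str(dst), dport)
        if name is None:
            findings.append(("unregistered-third-party", str(src), str(dst), dport))
            continue
        inventory[name].add(target)
        if target not in allowed:
            findings.append(("out-of-scope", str(src), str(dst), dport))
    return dict(inventory), findings


if __name__ == "__main__":
    inventory, findings = review_connections(FIREWALL_LOG, VENDOR_REGISTER)
    for vendor, targets in sorted(inventory.items()):
        print(vendor, sorted(targets))
    for finding in findings:
        print("FINDING", *finding)
```

On the constructed log the payment processor is recorded as reaching an RDP port it was never approved for, and an unregistered network is seen reaching the same internal host the payment processor uses, which is exactly the kind of relationship a register built from contracts alone will miss. The same comparison run in the Maintain step, against each new log export, turns the register into a living scope rather than a one-time document.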
For banks and financial institutions, a successful third-party assurance process requires assessment of existing programs, development of new ones, and ongoing program monitoring and auditing. This includes security architecture and risk assessments, security policy and controls development, security compliance reviews and alignment, audits of third parties' security, and security awareness and user training.
Fiscal health and operational efficiency remain the hallmarks of the Canadian banking industry, despite increasingly frequent reports of cyber attacks on banks in 2015. Embracing third-party security assurance is essential to maintaining the goodwill Canadian banks have built with their customers.
Dale Guise is the vice-president of Cyber Services, BAE Systems Applied Intelligence (www.baesystems.com)