The shift to hybrid work forced the financial services industry…
Organizations are becoming more reliant on complex or specialized technology solutions to meet their business needs. At some point, creating proprietary solutions won’t be cost-effective or practical for organizations. Fortunately, firms can turn to a third-party vendor for a technology solution for practically any need.
However, organizations need a process or strategy to protect their data even as the data is being accessed or used by their vendors. This is called third-party risk management.
Why is third-party risk management important?
Third-party security breaches are not uncommon and can have disastrous results for organizations and their customers.
A major concern during the COVID-19 pandemic was the massive increase of cyberattacks. Every industry was affected, including technology firms that serve financial organizations. In one major breach, hackers secretly added malicious code into an IT firm’s system, which then spread onto its’ customers’ systems. According to SEC documents, about 33,000 customers use the affected system.
Third-party risk management is a part of a larger cybersecurity strategy
In the wake of increasing attacks, the SEC has proposed new regulations for cybersecurity risk management. The Commission has proposed rules for government security platforms, issuers, regulatory advisors, broker-dealers, and wealth management firms. The SEC believes these rules, which are currently within a period of public review and comment, will improve cybersecurity, increase the resiliency of financial service providers, protect investors, and help maintain orderly markets.
Cybersecurity is not new for the financial services industry. Most firms already have written supervisory procedures (WSPs) in place for protecting data. But with the changing regulatory environment, cybersecurity has gone from being a nice-to-have to a must-have requirement.
Firms should compare their present cybersecurity infrastructure and regulations with the tenets proposed by the SEC. It will help identify current gaps in security so that companies are better protected against attacks and breaches in the future.
The 2022 Report on FINRA’s Examination and Risk Monitoring Program also provides organizations with crucial information that will help in keeping their compliance programs updated. The priority letter and enforcement actions proposed are beneficial for finding and addressing gaps in vendor controls, risk assessments, and information protection.
How can organizations manage third-party cybersecurity risks?
Organizations need to be proactive and knowledgeable of possible security breaches at the vendors’ end. It requires a shift in the mindset of businesses, as they need to treat third-party risk management as an ongoing program and not a one-time project.
Another critical factor is to consider the vendors as partners and not purely as a business relationship. At the end of the day, both the organizations as well as the vendors are a part of the same cybersecurity program.
Forward-thinking organizations do not assess their vendors on a case-by-case basis. Instead, they have standards and systems in place to manage third-party security risks. Many businesses employ vendor risk assessment questionnaires to learn the risk-management processes in place at the vendor’s end. After all, it is essential to understand how their vendors approach data security and whether they can be trusted to handle customers’ data safely.
Presently, many organizations deploy vendor risk assessment questionnaires to understand their vendors’:
Existing risk management processes
Approach to data security
Trustworthiness in handling consumer data
However, a vendor risk assessment questionnaire shouldn’t be the only part of your third-party risk assessment. Cybersecurity is an ongoing program, and these questionnaires provide the status of the vendor’s security measures at a particular point in time.
New risks are always emerging, so it’s important to regularly assess vendors to ensure they’re evolving their controls over time. Moreover, businesses can periodically conduct audits on key vendors to increase due diligence.
Organizations can reduce their chances of a security breach by ensuring areas of identified cybersecurity risk are incorporated into Written Supervisory Procedures (WSPs) and actively enforced.
Work with a trusted vendor
Overall, the key to streamlining your third-party risk management workflow is to have a good resource, a cooperative team, and a reliable risk-based model. It is important for organizations to collaborate with vendors since they are partners in their growth.
Prioritizing security and regularly updating security policies and practices will help organizations deal with the constant challenges of the regulatory environment.
Learn more about third-party risk management here.