Community banks are falling short on vendor oversight: Survey

A survey report from a national law firm specializing in cybersecurity found that small and midsize banks, by and large, fail to practice certain key oversight functions on their third-party vendors, even as regulators have insisted they hold third parties accountable for the banking system's security.

The findings from Jones Walker, which has attorneys in eight states and the District of Columbia, were based on a survey conducted in July. The survey garnered 125 responses from banking executives to questions about their institutions' security frameworks, business operations, audits, and strategic planning. The executives represented U.S. banks with less than $50 billion in assets.

While large majorities of respondents said they relied on third parties for critical IT functions, such as cybersecurity, open banking and banking as a service, many of those same respondents said they did not hold their vendors liable for data breaches or require a right to audit their cybersecurity practices.

Third-party vendors are critical to community banks, which like many small businesses seldom have their own, independent cybersecurity teams. Even for those that do, third-party vendors often provide threat intelligence and other services that only a large bank would be able to match on its own.

So, unsurprisingly, 99% of respondents said they rely in part or fully on third parties to perform cybersecurity functions. Similarly, 90% said they rely on third parties to perform business functions like open banking or banking as a service.

These dependencies pose some cybersecurity risks, but the greatest risks come from the lack of due diligence that banks exercise on these third parties, according to Tom Walker, a partner at Jones Walker. Walker spent six years as legal counsel and chief financial officer for Bank of Forest in Mississippi.

"As our survey clearly points out, community and midsize banks can do more to mitigate the risks posed by third-party vendors to their information systems, reputations, and customers' data by following industry and regulatory standards for planning, due diligence, selection, contract negotiation, and monitoring," Walker said.

One example of the lack of due diligence is that only 58% of respondents said they require their cybersecurity vendor to grant them some kind of auditing rights, which ensures the bank can directly observe the vendor's cybersecurity practices.

Similarly, only 23% of banks have contractual indemnification requirements for data breaches with their vendors. Such requirements hold the vendor responsible in the case that a breach of bank data occurs at the vendor.

Perhaps most to the point, only 50% of respondents said they require vendors to maintain a security program compliant with federal guidance. Such guidance would come from the National Institute of Standards and Technology, which this year updated its cybersecurity risk management framework.

While these practices can reduce the cybersecurity risk that banks face, regulators have also warned that banks need to exercise oversight of their third-party vendors' cybersecurity postures. This makes the failure to perform proper oversight a compliance risk as well.

This need for oversight is, in part, a product of the regulatory divide between banks and their vendors.

"Banks are highly regulated, but many third-party vendors are not," said Rob Carothers, a partner at Jones Walker. "It is critical that banks conduct thorough due diligence on their vendors and ensure robust contractual protections are in place."

In one important respect, this regulatory divide between banks and their vendors is closing. IT infrastructure companies (like many other companies considered part of the nation's critical infrastructure) will come under a new regulatory mandate in 2025 to report a cybersecurity incident to the nation's top cyber agency within 72 hours of discovering it.

Banks must already report such incidents to their financial regulators, and public companies must make certain public disclosures of cyber incidents soon after they happen, but the new mandate will for the first time bring cybersecurity incident reporting requirements to security services vendors, IT hardware and software providers, and other types of IT sector companies.

Even so, incident reporting is only one part of the regulatory and compliance puzzle. Before incidents happen, banks also have to show federal and certain state regulators their cybersecurity risk management plans, and third-party risks must be part of that puzzle. IT companies do not face these same requirements.

As regulations and cybersecurity threats evolve, banks need to invest in preventive strategies and vendor management, according to Granville Tate, Jr., executive vice president and chief administrative officer of Trustmark National Bank in Jackson, Mississippi.

The report from Jones Walker "serves as a reminder and a resource to help strengthen our defenses, protect our customers' data, and ensure we remain resilient against increasingly sophisticated cyber threats," Tate said.
