Dynamic Risk Assessment Is Critical for Combatting Modern Third-Party Threats
Authored by: Matt Kunkel, CEO & Co-Founder,
When a business is impacted by a third-party breach, it's tempting to shift the blame to the partner or vendor where it originated. This is a mistake. Ultimately, your customers don't care where a breach started—it still affects you, and (more importantly) it still affects them. Pointing fingers and placing blame doesn't give your partners and customers confidence—it only makes you look like you're trying to escape responsibility. While identifying the origin of a breach is important, stakeholders care more about what you are doing to fix it and how prepared you are to do so.
Third-party risk isn't a new concept, and today's banks, credit unions and other financial entities shouldn't be caught by surprise—on the contrary, they should have measures in place to defend against potential attack vectors from partners, vendors, applications, and other third parties. With the rise of cloud services, software-as-a-service (SaaS) applications, and countless other modern conveniences, organizations are granting access to their networks and systems to more third parties than ever. That access carries risk—and organizations in critical industries like banking and finance need to identify ways to mitigate that risk and keep their systems and data secure.
The Dynamic Nature of Third-Party Risk
As technology supporting the banking and finance industry evolves, so too does the risk. Banking-as-a-service (BaaS) applications like online banking platforms, crypto exchanges, payment processing services, and others have rapidly expanded the number of third-party entities banks regularly work with—and the potential attack surface has grown alongside it. Anything with access to an organization's network or systems represents a potential foothold for attackers, which means locking down these third parties should be an immediate priority. It should come as little surprise that governments also recognize the current regulatory shortfall and are beginning to
Most financial institutions should have—at the very least—a baseline third-party risk management (TPRM) process in place. Unfortunately, that process is often static, rather than dynamic. That means periodic "point-in-time" reviews and solutions that provide a snapshot of security capabilities, compliance status, and other relevant information. Don't get me wrong—that's important information to have. The problem is that in a field evolving as quickly as banking and finance technology, those snapshots are obsolete almost the moment they are taken. It's great that your security solutions performed well against third-party attack vectors in December—but what about now?
To face today's threats, financial institutions need to be more agile. That means having the ability to assess how your own systems, solutions, and employees will respond to a crisis, but it also means understanding how your partners and vendors can respond to a potential breach. Yes, most organizations have prospective vendors fill out a security questionnaire to gauge their capabilities, but, once again, this represents a point-in-time snapshot. How can businesses move away from these static assessments toward a dynamic assessment of their security and compliance risk, one that prioritizes real-time information amid today's evolving threat landscape?
Strong Relationships and Reliable Technology
Building stronger relationships is an essential starting point. A security questionnaire can provide some insight into the security posture of a potential partner or vendor, but its real value is as an opening, not a verdict. Even the most direct and pointed questions probably won't get a satisfactory answer if the respondent is a sales representative making their best guess. Rather than relying on questionnaires to provide the necessary insight, financial organizations should use them as a foot in the door to get actual subject matter experts (SMEs) talking. After all, no business is likely to volunteer information that casts it in a negative light, so the ability to read between the lines is critical, and, ultimately, people are generally more open and honest when talking to a peer.
A CISO or other security professional can speak to the things that aren't on a questionnaire, and those conversations should focus on a few key areas. First, what is the long-term security roadmap for the vendor? This helps identify where they see room for improvement and how they are going about it. It's also important to understand what they view as the key challenges in their industry and how they are addressing them. Discuss user control considerations. What elements of security and compliance are covered on the vendor side vs. the customer side? What do they consider to be their "perimeter" and where does it end? How does the vendor train its own internal users to ensure they are up-to-date with today's threats? These are questions that can provide invaluable insight into the security posture of a potential vendor, allowing the institution to make more informed decisions. Establishing a strong relationship also helps empower customers to call out their vendors when they aren't meeting expectations.
It's important to have a dynamic system that provides for ongoing touchpoints with the most mission-critical vendors and partners. Financial institutions have dozens (if not hundreds) of security and compliance frameworks to adhere to, which requires up-to-date information. Today's banks likely have a centralized platform to measure compliance in real time, but automating the necessary data collection from partners and vendors in that platform can streamline the process of establishing a solid security and compliance baseline. It's also critical to ensure your GRC platform is modern and agile to keep pace with the heavily regulated and constantly changing financial sector. The combination of reliable, comprehensive, and data-backed compliance technology with strong relationships and regular communication can help financial institutions improve their ability to both assess and mitigate third-party risk.
Security Questionnaires Aren't Enough
In today's increasingly interconnected world, some level of third-party risk is a fact of life. But by leveraging the power of both people and technology, financial institutions can ensure they have the information they need to approach external partnerships with confidence. It's critical to understand where risk exists, where it is being accounted for, and where it is being passed on—and then making informed decisions about whether that is acceptable to you and your organization. If a third-party breach happens, your partners and customers won't care how many security questionnaires you reviewed—they'll only care about how prepared you were to deal with the situation at hand.