Third-Party Cybersecurity: How Financial Service Organizations Can Mitigate Business Risk

By Alastair Williams, VP, Solutions Engineering at Skybox

Siloed approaches to risk identification mean that third-party risks are missed across complex financial institutions

Today’s financial organizations are evolving and modernizing, with many large financial organizations relying on wide-ranging third-party environments with thousands of suppliers and vendors. According to Gartner, 71% of organizations report that their third-party network contains more vendors than it did three years ago. Gartner also found that 60% of organizations work with over 1,000 third parties, which will only grow as businesses become more complex.

Regulations are expanding around third-party usage, especially in financial services and government. With this growing oversight from regulators and company boards, cybersecurity leaders must confirm that their third-party risk framework leads to optimal risk outcomes. Therefore, getting risk identification right across these complex environments is critical.

As financial organizations increasingly turn to third parties, maintaining a robust risk management strategy is more important than ever to manage risks more effectively and ensure regulatory compliance. By adopting this approach, financial organizations can understand their true exposure to cyberattacks and focus remediation efforts accordingly, saving valuable resources by accurately identifying the most dangerous vulnerabilities.

The growing risk of third-party connectivity

While third-party relationships help to streamline business-critical functions, the interconnectivity they bring exposes financial institutions to higher levels of cyber risk. This can become incredibly complicated with so many entities and services to secure and monitor, as well as third-party organizations likely being connected to additional entities that could inadvertently introduce additional risk.

A report by the Ponemon Institute found that 51% of businesses have suffered a data breach caused by a third party. For example, in 2021, the Reserve Bank of New Zealand suffered a data breach after attackers illegally accessed data stored at a third-party hosting provider.

To protect critical systems and sensitive information from third-party risks, many financial service organizations invest in assurance processes, which to varying degrees require an independent assessment of third-party cyber compliance through penetration tests or SOC 2 Type 2 certification. Despite the practicality of this approach, these assessments still only represent an approximation of risk at a single point in time while also being a costly strategy that is ultimately paid for by financial organizations.

Taking a new approach to managing third-party risk

A recent report found that 24% of financial service organizations feel they are not well prepared for the rapidly changing threat landscape they face today, especially as these organizations grow their third-party networks. Because of the growing complexity of these networks, gaining visibility into vulnerabilities can be challenging, particularly for larger companies.

Financial organizations need a new approach to cybersecurity in light of these increasing risks, one that can identify, measure, prioritize, and manage all risks. This is especially needed as CISOs of financial service organizations have a growing role in vendor, third-party, and supply chain management. To create an effective risk-focused approach capable of combatting third-party risks, financial organizations should look to implement a few key strategies:

• Risk Scoring: Cyber risk scoring provides an objective framework for evaluating security posture that considers a wide range of risk factors from inside and outside an organization. By converting these evaluations into an easy-to-grasp representation of qualitative cyber risk, organizations can better understand how safe their assets are and where they need to improve.
• Vulnerability Prioritization: This strategy automatically considers threat intelligence, asset context, and attack path analysis. Organizations with complex environments and limited resources can target their effort where it matters by prioritizing and mitigating vulnerabilities that pose the most significant risk.
• Exposure Analysis: Exposure analysis identifies exploitable vulnerabilities and correlates data with an organization’s network configurations and security controls to determine if a system is vulnerable to cyberattacks. This strategy determines which attack vectors or network paths could be used to access vulnerable systems.

Today’s most rigorous third-party compliance processes rely on point-in-time assessments. Effective cybersecurity strategies must provide continuous assurance of third-party risks and vulnerabilities. A modern, risk-based approach to cybersecurity enables attack simulation, compliance, and visibility that allows organizations to see all entry and access points and perform path and exposure analysis. By adopting a risk-based approach to cybersecurity alongside compliance, financial organizations can go beyond checking the box and truly mitigate third-party cybersecurity risk.