
Understanding the growing risk of third-party threats

By Scott Cutler

Managing cybersecurity is an ongoing challenge, no matter what industry you work in. But there are few areas more sensitive than personal financial data – which means businesses in this sector have a particularly tricky task to navigate.

In recent years, this has been compounded by the requirement for more stringent data regulation. Meanwhile, high-profile breaches and malicious malware attacks have brought the issue of data protection to the forefront of public awareness – meaning customer expectation around security is high.


But there’s also an additional risk – and it’s one that can be incredibly hard to manage. As financial ecosystems open up, the prevalence of shared banking systems and third-party networks is exposing the financial services industry to a broader threat perimeter than ever before. And all too often, businesses aren’t equipped to deal with the attendant risks.

Third-party vendors: an opportunity and a threat

Once upon a time, protecting data and maintaining security in financial services was very much a case of handling the direct relationship between the business and its customers – and of course, blocking malicious attacks. Nowadays, financial institutions like banks are working with more and more third-party vendors to support their services, ranging from the providers of real-time payment APIs to professional services vendors.

At the same time, initiatives like Open Banking are actively opening up the conversation around collaboration, providing the framework and the driver for more integrated services across the board. In an age where businesses are striving to deliver ever-more innovative products to their customers, the benefits of this are clear, with financial institutions able to access technologies and services they would never have the scope to develop internally.

Yet there’s no escaping the fact that the opportunity for breaches – whether accidental or resulting from a malicious attack – increases significantly with every new party introduced to the security ecosystem.

Playing the blame game

A number of high-profile cases have illustrated the dangers inherent in this. Scottrade Bank suffered reputational damage when a serious accidental breach exposed the personal data of 20,000 customers in 2017. Although Scottrade attributed this breach to a third-party professional services vendor, which failed to take adequate safeguards, the reality is that it was Scottrade’s name hitting the headlines.

Other breaches of this type have had a significant financial impact. In 2016, hackers stole a staggering $81 million from the Bangladesh central bank – and it’s widely believed that they gained access through third-party software. Clearly, dangers from third-party vendors can’t be dismissed. And even when a breach is caused by a third-party vendor, this distinction is very rarely made in the minds of customers (or the press).

So, while nobody would dispute that enhanced collaboration can drive product innovation and therefore improve the customer experience, the flipside is greater risk – and more difficulty establishing exactly where the burden of responsibility lies.

Assessing a changing landscape

If they’re going to protect their customers, their systems, and their reputations, financial institutions need to act. But despite the pressing nature of this issue, few are fully equipped to deal with the changing nature of risk.

It’s standard to conduct a threat, risk and vulnerability analysis of a vendor upon entering into a new third-party agreement, at which point the organisation will also provide the third party with assurance that the right level of security is in place. While this approach is commonplace, it’s also flawed – because it only reflects the vendor’s risk level at a specific moment in time.

As those in charge of cybersecurity know all too well, digital threats can emerge in a moment and wreak havoc in minutes. So financial institutions need to have a clear, ongoing view of potential threats from third-party vendors, not simply at the point of entering into a new agreement. Unfortunately, few banks have the internal resource, skills, or budget to assess this on a regular or even semi-regular basis.

Complicating matters further, it’s difficult to develop a standardised approach to risk analysis. When you consider the full range of third-party vendors that financial institutions work with, the issues at play are hugely varied; a professional services vendor presents a very different threat from a piece of integrated software. As a result, it’s historically been difficult to implement a straightforward testing mechanism that can regularly account for the full gamut of potential issues.

An integrated approach to wide-ranging risk

If financial institutions are going to successfully manage third-party risk, this has to change. On the bright side, as the risk has grown, a number of technologies have developed to help businesses manage their risk on a continual basis. Doing this requires a well-rounded, integrated approach that covers many bases – including firewalls and ongoing threat intelligence.

It’s not easy, but it’s certainly possible – and it should be a priority. Because whether it’s protecting customers’ personal information or their savings, banks and other financial institutions have to maintain rigorous security standards. If they don’t, it’s not just their customers’ data at risk – it’s their business’s reputation on the line, too.