Bank security: Coping with third-party risk
- Posted on June 14, 2021
- Estimated reading time 3 minutes
FS-ISAC puts third-party risk (TPR) as one of the top three cybersecurity risks for 2021. It argues that ‘suppliers to financial firms will continue to be lucrative targets for threat actors’, quoting J.R. Manes, Global Head of Cyber Intelligence at HSBC: “Organizations properly practicing defense-in-depth with multi-layered controls are still vulnerable to large-scale and even systemic issues through third party suppliers.”
One of the most well-known supply-chain attacks was disclosed in December 2020. Russia-linked nation-state attackers trojanized builds of SolarWinds’ Orion monitoring software, which is used by thousands of businesses and government agencies, so that a legitimately signed and distributed update carried a backdoor. The adversaries hid in victims’ networks for months, stealing valuable business IP.
Cloud service providers, managed security service providers, and other third parties performing critical services for multiple valuable clients, such as API integration for Open Banking initiatives, will continue to be lucrative targets for threat actors. The goal may be stealing data or money, or gaining a foothold in the systems of many clients at once.
Not all banks run their processing in-house: many outsource services such as online banking, investment platforms, mobile applications and websites. And given the evolution of global data privacy regulations, now arriving in the US on a state-by-state basis, banks will need to be even more diligent with their suppliers than before.
Operational resilience is key. Breaches will happen (when, not if), and the critical element is to respond effectively and as quickly as possible. Incident response and disaster recovery plans should be in place, and rehearsed, to limit damage. There is also plenty to do ahead of a breach:
- Develop penetration testing scenarios, both external and internal, that model attacks capable of causing serious business impact, including compromise via a supplier.
- Get the basics right: for example, ensure every system is fully patched, and track the ones that are not.
- Consolidate your security tools: Gartner estimates tier 1 banks run 100+ and tier 2 banks 20-45, which are far too many to operate well.
- Keep your three lines of defense separate: operations first, then risk management, then internal audit. These are separate roles in tier 1 banks, but they tend to overlap in lower tiers.
- To avoid complexity, consolidate suppliers around cloud security, identity and access management, security analytics and threat detection.
- Focus on data protection and portability: GDPR has had a significant impact on banks, and there are still unresolved tensions between privacy and security (in areas such as consent management, for example).
- Establish an identity perimeter that provides centralized, effective control over sprawling digital environments.
- Demonstrate return on investment: your risk profile should go down following cyber-investment.
You may wish to undertake specific cloud security assessments. One US credit union wanted to apply AI and machine learning to proactively offer members products tailored to their financial needs. We created a set of scalable, repeatable processes to stand up a secure Microsoft Azure environment to support this, for reuse in subsequent production environments. This allowed security to become a business enabler for the client and boosted their confidence that the environment would meet or exceed the security requirements of their financial services industry audit.