Today, data and sensitive information are shared constantly, opening up the door for instant connectivity between client and vendor. And while this has streamlined the process of sharing information, third-party (vendor) risk management has become a major challenge for most businesses, especially in the banking industry.
Regulatory guidelines have been implemented and become stricter as federal and state regulators look for ways to mitigate risk and encourage better cybersecurity standards. In fact, the Defense Department is working on a new policy that will make it a requirement that contactors’ own systems have stronger cybersecurity measures to protect sensitive data.
For banks, there is a faster move to the cloud for the different financial services for customers and major clients. But while this may be a more efficient option for banks to save time and money, it could be opening them up to greater risks and liabilities while working with third-party vendors, calling on a more robust approach to cybersecurity controls.
Risk ratings help to create a systematic approach to rate a prospective vendor based on the risk they pose to a bank. This is essential for establishing the level of oversight needed to operate without a rise in risk. Measures that help determine that risk include the type of data that’s being shared with the vendor, the ability to replace that vendor quickly if need be, the reputation of the vendor, and the amount of investment that is being made with the vendor in question.
It’s important to acquire the necessary assurance that the third party a bank is working with is planning to operate for years to come. This is especially important when it comes to cloud-based offerings, as these have control of the software being used. If a vendor goes out of business, then a bank will not have the ability to run the solution on its own.
Understanding the Size of Parties Involved
A bank may be enlisting the help of a third party vendor, but that vendor may be connected to additional parties that are involved in the process. A number of solution providers build out their cloud environment with providers and assume that cybersecurity is being managed and monitored. However, companies like Amazon Web Services aren’t responsible for the security of the data. The vendor a bank is working directly with is the one who oversees the security of the information. Banks should ensure that the vendors they work with are operating with the appropriate levels of controls within their cloud solution.
Banks should make sure they are keeping their vendors to the same regulatory guidance level they hold for themselves. This means they need to be looking at the different ingredients that affect the security of data, including policy documentation, vulnerability detection and management, business continuity planning, and proof of insurance.
Banks need to be on the offensive with their own insurance as well with items like cyber liability insurance. This kind of insurance can be specified as third party coverage and include legal defense, settlements, damages, and judgments, liability to banks for re-issuing credit cards, and cost of responding to regulatory inquiries, which all might occur following a breach.
Assessing Your Contract
Banks should ensure that their contracts with third-party vendors include the right level of cyber protections and terms. The vendor should highlight their cyber controls and commitment to abide by regulations and laws within a written contract. Banks need to also make sure their vendors are willing to take on a reasonable amount of liability and provide the right amount of notification and incident management procedures.
About Financial Guaranty Insurance Brokers
Since 1983, Financial Guaranty Insurance Brokers has distinguished itself as a provider of Professional Liability, Cyber Liability, and Crime insurance products for entities of all types. To receive timely, personalized service from a knowledgeable and experienced staff, call us today at (626) 793-3330 to speak with one of our professionals.