Does the bank you provide 3rd party services to perform on-site assessments?
Does the bank require you to prove that you have minimum cyber security processes in place?
1 in 5 don’t.
Does the bank require that information security requirements to be extended to your subcontractors?
1 in 3 don’t.
Unfortunately, if you answered no to any of the above questions, then you are at risk of becoming an unknowing Trojan Horse—that is, accidentally opening the digital back door to hackers who could steal bank customers’ information.
Third Party Vendor Risk
The liability for cyber security breaches from third party vendors is shifting to banks and, yes, it is their job to “up their game” and start using risk management solutions.
I used the word “risk” above in a different sense than some would read it. For most people, the risk factor kicks in once you stop following best practices such as implementing minimum cyber security standards.
But it starts earlier than that. The risk factor actually comes into play as soon as there is no accountability.
It’s human nature. When you don’t have a workout buddy, statistics have shown that you are much less likely to faithfully work out on a schedule. There’s something about being accountable—whether that be to a person or organization—that makes us more dependable and trustworthy in the long run.
If your bank doesn’t follow best practice when it comes to you as a third party service provider, you are at risk of becoming a risk to them. Kaspersky Lab released a survey report on IT Security Risks in 2014, which stated that $720,000 was the average economic impact of a single data breach. If the breach was a targeted attack, the damage costs climbed to $2.54 million.
Regulators are cracking down on banks for this very reason. Financial institutions now have to categorize their third party vendors into their different risk levels. As a result, many banks might decide to cut ties with certain vendors simply because their risk level is too high.
If you want to stay a low risk vendor or lower your “risk status” to the bank you provide services to, it is vital that your business has all the correct processes, procedures and measures in place. It is vital to keep yourself accountable.
Have a Cyber Security Report Available Upon Request
Just because your bank does not currently require a report from you as a third party doesn’t mean it won’t change its policy in the future, especially considering recent regulatory enforcement. Having one ready in case this happens will make your business less of a risk to financial institutions.
Do Quarterly Assessments (At Least!)
Performing quarterly assessments of your cyber security risk plan is the bare minimum you should be doing. Best practice would be to perform them monthly. Though this might seem time-consuming, consider this old adage: “A teaspoon of prevention is worth a pound of cure.” If there is any possibility that your risk plan needs to be updated, you don’t want to go three months before you realize it. At that point it could be too late, and the ramifications dire for your company.