“A company may have the most sophisticated cybersecurity protections in the industry, but if its third-party service providers have weak systems or controls, those protections will be ineffective.” – New York State Department of Financial Services
Last month, J.P. Morgan Chase and Wells Fargo came under fire for restricting the data they pass along to personal finance app Mint. Though perhaps in part a smokescreen for a strategic move against emerging competition, the move illustrates a growing trend among financial services firms. Increasing pressures from expected regulations are driving large banks to require their vendors to raise their cyber standards. Third-party vendors are common targets for cyber criminals, and recent data demonstrates that their security standards are often lax and come with little oversight.
An April 2015 New York State Department of Financial Services (DFS) survey found that “ninety percent of banking organizations have information security requirements for their third-party vendors…,” though less than half of the banks require on-site assessments. A mere 35 percent of banking organizations require periodic on-site cybersecurity assessments of their high-risk third-party vendors. Such findings have prompted regulators like the DFS to tighten legal requirements governing cybersecurity standards for the financial services industry.
The DFS published an update to its 2014 “Report on Cyber Security in the Banking Sector” this past April, focused exclusively on third-party vendors. Building on that, last month the DFS issued a letter proposing new regulations to establish cybersecurity standards for financial institutions. The prospect of increased DFS regulation, coming as early as 2016, has incentivized financial services firms to preemptively elevate their cybersecurity protocols, and those changes have had, and will continue to have, trickle-down effects on the wide range of third-party vendors these major firms employ.
Specifically, impending DFS regulations would mandate that financial institutions contractually require third-party vendors to:
- Use multi-factor authentication limiting access to sensitive data and systems
- Encrypt sensitive data in transit and at rest
- Provide notice following a cybersecurity incident
- Compensate victims for losses resulting from cybersecurity incidents
- Allow the contracting entity to audit their cybersecurity
- Provide warranties regarding information security
As high-level cybersecurity protocols become contractual prerequisites, smaller financial services firms (and those in business with them) will be challenged to raise their security standards at their own cost. Banks or vendors that do not preemptively elevate their standards are likely to be left out in the cold.
So, what can smaller or less prepared companies do to stay ahead of the curve?
- Employ industry-blind, pre-contractual cybersecurity vetting of third-party vendors
- Require partner organizations to use encryption protocols for data in transit or at rest
- Build out and regularly review multiple cybersecurity breach recovery plans
- Designate a chief information security officer (CISO), and mandate that he or she brief the board of directors annually or semi-annually
- Establish annual penetration testing and quarterly vulnerability assessments
- Create and/or maintain an audit trail system
Embarrassing hacks like the exposure of CIA Director John Brennan’s personal email account, and the attack on the website of law firm Fried Frank, were enabled by the poor security measures of customer service and web maintenance third-party vendors. These cases, and countless others, demonstrate that the ultimate reputational damage from a breach falls principally on the organization whose name is on the letterhead. For 21st-century businesses, any weak link endangers the integrity of the entire chain.