Commentary
Deena Coffman, IDT911 Consulting

Do You Trust Your Third-Party Vendors?

Banks need to work to build stronger vendor security now.

Evaluating your bank’s third-party vendors is critical to the security of its business and customer data. The bank could experience a data breach through a contractor or supplier—and never find out unless the contract required the vendor to notify you after a security event (or when your information turns up on Pastebin as happened to Twitter.)

Recent reports that breaches at Target Corp. and Yahoo Inc. stemmed from stolen vendor credentials underscore the importance of third-party security reviews to protect information assets.


The following vendors all have experienced a data breach in the past two years: Adobe, LexisNexis, Dunn & Bradstreet, Kroll Background America a/k/a HireRight, J.P. Morgan, State Farm, Kaiser Permanente and Epsilon. What if one of them was on your vendor list?

[For More On Vendor Security, Check Out: Banks Must Approach Third Party Contracting Differently in Today’s Highly Regulated Environment]

A bank’s future revenues and profitability are jeopardized when confidential business information is exposed, whether through the disclosure of proprietary information or through penalties for non-compliance with data breach and privacy regulations. For this reason, it’s important to make sure suppliers and contractors handle business information assets with the expected level of care. Third-party security reviews are a widely adopted approach.

However, a security review of every vendor isn’t necessary. So where to start?

1. First, look for your company’s most important information assets.

2. Next, determine which suppliers and contractors have access to those systems and/or data. To do this, build an information asset inventory. Then, map the data flow as sensitive information comes into your organization, is copied, processed or transferred, and is finally disposed of.

3. Now that you know what you want to protect and where it is exposed, list all vendors with access to the exposure points. Remember to check systems, mobile devices, email, websites, databases, and access to facilities, such as those given to waste removal companies or maintenance services.

4. Once you understand which vendors have access to your information and which information is the most sensitive, rank as your first priority the vendors that have the greatest access to the most sensitive level of information. Request that those suppliers or contractors have a review of their security program as it pertains to the information they handle for you. For example, suppliers with recurring, persistent access to sensitive data would warrant a more in-depth review than a contractor with limited access to a subset of information. A full review would involve the physical, technical and administrative controls the organization has for information security and privacy.
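The four steps above amount to a ranking: vendors with the broadest, most persistent access to the most sensitive assets come first, and the review depth follows from that. The script below is an added illustration, not part of the original commentary; the inventory, vendor names and scoring weights are constructed assumptions.

```python
from dataclasses import dataclass

# Sensitivity levels assumed for the asset inventory (higher = more sensitive).
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

@dataclass(frozen=True)
class Access:
    vendor: str        # supplier or contractor (constructed names)
    asset: str         # entry in the information asset inventory
    exposure: str      # exposure point: system, email, website, facility ...
    persistent: bool   # recurring, standing access vs. limited, one-off access

# Constructed asset inventory (step 1): asset -> sensitivity level.
ASSETS = {
    "core banking db": "restricted",
    "customer email archive": "confidential",
    "branch facilities": "internal",
    "marketing site": "public",
}

# Constructed list of vendors at each exposure point (steps 2 and 3).
ACCESS_LOG = [
    Access("CoreSoft", "core banking db", "system", True),
    Access("MailArchiveCo", "customer email archive", "email", True),
    Access("AuditFirm", "core banking db", "system", False),
    Access("CleanCrew", "branch facilities", "facility", True),
    Access("WebAgency", "marketing site", "website", False),
]

def rank_vendors(assets, accesses):
    """Step 4: order vendors by greatest access to the most sensitive data.
    Assumed score: sum of asset sensitivity per exposure point, doubled when
    the access is persistent. Ties are broken alphabetically."""
    scores = {}
    for a in accesses:
        weight = 2 if a.persistent else 1
        scores[a.vendor] = scores.get(a.vendor, 0) + SENSITIVITY[assets[a.asset]] * weight
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))

def review_depth(assets, accesses, vendor):
    """Recurring, persistent access to confidential or restricted data warrants a
    full review of physical, technical and administrative controls; limited
    exposure is handled by self-assessment plus contractual protections."""
    mine = [a for a in accesses if a.vendor == vendor]
    if not mine:
        return "no review needed"
    if any(a.persistent and SENSITIVITY[assets[a.asset]] >= 2 for a in mine):
        return "full review"
    return "self-assessment + contractual protections"
```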

Security is like a chain: It is only as strong as its weakest link. An exposure from a weak process or policy could render a large security technology investment ineffective. Conversely, for those circumstances where limited data exposure exists, a self-assessment and contractual protections may be more appropriate than a full review.

Suppliers can gain an advantage over the competition by establishing and demonstrating a strong security posture. They can perform assessments as part of their compliance programs to proactively show clients they’re mindful of security. And they can provide a report of the assessment, with confidential information removed, of course. Additionally, a strong security posture reduces the time and effort to move from proposal acceptance to contract; the process would take longer for vendors that still need to be vetted for security.

One word of caution, however, about using PCI compliance reports as security vetting tools: PCI pertains only to a set of standards that apply to payment card processing. It may or may not be relevant to the information and systems for which you need to have assurance. Compliance is not the same as security.

Because security standards generally permit risk management and not risk removal, contractual measures may be substituted. For example, if the cost of a security review would exceed the value of the contract, or where access or the amount of data is limited, it may be more advantageous to forgo a required security review and instead specify some or all of the following in the contract:

• Indemnification against third-party claims, especially IP infringement
• Limitations on liability
• Responsibility during a breach for notification, legal defense and remediation (first- and third-party)
• Insurance minimums
• Information security requirements (such as mandatory encryption)
• Assignment
• Service-level agreements that support incident response needs
• Incident response testing participation
• Insurance
  o Data breach
  o Cyber liability

Risk managers may elect to avoid, transfer or accept information security risks rather than mitigate them through controls. In any event, it should be an informed, deliberate decision. Trust but verify, because regardless of whether a data breach occurs at your facility or through a third-party supplier, your reputation and your revenue are ultimately at stake.

Deena Coffman is CEO of IDT911 Consulting.

Comments

Kelly22
User Rank: Author
2/12/2014 | 5:14:01 PM
re: Do You Trust Your Third-Party Vendors?
I also liked the chain imagery. By mapping their data flow, companies can visualize their 'chain' and more easily identify areas that need stronger security.
The Doctor
User Rank: Apprentice
2/12/2014 | 2:46:53 PM
re: Do You Trust Your Third-Party Vendors?
Excellent point; compliance is not security. Regarding data security: trust but verify.
The contract with the third party vendor should allow the institution to run unannounced security tests against the vendor's system. Clients must maintain constant vigilance over their third party vendors. Scorecards help create a baseline for the relevant service. The contract is not the end of the process. Continuing communication during the term of the contract is good for both the client and the vendor.
Byurcan
User Rank: Author
2/10/2014 | 2:30:16 PM
re: Do You Trust Your Third-Party Vendors?
Security as a chain is a good illustration. Since the chain is so long in financial services, it is even more imperative for banks to know exactly what security protocols third parties they work with have in place. It's not enough to just be secure yourself.
KBurger
User Rank: Strategist
2/10/2014 | 1:41:38 AM
re: Do You Trust Your Third-Party Vendors?
Great analysis, Deena, and I think 2 points here are really critical: 1) that suppliers/vendors can gain competitive advantage by demonstrating secure practices etc., and 2) the point that security is not synonymous with compliance. A company can follow a whole checklist of recommendations/standards, but that doesn't mean that it is impenetrable.