
Risk In The Supply Chain A Growing Concern for Banks and Regulators

A new white paper by Information Services Group argues that banks are falling short of regulatory standards in managing supply chain risk and governance.

Regulators are taking an increasingly acute interest in the risk that sits in banks' vendor supply chains, and in audits they have found that most banks lack adequate risk monitoring and management of their providers, according to a recently released white paper by Information Services Group (ISG), a research and advisory firm.

Financial institutions are becoming increasingly reliant on outsourcing services to third-party providers, with 35% of outsourcing contracts coming from the financial services sector, according to ISG’s research. Dodd-Frank and other regulations in recent years have aimed to set standards for those service providers in security practices and protocols for interacting with end-consumers, says Chuck Walker, the director of ISG.

Walker expects regulators to keep investigating suppliers' compliance and security risk as more banks outsource services that put vendors in direct contact with consumers, such as staffing call centers. Last summer Capital One was fined by regulators after third-party suppliers working the phones at the bank's call centers were found to have used fraudulent means to sell services to customers, showing the consequences of not monitoring interactions between vendors and customers.


As regulators have begun to scrutinize vendor supply chains through audits, they have found that most banks are not doing enough to monitor risk in those chains, according to the white paper. “They [regulators] are looking at - from a risk perspective - how they’re monitoring their suppliers,” Walker says. “In many cases they’re finding there isn’t strict oversight in performance aspects of the contract… Regulators want to make sure the [vendors’] internal processes are compliant.”

As the white paper points out, auditors are increasingly asking banks for specifics on how vendors are being monitored (often in real time) and what kind of performance reporting is occurring over time. Many banks have no answers, because most of the analysis they have done of their vendor partners was done upfront to qualify them for the contract. “Clients often don’t look at governance [with their vendors], especially performance governance, until it is time for contract renewal,” Walker adds. That upfront analysis is often outdated within a few months, the white paper says, as technology, market and regulatory changes force vendors to alter their processes and protocols.

Most banks, therefore, lack the ongoing monitoring of their supply chains that regulators are looking for. Those banks expose themselves to risk and non-compliance that can lead to fines like the one Capital One received last year.

Auditors have mostly targeted larger institutions so far, Walker relates, but the attention being paid to the issue is starting to trickle down. “There’s been a lag because the bigger banks get the attention first, but regional banks are starting to get wind of it,” he says. Several of those larger banks have had to reform their monitoring processes after failing audits, Walker adds, in some cases having to take immediate action or bring in outside help to get compliant.

The white paper lays out a step-by-step process for banks to analyze their supply chain for risks and build monitoring processes that will keep them in good stead with regulators. That process begins with a risk assessment that prioritizes the most critical areas of risk and how to correct them. Walker says the assessment can take anywhere from two to six weeks, depending on the size of the bank and the complexity of its supply chain.

Banks should then open a discussion with their vendors to point out areas of weakness and create monitoring processes that address them. This exercise should give banks and vendors a more holistic view of the service chain and the risks in it, the white paper says, which in turn makes it possible to define standards of responsibility for addressing specific risks and to make any contractual adjustments that may be required. Over time, the white paper says, banks need to define a standard set of roles, process owners and sources of real-time data for their first-tier suppliers, as well as their second-, third- and fourth-tier suppliers.

Jonathan Camhi has been an associate editor with Bank Systems & Technology since 2012. He previously worked as a freelance journalist in New York City covering politics, health and immigration, and has a master's degree from the City University of New York's Graduate School ...
