04:50 PM
Sean Cronin
Commentary

Staying Strategic with Third Party Risk

Banks have an opportunity to not only specify and assess controls, but also inspire a strategic and robust approach to risk management.

Over the past year, the OCC, the FRB, and the FDIC have all released updated guidance on managing third-party risk. One focus of this guidance is the identification of “critical” vendors and board-level approval, which highlights the importance of understanding how third parties expose the banks they serve to privacy concerns and operational risk. The question isn’t, “What happens to the third party if there’s an incident?” Rather, it’s, “What happens to the bank(s) served if there’s an incident at the third party?” The importance of this distinction is obvious, but too often overlooked by those tasked with managing third-party risk. 

As an assessor, it’s easy to focus on the third party under review while ignoring the dynamics of the relationship between that third party and the business process they serve within your organization. Outside of an organization’s senior ranks, it’s rare to find individuals who understand key processes from end-to-end, including the roles played by vendors and other third parties. In this light, the recent theme in regulatory guidance is both strategic and timely. In addition to prescribing expectations for vendor due diligence, the new guidance should have the positive effect of influencing banks to put their vendor risk management programs into better context within their own business risk.

Nevertheless, many banks still act tactically when it comes to assessing and monitoring how third parties manage risk. As an example, our organization was recently asked to provide an official response describing how it dealt with the Shellshock vulnerability. Frankly, this isn’t the right question.


Heartbleed, Shellshock, and POODLE have gotten more than their fair share of press over recent months. But an organization that only addresses the vulnerabilities featured by the mainstream press is doomed. The Common Vulnerabilities and Exposures (CVE) database, operated by the MITRE Corporation (a federally funded, nonprofit organization), aggregates and standardizes reporting on vulnerabilities. The CVE database recorded over 7,200 vulnerabilities during 2013, and as of October 15 has already recorded over 6,000 new vulnerabilities for 2014. With a tempo of approximately 20 new vulnerabilities every day to consider and, if applicable, mitigate, IT organizations have to treat vulnerability management as a short-cycle control, or even a continuous control, if they’re going to adequately protect the systems, data, and business processes they support. The question isn’t, “What did you do about Shellshock?” Instead, the correct question is, “How do you manage vulnerability reports by the thousands each quarter, and do so without disrupting business operations?”
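To make the idea of a short-cycle control concrete, here is an added Python sketch (not from the article or from any vendor product) of the daily loop such a program runs: match a day's feed of new vulnerabilities against an asset inventory that records which business process and which third party each host belongs to, attach a remediation deadline by severity, and flag what is overdue. The feed entries, hosts, vendor names and SLA windows are all constructed for illustration.

```python
from datetime import date, timedelta

# Constructed sample feed entries; the ids are placeholders, not real CVE records.
FEED = [
    {"id": "CVE-XXXX-0001", "product": "bash", "cvss": 10.0, "published": date(2014, 9, 24)},
    {"id": "CVE-XXXX-0002", "product": "openssl", "cvss": 5.0, "published": date(2014, 10, 15)},
    {"id": "CVE-XXXX-0003", "product": "somecms", "cvss": 7.5, "published": date(2014, 10, 1)},
]

# Constructed asset inventory: each host is tied to the business process it serves and
# to the third party that operates it, so a finding reads as "what happens to the bank".
ASSETS = [
    {"host": "payments-gw-01", "products": {"bash", "openssl"},
     "process": "ACH origination", "vendor": "VendorA", "critical": True},
    {"host": "marketing-web", "products": {"somecms"},
     "process": "Public website", "vendor": "VendorB", "critical": False},
]

# Remediation windows in days (assumed policy values, not from the article).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

def severity(cvss):
    """Map a CVSS base score to a severity band."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    return "medium" if cvss >= 4.0 else "low"

def triage(feed, assets, today):
    """Match feed to assets, attach deadlines, flag overdue; critical processes first."""
    findings = []
    for vuln in feed:
        sev = severity(vuln["cvss"])
        deadline = vuln["published"] + timedelta(days=SLA_DAYS[sev])
        for asset in assets:
            if vuln["product"] not in asset["products"]:
                continue  # this vulnerability does not apply to this asset
            findings.append({
                "id": vuln["id"], "host": asset["host"], "process": asset["process"],
                "vendor": asset["vendor"], "critical": asset["critical"],
                "cvss": vuln["cvss"], "severity": sev, "deadline": deadline,
                "overdue": today > deadline,
            })
    findings.sort(key=lambda f: (not f["critical"], -f["cvss"]))
    return findings
```

Run daily, the overdue list is what goes to the vendor and to the process owner, and the vendor field is what lets a bank ask the article's question of its third parties rather than of itself.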

The Gramm Leach Bliley Act (GLBA) of 1999, section 501 (b) Safeguards Rule that went into effect during 2003, kicked off the current third-party risk management frenzy by requiring banks to not only implement a security plan for protecting customer information, but also flow that plan down to their third parties by way of contractual obligation and assessment. Since that time, regulatory guidance has continually increased the scope of these programs to include broader topics of risk, in particular drawing attention to operational risks that threaten the resiliency of the banking system itself. 

(Image source: Pexcard)

Perhaps more valuable than the guidance is the example set by the seemingly organic maturation of that guidance over the past decade. The regulatory mission in this case is one of "public health" and its objective is to drive a minimum standard of risk management capabilities across a wide community. Being examined by a regulator can be disruptive and bothersome, but the strategic dialogue driven by these interactions is a positive and important outcome. To the degree that third party risk management programs essentially place banks into the role of "regulator" of their vendors, there’s an opportunity to not only specify and assess controls, but also inspire a strategic and operationally robust approach to risk management.

Sean Cronin is responsible for leading all aspects of ProcessUnity's Risk Suite line of business including strategy, marketing, sales, client services, and strategic partnerships. He brings over 12 years of Governance, Risk and Compliance (GRC) experience to the company. Sean ...

Comments
Blog Voyage
Blog Voyage,
User Rank: Strategist
7/6/2015 | 2:40:27 AM
Nice stuff
I'm not very familiar with this kind of stuff (I'm not a manager in a bank or something like that) but you explain things very easily so I can understand it.

Excuse me for my bad English, I'm French.
DorisG987
DorisG987,
User Rank: Apprentice
9/2/2015 | 1:34:10 AM
Interesting comment about Ashley Madison
Ashley Madison has been served with a US $578 million lawsuit following a breach that resulted in data concerning 39 million of its members being leaked online, including usernames, messages and email and home addresses. If that raises your organization's alarms, meet Edgar Perez, author of The Speed Traders and Knightmare on Wall Street, and course director of Cybersecurity Boardroom Workshop 2015 in New York City, London, Dubai, Bangkok, Jakarta, Sydney, Taipei, Seoul and Tokyo.
DorisG987
DorisG987,
User Rank: Apprentice
9/16/2015 | 11:31:55 AM
On today's presidential debate
Could @RealDonaldTrump, @HillaryClinton, @JebBush, @RealBenCarson or @BernieSanders respond better than @BarackObama to the #Russia, #China, #Iran and #NorthKorea #Cybersecurity Challenge? @MrEdgarPerez, a published author and business consultant for private equity and hedge funds, will discuss at #Cybersecurity Boardroom Workshop 2015 what governments around the world need to do to respond to the cybersecurity challenge. More information about these seminars in #NewYorkCity #London, #Dubai, #Bangkok, #Jakarta, #Sydney, #Taipei, #Seoul #Tokyo at our website.