New Year, New Vendors! Assessing How Vendors Protect Your Money and Data
2018, a year in which an estimated $1.5 trillion was stolen by cybercriminals as illicit profit, is finally behind us! Yes, you read that correctly – $1.5 trillion. If there were a comic line that existed with the ability to soften that number, we would place it here. But, alas, we’re left with just this gut-wrenching stat.
With cybercrime securing top headlines all over the globe, industries including the financial realm are now approaching their information security with an unprecedented level of care and interest. And this is a good thing – despite the fact that it took a figure like $1.5 trillion to spur this kind of action (okay, that’s the last mention of that number, I promise).
As we’ve discussed before, mid-sized credit unions are particularly appetizing targets for cybercriminals. Sure, the payout for an all-out breach at an organization with an asset size between $500 million and $2 billion may pale in comparison to the breach of a massive organization like Chase or Bank of America, but the approach is far easier. Smaller organizations in the stage of growth and development where they are expanding membership and opening new branches are often playing catch-up with their cybersecurity.
How can your organization in this stage better promote a stronger security environment in 2019?
Let’s take a look at what many financial institutions are and will be doing over this quarter: contracting new vendors to manage components of their business.
Vendor Selection Criteria Focused on Cybersecurity
Vendors do great things for small to mid-sized credit unions every day, all over the country. If it weren’t for the interconnected economy allowing third-party service providers to host servers, perform penetration tests, and audit business, many financial organizations wouldn’t be able to even get off the ground.
But it’s often these third-party vendors that cybercriminals target in order to obtain your organization’s sensitive information.
Let’s protect this critical data by mitigating your risk!
It starts with a focus on managing third-party service providers and understanding the potential risk those relationships pose to your business. Ensure they are aware that their information security controls and policies (or lack thereof) directly affect your own risk levels. Take action to assess your vendors’ security environment before an attacker does.
Looking for a trusted partner to provide a thorough assessment of your vendors to ensure your most critical data is in safe hands? Take a look at how Rivial has been providing this service since the inception of our company over a decade ago.
From a compliance perspective, many regulatory authorities understand the tremendous risk associated with third-party vendor security. As a result, they’ve updated their regulations to include vendor security requirements. We’ve laid them out for you here.
The FDIC and NCUA both require banks and credit unions to:
- Evaluate the overall effectiveness of the third-party relationship and the consistency of the relationship with the financial institution’s strategic goals.
- Review any licensing or registrations to ensure the third party can legally perform its services.
- Evaluate the third party’s financial condition at a minimum annually. Financial review should be as comprehensive as the credit risk analysis performed on the institution’s borrowing relationships. Audited financial statements should be required for significant third-party relationships.
- Review the adequacy of the third party’s insurance coverage.
- Ensure that the third party’s financial obligations to others are being met.
- Review audit reports or other reports of the third party, and follow up on any needed corrective actions.
- Review the adequacy and adherence to the third party’s policies relating to internal controls and security issues.
- Monitor for compliance with applicable laws, rules, and regulations.
- Review the third party’s business resumption contingency planning and testing.
Don’t Fall Asleep On Your Security
Do your due diligence: understand the cyber maturity of your vendor partners and identify where there are vendor accountability gaps. Remember, some vendors need to have access to your critical data in order to effectively perform their services. Others definitely don’t.
Consult with security professionals to gain insight into which vendors have access to which data, and take action to make sure that only the ones who truly need it have it.
We know you don’t sleep on your organization’s cybersecurity. So please don’t sleep on your vendors’ security this year either.