Seven Valuable Lessons on Third-party Risk Management

Recently, a leading bank made headlines for suffering a massive third-party data breach that compromised tens of thousands of its customers’ personal data. Third-party associations help banking and financial institutions deliver innovative solutions and products to cater to customer demands. Often, third-party alliances are risky and, therefore, require a highly responsive and resilient third-party risk management framework.    

This blog will dive into the lessons a high-profile third-party attack can teach about third-party risk assessments to reduce compliance, operations, and brand disruptions. 

What is Third-party Risk in the Banking & Finance Industry? 

Third-party risk is a potential risk that banking and financial institutions can encounter from external parties like software and technology partners for customer communication, invoicing, and CRM, and vendors like auditing, brokerage, and insurance firms. Third-party businesses also provide services or perform functions on behalf of banking companies and have access to their ecosystems, confidential data, or customers’ personally identifiable information (PII).  

Even though banks have high-end cybersecurity protocols and impenetrable systems, vulnerabilities in third-party environments and systems make them susceptible to breaches and cybersecurity attacks. The common risks from third-party associations include operational, reputation, credit, transaction, and compliance risks.  

Many reputed brands have been impacted by third-party breaches that allow unauthorized access to employees’ and customers’ personal data, such as social security numbers, names, medical histories, driver’s licenses, marriage certificates, and more. The information is sold on the dark web or held for ransom, leaving employees and customers vulnerable to identity threats and online extortion.   

iTech GRC utilizing IBM OpenPages’ third-party risk management solution (TPRM) reduces probable third-party risks for enterprises across industries, including banking and non-banking companies. It safeguards the confidential data shared with vendors from misuse and unauthorized access over the network.  

What We Know about the Recent Third-party Data Breach? 

A renowned bank in the U.S. informed its customers of a third-party data breach that compromised customers’ private data, such as names, addresses, social security numbers, dates of birth, and banking information. The incident occurred sometime in November last year after the bank’s third-party vendor portal was hacked by the LockBit ransomware gang.    

According to the vendor’s breach notification information, hackers accessed the systems, which led to the non-availability of certain applications. The ransomware attack encrypted over 2,000 vendor systems. The data breach incident occurred just months after another third-party service provider connected to the bank announced customer data exploitation from ransomware.    

To date, LockBit remains one of the most notorious ransomware gangs known to have executed at least 600 attacks in the second half of 2023. Previous attacks of LockBit targeted critical infrastructure and leading healthcare companies in the U.S. According to sources; the ransomware gang has reportedly collaborated with another gang called the ALPHV/BlackCat.    

7 Learnings About Managing Third-party Risk in 2024 

Nearly 62% of data breaches happen because of third parties. Moreover, 54% of businesses do not verify their third-party vendors thoroughly. The latest technological innovations also strengthen cybersecurity assaults, which makes partnering with third-party vendors somewhat risky for companies in any industry vertical.     

Third-party risk assessment exposes potential cybersecurity and non-compliance risks from third parties. Organizations can automate third-party risk assessments using tools like IBM OpenPages to unlock benefits like automated reporting, risk scoring, data collection, workflow automation, and seamless integration into third-party systems.  

The recent security breach of a well-known bank is a blatant reminder for banking and fintech companies’ CISOs, CROs, and cybersecurity and data privacy teams to mediate on these crucial learnings: 

1. Regulations Evolve: 

Third-party vendor associations and contracts are highly regulated under laws, including the EU’s GDPR, Payment Services Directive 2(PSD2), and others. In June 2023, the U.S. Federal Board (FRB, FDIC, and OCC) jointly issued third-party risk management guidelines. The new guidance replaces the agencies’ previous guidelines on third-party risk management. It also emphasizes strong risk management practices commensurate with the banking organization’s size, complexity, risk profile, and the nature of the individual third-party relationship.   

Changes and new legislation by regulatory agencies create room for compliance risks. Given these regulatory shifts, banks need third-party risk management solutions to better understand the evolving risk and regulatory landscape and have end-to-end visibility of their vulnerabilities and compliance gaps.    

2. Common Breach Vectors Exist:  

Ransomware is the most common third-party attack. A Black Kite-sponsored 2021 report finds that 53% of CISOs said their organization was affected by at least one ransomware attack in the previous year!   

Attackers can infiltrate the network, followed by a ransomware attack, contributing to 15% of breaches. Unsecured databases and servers are also common entry points, which make up 12% of breaches. Malware, software vulnerability, human errors, and phishing are a few other third-party attack methods.   

Understanding common vectors provides better insights for improving defenses to protect resources and assets attached to third-party vendor environments.  

3. Never Rule Out External Risks: 

There are risks beyond the third party’s internal locus of control. Those can include physical risks such as natural disasters, damage from accidents, and acts of terrorism. A third-party vendor may fail to update their annual business continuity and disaster recovery (BC/DR) plan. They can also have unsecured server configurations or weak policies regarding password management and virtual private networks (VPNs) for remote access. Lawsuits, non-compliance fines, and bankruptcy are other external factors that cannot be ruled out.   

Third-party vendor audits help assess vendors’ cybersecurity and vulnerability management stances using appropriate performance metrics and reporting. It is mandatory to look for the latest proof of third parties’ internal risk assessments, penetration testing, and compliance reports.  

4. Make Room for Fourth-party Risks: 

Fourth-party entities include vendors, suppliers, and partnership associations that a third party is connected to. They pose significant risks to banking companies because keeping track of who they are, their role, and their impact on their operations is challenging. Fourth-party risks are a huge blind spot in risk assessment practices, and monitoring them as a separate process is complex.   

Fourth-party vendors are equally vulnerable to cybersecurity attacks, which can have ripple effects on the organizations they are connected to. Therefore, banking firms need a holistic third-party risk assessment program that identifies fourth-party relations and associated risks and includes clauses to define the scope of risks, responsibilities, right-to-audit, due diligence, and continuous monitoring.   

5. Banking Interconnectivity is a Risk Factor: 

Third-party associations in the banking and fintech space have increased since the COVID-19 pandemic to support the transition to digital platforms and cloud-based as-a-service offerings. Network interconnections and centralized architecture are necessary to improve network latency, data exchange, and speed of operations to impact customer experience.    

Moreover, the entire ecosystem’s interconnectivity amplifies third-party risks as it loops banking firms with other entities, their network, IT infrastructure, platforms, material risks, and other vulnerabilities. This calls for a frequent review of network security processes of third-party connections. In addition, banks must implement robust measures like patch management protocols and vulnerability detection and remediation to safeguard their environment against network hacking and data losses.   

6. Strong Data Defense is a Necessity: 

Third-party risk incidents are common in the banking and fintech industry because they are a treasure trove of customer data for cybercriminals. Third-party contracts involve inordinate data exchange. In the absence of adequate data storage, transfer, and protection policies, the risk of data breaches, regulatory non-compliance, and forced access into systems is common.   

Comprehensive guidelines on data storage, transfer, and processing activities and implementing least-privilege access management help mitigate damage. Enterprises must also incorporate periodic employee training and add more authentication layers to vendor credential management to prevent hackers from stealing credentials or infiltrating systems 

7. Costs & Time are Valuable Currencies: 

A study by IBM and the Ponemon Institute found that the global average cost of a data breach in 2023 was $4.45 million. The finding also revealed a 42% increase in breach detection and escalation costs, suggesting a level of complexity in breach investigations. Also, identifying and containing a breach can take nearly nine months on average.   

In a hyper-digital age, cost and time are essential currencies for managing an organization’s cybersecurity. Banking companies must consider security AI and automation enabled by tools like IBM OpenPages for third-party risk management. IBM’s study also confirms that organizations can incur average savings worth $1.76 million from using security AI and automation. 

Explore iTech GRC’s Third-party Risk Management  

iTech GRC and IBM partnership is ideal for managing third-party vendor risks. You can also explore the AI enhancements in IBM OpenPages with Watson to manage your end-to-end GRC needs.   

Contact our GRC expert team to augment your enterprise third-party risk assessments using OpenPages Third-party Risk Management Solution (TPRM).