Mitigating Risk in Your Vendor Network
9 November 2015
A group of hackers were recently charged with stealing not-yet-public corporate news releases covering earnings reports, personnel changes and other material information, then trading on it to the tune of $100 million in illegal proceeds. The largest crime of its kind ever prosecuted was orchestrated by a team of cybercriminals from the U.S., Ukraine and Europe.
This story is a prime example of the expansion and increased sophistication of financial cybercrime, a true network effect. The hackers were opportunistic – they didn’t directly attack the affected companies, but exploited the vulnerability of the firms’ newswire partners. It is a cautionary tale for banks and financial institutions that share sensitive information with a network of vendors that includes professional service firms, regulators, and business partners. As the risk of security breaches continues to grow, and the regulatory environment becomes more stringent, it is imperative for financial firms of all stripes to take steps to mitigate risk in their vendor networks.
It is standard operating procedure for employees of banks, insurance companies and securities firms to share sensitive, often regulated, information outside their organizations. In the course of their work, they share market-moving data beyond their firewall: think about the information sent to colleagues and outside parties while working on regulatory exams, filings, compliance programs, financial crimes and other highly sensitive material. Add to that protected customer information and you have a perfect storm for an impactful data breach. Matthew L. Schwartz, a former federal prosecutor in New York, was quoted in the Associated Press coverage of the $100 million hack, saying, “The lesson in this is your information is only as secure as the people you share it with. If you share that information with a news service, a PR firm or even a law firm, then you need to make sure that it's secure.”
Vendor Risk Management is a two-sided coin, security and compliance, and either side can lead to costly consequences if not addressed and monitored regularly. The security side, of course, involves the vulnerabilities and exposure that come from sharing documents with vendors and other third parties outside your own firewall and security system. Risks include vulnerable third-party portals, insecure FTP sites, thumb drives, unprotected documents, and email that can be intercepted or may carry malware.
The compliance side requires the ability to prove adherence to all applicable regulations, which includes attesting to the fact that your business partners are fully compliant as well. Compliance no longer ends at the door of your office: it is no longer enough to have an impermeable firewall, strong security within your company intranet, and the workflows to ensure compliance. As a financial institution governed by myriad state and federal regulations, you must ensure that the vendors in your ecosystem can demonstrate the same level of compliance with all of the same laws.
Advancements in technology and increasingly networked infrastructure have enabled more and more business functions to be outsourced to vendors that specialize in handling different elements of financial operations. This is especially true in the realm of electronic payments, consumer lending, financial services marketing, reporting and fulfillment. These vendors essentially become an extension of your organization. Whether it is payments, news releases, legal issues, fulfillment services or marketing campaigns, you rely on other companies to do business. All these companies make up your vendor network, and any of them can potentially become the source of a data breach that violates regulations governing data privacy and security. Such breaches negatively impact brand equity, stock price, reputation and consumer trust.
To successfully mitigate risk in your organization, there must be a top-down policy of awareness and adherence. Risk management needs to start at the executive level and permeate throughout the entire organization and vendor network, supported by a culture of compliance and technology that enables enforcement. Given the stakes, vendor risk management can no longer simply be a line item in the IT department budget. It must be viewed as a strategic initiative.
Ten Ways to Manage and Mitigate Vendor Risk
- Institute a strong data protection policy and make sure everyone in both the client-side and vendor organizations is educated on it, not just when they are hired but through periodic refreshers that remind even long-time employees how to remain diligent and conscientious.
- Use technology to support compliance. Secure collaboration software that provides an audit trail for each document and offers information rights management (IRM) allows you to control files well beyond your firewall. Suggest that your vendors adopt this technology as well.
- Consider who else your partners do business with that may be a target for a cyberattack. Do they share cloud services with a company in a frequently targeted industry? While you may not be doing business directly with other companies in your vendors’ networks, those companies become a fourth party to you, and a potential source of risk.
- Take a good look at your vendors’ security policies. How are they protecting their business, and your data?
- Educate your vendors on the regulations that govern your business. Make sure that their workflows and technology demonstrate compliance with all the applicable regulations. Make it a habit to regularly update your vendors on changes to regulations.
- Include criteria for information security technology and workflow compliance in RFPs, RFIs, and contracts when you seek new vendors.
- Audit your vendor network. Identify areas of your business that may be at risk based on your external business relationships and create ways to mitigate that risk – using technology or adapting workflow.
- Add specific language to your service level agreements (SLAs) to reflect the standards to which you will hold your vendors.
- Work closely with vendors to implement steps to identify and resolve issues before they become critical. Work together to contain and control risks.
- And finally, have an established process that vendors can refer to whenever a breach happens or a process or technology is called into question. Create a clear set of guidelines including an escalation procedure and communication protocols that vendors can follow should the need arise.
Effectively managing vendor risk will protect your organization and your customers. Your vendors provide valuable services and are vital partners to your success. Make it your policy to proactively work with them to protect your organization’s interests and, ultimately, your customers’ interests and privacy.
Mark Kalen is worldwide director of product strategy and marketing for financial services at Intralinks. Mark received his MBA from Boston University and has worked for over 15 years in financial services as an executive and consultant, serving in a variety of roles including Sr. Director Risk and Compliance, VP Operations, and VP Product. His experience includes tenure at JP Morgan, Deloitte & Touche, State Street Bank, Wolters Kluwer, and Fidelity Investments.