Third-party vendors enable community banks to deliver essential products and services to consumers, but they can also be a weak link in a bank’s cybersecurity strategy.
The events of 2020 have made it imperative for banks to focus on protecting their employees, consumers and valuable assets — making cybersecurity a persistent priority for executive management. Ransomware has escalated at an alarming rate, leading community banks to engage even more with managed security service providers to strengthen their cybersecurity strategies. Given the critical nature of omnipresent cybersecurity and the continuous dependency on third-party providers, here are some practical tips for managing third-party risk in your cybersecurity strategy.
1. Collaborate Across Your Institution
It’s common to have a dedicated vendor management team or department at community banks, but it’s important to avoid a silo mentality when dealing with risk. Know your bank’s risk appetite and make sure everyone involved in risk management knows it as well.
Evaluate third parties against that appetite. Vendor assessments are critical to ensure your business will reap the benefits of the services you expect to receive.
Document third-party products and services in your environment. Update operational, IT and cybersecurity policies, as well as business continuity plans to include your vendors, outlining their roles and responsibilities — especially in the event of an outage, incident, or disaster.
2. Due Diligence Is Key
Ensure your bank has a detailed process for evaluating third parties prior to signing contracts. One good way to prevent a third-party cyber incident is to ensure third parties have strong cybersecurity programs. The Federal Financial Institutions Examination Council states, “Financial institutions must understand the complex nature of arrangements with outside parties and ensure adequate due diligence for the engagement of the relationships and ongoing monitoring.”
Establish how your bank’s data is handled to protect the privacy of your employees and customers. Who owns the data and who has access to it? How long will data be retained? What happens to data if you terminate your contract? Make sure the bank documents data ownership and management in its third-party contracts. A data breach caused by a third party can endanger customer privacy and violate data privacy laws, including the General Data Protection Regulation and California Consumer Privacy Act.
3. Trust but Verify
After determining the need for third-party services and conducting due diligence to ensure the best fit, it’s important to ensure that those services continue to perform as expected. The phrase “trust but verify,” while originally used in a political context, is often used to describe this practice in vendor management.
Periodically review the bank’s vendors to ensure they’re meeting the obligations set in their Service Level Agreements (SLAs), which can help address issues before an incident occurs. If appropriate, the board should consider engaging an independent provider to audit, monitor or alert on any issues that could impact the vendor’s ability to meet its SLA.
Banks should consider supporting their vendor management strategy with technology solutions that can:
- Track vendors, subsidiaries, relationship owners, documentation and contacts.
- Perform vendor due diligence and analyze criticality, usage and spend.
- Deliver surveys and risk assessments to external third-party contacts.
- Manage contract review and renewals.
- Coordinate with legal, procurement, compliance and other functions.
- Monitor key vendor metrics via personalized dashboards and dynamic reports.
Third-party risk is an important component of any bank’s cybersecurity strategy and should align with its enterprise risk management and information security programs. Using a common risk framework that includes vendor management will promote collaboration, integration and visibility across the bank. Ultimately, the result is a reliable and consistent process that can help you protect and service your customers.