BID® Daily Newsletter
Jan 23, 2025


Overseeing Third-Party Vendors’ Cybersecurity

Summary: A recent survey of financial institution executives revealed due diligence and oversight for third-party vendor cybersecurity is inadequate. We highlight key findings and provide strategies to strengthen vendor cybersecurity.

The first computer virus, and subsequently the first anti-virus software, came into existence in the 1970s as experiments. Researcher Bob Thomas created The Creeper, a program that moved across 10 mainframe computers using the ARPANET network, a predecessor of the internet. His coworker, Ray Tomlinson, wrote a new version of The Creeper that replicated itself as it moved across the network, thus creating the first computer virus. Tomlinson then wrote another program called The Reaper, which detected and removed the self-replicating Creeper program, thus creating the first anti-virus software.
While most community and mid-size financial institutions rely on third-party vendors to support their cybersecurity programs, consistent due diligence and oversight appear to be lacking, creating a significant risk, according to a recent cybersecurity survey by Jones Walker LLP.
The national law firm polled 125 executives at financial institutions with less than $50B in assets to learn about their cybersecurity practices, including monitoring the practices of their third-party vendors. The firm learned that there is considerable variation in the level of due diligence conducted, despite many such activities being recommended by federal banking regulators. They found that 15% of breaches last year involved a third party or a software or hosting supplier.
While the use of outside vendors can create powerful partnerships and allow for vast capabilities, it’s important to remember that your third-party vendors’ security is your security. For that security to be effective, you must still conduct thorough due diligence and remain vigilant in your oversight of the third party’s practices.
The following are ways that your institution can best reduce third-party cyber risk:
  • Routinely review vendor service policies and controls. Currently, only half of the financial institution executives surveyed investigate their third-party cybersecurity policies and procedures — and only 51% even require that cybersecurity policies exist. Institutions should not only conduct thorough due diligence before they contract with third-party cybersecurity providers, but they should then also regularly monitor and review the provider’s policies, systems, and security controls. Two good places to start are with SOC 2 reports and ISO certifications.
  • Ensure security breach protocols are addressed. For vendors that are engaged in high-risk activities, financial institutions should ensure that the vendors’ responsibilities and activities are clearly defined and included in their service contracts. Vendors should be required to have information security programs and clear guidelines on security breach protocols, particularly around swiftly notifying financial institutions of data breaches and protections against financial losses from a breach. Right now, only half of the banking executives surveyed say their financial institutions mandate a prompt alert when a breach occurs, and only 43% investigate a vendor’s history of breach incidents. Some vendors consider full documentation of their Information Security Program, including breach response, proprietary. If this is the case, request summary documents or a table of contents for breach response reports and ensure you have the latest update.
  • Include the ability to audit vendor security controls. When it comes to audits and testing controls, just 42% of financial institutions test their third party’s cybersecurity systems, and 58% don’t even require their third-party vendors to adhere to any security protections. Institutions should have the right to regularly audit a vendor’s security practices and to require that any identified vulnerabilities be remediated. Auditors should look for specifically detailed services, security controls that protect both institution data and the systems processing that data, and robust indemnity and liability provisions to mitigate the financial institution’s risk if a breach related to the third-party vendor occurs. If any critical or high gaps in security are identified, be sure to request follow-up documentation after the vendor has addressed these issues.
  • Require alerts of major policy changes. Third-party vendors might make operational or strategic changes to their cybersecurity policy, and financial institutions should know about it. Only 26% of financial institutions require this type of notification, and 27% mandate notifications for when their third-party vendor uses a subcontractor. Awareness of these changes is paramount to ensuring that a third party’s cybersecurity is performing the way it should.
The silver lining noted in the survey is that there are tools and resources financial institutions can take advantage of at minimal to no cost to assist with creating or improving cybersecurity strategies for third-party contracts.