Chief information security officers (CISOs), IT directors, compliance managers, legal counsel, and vendor procurement specialists will need to work together to perform due diligence on third-party vendors, negotiate new contracts, revise old contracts and continually monitor third-party relationships. The same principles that apply to any outsourced service also apply to third-party cybersecurity risk management.
The reason: The New York State Department of Financial Services (DFS) wants banks and related institutions to do their utmost to ensure that third-party technology firms and other service providers don’t suffer a cybersecurity breach that affects critical non-public customer data. The regulatory agency’s new rules, effective March 1, are a bit easier to follow than the originally drafted ones. Still, they call for banks and similar entities to establish a cybersecurity risk management program under the jurisdiction of the chief information security officer (CISO). Monitoring third-party vendors must be included in that program.
New York’s provisions shouldn’t come as a surprise for banks and others following similar federal guidelines. The Office of the Comptroller of the Currency (OCC) has already called on all US banks to keep a closer eye on how they monitor outsourced services. New York State has just heightened awareness when it comes to cybersecurity risk.
Nonetheless, bank compliance directors should be concerned about how rigorously the DFS will enforce its new rules. In the past, DFS has imposed steep fines on banks that failed to implement its anti-money laundering rules, so it stands to reason it also won’t be lax when it comes to its cybersecurity rules. “The DFS has not provided any clear guidance on how far it will go to penalize banks affected by third-party vendors whose cybersecurity breach affects the bank’s operations and critical non-public data,” says Charles Horn, a partner with the law firm of Morgan, Lewis & Bockius in Washington, D.C. “Banks won’t know the extent of enforcement until they are faced with the actual reprimand or fine.”
That uncertainty will be felt by CISOs, or boards of directors, who have to provide the DFS with annual certifications of compliance with the new rules, starting in February 2018. The DFS rules don’t expressly state that a CISO or board members are personally liable for mistakes. However, a false or inaccurate certification would be a violation of the DFS rules. Such a violation would subject the bank or other financial institution that submitted the deficient certification and even a person who signed or approved it to regulatory criticism or enforcement action. The narrower issue of legal liability aside, a bad certification puts the bank and its officials in the hot seat. No one wants to be the next day’s headline news.
Practical Due Diligence
So what should a bank’s CISO or board be doing to protect themselves and the bank from regulatory action? For starters, a bank needs to review its contracts with third parties and, if necessary, amend them to incorporate the DFS’ new requirements. That’s a monumental task given that a bank could have dozens if not hundreds of relationships with counterparties, technology providers, consultants, accountants and even public relations agencies that could fall under the broad category of third-party vendors.
How can one CISO or technology department be expected to do initial due diligence, let alone monitor relationships on an ongoing basis? An estimated 20 to 30 percent of the CISO and IT department’s time is already spent on evaluating and monitoring external service providers and counterparties. That doesn’t leave much time to keep track of what’s going on inside the bank’s own walls.
Fortunately, the DFS isn’t expecting banks to use the same level of care for all third parties they do business with. The ones holding critical non-public customer or bank data have the highest priority, because they are where a cybersecurity breach can cause the most damage. To reduce this risk, banks could limit customer data or other non-public data to as few third parties as possible.
Asking for third-party certifications and audits should provide some level of comfort. For larger vendors, the use of standard reports such as the AICPA Service Organization Control (SOC) report would be necessary. Smaller vendors might offer an alternative assessment such as the Statement on Standards for Attestation Engagements (SSAE) 16.
Asking tough questions about the vendor’s cybersecurity risk management program is the next step. “Do you have a documented information security policy and program, and can you provide evidence of that?” is the first question that should be asked, says Sean Cronin, president of ProcessUnity, a vendor risk management software provider in Concord, Mass. The data security program should include strong passwords, multifactor authentication to prevent logins from new systems and unidentified devices, data encryption, and an audit trail that identifies who can see which type of data.
Naturally, the bank needs to know where the data is stored, because many vendors have multiple data centers. Data availability is just as important as data security. Therefore, vendors should have plans for backing up data centers and telecommunications lines to ensure business continuity.
Warren Finkel, managing partner of ACE IT Solutions, a New York-based cybersecurity technology firm, recommends that banks consider adapting their due diligence questions on third-party cybersecurity risk to those developed by the Alternative Investment & Technical Executive Club (AITEC). That’s a close-knit group of chief technology and chief information officers at alternative and traditional fund management firms. “The AITEC’s questions were developed by specialists for the specific purpose of evaluating third-party vendor risk and go even further than the questions asked by large banks,” he explains.
Because data breaches are now considered inevitable, all organizations should have documented plans for dealing with them. Contracts should include provisions for detecting security breaches and for prompt responses by the third-party vendor. Of course, determining whether a breach has actually taken place or was averted can become problematic. Just like the bank, the third-party vendor could easily be fending off multiple attempted data breaches every day.
Does the bank need to be informed of every near miss? Not really. “Banks should only be informed of attempted targeted breaches that were averted rather than automated or untargeted attacks where the hacker was trying to find a network to break into,” recommends Cronin.
Whatever the situation or explanation given, at the very least the bank should document the response. “Banks need to create a paper trail of what occurred and what was done to either prevent the breach or mitigate the potential financial harm if one has happened,” says Horn.
One not-so-obvious question is how the third party will defend itself against ransomware, that is, the potential for critical stolen data to be held for ransom. The question is revealing because a successful ransomware attack depends on the serial failure of about a dozen security measures, including firewall blacklisting, anti-spam filtering and endpoint security software, as well as security training and procedural defenses.
“The response should yield a very good sense of how well-prepared the vendor is regarding technical, procedural and personal defenses,” says Eldon Sprickerhoff, chief security strategist for eSentire, a global cybersecurity services company headquartered in Cambridge, Canada. “The same defenses that can help defend against a ransomware attack are well-suited to a number of other cyberattacks, including insider threats.”
Of course, the stricter the provisions the bank requires, the higher the potential costs. That is where vendor procurement specialists come into the picture. They might not know everything about cybersecurity risks, but because they are on the front lines of knowing how the vendor works, vendor procurement managers are in the best position to negotiate contract terms. A little give and take is to be expected, but there may come a time when a bank needs to walk away from a potential relationship or terminate an existing one. Ultimately, the bank needs to feel confident that the cybersecurity program at its vendor is as solid as its own.
By far the most difficult part of handling third-party relationships is managing the extended family — often called the fourth-party vendors. Software providers typically outsource hosting functions to data center providers such as Amazon Web Services and Microsoft Azure. Therefore, banks need to obtain security assurances from both their primary and secondary vendors.
“Can you provide a list of third parties or facilities that store, process or contain your customer data, and the controls that are in place to protect that data?” is one of the critical questions that CISOs should ask of their third-party vendors, says Cronin. Ideally, each third-party vendor should have an inventory of the firms it does business with and assurances that those other parties have controls and policies in place that are as stringent as the bank’s.
One question that should never be overlooked is the financial soundness of the third-party vendor. Vendors in poor financial condition are more likely to take shortcuts that compromise data security. They might even go out of business and cut off services altogether. Financial information is easier to find on large public vendors than on smaller privately held ones. Regardless, the bank should still ask how many years the vendor has been in business and whether any of its clients would be willing to serve as a reference.
Once the due diligence process is completed and the contract is signed, the even harder part begins. How does a bank keep track of how well the vendor is protecting critical data on an ongoing basis? The answer depends on the importance of the data, the amount of data and the number of data centers involved. Annual visits and quarterly vulnerability testing should be the minimum standard, followed by quick remediation of any shortcomings found.
“Threat checks and services that provide external risk exposure should be based on the full spectrum of the Internet,” recommends Finkel, whose firm monitors the dark web, peer-to-peer social media and other nefarious websites for data breaches. “We typically find compromised credentials, leaked documents, cyber exploitation threats and technology risks,” he says. Regardless of whether the data is stolen by an insider or external vendor, the security breach needs to be immediately addressed.
Ultimately, a bank’s decision on whether to start a third-party relationship, and on how it will be monitored or ended, is a judgment call. Even the most meticulous analysis and documentation doesn’t offer certainty. It only mitigates the potential for a data breach costing millions of dollars down the road. At the very least, it could also help keep the DFS at bay.
“The fact that New York State rushed to declare itself first in the nation to adopt a detailed set of rules suggests that its local government is only too eager to place onerous requirements on the financial sector and as a consequence expand opportunities to collect fines,” writes Steven Lofchie, a partner with the law firm of Cadwalader, Wickersham & Taft, in a recent blog post. “That said, firms must abide by the new compliance obligations and do their best not to give New York State an opportunity to collect.”