Vendor cybersecurity monitoring provides real-time data on vendors’ cybersecurity by collecting and assessing publicly available information. It detects threats and vulnerabilities before they are exploited so that action can be taken to prevent breaches.
Cybersecurity ratings can:
- Uncover and address cybersecurity issues that need to be resolved before they are exploited.
- Identify third-party vendors that pose real-time risks, allowing a financial institution to take proactive steps to mitigate the threat.
- Determine which vendors are most susceptible to a cybersecurity breach.
- Identify vendors that are not aligned with your institution’s cyber risk appetite.
Our recent webinar, Not One & Done: Making the Case for Continuing Cyber Monitoring for Third-Party Cyber Risk, revealed that many financial institutions have questions about cyber monitoring.
Here are the most common ones:
Do we need a specific risk assessment for vendor cyber monitoring, or does it fall under vendor management?
Cyber monitoring and cybersecurity overlap with many other areas. Many financial institutions already conduct risk assessments that touch on them, including GLBA risk assessments, IT risk assessments, and vendor management risk assessments.
To create efficiencies, don’t have a separate risk assessment just for cyber monitoring data, because it is already a part of other assessments. The best practice is to pick one area where you’ll cover this issue and then cross-reference it as needed, so that the same risk assessment work isn’t duplicated in different areas, which wastes time and could yield conflicting results.
My vendor’s policy is that it won’t release the results of vulnerability scans or penetration testing. Is this a red flag?
Vendors don’t want to provide the details of these results because they have a legitimate concern that a leak of this information could threaten the security of their systems. Fortunately, this information should be covered by a third-party audit and accompanying SSAE 18. Not sharing security testing results is only concerning if the vendor doesn’t have an SSAE 18 audit to demonstrate its security because it creates a real lack of visibility. Also, vendors should be able to release redacted versions of the vulnerability scans and/or penetration testing to demonstrate their security practices.
Do vendors need to know you’re engaging in cyber monitoring?
No. It’s just like checking a vendor’s credit score. The vendor has no say in it, and vendor cyber monitoring poses no danger to the vendor. Cyber monitoring is just reviewing public information. Discovering dark web chatter about a vendor won’t increase the risk the vendor faces. In fact, you can actually help improve your vendor’s security posture by informing the vendor of the vulnerabilities.
How do you know when a cyber monitoring issue is important?
Every vendor will have issues at some point and most will be minor. It’s up to your institution to define its risk appetite and set thresholds. If an alert is high-risk based on your definition, then make sure that alert will get to the right person to take the appropriate action. The best systems provide you with details you can share with your vendor. Communicating with your vendor is key to getting cyber issues resolved.
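As an added illustration of setting thresholds by risk appetite and routing high-risk alerts to the right person (example code, not from the original post or any monitoring product): the vendor tiers, threshold values, owner roles and sample alerts below are all constructed assumptions.

```python
# Added example: triage vendor cyber-monitoring alerts against institution-defined
# risk-appetite thresholds and route escalations to a named owner.
# Tiers, thresholds, owners and sample alerts are constructed for illustration.
from dataclasses import dataclass

# Risk appetite: the lowest cyber rating tolerated per vendor tier, plus the
# alert severities that must be escalated rather than simply logged.
RISK_APPETITE = {
    "critical": {"min_rating": 80, "escalate": {"high", "critical"}},
    "moderate": {"min_rating": 70, "escalate": {"critical"}},
    "low":      {"min_rating": 60, "escalate": set()},
}
# Who receives escalated alerts (constructed role names, not real contacts).
OWNERS = {"critical": "ciso", "moderate": "vendor-manager", "low": "vendor-manager"}

@dataclass
class Alert:
    vendor: str
    tier: str       # vendor criticality tier from the vendor-management program
    rating: int     # monitoring service's current cyber rating, 0-100
    severity: str   # severity assigned by the monitoring service
    finding: str    # detail that can be shared with the vendor for remediation

def triage(alert: Alert) -> dict:
    """Decide whether one alert is logged or escalated, and to whom."""
    appetite = RISK_APPETITE[alert.tier]
    below_appetite = alert.rating < appetite["min_rating"]
    escalate = below_appetite or alert.severity in appetite["escalate"]
    return {
        "vendor": alert.vendor,
        "action": "escalate" if escalate else "log",
        "owner": OWNERS[alert.tier] if escalate else None,
        "reason": ("rating below appetite" if below_appetite
                   else f"{alert.severity} severity finding" if escalate
                   else "within appetite"),
        "share_with_vendor": alert.finding,
    }

# Constructed sample alerts as a monitoring service might report them.
SAMPLE_ALERTS = [
    Alert("core-processor", "critical", 85, "high", "TLS 1.0 still enabled on a public host"),
    Alert("core-processor", "critical", 72, "low", "rating dropped after a certificate expired"),
    Alert("marketing-saas", "low", 65, "high", "database port reachable from the internet"),
]

def triage_all(alerts=SAMPLE_ALERTS) -> list[dict]:
    return [triage(a) for a in alerts]

if __name__ == "__main__":
    for result in triage_all():
        print(result)
```

The same finding (a high-severity exposure) is escalated for the critical-tier vendor but only logged for the low-tier one, which is the point of tying thresholds to your own risk appetite rather than to the monitoring service's severity alone.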
How is cyber monitoring integrated into the FFIEC’s CAT?
It’s included as a question at the Innovative maturity level. If you engage in cyber monitoring, you can answer yes and attach a report showing results, scores, or alerts. There is no clear guidance on what constitutes evidence, but it’s certainly helpful to show through an attachment that you have a control in place and that it’s working. The auditor can always ask for more information if needed.