Can Your Third-party Vendor Fend off Cyber Attacks?
What do the Bangladesh central bank and your third-party vendors have in common? They need to be taking steps to protect themselves and customers from cyber attacks.
The threats are real. Earlier this year hackers who aimed to steal $1 billion stole $81 million from the Bangladesh central bank’s account at the Federal Reserve Bank of New York via the SWIFT international fund-transfer network, American Banker reports. Other institutions have fallen victim, including those in Ecuador, Vietnam and the Philippines, Reuters reports. In May the FBI issued a private alert warning American institutions to be aware of a “malicious cyber group,” the news service says.
What does this have to do with your third-party vendors? Everything.
As a result of these attacks, the Federal Financial Institutions Examination Council (FFIEC) released a statement on June 7 highlighting best practices for cyber risk vulnerability management “to remind financial institutions of the need to actively manage the risks associated with interbank messaging and wholesale payment networks.”
One of the statement’s most common refrains: stay on top of third-party vendors. It’s mentioned five times in the five-page document.
FFIEC's BEST PRACTICES FOR VENDOR MANAGEMENT
What should institutions be doing? The statement recommends these five vendor management best practices.
- Adequately monitor vendors’ information security systems, practices and policies.
- Regularly verify that third-party testing of vendors’ information security systems is satisfactory.
- Ensure vendors are contractually obligated to report security incidents to the financial institution.
- Perform adequate initial and ongoing due diligence reviews of third-party vendors. This includes reviewing all reports provided by vendors.
- Address business continuity planning and testing with third-party vendors. Vendors must be able to demonstrate their ability to “quickly recover and maintain payment processing operations,” the statement says.
While none of these requirements are new, the statement is an important reminder that proper vendor management is critical to limiting third-party risk and blunting the impact of growing cyber threats. Vendor management is far more than mitigating the risk of an examiner’s negative finding. Appropriate vendor management helps decrease the risk of major cyber security breaches.
Make sure you have a strong system for ensuring your vendors can detect and fend off cyber attacks—their IT practices are just as important as your own.