Vendor cybersecurity monitoring provides real-time data on vendors’ cybersecurity by collecting and assessing publicly available information. It detects threats and vulnerabilities before they are exploited so that action can be taken to prevent breaches.
Cybersecurity ratings can:
Our recent webinar, Not One & Done: Making the Case for Continuing Cyber Monitoring for Third-Party Cyber Risk, revealed that many financial institutions have questions about cyber monitoring.
Here are the most common ones:
Cyber monitoring and cybersecurity overlap with many other areas. Many financial institutions already conduct risk assessments that touch on them, including GLBA risk assessments, IT risk assessments, and vendor management risk assessments.
To create efficiencies, don’t create a separate risk assessment just for cyber monitoring data, since that data is already part of other assessments. The best practice is to pick one area where you’ll cover this issue and then cross-reference it as needed, so that the same risk assessment work isn’t duplicated in different areas, which wastes time and could yield conflicting results.
Vendors don’t want to provide the details of these results because they have a legitimate concern that a leak of this information could threaten the security of their systems. Fortunately, this information should be covered by a third-party audit and the accompanying SSAE 18 report. Not sharing security testing results is only concerning if the vendor doesn’t have an SSAE 18 audit to demonstrate its security, because that creates a real lack of visibility. Vendors should also be able to release redacted versions of their vulnerability scans and/or penetration test results to demonstrate their security practices.
No. It’s just like checking a vendor’s credit score. The vendor has no say in it, and vendor cyber monitoring poses no danger to the vendor. Cyber monitoring only reviews public information. Discovering dark web chatter about a vendor won’t increase the risk that vendor faces. In fact, you can help improve your vendor’s security posture by informing the vendor of the vulnerabilities you find.
Every vendor will have issues at some point, and most will be minor. It’s up to your institution to define its risk appetite and set thresholds. If an alert is high-risk based on your definition, make sure that alert reaches the right person to take the appropriate action. The best systems provide details you can share with your vendor. Communicating with your vendor is key to getting cyber issues resolved.
It’s included as an innovative question. If you engage in cyber monitoring, you can answer yes and attach a report showing results, scores, or alerts. There is no clear guidance for what constitutes evidence, but it’s certainly helpful to show through an attachment that you have a control in place and it’s working. The auditor can always ask for more information if needed.