Managing Third-party Cybersecurity Risk in Financial Services (22 May)
Financial services companies of all kinds understand financial risk and have tried-and-true strategies to manage that risk. But what about cybersecurity risk? This is a much newer kind of risk—one that we know can have significant financial consequences—and it’s starting to get executive- and board-level scrutiny.
What is third-party cybersecurity risk?
With the emergence of cloud computing, remote and mobile workforces, fintech solutions, and more, a lot of applications and data may live outside the corporate network in the care of third-party vendors and systems. But it gets even more complex. The third parties you work with have their own third parties—sub-contractors, service providers, and other partners—who represent an additional layer in the equation: fourth-party risk. This means many financial services organizations are potentially vulnerable to risks from companies they’re not even aware are part of their technology ecosystem.
It’s no longer just an IT issue
In the early days of computers and networks, when there was a strong perimeter—and it was very clear what was “inside” or “outside” the network—cybersecurity and its associated risk were managed by IT. But a breach can have massive business repercussions, including remediation costs, fines, lost business, and reputational damage. That’s why financial companies are looking to manage third-party cybersecurity risk not only within their technology environments, but as part of a due diligence process, such as during mergers and acquisitions (M&As). In fact, a Gartner survey from 2017 indicates that third-party cybersecurity risk data regularly influences the decisions of 78% of organizations’ boards of directors.
Managing third-party cybersecurity risk in your IT infrastructure
The FDIC has issued guidance for managing third-party risk. It notes that “The key to the effective use of a third party in any capacity is for the financial institution’s management to appropriately assess, measure, monitor, and control the risks associated with the relationship.” The document also lays out four main elements of an effective third-party risk management process: risk assessment, due diligence in selecting a third party, contract structuring and review, and oversight.
When it comes to your IT infrastructure, there are a lot of suppliers supporting your organizational connectivity and communications. These relationships are challenging to manage from an operational perspective, let alone as part of a third-party risk management program (TPRM). It can be very time- and resource-consuming to conduct the proper due diligence and ongoing oversight on each individual supplier. Partnering with one vendor can reduce the compliance burden.
BCM One is your trusted partner
When you work with BCM One, you get a trusted partner who only works with vetted providers to deliver a wide range of technology solutions, including cloud, managed connectivity services, unified collaboration, network monitoring and management, managed security, and more. You not only save time, money, and headaches, but you can simplify your third-party risk management.
Contact us to learn how BCM One can help you.