As digital data continues to proliferate at exponential rates, its allure to cybercriminals is matching the pace. Financial services institutions are just off the starting blocks when it comes to dealing with emerging and rapidly evolving cyberthreats. And while addressing the threats within their own institutions is the appropriate first priority, focus then must shift quickly to mitigating risks to their data assets that have been entrusted to third parties for processing.
An April 2015 report from the New York State Department of Financial Services (DFS) details the vulnerabilities in the relationships that many financial institutions have with their third-party vendors. According to the DFS report, one out of three banks surveyed does not require third-party vendors to notify the bank of cybersecurity breaches, and fewer than half conduct any on-site assessment of their vendors.
DFS Superintendent Benjamin Lawsky, who maintains a sharp focus on cybersecurity issues, has pointed directly to vulnerabilities that may exist when financial services institutions rely on third-party vendors' back-office and other services. Many of those vendors, he has noted, "have access to a financial institution's information technology systems, which can provide a back-door entrance for hackers."
Lawsky's comments and the report should provide officers and directors of financial institutions with a clear indication that vendor relationships will receive increased regulatory scrutiny in 2015 and beyond.
Managing widely dispersed data risk
It is a common practice in 2015 to outsource back-office functions to third parties that can accomplish the required work at a fraction of what it would cost U.S. banks and financial services entities to do in-house. Activities such as standard mortgage application processing and functions such as customer service call centers and human resources can be accomplished offshore at tremendous savings. But as Lawsky has correctly observed, "a bank's cybersecurity is often only as good as the cybersecurity of its vendors."
Managing risk across an often widely dispersed network of third parties can be a daunting task, particularly if starting from scratch. Among the first steps for a bank's chief information security officer or other responsible party is to gain buy-in from top executives and the board of directors for a strategy to mitigate the risk of unauthorized access to data being held or processed by third parties. That support will be crucial in rolling out...