“Managing third-party cyber risks has rapidly become the number one concern for businesses”

BitSight and CeFPro have revealed the results from their new global study

A new global study has been conducted by BitSight and the Centre for Financial Professionals (CeFPro), looking into the financial sector and their views on third-party cyber risks in the industry. The report was officially released early this month.

“The report highlights a number of potential solutions and ways forward,” said Andreas Simou, managing director at CeFPro.

The study also considered how these financial institutions are addressing the challenges associated with third-party cyber risks.

The report stated that, predominantly, businesses view the management of third-party cyber risks as “critical.” However, “a lack of continuous monitoring, consistent reporting, and other blind spots are creating challenges that could leave organisations vulnerable to data breaches and other consequences.”

This lack of continuous monitoring may be concerning, but it is hardly surprising when a single organisation can be working with hundreds – even thousands – of third parties at a time. New potential risks are constantly cropping up, adding another third-party to the list of those that should be actively managed by the organisation.

In their report, BitSight and CeFPro further stated: “The financial industry, in particular, has a massive business ecosystem made up of legal organisations, accounting and human resources firms, management consulting and outsourcing firms, and information technology and software providers.”

One or all of these areas could present an organisation with a potential weak spot in their cyber defence plan. Therefore, it is vital that this area of security is constantly monitored by the business—particularly when it comes to protecting the exchange of data or sensitive information.

“Managing third-party cyber risk has rapidly become the number one concern for businesses,” said Jake Olcott, vice president of communications and government affairs at BitSight.

“Many in the financial sector are taking action to manage that risk, but, as our survey shows, there is vast room for improvement in key areas like continuous monitoring and effective board reporting.”

Cyber risks coming from these third-parties that interact with financial institutions are one of the key drivers behind business decisions, with 97% of respondents to the survey admitting that they view this to be a major issue.

80% of respondents reported that they had terminated, or would consider declining, business relationships based on the vendor’s cyber security performance.

Despite these high statistics, only 1 in 10 organisations currently have roles specifically dedicated to vendor/third-party/supplier cyber risks.

Beyond this, one of the major issues the study revealed was the lack of consistency in third-party risk measurements and reporting.

Simou said: “This report raises a number of interesting questions and challenges for the industry. With C-Suite professionals taking responsibility, it is clear that the vast majority of respondents’ organisations understand the critical importance of third-party cyber risks. It is also apparent that there needs to be clarity going forward, with increased communication up to the board level.”

44% of respondents said that they were reporting on risks in this area to their executives or board on a regular basis. Conversely, 1 in 5 of these respondents highlighted the fact that their board or executive is not confident in this area and does not understand the approaches taken by third-party risk management (TPRM).

Although C-Suite professionals are looking to take responsibility in this area – and proving to be effective in many ways – it is clear that those at board level need to be more involved in the communication, as well as helped to fully understand what these threats entail.

A further way in which to improve the management of cyber risks through third-parties could be the development of the tools used, as the majority are reportedly “not using critical tools”.

The respondents to the survey revealed that they rely on the likes of questionnaires, facility tours, and onsite assessments. Although these do provide them with information, this only allows for “limited visibility” into third-party cyber risks.

22% of financial organisations are currently using security ratings for the continuous monitoring of the cyber security performance of those third-parties. A further 30% are evaluating security ratings providers. Although this is a promising start, all financial organisations need to follow suit.

The report stated: “Looking toward the future, respondents are focused on making their security programmes more effective while staying up to date on new regulations and prioritising continuous monitoring and visibility.”

As technological advances continue, cyber security will become more of an issue in future. It is unsurprising, then, that TPRM challenges and concerns for the future are growing.

“Although there has been a significant increase in effectiveness, attention, and resources focused toward third-party cyber risk over the last few years, there is still much to be done—utilising more effective tools and techniques to overcome the ever-increasing challenges being faced within the industry, with third and fourth-party cyber risk as just one key area to be addressed,” said Simou.

Nonetheless, new tools for best practice in this area are becoming more readily available, and these will help organisations to more easily address some of the key challenges that have been uncovered in this survey.

The summary of the report concluded: “[To] effectively manage this growing risk and stay ahead of future challenges, organisations must utilise best practices and trust continuous monitoring solutions like security ratings to help measure and manage their cyber risk with third-party risk data that is accurate and actionable.”

The full report can be found here.
