From social media apps to exercise tracking and online shopping, today consumers are producing data at an unprecedented rate and businesses of every type are under pressure to ensure the safety of that data and maintain customer trust. But there are few
types of data more sensitive than financial information – which means businesses in the financial services sector have a particularly tricky task to navigate.
In recent years, this has been compounded by the requirement for more stringent data regulation, notably initiatives such as GDPR. Add to this the number of high-profile data breaches that have occurred in recent years and the list of cyber security related
needs a business faces grows long indeed.
Alongside customer expectations of appropriate security are financial organisations own desires to remain innovate and competitive. In many cases, this involves bringing in third parties and becoming a part of shared banking systems – exposing them to an
even broader threat perimeter than ever before.
According to research from law firm RPC, the number of data breaches reported in the UK by financial service firms increased by 480% in 2018; suggesting that all too often organisations aren’t equipped to deal with the risks facing them.
Third-party vendors: risks and rewards
Once upon a time, protecting data and maintaining security in financial services was very much a case of handling the direct relationship between the business and its customers – and of course, blocking malicious attacks. Nowadays, in order to deliver the
most cutting-edge services and experiences, financial institutions find themselves working with third-party vendors to extend their capabilities, ranging from the providers of real-time payment APIs to professional services vendors.
At the same time, initiatives like Open Banking are actively opening up the conversation around collaboration, providing the framework and the driver for more integrated services across the board.
Yet there’s no escaping the fact that the risk of breaches – whether accidental or resulting from a malicious attack – increases significantly with every new party introduced to the security ecosystem.
Whose fault is it?
A number of high-profile cases have illustrated the dangers inherent in this new world of collaboration.
In 2017, credit reporting firm, Equifax suffered a major breach which saw 400,000 British accounts and a staggering 143 million U.S. accounts compromised, with details including names, social security numbers, email addresses and more being stolen, alongside
209,000 credit card numbers. Failure to renew a public-key certificate - purchased from a third party - which was needed to manage the data encryption process was one of many errors which led to the incident.
Clearly, dangers from third-party vendors are not to be underestimated. Particularly because even when a breach
is caused by a third-party vendor, this distinction is very rarely made in the minds of customers (or the press).
So, while nobody would dispute that enhanced collaboration can drive product innovation and therefore improve the customer experience, the flipside is greater risk – and more difficulty establishing exactly where the burden of responsibility lies.
Security is for life, not just for Christmas
If they’re going to protect their customers, their systems, and their reputations, financial institutions need to act. But despite the pressing nature of this issue, few are fully equipped to deal with the changing nature of risk.
It’s standard to conduct a threat risk and vulnerability analysis of a vendor upon entering into a new third-party agreement, at which point both sides will agree on the specific security requirements needed. While this approach is commonplace, it’s also
flawed – because it only reflects the vendor’s risk level at that specific moment in time.
As those in charge of cybersecurity know all too well, digital threats can emerge in a moment and wreak havoc in minutes. So, security requirements can often be much more fluid than they may seem at first. Plus, as the Equifax example showed, maintaining
processes is just as important as implementing them. Unfortunately, few banks have the internal resource, skills, or budget to assess this on a regular or even semi-regular basis.
Complicating matters further, it’s difficult to develop a standardised approach to risk analysis. When you consider the full range of third-party vendors that financial institutions work with, the issues at play – and thus the risks they pose are hugely
varied. For example, a professional services vendor presents a very different threat than a piece of integrated software. As a result, it’s historically been difficult to implement a straightforward testing mechanism that can efficiently and regularly account
for the full gamut of potential issues.
Investing in risk-management
If financial institutions are going to successfully manage third-party risk, they have to put more robust processes in place. This could include contractually obligating vendors to security and privacy practices, as well as regular review of policies, procedures
and certifications.
On the bright side, as the risk has grown, a number of technologies have developed to help businesses internally manage their risk on a continual basis. Doing this requires a well-rounded, integrated approach that covers many bases – including firewalls
and ongoing threat intelligence.
While this heightened level of management will likely be time and resource intensive, it’s certainly possible – and should be a priority. Because whether it’s protecting customers’ personal information or their savings, banks and other financial institutions
have to maintain rigorous security standards. If they don’t, it’s not just their customers’ data at risk – it’s their business’ reputation on the line, too.