At face value, it may not seem right that your organization should have to worry about your vendors’ cyber security programs. However, even for firms with state-of-the-art security systems, a vendor’s compromised connection is often an Achilles heel that hackers are quick to exploit. It’s a lesson that Target — among others — has learned the hard way, as the company’s remote access system became the entry point for a catastrophic data breach in 2014.
In a recent survey of 40 banks and financial institutions, the New York Department of Financial Services discovered that firms within the finance industry may not be fully grasping the threat that third-party connections can pose. Nearly one-third of respondents claimed they do not require vendors to report data breaches and other intrusions. Fewer than 50 percent claimed to conduct on-site assessments of third-party vendors. Adding to those concerning statistics, about one in five do not require their vendors to enforce their cyber security protocols on their subcontractors.
Following from these results, the department is planning several actions. First, it will conduct a similar survey among insurance firms to determine whether the same problem exists across these sectors. Then, it will decide on further actions, including whether new cyber security rules are needed to ensure security between these firms and their vendors.
With compromised remote connections and vendor security issues behind some of the most visible cyber security incidents in recent months, it’s to be expected that agencies and industry consultants will continue in the vein of the New York Department of Financial Services, investigating this security concern and taking follow-up actions. As such, it’s important that both financial firms and their vendors take action to ensure the security of data sharing and networking between them.
For financial firms, a good place to start is with an audit of third-party vendors to ensure they understand potential vulnerabilities and can put the appropriate safeguards in place. A complete strategy will then take further action: instituting a plan for regular auditing, documenting security standards based on best practices, and ensuring that vendors’ subcontractors are also following protocol.
Lunarline provides expert consulting and security solutions to public and private organizations that require state-of-the-art auditing for their systems, as well as those of their third-party vendors.
For more information on how we can help your company with auditing or other cyber security initiatives, please visit lunarline.com or contact us today!