Building a Third Party Risk Management Program

By: Jake Olcott, VP of Business Development at BitSight Technologies.

When looking at cyber security threats to your credit union systems, it is no longer sufficient to adopt best practices for your own institution without evaluating the practices of all your vendors and partners. Considering some of the high-profile breaches of the past few years—including those affecting major corporations such as Target, American Express, and Experian—it is evident how serious third party breaches can be.

These breaches cost a great deal to the companies and customers affected. It is critical that credit unions move forward with plans to evaluate and mitigate the risks posed by vendors and other business partners. In light of this growing need, BitSight Technologies recently hosted a webinar entitled “How to Build a Third Party Risk Management Program” for credit union executives around the nation.

Legal Implications of Ineffective Third Party Risk Management

Third party risk management programs are more than an obligation to your customers; these programs are being brought to the forefront and scrutinized by those conducting oversight. During BitSight’s webinar, credit union executives participated in a poll indicating that 85 percent of them had been asked by regulators about their third party risk management practices. In fact, regulators are starting to pursue actions for failure to properly implement programs to prevent third party cyber risk.

What are the Immediate Steps to Ensure Appropriate Third Party Cyber Security?
There are four key steps to take for a top-notch security program:

  1. Identify and Tier Third Parties: A working group including IT, IT security, procurement, and legal should identify and classify vendors. Vendors handling data that is regulated or confidential should be prioritized as critical.
  2. Assess Security: There are a number of methods credit unions can use to assess security. In BitSight’s webinar poll, the most common tool used by credit union executives was audits and requests for documentation, with nearly all respondents already doing these. In addition, about a quarter of executives involved in the webinar said they were conducting onsite visits or desk assessments; 38 percent of managers are currently using vulnerability scans and penetration tests, and 43 percent of the webinar poll respondents were also using questionnaires.
  3. Negotiate Contractual Terms: Existing contracts need to be reviewed to ensure they reflect the level of security you expect. Use “point in time” tools to evaluate third parties.
  4. Ongoing and Continuous Monitoring: This involves constant oversight integrated into the lifecycle of the security assessment process, and leverages the use of automated feeds.

The Vendor Risk Management Maturity Curve

This curve represents each step of the security process as outlined above. When asked which level on the vendor risk management curve their credit unions fall, 16 percent of executives at BitSight’s webinar said they were at level one, just over half of all executives were at level two, 30 percent were at level three, and two percent were at level four. One obstacle many executives face in reaching levels three and four, especially at small organizations, is that the process can become costly and require extensive manpower.

The entire webinar slide deck with in-depth graphics, tips, techniques, and tools your credit union can leverage is available for download here.

BitSight Technologies is the NAFCU Services Preferred Partner for Cybersecurity Ratings for Vendor Risk Management and Benchmarking. More educational resources and partner contact information are available at

How To Build A Third Party Cyber Risk Management Program

By: Jake Olcott, VP of Business Development at BitSight

Modern integrated business processes have dramatically expanded the attack surface of organizations in all industries. Institutions can no longer ignore the risk presented by vendors or other business partners, especially with regulatory bodies pushing for formal risk management of vendors and third parties. Assessing cyber risk adds to this challenge. It is one thing to make sure your organization is ready to deal with evolving threats; it is even more difficult to ensure your third parties are also prepared.

So, how can credit unions start evaluating the cyber risk associated with their vendors? More importantly, how can credit unions make this process efficient and cost-effective?

Using the right tools and techniques, those in charge of security and risk can drastically reduce third party cyber risk even if it’s not their primary responsibility. Below are four tips on how to save time and money in this process:

  1. Tier Your Third Parties

Some of your third parties have access to sensitive data that could compromise your employees and customer base. However, it’s likely that many others only have access to nonsensitive data. Identify your most important third parties and spend the most time assessing their security programs. Most organizations use a three or four-tier system.

  2. Adjust Your Contracts

Making sure that the contracts you’ve signed with your third party vendors reflect the level of security you expect is a critical step in managing and reducing third party cyber risk.

  3. Use a Mix of Information to Assess Vendors

There are many ways organizations currently evaluate third party cyber risk. These typically include: standard security assessments and questionnaires, vulnerability scans, penetration tests, on-site visits, and data obtained through continuous monitoring. Taken together, these methods provide a good snapshot of an organization’s security posture.

  4. Continuously Monitor Your Critical Vendors

Just as your organization seeks to continuously monitor its own environment for security risks, it is critical to continuously monitor your critical third party vendors. Cyberspace is a dynamic environment, and security postures can change overnight. Monitoring your vendors and setting up alerts when security incidents arise is a more efficient way to assess and reduce security risk.

Join Jake for his webinar, “How To Build A Third Party Cyber Risk Management Program,” on August 24 from 2-3pm ET where he will offer tips, techniques, and tools you can leverage to make it an efficient and cost-effective process for your credit union. Click here to register today.


Top 3 Cybersecurity Metrics To Begin Tracking

By: Melissa Stevens, Senior Digital Marketing Manager, BitSight

Creating a vendor risk management program is of utmost importance in today’s threat landscape. So if you don’t have a program in place already, you may be wondering where—and how—you should get started. One of the building blocks for any security program is the creation of actionable cybersecurity metrics. These will help you go beyond “yes” and “no” answers in your own organization (and your vendors’) and see exactly how well-prepared your company is to protect against cyberthreats.

Below, BitSight has outlined three of the most important metrics your credit union should start monitoring right away.

1) Number of botnet infections per device over a period of time.

This is, without a doubt, the number one cybersecurity metric that every credit union must monitor. By examining how many botnet infections have taken place on your network—and what types of botnets you’ve dealt with—you can better prepare for (and protect yourself against) these types of attacks.

For example, if your organization is able to successfully track this metric, you may be able to shorten the detection deficit. Let me explain. The quicker you can identify a security breach or incident and fix it, the less likely you are to have something catastrophic happen to your organization. In other words, the greater the speed at which you can identify that something is happening on your corporate network and appropriately respond to it, the greater the likelihood of preventing the hacker from getting a foothold in your organization. If you’re able to keep that amount of time as close to zero as possible, you’ll be in far greater shape.

The problem is, many organizations don’t just have a gap of minutes between the intrusion and the solution—sometimes it takes them hours, days, weeks, or even months to identify and fix a security breach (this is where the term “detection deficit” comes in). By closely monitoring the number of botnet infections that take place on your corporate network—and the time it takes you to remediate those infections—you’ll be taking important steps toward reducing this deficit.

2) Percentage of employees with super-user access who are monitored.

Whether through an insider who has decided to go rogue or an external attacker who is trying to take advantage of someone’s super-user privileges, gaining “the keys to the kingdom” gives a hacker everything they need to take control of a corporate infrastructure and wreak significant material damage. For this reason, knowing who has super-user access and monitoring those individuals closely for internal or external issues is a very important metric. It will also give you enough insight to determine whether you’re providing too many individuals with unlimited network access, so you can reduce privileges to only those individuals who actually need them.

3) Percentage of critical vendors whose cybersecurity effectiveness is continuously monitored.

Traditional vendor risk management practices only offer you a snapshot in time. Even if you perform audits, penetration tests, and vulnerability scans, you still won’t know what’s going on with your vendors’ security on a day-to-day basis. But continuous risk monitoring changes this. It allows you to look at the third parties you’ve deemed as critical—usually those who have access to sensitive data or direct corporate network connections—and determine in real-time how they’re performing in regard to cybersecurity. This will allow you to make data-driven decisions about those vendors that are best for your organization.
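As an added example (not BitSight’s or NAFCU’s code), the following Python computes the three metrics above from constructed records: an infection log with both closed and still-open cases, an account roster with super-user and monitoring flags, and a tiered vendor list. The device, account and vendor names, tiers and timestamps are all constructed; an open infection is counted as open up to the report date so that unresolved cases widen the measured deficit rather than disappearing from it.

```python
# Added example (not BitSight's or NAFCU's code): the three metrics computed
# from constructed sample records. Every name and timestamp below is constructed.
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Optional


@dataclass
class Infection:
    device: str
    family: str                     # constructed botnet family label
    observed: datetime              # when the infection was first detected
    remediated: Optional[datetime]  # None while the infection is still open


# Constructed device inventory and a 30-day observation window (dates arbitrary).
DEVICES = ["ws-001", "ws-002", "ws-003", "srv-001", "srv-002"]
WINDOW_START = datetime(2016, 8, 1)
WINDOW_END = datetime(2016, 8, 31)

# Constructed infection records; the srv-001 record predates the window.
INFECTIONS = [
    Infection("ws-001", "family-A", datetime(2016, 8, 3, 9), datetime(2016, 8, 3, 15)),
    Infection("ws-002", "family-A", datetime(2016, 8, 10, 11), datetime(2016, 8, 12, 11)),
    Infection("ws-003", "family-B", datetime(2016, 8, 20, 8), None),
    Infection("srv-001", "family-B", datetime(2016, 7, 15, 8), datetime(2016, 7, 16, 8)),
]


def in_window(infections, start, end):
    """Infections first observed within [start, end)."""
    return [i for i in infections if start <= i.observed < end]


def infections_per_device(infections, devices, start, end):
    """Metric 1: botnet infections per device over the window."""
    if not devices:
        return 0.0  # no inventory means no meaningful ratio
    return len(in_window(infections, start, end)) / len(devices)


def hours_open(infection, as_of):
    """Hours from first observation to remediation, or to `as_of` if still open."""
    end = infection.remediated if infection.remediated is not None else as_of
    return (end - infection.observed).total_seconds() / 3600


def median_hours_to_remediate(infections, as_of):
    """Median time-to-remediate; open cases count as open until `as_of`."""
    if not infections:
        return 0.0
    return median(hours_open(i, as_of) for i in infections)


def open_infections_over_sla(infections, as_of, sla_hours=72):
    """Devices whose infection is still unremediated for longer than the SLA."""
    return [i.device for i in infections
            if i.remediated is None and hours_open(i, as_of) > sla_hours]


# Constructed account roster: super-user flag and whether activity is monitored.
ACCOUNTS = [
    {"user": "alice", "superuser": True, "monitored": True},
    {"user": "bob", "superuser": True, "monitored": False},
    {"user": "carol", "superuser": False, "monitored": False},
    {"user": "dave", "superuser": True, "monitored": True},
]


def pct_superusers_monitored(accounts):
    """Metric 2: percentage of super-user accounts under monitoring."""
    superusers = [a for a in accounts if a["superuser"]]
    if not superusers:
        return 0.0
    return 100.0 * sum(1 for a in superusers if a["monitored"]) / len(superusers)


# Constructed vendor list: tier 1 = critical, plus a continuous-monitoring flag.
VENDORS = [
    {"name": "core-processor", "tier": 1, "monitored": True},
    {"name": "card-services", "tier": 1, "monitored": False},
    {"name": "hr-payroll", "tier": 2, "monitored": True},
    {"name": "office-supplies", "tier": 3, "monitored": False},
]


def pct_critical_vendors_monitored(vendors, critical_tiers=(1,)):
    """Metric 3: percentage of critical-tier vendors continuously monitored."""
    critical = [v for v in vendors if v["tier"] in critical_tiers]
    if not critical:
        return 0.0
    return 100.0 * sum(1 for v in critical if v["monitored"]) / len(critical)


def metrics_report():
    """All three metrics for the constructed data, keyed by metric name."""
    window = in_window(INFECTIONS, WINDOW_START, WINDOW_END)
    return {
        "infections_per_device": infections_per_device(INFECTIONS, DEVICES, WINDOW_START, WINDOW_END),
        "median_hours_to_remediate": median_hours_to_remediate(window, WINDOW_END),
        "open_over_sla": open_infections_over_sla(window, WINDOW_END),
        "pct_superusers_monitored": pct_superusers_monitored(ACCOUNTS),
        "pct_critical_vendors_monitored": pct_critical_vendors_monitored(VENDORS),
    }
```

Calling `metrics_report()` on the constructed data gives 0.6 infections per device, a median of 48 hours to remediate with `ws-003` flagged as open past a 72-hour SLA, two of three super-users monitored, and half of the critical vendors under continuous monitoring; the same functions run unchanged over a real infection log or vendor inventory with the same fields.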

BitSight is the NAFCU Services Preferred Partner for Cybersecurity Rating. Learn more at

Cybersecurity Vs. Information Security: Is There a Difference?

By: Melissa Stevens, Senior Digital Marketing Manager, BitSight

Is there a difference between cybersecurity and information security?

Not only is this a great question, but it’s something we’ve heard many times before. Cybersecurity and information security are so closely linked that they’re often thought of as synonymous. But, there are some important distinctions between the two. Below, we’ll explain those distinctions, review a couple important areas of overlap, and discuss why this differentiation—and the evolution of these definitions—matters in the security sector.

Information Security

Information security (or “InfoSec”) is another way of saying “data security.” So if you are an information security specialist, your concern is for the confidentiality, integrity, and availability of your data. (This is often referred to as the “CIA triad.”) Most modern business data resides electronically on servers, desktops, laptops, or somewhere on the internet—but a decade ago, before all confidential information migrated online, it was sitting in a filing cabinet. And some confidential information still is! InfoSec is concerned with making sure data in any form is kept secure and is a bit broader than cybersecurity. So, someone could likely be an information security expert without being a cybersecurity expert.

Cybersecurity

Cybersecurity is all about protecting data that is found in electronic form. Part of that is identifying what the critical data is, where it resides, and the technology you have to implement in order to protect it.

Overlap Between Information Security & Cybersecurity

There is a physical security component to both cybersecurity and information security.

If you have a warehouse full of confidential paper documents, you clearly need some physical security in place to prevent anyone from rummaging through the information. And as more data becomes digital, the process to protect that data requires more advanced IT security tools. So, while you can’t put a physical padlock on a desktop computer, you can put a padlock on your server room door. In other words, if your data is stored physically or digitally, you need to be sure you have all the right physical access controls in place to prevent unauthorized individuals from gaining access.

They both take the value of the data into consideration.

If you’re in information security, your main concern is protecting your company’s data from unauthorized access of any sort—and if you’re in cybersecurity, your main concern is protecting your company’s data from unauthorized electronic access. But in both scenarios, the value of the data is of utmost importance. Both individuals need to know what data is most critical to the organization so they can focus on placing the right controls on that data. In some scenarios, an information security professional would help a cybersecurity professional prioritize data protection—and then the cybersecurity professional would determine the best course of action for the data protection. But with the changing security landscape over the past decade, things aren’t always this black and white.

The Evolution Of Information Security & Cybersecurity

Over the last decade, we’ve seen a fusion between cybersecurity and information security, as these previously siloed positions have come together. The challenge is, most teams don’t have an information security professional on staff—so the responsibilities of a cybersecurity professional have expanded dramatically. Cybersecurity professionals traditionally understand the technology, firewalls, and intrusion protection systems needed, but weren’t necessarily brought up in the data evaluation business.

But today, that is changing. As this subject becomes increasingly important for businesses, the role of cybersecurity experts is evolving so they can properly protect data. Business partners and investors are increasingly aware of the importance of this topic, and companies are asked regularly about their effectiveness in securing data and managing risk in both cyber and physical forms.

In Summary

Because of the evolution of this position, it’s easy to understand why many people discuss cybersecurity and information security in the same breath. And, you can see how the questions that information security and cybersecurity try to answer are, in essence, the same:

  1. How do we define what data is critical to us?
  2. How do we protect that data?

Where do you see the industry moving in the next 10 years? Tweet @BitSight with your thoughts.


5 Pillars of Cybersecurity in Financial Services

By: Melissa Stevens, Senior Digital Marketing Manager, BitSight

Financial services are one of the best-performing sectors in terms of cybersecurity. BitSight analyzed the data to pinpoint a handful of basic facts, ideas, and principles that make the financial sector so successful at cybersecurity, and outlined those “pillars” below.

Pillar #1: You Have To Meet The Expectations Of Regulations (And Beyond).

Financial services is a regulated sector—and regardless of your feelings on regulation, it does get some interesting results. When you know that someone is holding you accountable and that this party has the authority to fine or potentially shut you down, you know you have to take action. Thus, financial service organizations typically have implemented proper protections and risk management solutions, invested in the right technologies, and hired the best talent.

And while regulations are mostly about compliance, it’s pretty well understood that compliance does not equal security. To properly manage risk (and go above and beyond your fiduciary duty), you need to identify the greatest threats to your organization and focus your time and attention there.

Pillar #2: You Must Have Vigilance In Your Cybersecurity Execution.

Any company could do the bare minimum when regulators come knocking and let things slide when they leave—but that would be a big mistake. Therefore, you need to continue to be vigilant every day, not only when you’re being monitored.

Executing consistently takes both training and resources. Part of the reason financial service organizations excel at cybersecurity is because of the amount of high-level executive buy-in. The top people in the organization typically demand and expect a strong cybersecurity posture and provide the resources needed to support world-class information security risk management programs.

Pillar #3: You Must Excel At Detection And Recovery.

High-performing financial service organizations recognize that you’re never going to stop every cyberattack. There are too many gaps and too many ways that someone can access and exploit a system. So while you need to excel at protecting your high-value assets and data, you also must excel at detecting security issues and recovering any data loss quickly and efficiently.

Pillar #4: You Need To Manage Risk In The Third-Party Ecosystem.

Many breaches that happen to financial service organizations originate on vendor networks. Financial organizations are keenly aware of risks in the supply chain and the need to properly manage those risks. This is a challenge of scale—how should an organization focus on areas that are of medium criticality and high criticality? This requires an investment of both time and resources; but when you consider the consequences to your data (or your members’ data) if a third- or fourth-party system goes down, it seems the investment is certainly worth it.

Pillar #5: You Should Consider Information Sharing.

Another thing the financial services industry does well is sharing information. The Financial Services Information Sharing and Analysis Center (FS-ISAC) is a mature industry forum created specifically for the financial services industry to share information about cybersecurity in their sector. In it, you’ll find a tremendous amount of collaboration around threat actors and the capabilities of those actors. Members feel that acting in collaboration is better than acting in isolation—which makes membership in the FS-ISAC extremely advantageous.

A Final Note On Cybersecurity In Financial Services:

Cybersecurity has been of great importance in the financial sector because of the amount of regulation in the industry. Even if you aren’t subject to regulations, one of your vendors likely is, and their organization could be breached, compromising your data.

But regulation isn’t the only reason that this is critical. It’s also critical because you’re in the business of trust. If your members lose faith in your ability to protect your information or provide a service reliably, your reputation and business may suffer as a result.
