By: Jacob Olcott, VP of Business Development, BitSight Technologies
How not to become a “Target”
October is cyber security awareness month, and there are few things more haunting to financial or retail institutions than the security breach that affected Target stores a few years back. The attack resulted in more than $40 million in debit and credit card numbers being stolen, and more than likely affected at least some of your members.
The scariest part of the security breach may be where it originated: its HVAC supplier. The attack highlights how important it is for financial organizations to have a well thought-out program to mitigate third party cyber risk.
Regulators are taking a closer look at third party risk management so the importance of employing best practices is not just practical, but legal as well.
Five Key Steps to Develop a Third Party Risk Management Program
Developing a risk management program doesn’t have to be difficult. There are five key points to consider for a plan, and several vendors and services that can help you to do so.
- Organize Internally. This means bringing together all teams that have an impact on, or are impacted by your cybersecurity or dealings with third party vendors. This would most likely include your legal, compliance, IT, and procurement teams.
- Identify and Prioritize Key Parties. It is important for credit unions to consider any third party that has either direct network connections to your organization or has access to sensitive data. This would include, but is not limited to, looking at your primary payment processor, largest software vendor, law firms, consulting firms, and benefits administrator. When prioritizing vendors, approach this from the position of your most sensitive data, likely your members’ financial data, and the level of access a third party has to that data.
- Evaluate your vendors’ security. This is traditionally done a number of ways such as using questionnaires, vulnerability scans, and audits. If you are not sure where to start, Shared Assessments is a good source that charges a fee for common questionnaires to send your partners regarding their cyber security efforts. If you are interested in developing your own questionnaire, the NIST cybersecurity framework is a good place to start. You can also do your own audits of your partners, but often companies will share their own documentation of audits they have done.
- Communicate. The importance of clearly communicating your expectations to your partners should not be overlooked. This should be done not only in writing in forms such as contracts, but verbally as well. It is important to develop a strong dialogue regarding your security concerns that is not just once, when you launch a partnership, but ongoing. The cybersecurity landscape changes on a daily basis so it is important for you and your partners to discuss where you are headed and how to stay ahead of the curve.
- Continuously Monitor Vendor Performance. This is another point not to be overlooked. Questionnaires and audits can only give you snapshots of a company’s security profile at one point in time. Actual security is much more fluid than that. NAFCU has partnered with BitSight Technologies as a preferred provider of monitoring services. BitSight essentially works like credit rating service for cybersecurity. They provide a number that indicates how strong a company’s security practices are on a continuous basis. BitSight calculates Security Ratings using a continuous process that gathers, processes, and assigns security data to arrive at the top-level security ratings.