Third-Party and Cybersecurity Risk Management

By Stephanie Schwenn Sebring

2018 will be the year of improving governance, risk and compliance efforts in relation to cybersecurity, including the impact of third-party providers.

Kevin Malicki lives and breathes risk management for his clients. Director of product management, GRC at CUES Supplier member Harland Clarke, San Antonio, Texas, Malicki thinks effective risk management for 2018 is going to have everything to do with an expanded view of cybersecurity threats and how using third-party providers plays into that broadened view.

“Consider the Equifax disaster. It brought to light that risk to client data can leave any organization vulnerable,” Malicki says. “The breach also broadened the risk profile for many—including credit unions—and changed what regulators now expect in terms of cyber risk management.” He notes that cyber threats have not only become more pervasive but also more potent, affecting companies in nearly every sector and posing a significant risk to financial institutions.

As the Equifax mess also illustrates, third-party risk is a higher priority than ever before. With credit unions’ increasing reliance on third parties, including for cloud storage solutions, and with the sharing of personal identifiable information (such as Social Security numbers) with third-party providers, downstream risks become a larger issue.

“Not only does an institution need to vet its vendors, but the companies those third-party providers partner with should also come under scrutiny,” explains Malicki. For example, payroll processors may rely on a cloud service to transmit data. Service businesses often use hosted email platforms. And, it’s becoming more common for third parties to outsource certain functions to fourth parties, such as a lending relationship that subcontracts customer care, billing or collections.

It can be difficult to go far enough along the vendor trail to ensure proper security measures are in place throughout the chain, but it is imperative. “Improving oversight of third-party risks is more than keeping an inventory of vendors and storing policies via Word or Excel,” adds Malicki. “Eliminating multiple sources of tracking can help make the process more efficient.”   

What should credit unions do?

  • Monitor third-party relationships, which inherently have more risk. Scrutinize these relationships just as you would at your own financial institution.
  • Ensure third (and even fourth) parties match their security efforts to yours—and that they are doing everything you are to secure and protect client information.
  • Be diligent when assessing risk. Prepare for worst-case scenarios. Conduct third-party risk audits regularly—at least annually.
  • Use a “SMART” (specific, measurable, achievable, realistic, timely) checklist for third-party audits.
  • Understand that risk impacts more than just return on investment.
  • Build controls throughout the risk management line, including firewalls, technology stacks and password controls.  

Improving Governance, Risk and Compliance Efforts

Harland Clarke’s compliance software solution, GRC Spotlight™, offers a single software solution and holistic approach to risk management. With a cloud-based platform, financial institutions can automate business processes, reduce enterprise risk and facilitate regulatory compliance across the enterprise, says Malicki. Users of the software can also customize modules based on need—including for third-party, incident and policy oversight, as well as workflow automation.

“As third-party cyber risk is increasing, the complexity of regulatory requirements is expanding accordingly,” concludes Malicki. “Financial institutions integrating new technologies must take care to balance and manage their regulatory risks.”  

Stephanie Schwenn Sebring established and managed the marketing departments for three CUs before launching her business. As owner of Fab Prose & Professional Writing, she assists credit unions, industry suppliers and any company wanting great content and a clear brand voice. Follow her on Twitter @fabprose.
