Five tips for checking vendor cybersecurity

Third-party vendors are a key part of the cybersecurity equation, but all too often these firms are not doing enough.

Banks rely on third-party vendors for everything from legal services to companies contracted to run their HVAC systems. These vendors can access the financial institution’s information technology systems, which may offer a potential point of entry for hackers.

A report earlier this year from the New York Department of Financial Services (NYDFS) found just one in three of 40 banks surveyed do not require their vendors to notify them of cybersecurity breaches.

Benjamin Lawsky, the chief regulator, said: "A bank's cyber security is often only as good as the cyber security of its vendors. Unfortunately, those third-party firms can provide a backdoor entrance to hackers who are seeking to steal sensitive bank customer data. We will move forward quickly, together with the banks we regulate, to address this urgent matter."

The NYDFS also found that fewer than half conduct any on-site assessments of their third-party vendors.

Meanwhile, one in five of the banks surveyed do not require third-party vendors to demonstrate they have established minimum information security requirements. Just one in three of the banks require their information security requirements to be applied to subcontractors of the third-party vendors.

Under half the banks in the survey require a warranty of the integrity of the third-party vendor’s data or products.

Based on this, banks and other financial institutions should follow these five basic pointers for cybersecurity.

  • Ensure third-party vendors are required to notify the institution of any cybersecurity breach.
  • Conduct on-site assessments of third-party vendors.
  • Require those vendors to comply with minimum security standards.
  • Ask for vendors to extend these requirements to subcontractors.
  • Get a warranty of the integrity of the vendor’s data or products. The NYDFS said it is planning a rule that will require banks to get warranties from vendors.