Giving third party cyber risk a second thought
Article in Financial Director
Companies need to comprehend the danger of third party cyber risk.
News headlines stating that cyber attacks against the financial services industry have increased 1,000 percent from 2017 to 2018 would have undoubtedly caused panic among finance professionals across all sectors.
The data, which was obtained by tax and consultancy firm RSM after a freedom of information request from the FCA, actually refers to the number of reports of cyber attacks increasing. This is an important distinction as reports may have increased tenfold, but that does not necessarily mean that attacks are on the rise.
However, what should be making those within finance sit up and think is that research by the Ponemon Institute suggests that around two-thirds of cyber attacks are linked to third parties in the supply chain, such as payroll and other external providers. No business is an island and we all have to work with third parties in one capacity or another. For instance, businesses are likely to share resources online with a number of third parties such as vendors, potential new clients, new partners or acquisitions. Also, as organisations look to expand or improve efficiencies, they are likely to employ outside contractors.
This could be down to wanting to reduce and control costs, free up internal resources, streamline time-consuming tasks, access world-class talent and so on. The types of third parties that financial departments might work with include those supplying services, such as HR, payroll, telecoms, IT support, affiliated organisations, contractors and freelancers to name a few.
Depending on how many other organisations are in a supply chain, there could be a large number of potential entry points into a system and, in the event of a breach, a long trail to follow before the source is found and stopped.
As even the smallest of breaches need to be reported to the relevant supervisory authority within 72-hours under the GDPR, risking so many potential entry points is bad news for businesses whether they result in a loss or not. Organisations can face a potential business-crippling fine if the breach is discovered and reported by someone outside the business. As such, self-reporting is not only the best option, but it should be the only option.
With this in mind, the Information Commissioner’s Office states that businesses should have: “robust breach detection, investigation and internal reporting procedures in place. This will facilitate decision-making about whether or not you need to notify the relevant supervisory authority and the affected individuals.”
Sound advice indeed. Yet this does not just apply to what many people think about when they hear the words data breach – a huge, headline-grabbing event that includes information on millions of people. This is also applicable to smaller breaches that can happen on a daily basis.
Reducing risk from third parties is crucial; failing to do so could result in loss of data, money and reputation to name a few, as well as that previously mentioned fine if not reported. Significantly for financial institutions, the FCA will hold them responsible in the event that a security breach is the result of a threat actor gaining access to their systems via a third party and will issue a significant fine. The FCA is also threatening all finance companies viewed as not having an adequate data protection plan with a full data protection and cyber security audit, which will cause them considerable cost and disruption. But how do organisations know that those external businesses they are taking on, or are already a part of the supply chain, have robust cyber security measures in place?
Being responsible for checking the financial risk of any business initiatives, finance directors need to work with their IT security teams to determine the cyber security implications of a potential partner. Finance directors need to ensure cyber due diligence exercises are carried out before deciding whether or not to take on or continue with an external supplier. These use checks to determine the risk of a third party being a weak point through which threat actors could enter a network. Such checks need to continue on a regular basis once an organisation has been onboarded, as a moment in time analysis becomes outdated almost instantly.
This monitoring should feed into third-party risk management by helping an organisation measure, manage and reduce their exposure to third party and supply chain-related cyber threats. Financial directors are expected to read, consider and act upon huge amounts of information, much of it statistical, on a daily basis. As such, data on third-party risk should not significantly add to this workload, but instead be simple and quick to understand.
Fortunately, there is an industry-recognised rating system, similar to the well-known credit score, that immediately indicates how much of a cyber risk an organisation is – the higher the score the lower the risk. For example, an organisation that has a score of less than 400 presents a five-times greater risk than one that has a score above 700.
Such a monitoring service should also offer clear guidance to enable productive interactions with third parties where risks exist and how they should be mitigated to reduced cyber risk exposure.
It is important to consider what an acceptable risk is and what action to take in the event of a third party failing to correct a security issue. These should be then published and shared with third parties, along with looking at ways to reinforce these contractually. Businesses are built on cooperation and partnerships, and it is only right that organisations work together for their collective good. Such close working should make a business stronger, yet fail to manage the risk and it could end up making it immeasurably weaker.