Industry Insights with Matt Kunkel

Don't Let a Third-Party Data Breach Destroy Your Institution's Reputation

Strategies for Safeguarding Data and Reputation at Financial Institutions
Trust is important in every industry, but it's especially critical in the financial services sector. In today's increasingly digital world, trust isn't always easy to come by. Businesses no longer have complete control over their technology stack. Instead, they rely heavily on third-party solutions, applications and products to keep operations running smoothly. The rise of cloud computing, software-as-a-service, artificial intelligence and other foundational elements of the modern economic landscape has forced financial institutions to place more trust in external organizations.

While this trend is generally positive, it can pose real problems, particularly when third-party breaches are at an all-time high. Today, financial institutions need to consider not just their own cybersecurity, but that of their vendors as well. Even if a breach is caused by a third-party vendor, the bank remains the consumer-facing entity, and that's where the accountability - and blame - will lie. So how can financial institutions safeguard their reputations and their data from the potential fallout?

A Strong Vetting Process Is Critical

Brand reputation is a top-line consideration for financial institutions, and the impact of a data breach can reach far beyond the initial aftermath. Before granting an outside partner access to sensitive systems or data, banks need to ensure that the partner doesn't have lax security standards that are likely to result in a breach. That means it's important to have a stringent, thorough vetting process in place.

Unfortunately, that's not always simple. There is no standardized model for vetting potential partners, and the approach can vary significantly from one organization to another. While it's common for businesses to issue security questionnaires to potential partners or vendors, it's important to remember that those questionnaires are only as good as the people reading and interpreting them. An overly centralized due diligence process may lead to employees in procurement or accounting reviewing those questionnaires, which isn't particularly effective. Businesses that want to protect themselves need to decentralize the vetting process and involve security analysts, IT experts or even CISOs in the review.

Putting security questionnaires in the right hands helps a business understand a potential vendor's security posture, including its practices, likely vulnerabilities and the mitigations it would need. That is critical information the company can use, but it won't solve the problem on its own. A questionnaire can't reduce risk; it can only highlight it. Once risks are identified, it is incumbent upon the organization to gauge whether they can be prioritized and mitigated, or whether it's time to walk away.

Establish a Clear Incident Response Plan

Even a perfect vetting process has its limitations. Financial institutions must implement robust security measures to prevent a third-party incident from turning into a catastrophic breach. While working with trusted, thoroughly vetted partners and vendors is part of the solution, banks that want to protect their reputation need to ensure they have their own security measures in place.

Adopting an "assumption of breach" mentality is critical, which means always operating under the premise that attackers are already on the network. Perimeter defenses alone are not enough. It's equally - if not more - important to have advanced detection and response solutions capable of identifying suspicious activity within the network itself. This is essential for defending against third-party breaches, since perimeter defenses won't stop an attacker who gains access to your systems through a vendor. Other preventative measures, such as segmenting networks and limiting access privileges, can also make it difficult for attackers to move laterally through the network and escalate their privileges. For instance, there is no legitimate reason for a marketing employee to click a link and access customer checking accounts. Such activity should be quickly identified and flagged to the security team for investigation and remediation.
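The paragraph above describes three controls at once: a least-privilege policy (a marketing employee has no business in checking accounts), network segmentation (a vendor integration should only ever arrive from the vendor's segment), and detection that flags violations of either for the security team. The following is an added example, not code from the article or from LogicGate, showing how a small detector can apply those two policies to an access log. The log format, the user-to-role directory, the role-to-resource policy and the role-to-segment map are all constructed assumptions for illustration; a real deployment would pull them from the identity provider, the access-control system and the network inventory.

```python
"""Least-privilege and segmentation checks over a constructed access log.

Added example; the log format, users, roles, policy and networks below are
all constructed assumptions, not the article's or any vendor's data.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed identity directory: which role each account holds.
USER_ROLES: Dict[str, str] = {
    "alice": "marketing",
    "bob": "teller",
    "vendor-svc": "vendor_integration",
}

# Constructed least-privilege policy: resource classes each role may touch.
ALLOWED: Dict[str, Set[str]] = {
    "marketing": {"campaign_data", "public_web"},
    "teller": {"checking_accounts", "public_web"},
    "vendor_integration": {"payments_api"},
}

# Constructed segmentation policy: the networks each role is expected to come from.
SEGMENTS: Dict[str, List[str]] = {
    "marketing": ["10.1.0.0/16"],
    "teller": ["10.2.0.0/16"],
    "vendor_integration": ["203.0.113.0/24"],
}

# Constructed log; assumed format: ts user action resource_class resource_id src_ip
SAMPLE_LOG = """\
2024-05-01T09:00:01Z alice READ campaign_data q2-plan 10.1.5.20
2024-05-01T09:02:14Z bob READ checking_accounts acct-10023 10.2.7.8
2024-05-01T09:05:33Z alice READ checking_accounts acct-10023 10.1.5.20
2024-05-01T09:06:02Z vendor-svc READ checking_accounts acct-10099 203.0.113.7
2024-05-01T09:07:10Z bob READ checking_accounts acct-10031 10.1.5.21
2024-05-01T09:07:45Z mallory READ checking_accounts acct-10100 10.3.3.3
"""


@dataclass(frozen=True)
class Event:
    ts: str
    user: str
    action: str
    resource_class: str
    resource_id: str
    src_ip: str


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    resource_id: str
    reason: str


def parse_line(line: str) -> Optional[Event]:
    """Parse one log line; malformed lines are skipped rather than crashing the detector."""
    parts = line.split()
    if len(parts) != 6:
        return None
    return Event(*parts)


def in_segment(ip: str, networks: List[str]) -> bool:
    """True if the source address falls inside any of the role's expected networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in networks)


def check_event(ev: Event) -> List[Finding]:
    """Apply the least-privilege and segmentation policies to a single event."""
    role = USER_ROLES.get(ev.user)
    if role is None:
        # An account the directory does not know about is itself a finding.
        return [Finding(ev.ts, ev.user, ev.resource_id, "unknown_user")]
    findings: List[Finding] = []
    if ev.resource_class not in ALLOWED.get(role, set()):
        findings.append(Finding(ev.ts, ev.user, ev.resource_id, "role_not_permitted"))
    if not in_segment(ev.src_ip, SEGMENTS.get(role, [])):
        findings.append(Finding(ev.ts, ev.user, ev.resource_id, "source_outside_role_segment"))
    return findings


def evaluate(log_text: str) -> List[Finding]:
    """Run every parseable line through the checks and collect the findings in log order."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is not None:
            findings.extend(check_event(ev))
    return findings


if __name__ == "__main__":
    for f in evaluate(SAMPLE_LOG):
        print(f"{f.ts} {f.user} {f.resource_id}: {f.reason}")
```

On the constructed log this flags the marketing user reading a checking account, the vendor service account reaching outside the API it was onboarded for, a teller connecting from the wrong network segment, and an account the directory has never heard of. The design point is that both policies are data, so the same detector keeps working when a vendor's scope or segment changes; the findings still need a human to decide whether the cause is a misconfiguration or a compromised vendor credential.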

More than anything, it's critical to have a plan. If a partner is breached and your data is at risk, know who to call and when. Is there a crisis communications team in place? Is there a process in place for signing off on public statements? Is it possible to identify which customers are affected and inform them before they learn about the incident through other uncontrolled channels? Is there a way to easily cascade the messaging to sales and support teams? Has the cyber insurance provider identified pre-approved digital forensics firms? Does the vendor contract include language that allows the relationship to be severed in the event of a blatant security failure? Lastly, how resilient are your operations? If data and systems are compromised, are there processes in place to get them back online quickly? In 2023, the world's largest bank was compromised by a ransomware attack that forced it to transfer data via a courier-driven thumb drive. Is your fallback plan a USB stick, or do you have contingency plans to negate the risk, limit downtime and leverage a sophisticated GRC solution to identify the vulnerability and ensure it doesn't happen again?

It's not enough to just have a plan. It's equally important to test it. Conducting the necessary exercises to run that plan through its paces and identify any gaps or pain points in advance will help avoid any surprises in a crisis. That testing can make a real difference; it's easy to tell when a business is scrambling. But financial institutions that have a strong, well-practiced plan in place to limit damage and establish clear, transparent communication won't just protect their reputation but also enhance it.

Avoiding Unnecessary Reputational Damage

In today's threat environment, incidents happen - it is impossible to prevent 100% of breaches. Instead of solely focusing on prevention, financial institutions should prioritize making their systems as resilient as possible. Even if an incident is caused by a vendor, it's critical for financial institutions to show they are well prepared to manage the fallout and help their partners and customers do the same.

The blame game doesn't work in the financial sector. As a consumer-facing brand, financial institutions are accountable and responsible for maintaining - or losing - customer trust. They must implement necessary measures to protect against breaches within their entire ecosystem, as vulnerabilities arising from third-party vendors still directly reflect on their brand.



About the Author

Matt Kunkel

CEO, LogicGate

Before LogicGate, Kunkel spent over a decade in the management consulting space building custom technology solutions to run regulatory, risk and compliance programs for Fortune 100 companies. He is recognized as a leader in the GRC/IRM space, and regularly speaks and consults on risk compliance, regulatory and security topics.
