Mitigating Third-Party Risks
Steps That Regulators, Community Banks Need to Take
Recent third-party data breaches, like the one of core processor Fidelity National Information Services, have sparked concerns among regulators and banking institutions.
Banking regulators and institutions have taken opposing positions. Regulators say community banks need to be more vigilant about reviewing the security practices of third parties, including core processors. And banks say regulators should share more information about the security risks they identify when they examine some of these third parties.
Both sides are making valid points. Regulators clearly need to do a better job of notifying banks promptly when they find severe security flaws at third parties, especially core banking processors. And it's time for community banks to take the extra step of collaborating on their assessments of third parties as an affordable way to improve efforts to identify and mitigate security gaps.
From the Regulators
On Sept. 27, the Federal Deposit Insurance Corp. issued an advisory clarifying the ongoing role community banks are expected to play in overseeing and managing the security practices of third parties (see FDIC Offers Breach Prevention Advice).
"Financial institutions need to assure themselves that they are not facilitating fraudulent or other illegal activity," the advisory notes. "Institutions could be exposed to financial or legal risk should the legality of activities be challenged."
The advisory marks the second time in the last two months the FDIC has directly addressed due diligence concerns surrounding community banks and vendors (see FDIC: Improve Vendor Management).
And the FDIC is not alone. Last month, Comptroller of the Currency Thomas Curry noted during a speech that more oversight of third parties is needed.
"Each new relationship and connection provides potential access points to all of the connected networks and introduces different weaknesses into the system," he said. "Ultimately, these interconnected networks are vulnerable to attacks that may affect multiple organizations at one time" (see OCC on Cybersecurity: More Regs on Way?).
Shared Responsibility
Banks are the ones with the direct relationship with processors and other third parties. So, yes, regulators are right to remind banks of their obligation to verify that the third parties with which they work are taking steps to protect security. But regulators also have an obligation to help banks stay secure.
Regulators must more promptly communicate with banking institutions when they uncover security breaches and flaws during examinations of third parties that work with numerous financial institutions.
Take the case of the FIS breach: Banking regulators were aware of it long before news of it broke.
In June, security blogger Brian Krebs reported that an examination conducted by the FDIC had determined that a 2011 cyber-attack compromised FIS' network and exposed high-risk information.
Banking regulators had been examining the breach for nearly two years. But it was not until May 2013 that the FDIC notified FIS' bank customers that the 2011 breach was much more severe than FIS first publicly reported in May 2011.
Community banks, which often rely on core processors, argue the FDIC should have notified FIS customers sooner. They also argue that the FDIC examiners' findings should have been shared widely, even with banks considering doing business with FIS.
It's good to see that the Community Bankers Advisory Committee is conducting a review to determine what additional steps banking regulators could take to help community banks more readily identify third parties' lax security practices.
Shared Assessments
Meanwhile, some financial fraud experts, such as Aite consultant Shirley Inscoe, suggest that community banks should pool their resources to create shared assessments of third parties, similar to initiatives adopted by some of the nation's leading banks.
"Regulators want FIs [financial institutions] to ensure the third parties they do business with are secure," Inscoe says. "But it is very difficult for each financial institution to be able to afford adequate risk assessments to meet regulator expectations."
In 2008, BITS, the technology policy division of The Financial Services Roundtable, launched a similar type of shared assessment program for its members.
Inscoe also notes that large banks banded together a few years back "to create shared assessments, which documented all their requirements of a third party. This group approach was not easy to reach agreement on, but has proven to be extremely beneficial to both the banks as well as the third parties."
Shared assessments are the only way smaller institutions can meet regulators' expectations, Inscoe argues.
This shared assessment approach sounds like a good idea. But more open communication between regulators and community banks about known security vulnerabilities also is needed.
Regulators are prohibited from disclosing what they discover during an exam of a vendor unless a severe security flaw that exposed customer data is found. But let's face it: any time there is a network breach, cardholder and other consumer data are at risk. And banking institutions need to be informed sooner rather than later.
Cybersecurity breaches are only going to get more complex as the number of third parties in financial services continues to grow. If banks and regulators fail to enhance their examination processes and information sharing, there's little hope the system will ever be secure.