
The financial services industry’s heavy reliance on third parties poses a potential cyberdefense vulnerability if those risks are not actively managed to protect personally identifiable information and other sensitive data.

Those are among the findings of a joint survey, “Third-Party Cyber Risk for Financial Services: Blind Spots, Emerging Issues & Best Practices,” by Boston-based BitSight and the Center for Financial Professionals (CeFPro).

Based on a survey of financial services professionals from around the world, the report found that managing third-party cyberrisk is not only critical to businesses, but that a lack of continuous monitoring, inconsistent reporting, and other blind spots are creating challenges that could leave organizations susceptible to data breaches and other consequences.

The study observed that the financial industry, in particular, has an enormous ecosystem of legal, accounting and human resources firms, management consultants, outsourcing firms, and information technology and software providers. Each presents a potential weak spot for cyberdefenses. “Managing third-party cyber risk has rapidly become the No. 1 concern for businesses,” said Jake Olcott, vice president of communications and government affairs at BitSight, which produces security ratings. “Many in the financial sector are taking action to manage that risk, but as our survey shows, there is vast room for improvement in key areas like continuous monitoring and effective board reporting.”

Some key findings:

  • Third-party cyber risk is driving key business decisions. Nearly 97% of respondents said cyberrisk affecting third parties is a major issue. Meanwhile, nearly 80% of respondents said they have terminated, or would decline, a business relationship due to a vendor’s cybersecurity performance. One in ten organizations has a role specifically dedicated to vendor, third-party or supplier risk.
  • There is a lack of consistent third-party risk measurement and reporting. Only 44% of respondents reported on this risk to their executives and boards on a regular basis. This lack of regular reporting may explain why nearly 20% of respondents think their boards and executives are not confident in, or do not understand, their approaches to third-party risk management.
  • A majority of organizations aren’t using critical tools. Respondents reported they still rely on tools like annual on-site assessments, questionnaires and facility tours to assess third-party security posture, giving them limited visibility into their third-party cyber risk. Twenty percent of organizations currently use a security ratings service to continuously monitor the cybersecurity performance of third parties, though 30% are currently evaluating security ratings providers.

Andreas Simou, managing director at CeFPro, said: “Although there has been a significant increase in effectiveness, attention, and resources focused toward third-party cyberrisk over the last few years, there is still much to be done, utilizing more effective tools and techniques to overcome the ever-increasing challenges faced within the industry.”

Olcott pointed out that credit unions, like every organization in the financial sector, do business with dozens or hundreds of different third-party vendors, business associates, service providers, and emerging fintech companies. “It is great to outsource some of these things, but they realized they cannot outsource the risk. What credit unions are facing is a challenge in understanding what risks are posed by these third-party providers.”

Olcott noted that the traditional approach credit unions take to assessing these hazards, such as a questionnaire or an on-site assessment, is not cutting it. “They want to get more objective, quantitative, real time data in order to better manage their risk.”

Part of the cyberrisk problem stems from speed-to-market pressures. “Not only are the fintechs trying to go to market quickly, but financial institutions are trying to develop new products and services quickly too,” Olcott offered. This creates challenges for integrating security into the fintech development process. He added that one of the significant things a security rating brings to the table is the ability to perform a rapid assessment of a third party’s security performance.

The survey polled 126 financial services professionals from various industry sectors, including banking (49%), insurance (16%) and professional services (13%), among others. Respondents are located around the world, with the majority coming from the United States (35%), Europe (28%, not including the UK), and the United Kingdom (16%).