In 2018, cyberattacks occurred across industries, from telecommunications to hospitality and transportation, affecting billions of people. In the months of April, May and June alone, 765 million people were affected.[1] These are just a few examples of the many breaches that have occurred over the last years, with another notable one being the Panama Papers in 2016.[2] A recently completed global survey revealed that almost 60% of respondents acknowledged having experienced a data breach over the last 12 months caused by one of their third parties.[3] Even more alarming, 1 in 7 security breach attempts against banks or capital market firms succeed.[4] Welcome to the cyber risk era.
These cybercrime statistics are especially concerning for financial institutions given the current data protection-focused regulatory climate. The European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are two examples of how regulators are becoming more stringent on employee and customer data security. With fines starting at 20M Euros for GDPR[5] and $100 to $750 per customer per incident in addition to regulatory fines of up to $7,500 per violation under CCPA,[6] data breaches are financially and reputationally punitive. Additionally, in 2018 the Securities and Exchange Commission (SEC) published guidance on effective cybersecurity policies and procedures,[7] and many states proposed cyber measures similar to the New York State Department of Financial Services’ (NYDFS) 500 regulation.[8]
These new cyber rules layer onto existing regulatory expectations that place responsibility for managing third-party risk on the financial institution, and they are reinforced by standards such as those published by the National Institute of Standards and Technology (NIST).
As a result, financial institutions are more conscientious about the use of effective cyber controls across their organizations and their third-parties (e.g., vendors, contractors, suppliers, etc.). In this blog, we explore three controls Accenture has helped financial services firms use in their third-party program to support cyber resilience.
- Develop a comprehensive third-party inventory
Accenture’s Achieving Data-Centric Security stated, “…that with all the focus on securing data—encrypting it, keeping it in the safest of systems—if the same controls are not applied to people who have access to the data, you have simply moved the point of failure.”[9] Therefore, the first step to data security in financial institutions’ third-party operations is understanding who has access to their data. Unfortunately, the same global survey cited above showed that 66% of respondents lacked a complete inventory of their third parties.[10] By leveraging network scanning, digital asset management and data lineage tools, firms can create third-party inventories that allow them to understand potential risk sources. Once this is completed, we work with our clients to segment their third-party inventories using an inherent risk methodology that assigns each third party a risk rating based on factors such as data type and quantity, information security, business continuity, disaster recovery, and physical security controls. Altogether, these comprehensive, segmented third-party inventories allow financial institutions to understand their third-party populations: whom they contract with, which third parties pose high or critical risks to the organization, and what types of data and data elements those third parties have access to. With this information, institutions are equipped to better understand risk concentration across their third parties and to allocate third-party management resources more effectively.
- Evaluate the security and privacy practices of third parties
Because many third parties are not licensed and regulated to the same degree as financial institutions, they often lack advanced security architectures. However, in an era where cyber-crime is increasing, it is critical that appropriate security systems and processes are in place. If third parties lack such tools, it becomes even more important for financial institutions to have strong oversight controls to protect sensitive information. For instance, clients’ third-party risk assessments often include a cyber component to understand third-party data privacy capabilities (i.e., how third parties consume, process and safeguard data) and security tools and processes, including management of subcontractors (i.e., fourth parties). Furthermore, research shows that incident response teams can significantly increase the chances of a cyberattack being identified early and contained. According to one study, a breach that is contained within 30 days can translate into a savings of $1 million USD compared to organizations that do not contain it within that window.[11] Consequently, clients embed incident simulation into their cyber assessments and ongoing monitoring activities to understand how effectively their third parties can protect data. As pressure from federal and state regulators heightens and the costs of cyber-crime further increase, we expect financial institutions to continue to collaborate with third parties to manage risk exposure and enhance their cyber resilience.
- Leverage technology and strong governance to drive decision-making
Many financial institutions still rely on manually intensive processes throughout the third-party management lifecycle. However, manual processes are time-intensive and prone to human error; therefore, Accenture has been working with its clients to enhance their technology toolset. For instance, desktop automation can prepopulate certain risk assessment questions based on predetermined criteria; Robotic Process Automation (RPA) can compile information on third parties from different sources; and artificial intelligence (AI) can help identify trends in the data being shared to enhance data classification and the corresponding data controls. By leveraging these technologies, financial institutions can free their third-party program personnel to focus on risk mitigation decision-making and strong governance. With this technology and clean data, financial institutions are better equipped to understand their cyber resiliency posture and to address risks more effectively and efficiently.
With a comprehensive third-party inventory, a strong understanding of third parties’ security practices and a governance framework founded on robust reporting, financial institutions should be better prepared and more capable of protecting themselves against cyberattacks. As financial institutions enhance their third-party programs, they should continue to collaborate with their third parties to improve cyber controls, thereby promoting cyber resilience, safeguarding customer data, and shielding both the firm’s and the third parties’ reputations. In doing so, both financial institutions and their third parties can continue to stay compliant with existing and expected cyber regulation requirements.
[1] “Your data was probably stolen in cyberattacks in 2018 - and you should care,” USA Today, December 28, 2018. Access at: https://www.usatoday.com/story/money/2018/12/28/data-breaches-2018-billions-hit-growing-number-cyberattacks/2413411002/
[2] “New Panama Papers Leak Reveals Firm’s Chaotic Scramble to Identify Clients, Save Business Amid Global Fallout,” International Consortium of Investigative Journalists, June 20, 2018. Access at: https://www.icij.org/investigations/panama-papers/new-panama-papers-leak-reveals-mossack-fonsecas-chaotic-scramble/
[3] “Opus & Ponemon Institute Announce Results of 2018 Third-Party Data Risk Study: 59% of Companies Experienced a Third-Party Data Breach, Yet Only 16% Say They Effectively Mitigate Third-Party Risks,” Business Wire, November 15, 2018. Access at: https://www.businesswire.com/news/home/20181115005665/en/Opus-Ponemon-Institute-Announce-Results-2018-Third-Party
[4] “2018 State of Cyber Resilience for Banking & Capital Markets,” Accenture. Access at: https://www.accenture.com/us-en/insights/financial-services/2018-state-of-cyber-resilience#banking-and-capital-markets-2018-state-of-cyber-resilience
[5] “GDPR Key Changes,” EU GDPR portal. Access at: https://eugdpr.org/the-regulation/
[6] “The California Consumer Privacy Act of 2018,” Willis Towers Watson, February 1, 2019. Access at: https://www.willistowerswatson.com/en/insights/2018/11/the-california-consumer-privacy-act-of-2018
[7] “SEC Adopts Statement and Interpretive Guidance on Public Company Cybersecurity Disclosures,” Securities and Exchange Commission, Press Release, February 21, 2018. Access at: https://www.sec.gov/news/press-release/2018-22
[8] “More State Cybersecurity Regulation Ahead for Financial Services Industry?,” LexisNexis, State Net Capitol Journal. Access at: https://www.lexisnexis.com/communities/state-net/b/capitol-journal/archive/2018/03/08/more-state-cybersecurity-regulation-ahead-for-financial-services-industry.aspx
[9] “Achieving Data-Centric Security,” Accenture, 2017. Access at: https://www.accenture.com/t20171109T023424Z__w__/us-en/_acnmedia/PDF-65/Accenture-Achieving-Data-Centric-Security-USWeb.pdf#zoom=50
[10] “Opus & Ponemon Institute Announce Results of 2018 Third-Party Data Risk Study: 59% of Companies Experienced a Third-Party Data Breach, Yet Only 16% Say They Effectively Mitigate Third-Party Risks,” Business Wire, November 15, 2018. Access at: https://www.businesswire.com/news/home/20181115005665/en/Opus-Ponemon-Institute-Announce-Results-2018-Third-Party
[11] “Average cost of a data breach exceeds $3.8 million, claims report,” Tripwire, July 12, 2018. Access at: https://www.tripwire.com/state-of-security/featured/average-cost-data-breach-exceeds-3-8-million-claims-report/