Global study of financial sector shows deep concern about third party cyber risk

BitSight and the Centre for Financial Professionals (CeFPro) have released a joint study shedding light on how financial institutions are addressing challenges associated with third party cyber risk.

Based on a survey of financial services professionals from around the world, the report entitled ‘Third Party Cyber Risk for Financial Services: Blind Spots, Emerging Issues and Best Practices’ finds that managing third party cyber risk is critical to their businesses, but a lack of continuous monitoring, consistent reporting and other blind spots are creating challenges that could leave organisations vulnerable to data breaches and other consequences.

Most organisations work with hundreds, if not thousands of third parties, creating new risks that must be actively managed. The financial industry, in particular, has a massive business ecosystem made up of legal organisations, accounting and Human Resources firms, management consulting and outsourcing firms and information technology and software providers. Each of these vendors poses a potential weak spot for cyber defences if risk isn’t actively managed to protect the exchange of data and other sensitive information.

“Managing third party cyber risk has rapidly become the foremost concern for businesses,” said Jake Olcott, vice-president of communications and Government affairs at BitSight. “Many in the financial sector are taking action to manage that risk, but as our survey shows there’s vast room for improvement in key areas like continuous monitoring and effective Board reporting.”

Third party cyber risk is driving key business decisions. Nearly 97% of respondents said that cyber risk affecting third parties is a major issue. Meanwhile, nearly 80% of respondents said they’ve terminated or would decline a business relationship due to a vendor’s cyber security performance. One in every ten organisations has a role specifically dedicated to vendor, third party or supplier risk.

Risk measurement and reporting

There’s a lack of consistent third party risk measurement and reporting. Only 44% of respondents are reporting on this risk to their executives and Boards on a regular basis. This lack of regular reporting could be the reason why nearly one-in-five respondents think Boards and executives are not confident or don’t understand their approaches to third party risk management.

A majority of organisations are not using critical tools. Respondents reported that they still rely on tools like annual on-site assessments, questionnaires and facility tours to assess third party security posture, giving them limited visibility into their third party cyber risk. Meanwhile, only 22% of organisations are currently using a security ratings service to continuously monitor the cyber security performance of third parties, though 30% are currently evaluating security ratings providers.

Third party risk management challenges and concerns for the future continue to grow. Companies are concerned with the accuracy and actionability of risk assessment data, as well as an unclear responsibility for this type of risk management within their organisations. Looking toward the future, respondents are focused on making their security programmes more effective while staying up-to-date on new regulations and prioritising continuous monitoring and visibility.

Questions and challenges raised

“This report raises a number of interesting questions and challenges for the industry,” explained Andreas Simou, managing director at CeFPro. “With C-Suite professionals taking responsibility, it’s clear that the vast majority of respondents’ organisations understand the critical importance of third party cyber risk. It’s also apparent that there needs to be clarity going forward, with increased communication up to Board level. Although there has been a significant increase in effectiveness, attention and resources focused toward third party cyber risk over the last few years, there’s still much to be done using more effective tools and techniques to overcome the ever-increasing challenges being faced within the industry. Third and fourth party cyber risk is just one key area to be addressed. The report highlights a number of potential solutions and ways forward.”

New tools and Best Practices are becoming readily available to help organisations address some of the key challenges and concerns uncovered by the survey. In order to effectively manage this growing risk and stay ahead of future challenges, organisations must use Best Practices and trust continuous monitoring solutions like security ratings to help measure and manage their cyber risk with third party risk data that’s accurate and actionable.

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.
