NAFCU Services Blog

So, you have identified your top partners.  You have thoroughly evaluated their cybersecurity services in order to keep your members’ financial data safe and secure. But before you sit back and relax, you have to ask yourself “what about tomorrow?”

The Pitfalls of Traditional Evaluation Methods for Cybersecurity

Traditional methods of evaluating your partners may include detailed questionnaires and conversations, audits, and maybe you have even conducted some vulnerability scans. These are all sound methods for establishing whether your partners are on the right track, but they are only a start.

• One-time snapshot. The problem with this type of evaluation method is it only gives you a snapshot of the organization at one small point in time. It would be the equivalent of checking the locks on your doors once and then not doing it again in the future.
• Expensive. Numerous questionnaires and audits can become very costly very quickly. If you are a small credit union, it may not seem practical to spend the cash or the manpower on these efforts.
• Regulation struggle. In addition to an ethical obligation to your members, regulators are creating new legal obligations aimed at third party risk management plans. The sooner you can get in front of this issue, the easier it will be.

Vendors, especially high priority ones that have direct access to your network or your most sensitive data, really need to be monitored for their security practices all the time. This may seem daunting or even impossible, but it doesn’t have to be. The key to locking up holes in your partners’ security is through security rating and monitoring solutions.

How Cybersecurity Ratings Work

Cybersecurity ratings work essentially like a credit rating company issuing a FICO score, but instead it issues a security rating. For example, companies can be rated on a scale from 250 to 900. A high number indicates a strong security performance and a lower security risk.

A security rating platform gathers and analyzes publicly available information and noted incidents to create its security rating. It considers things like spam propagation, malware propagation, botnet infections, and then calculates a rating. You will also be able to see where the infections and incidents relating to a company’s security are occurring.

Utilizing Ratings as a Resource

Cybersecurity ratings can be a very useful tool in prioritizing which vendors require the most attention from your credit union. A company with a consistently high score probably doesn’t need a tremendous amount of your effort, so you can allocate your time and budget to the vendors that are creating greater risks for you and your members.

In addition, this rating can be a valuable resource when having a more sophisticated conversation with your vendors about cybersecurity. If you are grappling with what questions to ask or what risk vectors you should be focused on, the security rating information can give you a road map to do that.

NAFCU Services and BitSight Technologies have partnered to provide an independent security monitoring service that provides continuous data on outside vendors’ security practices. If you would like to learn more about BitSight’s solutions for credit unions, or formulating a third party risk management plan, you can check out our webinar here.