NAFCU Services Blog

Sep 27, 2016
Categories: General

Building a Third Party Risk Management Program

By: Jake Olcott, VP of Business Development at BitSight Technologies.

When assessing cyber security threats to your credit union's systems, it is no longer sufficient to adopt best practices for your own institution without also evaluating the practices of all your vendors and partners. Several high-profile breaches of the past few years, including those affecting major corporations such as Target, American Express, and Experian, show how serious third party breaches can be.

These breaches cost a great deal to the companies and customers affected. It is critical that credit unions move forward with plans to evaluate and mitigate the risks posed by vendors and other business partners. In light of this growing need, BitSight Technologies recently hosted a webinar entitled “How to Build a Third Party Risk Management Program” for credit union executives around the nation.

Legal Implications of Ineffective Third Party Risk Management

Third party risk management programs are more than an obligation to your customers; these programs are being brought to the forefront and scrutinized by those conducting oversight. During BitSight’s webinar, credit union executives participated in a poll indicating that 85 percent of them had been asked by regulators about their third party risk management practices. In fact, regulators are starting to pursue actions for failure to properly implement programs to prevent third party cyber risk.

What are the Immediate Steps to Ensure Appropriate Third Party Cyber Security?

There are four key steps to take for a top-notch security program:

  1. Identify and Tier Third Parties: A working group including IT, IT security, procurement, and legal should identify and classify vendors. Vendors handling data that is regulated or confidential should be prioritized as critical.
  2. Assess Security: There are a number of methods credit unions can use to assess vendor security. In BitSight's webinar poll, the most common tools used by credit union executives were audits and requests for documentation, with nearly all respondents already doing these. In addition, about a quarter of the executives in the webinar said they were conducting onsite visits or desk assessments; 38 percent of managers were currently using vulnerability scans and penetration tests, and 43 percent of poll respondents were also using questionnaires.
  3. Negotiate Contractual Terms: Existing contracts need to be reviewed to ensure they reflect the level of security you expect. Use “point in time” tools to evaluate third parties.
  4. Ongoing and Continuous Monitoring: This involves constant oversight integrated into the lifecycle of the security assessment process, and leverages the use of automated feeds.

The Vendor Risk Management Maturity Curve

This curve represents each step of the security process as outlined above. When asked which level of the vendor risk management curve their credit unions had reached, 16 percent of executives at BitSight's webinar said they were at level one, just over half were at level two, 30 percent were at level three, and two percent were at level four. One obstacle many executives face in reaching levels three and four, particularly at small organizations, is that the process can become costly and require extensive manpower.

The entire webinar slide deck with in-depth graphics, tips, techniques, and tools your credit union can leverage is available for download here.

BitSight Technologies is the NAFCU Services Preferred Partner for Cybersecurity Ratings for Vendor Risk Management and Benchmarking. More educational resources and partner contact information are available at www.nafcu.org/bitsight.

About the Author