Five Ways to Strengthen Third-Party Cyber Risk Management – and Get Past Common Misperceptions

Contractual agreements and other protective measures may not stand up to all threats and crises. Business-continuity and incident-response plans, for example, should be regularly stress-tested.

Friday, May 24, 2024

By Gabie Lang and Elena Khoroshun


With financial institutions (FIs) increasingly reliant on third-party services to drive revenue, cyber criminals have identified new and creative tactics that successfully penetrate highly interdependent networks and launch damaging, far-reaching attacks. No wonder that 62% of global leaders recently identified cybersecurity as their company’s top third-party risk.

We highlight five considerations that will enable FIs to bolster third-party cyber risk management (TPCRM) capabilities in 2024. Each addresses a common misconception we have encountered when working with clients, who often underestimate the operational, financial and reputational impacts they could incur following a third-party breach.

1. Enhance Your Vendor Onboarding Process

Misconception: “Our contracts and service-level agreements (SLAs) cover all aspects of cybersecurity.”

Contracts alone do not provide business leaders with a holistic view of vendor risk. Nor do they protect against reputational damage following a cyber event. This makes robust vendor onboarding a critical step that provides visibility into third-party cybersecurity policies and practices.

This approach also delivers critical insights into the data handled by third parties, the security of their systems, and their overall ability to adopt a risk-based approach for ongoing cyber risk management. All these elements are essential when making final contractual decisions.

We recommend that, during the selection process, an institution assesses the following areas in order to fully understand the vendor’s residual risk and to gain confidence that appropriate controls are in place:


  • Information security
  • Business continuity
  • Technology business development (financial risk)
  • Cloud governance
  • Consumer compliance
  • Anti-corruption
  • Global fraud

2. Understand Regulatory Requirements

Misconception: “We are not responsible for our third parties’ compliance.”

Organizations should follow regulatory requirements and update their risk mitigation measures in line with these instructions. But end-to-end compliance requires your third parties to be equally compliant. With regulatory scrutiny on the rise, we recommend that organizations include compliance requirements in contractual agreements and undertake regular vendor audits to confirm adherence.

Key regulations and industry standards that impact FIs and their approach to TPCRM in 2024 include:


Key themes across all these regulations and industry standards include:

  • Contract negotiation and vendor due diligence concerning third-party risks.
  • Governance, including clearly defined roles and responsibilities, as well as competencies.
  • Ongoing monitoring and risk management.
  • Clear contingency planning and exit strategies.
  • Documentation and reporting.

3. Stay on Top of Evolving Third-Party Threats

Misconception: “Cyberattacks on our third parties will not affect us.”

In the world of TPCRM, a third party’s crisis is your crisis, especially at a time when first- and third-party business operations are more interconnected than ever.

Cyber threats are also evolving at an unprecedented rate. This makes risk identification and threat modeling of third parties a top priority. According to research by Wipro, 35% of organizations claim their third-party vendors reported a security breach in the past year. Some 37% of organizations use formal TPRM software to conduct automatic screenings and risk-area decision tracking. However, 20% of survey respondents still use basic tools like Microsoft Word and Excel to keep track of third-party cyber risks.

Below we list some of the top cyber risks faced by third parties and recommend some technology-led controls for risk mitigation.

Artificial Intelligence

Malicious actors have demonstrated that AI can be weaponized for cyberattacks. In 2023, we witnessed new techniques for penetrating systems and outsmarting cyber defenses, and these techniques continue to mature in 2024. Examples include highly deceptive phishing emails, deepfake recordings, and other fraudulent documents.

Top recommended controls:

  • AI technology and machine learning to recognize anomalies and threats.
  • Automated monitoring and alerting.
  • Automated penetration testing.

Fourth-Party and Supply-Chain Software Attacks

In 2023, we saw a significant rise in supply chain and third-party breaches. With the average company sharing data with 583 vendors, the average software project consisting of 203 dependencies, and much modern software built from off-the-shelf components, software supply chains are particularly vulnerable.

Although businesses have improved the security of their environments, third parties with weaker defense postures remain softer targets for criminals. Common supply chain attacks include upstream server attacks, midstream attacks targeting software development tools, CI/CD (continuous integration/continuous delivery) infrastructure attacks, dependency confusion attacks, stolen SSL and code-signing certificates, and open-source software attacks.

Recommended controls:

  • Regular supply-chain assessments.
  • Automated risk management tools. For example, real-time monitoring and alerting.
  • Diversifying suppliers.
  • Real-time notifications when data is shared with Nth parties.
  • Centralized inventory of all third and Nth parties.
  • Harmonizing controls across vendors and regular assessment of these controls and their effectiveness across SaaS providers.

Exploitation of Credentials

Compromised credentials are still one of the leading vectors used to exploit FI vulnerabilities via third parties. Often originating from large phishing campaigns or malware that steals login information, most of these breaches occur when businesses grant third parties more access than they need. The good news is that even when credentials are compromised, robust access management minimizes the likelihood of attackers gaining entrance to multiple systems.

Recommended controls:

  • Data encryption at rest and in transit.
  • Multi-factor authentication.
  • Identity and Access Management (IDAM) and Customer Identity and Access Management (CIAM).
  • Outsourcing cloud services to third parties.
  • Endpoint protection.

4. Be Prepared for Crises

Misconception: “We are already covered by our business continuity plans and risk mitigation strategies.”

Crisis preparedness, in its entirety, is often overlooked by business leaders. Although many invest in business continuity and incident response plans, they often assume that having defined procedures alongside risk mitigation strategies is sufficient to respond to a crisis event. This is rarely the case.

Organizations should stress-test their plans regularly, proving the effectiveness of these procedures. This will ensure that normal business operations can continue, and that highly sensitive information is protected when real life collides with unexpected events.

Recommended controls:

  • Third-party incident response and notification planning.
  • Automated incident response.
  • First- and third-party security awareness training.
  • TPRM business continuity plan exercises (desktop and real-life simulations).

5. Enforce Exit Strategies

Misconception: “Our contracts cover everything.”

While contractual obligations include critical elements such as service-level agreements, failure to properly manage third-party access and relationships, including inadequate exit strategies, can increase the likelihood of data breaches. A Ponemon Institute report reveals that data breaches involving third parties resulted in an average total cost of $4.29 million, higher than breaches not involving third parties. Inadequate exit strategies can contribute to financial losses by prolonging the time to identify and contain breaches.

Recommended controls:

  • Procedures, such as cloud portability, for securely deleting or transferring data upon contract termination.
  • Swift access revocation.
  • Ongoing monitoring and auditing of systems, networks and data following contract termination.
  • Documenting all steps taken during the exit process.
  • Post-exit reviews.

Sourcing Expertise

Many risk management procedures require expert guidance, and TPRM is no exception. When selecting a partner to help manage third-party risk and regulatory compliance, organizations should engage experienced teams with the following skills and services.

  • Regulatory compliance: Thorough regulatory assessments and gap analyses of your current compliance processes in the face of current and emerging regulations and standards.
  • Transformation: Risk management practice transformations based on process improvement, data sourcing and maturity assessments to deliver best practices.
  • Managed services: Experienced teams that enable your organization to efficiently manage third-party risks on an ongoing basis.
  • NextGen solutions: Innovative technologies that drive effective and secure TPRM practices at all stages of the relationship lifecycle.


Gabie Lang and Elena Khoroshun are Senior Consultant and Consultant, respectively, at Capco, a global technology and management consultancy specializing in driving digital transformation in the financial services industry. A version of this article was published previously on the Capco website.
