Mitigating Cyber Security Threats: A Risk-Based Approach
Risks from third-party vendors present significant cyber resilience challenges for financial institutions. But there is a solution: a holistic risk management framework that features security measures and controls can thwart data breaches and other cyber attacks.
Friday, October 25, 2019
By Andrea Giacchero and Jacopo Moretti
Business continuity and security threats are the greatest risks a financial institution faces when choosing a vendor for an information and communication technology (ICT) service. This is especially true with respect to both the custody of personal data and potential cyber attacks.
Third parties that handle the systems and the customer data of a financial institution could be infiltrated by cyber criminals, particularly when ICT services cover the storage and the extract-transform-load process of data.
Therefore, to guarantee the confidentiality of the information and to comply with regulatory requirements, external ICT services need strong security measures. The ICT-related risks a financial institution should consider include the leakage of confidential information and the unauthorized use of the company's tools after a cyber attack.
A possible countermeasure is the adoption of a holistic risk management framework that handles ICT risks during the entire life cycle of the outsourcing. To improve cyber resilience - through both ex-ante assessment techniques and ongoing monitoring - a company must map its dependence on third parties across its value chain.
Financial institutions are responsible for managing relevant risks and for implementing the information security measures related to external ICT services; therefore, they must continuously verify the adequacy of vendors' procedures, according to best practices. This is true regardless of the nature of the arrangement - e.g., whether it's full or partial outsourcing, or even just a third-party supplier agreement.
Although it might seem desirable to apply the same security measures and controls uniformly to all external ICT services (both the outsourced ones and those provided by third parties), we believe that every financial institution should adopt a risk-based approach that streamlines the risk management process: the security measures and controls required for each external ICT service should be proportional to the riskiness of that service.
The starting point is defining a process to manage the external ICT services risk, for both outsourced and third-party ICT services. This process should be ideally divided into three main phases: (1) initiative approval and vendor selection; (2) conclusion of the agreement and service configuration; and (3) monitoring of external ICT services.
Approval and Vendor Selection
External ICT services should be classified before the initiative is approved, to distinguish the outsourced ICT services from the third-party products. In the latter case, it may be useful to make a further distinction that identifies the products carrying the most risk, which require stronger protection measures.
The classification of external ICT services constitutes an inventory that holds additional information - e.g., the users, the types of data and the internal processes supported by each ICT service. This inventory should enable more precise risk assessments of ICT services.
A risk assessment is a vital component of the approval procedure. It should consider both the data classification and the criticality of the business operation supported by the service in order to evaluate - inter alia - the potential risks. These include losing direct control of the critical components of the external ICT service, information leakage and unauthorized use of the company's tools following a cyber attack.
To estimate the residual risk exposure of an external ICT service - taking into account both its inherent riskiness and the adequacy of the controls in place - the risk assessment can, for instance, take the form of a survey that analyzes the three traditional dimensions of information security: confidentiality, integrity and availability.
Agreement and Service Configuration
When signing an agreement with a vendor, a company typically establishes appropriate protection clauses, aligned with the service configuration. For instance, the protection clauses should require the vendor to comply with the customer's information security policies.
Using the classification of the external ICT services recorded in the inventory and the results of the risk assessment, a company can adopt appropriate security measures and controls to mitigate the ICT third-party risk. In line with the risk-based approach, the higher the riskiness of an ICT service, the more protection clauses the agreement should contain.
Monitoring of External ICT Services
Monitoring procedures should include periodic reports (including a vendor-supplied executive summary) delivered to the internal control functions, detailing (1) all operational and security incidents; (2) the security measures taken by the vendor in response to those incidents; and (3) the results of the performance indicators used to verify the service-level agreements.
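The three phases described above, worked through as a small Python model. This is an example added to this article; it is not the authors' framework or any tool used at Cassa Depositi e Prestiti. The inventory entries, the CIA survey scores, the data-classification weights, the tier thresholds, the clause wordings, the SLA targets and the vendor report are all constructed, illustrative assumptions. It shows the mechanics the text leaves implicit: how a CIA survey plus the assessed control adequacy yields a residual-risk tier, how the number of protection clauses grows with that tier, and how a periodic vendor report is checked against tier-dependent SLA targets.

```python
"""Risk-based handling of external ICT services in three phases:
(1) classify and inventory, (2) score inherent/residual risk and pick proportional
protection clauses, (3) check the vendor's periodic report against SLA targets.
All weights, thresholds, clause lists and sample data are illustrative assumptions."""
from dataclasses import dataclass


@dataclass
class ICTService:
    name: str
    kind: str                  # "outsourced" or "third_party_product" (phase 1 classification)
    data_class: str            # "public" | "internal" | "confidential" | "personal"
    critical_process: bool     # does it support a critical internal process?
    cia: dict                  # survey answers, 1 (low) .. 3 (high) per CIA dimension
    control_adequacy: float    # 0.0 (no effective controls) .. 1.0 (fully adequate)


# Assumed weights: personal data weighs most because of data-protection obligations.
DATA_CLASS_WEIGHT = {"public": 1, "internal": 2, "confidential": 3, "personal": 4}
CRITICAL_PROCESS_FACTOR = 1.5
TIER_ORDER = ["low", "medium", "high"]

# Assumed, cumulative protection clauses: a higher tier also gets every lower-tier clause.
CLAUSES_BY_TIER = {
    "low": ["vendor complies with the customer's information security policies",
            "security incidents are notified to the customer"],
    "medium": ["customer data encrypted at rest and in transit",
               "customer has the right to audit the vendor's controls"],
    "high": ["sub-contractors require prior customer approval",
             "exit plan with return and deletion of customer data",
             "annual independent penetration test results shared with the customer"],
}

# Assumed SLA targets that tighten with the tier (used in phase 3 monitoring).
SLA_TARGETS = {
    "low":    {"availability_pct": 99.0, "incident_response_hours": 72},
    "medium": {"availability_pct": 99.5, "incident_response_hours": 24},
    "high":   {"availability_pct": 99.9, "incident_response_hours": 4},
}


def inherent_risk(svc: ICTService) -> float:
    """CIA survey total (3..9) weighted by data class and process criticality (max 54)."""
    score = sum(svc.cia[d] for d in ("confidentiality", "integrity", "availability"))
    score *= DATA_CLASS_WEIGHT[svc.data_class]
    if svc.critical_process:
        score *= CRITICAL_PROCESS_FACTOR
    return float(score)


def residual_risk(svc: ICTService) -> float:
    """Inherent risk reduced by the share the assessed controls are judged to mitigate."""
    return inherent_risk(svc) * (1.0 - svc.control_adequacy)


def risk_tier(svc: ICTService) -> str:
    """Map residual risk to a tier; the thresholds are assumptions."""
    r = residual_risk(svc)
    return "high" if r >= 20 else "medium" if r >= 8 else "low"


def required_clauses(svc: ICTService) -> list:
    """Phase 2: the agreement carries every clause up to and including the service's tier."""
    clauses = []
    for t in TIER_ORDER[: TIER_ORDER.index(risk_tier(svc)) + 1]:
        clauses.extend(CLAUSES_BY_TIER[t])
    return clauses


def review_vendor_report(svc: ICTService, report: dict) -> list:
    """Phase 3: findings for the internal control function from a periodic vendor report.
    report = {"incidents": [{"id", "severity", "response_measure"}],
              "kpis": {"availability_pct", "incident_response_hours"}}"""
    findings = []
    for inc in report["incidents"]:            # every incident needs a reported countermeasure
        if not inc.get("response_measure"):
            findings.append(f"{inc['id']} ({inc['severity']}): no vendor countermeasure reported")
    targets, kpis = SLA_TARGETS[risk_tier(svc)], report["kpis"]
    if kpis["availability_pct"] < targets["availability_pct"]:
        findings.append(f"availability {kpis['availability_pct']}% below SLA {targets['availability_pct']}%")
    if kpis["incident_response_hours"] > targets["incident_response_hours"]:
        findings.append(f"incident response {kpis['incident_response_hours']}h above SLA {targets['incident_response_hours']}h")
    return findings


# Constructed inventory: an outsourced ETL platform on customer data and two third-party products.
INVENTORY = [
    ICTService("customer-data ETL platform", "outsourced", "personal", True,
               {"confidentiality": 3, "integrity": 3, "availability": 3}, 0.4),
    ICTService("internal documentation wiki", "third_party_product", "internal", False,
               {"confidentiality": 1, "integrity": 2, "availability": 2}, 0.5),
    ICTService("treasury reporting tool", "third_party_product", "internal", True,
               {"confidentiality": 2, "integrity": 2, "availability": 3}, 0.5),
]

# Constructed quarterly report from the ETL vendor: one incident lacks a countermeasure.
ETL_REPORT = {
    "incidents": [
        {"id": "INC-1", "severity": "high", "response_measure": "rotated service credentials"},
        {"id": "INC-2", "severity": "low", "response_measure": None},
    ],
    "kpis": {"availability_pct": 99.7, "incident_response_hours": 3},
}

if __name__ == "__main__":
    for svc in INVENTORY:
        print(f"{svc.name}: residual={residual_risk(svc):.1f} tier={risk_tier(svc)} "
              f"clauses={len(required_clauses(svc))}")
    for finding in review_vendor_report(INVENTORY[0], ETL_REPORT):
        print("finding:", finding)
```

With these assumptions the ETL platform scores an inherent risk of 54 and, with controls judged 40% adequate, a residual risk of 32.4, so it lands in the high tier with seven clauses; the wiki lands in the low tier with two. The same 99.7% availability that would pass for a low- or medium-tier service is flagged for the high-tier ETL platform, which is the proportionality the article argues for.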
Effectively managing the third-party risk for ICT services is becoming more and more crucial for cyber security programs that aim to ensure the integrity, confidentiality and traceability of data. Though smaller financial institutions are generally more vulnerable to external ICT risks than larger ones, bigger firms are more subject to systemic issues if they mismanage these risks.
While assessing its own internal controls is already difficult for any company, understanding the effectiveness of a vendor's controls is much harder, because of the information asymmetry between a company and its third-party vendors. A holistic framework for ICT third-party risk management is a necessity for guaranteeing effective data protection against cyber security threats.
Andrea Giacchero and Jacopo Moretti both work at Cassa Depositi e Prestiti. Giacchero is the head of operational risk; Moretti is an operational risk analyst.
The opinions expressed in this article are those of the authors and do not necessarily reflect the official policy or position of Cassa Depositi e Prestiti.