Rising pressure to manage third-party cybersecurity risks
The Australian Prudential Regulation Authority (APRA) has put the spotlight on the need for financial institutions to better manage the risk of cyber attacks via third parties. Prudential Standard CPS 230 Operational Risk Management (CPS 230) states that financial services organisations must “enhance third-party risk management by ensuring risks from material service providers are appropriately managed”.
Financial services organisations may have processes and systems to identify and mitigate cybersecurity risks and threats directly faced but can still be vulnerable to an attack on a third-party supplier or partner.
APRA has ramped up pressure to ensure cybersecurity due diligence in the financial sector extends to encompass all external providers. Organisations in this sector must include third parties in their cybersecurity strategies. This means undertaking annual reviews, or sometimes several throughout the year, to enhance security training and awareness and run a continuous third-party and internal program to detect, mitigate and respond to risk.
Managing third-party risk starts on day one
When engaging a new third party, regardless of the service or product, it is critical that financial services organisations question that third party about its cybersecurity posture, with the depth of questioning based on the potential risk it represents. Typically this is focused on the information it will be managing, but mainly on the risk it represents if compromised. This includes asking what frameworks the third party uses to mitigate the risk of successful attacks and what its plans are should a threat actor breach its defences.
There are many frameworks and standards that organisations can use to ensure they are taking a best practice approach to cybersecurity. These include the Essential Eight from the Australian Signals Directorate, standards published by the National Institute of Standards and Technology from the USA, and international standards such as ISO 27001. Ask if the third party is independently assessed against one of these leading standards.
Control access to unauthorised third-party services
The ease with which employees can access online services, creating shadow IT, introduces new risks. Software as a Service (SaaS) products can provide anything from file sharing to productivity apps and scheduling tools. There are two approaches financial services organisations can apply to manage this. The first is to detect the services that have been provisioned and, if they are unauthorised, block access to them.
The second is to ask why employees are trying to use unauthorised tools, understand the underlying business need, and meet that need with a tool that has been verified to be safe.
Take a dynamic approach
The cybersecurity landscape is not static. New vulnerabilities are detected regularly, and threat actors are continually looking for new ways to breach systems to steal data and, potentially, large amounts of money. It is important to hold regular meetings with your third-party suppliers and partners and ensure time is set aside to share intelligence about cyberthreats.
This can include what threats are emerging, including information from public sources, as well as a summary of what the internal cybersecurity teams are witnessing at the coal face. In situations where regular meetings aren’t held, a short report can be shared to minimise the risk of someone being surprised.
Mergers, acquisitions and divestments are a major risk
The financial services sector is in continuous flux, with companies acquiring and divesting divisions as well as a steady cadence of mergers. It is important to understand that when an organisation takes on the benefits of a merger or acquisition, it also takes on the acquired firm's cyber risks, including all third parties associated with it. An urgent and thorough review of cyber risks, at both business and technical levels, is critical for ensuring the new venture doesn't introduce new vulnerabilities.
Trust but verify
Trust should not be implicit once initial due diligence is performed; instead, continually verify the identity of the parties connected to your systems. While you may issue a third party with a credential that enables access to your systems, have steps in place to confirm that the credential is being used by the trusted third party and not misused or shared. Continual verification minimises the risk of a stolen username and password being used to steal data or compromise your data and systems.
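One way to put the "continually verify" step into practice is to check each use of a third-party credential against the source networks registered for that vendor at onboarding, and to flag concurrent use from unrelated addresses as a sign the credential is being shared. This is an added example, not code from the article; the vendor accounts, networks and authentication log lines are constructed.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed registry of which source networks each third-party credential
# may legitimately be used from (populated at onboarding in practice).
VENDOR_NETWORKS = {
    "svc-payroll-vendor": [ipaddress.ip_network("203.0.113.0/24")],
    "svc-kyc-provider": [ipaddress.ip_network("198.51.100.0/24")],
}

# Constructed authentication log: timestamp, account, source IP, result.
SAMPLE_LOG = """\
2024-05-01T09:00:12Z svc-payroll-vendor 203.0.113.17 success
2024-05-01T09:03:40Z svc-kyc-provider 198.51.100.20 success
2024-05-01T09:04:05Z svc-kyc-provider 198.51.100.140 success
2024-05-01T09:10:00Z svc-payroll-vendor 192.0.2.99 success
2024-05-01T09:11:30Z svc-payroll-vendor 203.0.113.17 success
"""

def parse_log(text):
    """Turn the space-separated log lines into (time, account, ip, result)."""
    return [(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), acct, ipaddress.ip_address(ip), res)
            for ts, acct, ip, res in (line.split() for line in text.splitlines())]

def registered_network(account, ip):
    """Return the registered network containing ip, or None if unregistered."""
    return next((n for n in VENDOR_NETWORKS.get(account, []) if ip in n), None)

def verify_credential_use(events, window=timedelta(minutes=15)):
    """Return (time, account, finding) tuples for suspicious credential use."""
    findings = []
    recent = defaultdict(list)  # account -> [(time, ip)] of recent successes
    for ts, account, ip, result in sorted(events):
        if result != "success":
            continue
        net = registered_network(account, ip)
        if net is None:
            findings.append((ts, account, f"unregistered source {ip}"))
        # Prune old entries, then flag concurrent use from another address that is
        # not in the same registered network (a vendor's own NAT pool): sharing.
        recent[account] = [e for e in recent[account] if ts - e[0] <= window]
        for _, prev_ip in recent[account]:
            if prev_ip != ip and (net is None or net != registered_network(account, prev_ip)):
                findings.append((ts, account, f"concurrent use from {prev_ip} and {ip}"))
        recent[account].append((ts, ip))
    return findings
```

On the sample log the two KYC logins from different addresses inside the vendor's registered range are accepted, while the payroll credential is flagged once for an unregistered source and twice for concurrent use from unrelated addresses.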
The financial services sector is a prime target for cybercriminals and nation state threat actors. The ability to steal large sums of money and disrupt economies means the industry must be proactive in detecting and minimising threats. A key component is ensuring your organisation is not compromised through a third-party supplier.