FS-ISAC’s Barel: “Intelligence sharing is critical to manage third-party cyber risks”
Several high-profile attacks in the last year have highlighted the risk that cyberattacks on third-party vendors pose to financial firms, their customers and the financial system. Security principles should be part of a robust and systematic protocol for managing these third-party risks.
- Third-party security lapses have led to cyberattacks
- An attack on one vendor could impact many firms in the financial system
- Firms need a robust and systematic protocol for managing third-party risks
Recent attacks on large organisations including SolarWinds, Accellion and Kaseya, among others, have raised concerns about the growing risk posed by cyber-threat actors to institutions around the world, and especially in the Asia Pacific (APAC) region.
Third-party security lapses led to cyberattacks
Despite the recent surge in cyberattacks globally, many of which originate from third-party security lapses, cybercrime has not received as much media attention in APAC as it has in other regions. This could result in lower levels of awareness and preparedness for cyberattacks, which could ultimately lead to damaging outcomes for victims.
Furthermore, a FireEye report this year found that “dwell time” in APAC is the highest in the world at 76 days – nearly three times the global median of 24 days. This is concerning, as dwell time represents the amount of time that a cyber-threat actor has access to a network or system, from the point of initial penetration to the time they are locked out or otherwise removed.
Attack on one could impact many in the financial system
In an increasingly competitive financial services landscape, financial firms are offering more digital services than ever, as part of the digital shift in APAC that has accelerated as a result of the pandemic. A 2021 survey by cloud banking platform Mambu found that 40% of financial institutions (FIs) in APAC plan to significantly increase investment in big data, 37% expect to significantly increase spending on machine learning, and 34% are targeting ledger technologies such as blockchain.
In the race to get new digital services to market quickly, most financial firms use third-party suppliers to provide software, services, infrastructure and products to optimise their time to market and operational efficiency.
With more digital services comes an expansion of the attack surface and an increase in potential vulnerabilities to cyberattacks. FIs have a long history of robust security because of the requirement to maintain customer trust as well as compliance with regulatory demands. However, third-party suppliers, many of them relatively young technology companies, may not always have the same legacy of strong security controls or regulatory requirements.
Many firms use the same suppliers, layering an additional challenge of concentration risk, where an attack on one major vendor has the potential to impact a significant number of participants in the financial system, regionally or globally.
Robust and systematic protocols are needed to manage third-party risk
Today, financial firms are actively investing in strengthening both third-party due diligence and operational resiliency. The following security principles should be part of a robust and systematic protocol for managing third-party risk.
Adopt a zero-trust mindset. FIs’ overall strategy should seek to maximise cybersecurity on all interactions with third parties, minimising the chances that third-party vulnerabilities will impact the FIs’ systems and data. This model extends to internal systems, which further lessens the chance of lateral movement by malware and bad actors.
Implement a third-party risk management programme. FIs should systematically review documentation, processes, security protocols and personnel related to or used by a third party. This is the most common and widely used mechanism to evaluate third-party risk. However, it can be both time-consuming and labour-intensive, and thus may not be done frequently enough to keep risk assessments current.
Employ risk monitoring services to assist in evaluating the internet-facing risk posture of vendors. Employing independent sources of risk data can help with scalability, addressing the practical limitations of manual assessments. However, many services do not monitor risk in real time and are not always transparent about their assessment methodologies. Understanding the methodologies and processes behind third-party risk management assessments will help security teams devise a more holistic, actionable and proactive risk mitigation strategy, instead of simply reacting to threats when they arise.
Become a member of a global intelligence sharing organisation. No matter how many threat intelligence feeds a firm subscribes to, no single firm can anticipate all cyber threats – especially to third parties – all the time. Suppliers to the financial sector often serve firms around the world. Therefore, it is critical to share intelligence on a trusted platform that has a global reach.
Communication between firms and their suppliers should not be limited to formal assessments and reporting. Greater collaboration and intelligence sharing between firms and their third-party vendors will greatly enhance the effectiveness of any third-party risk management programme.
It is likely that third-party and even fourth-party risk will remain in the spotlight in the foreseeable future. With only a handful of firms offering business-critical infrastructure such as cloud services, and with digitisation accelerating and therefore increasing reliance on those services, concentration risk continues to grow. Financial institutions must double down on fortifying supply chain risk management, sharing cross-border industry-specific threat intelligence, and investing in operational resiliency to protect their customers and trust in the global financial system.
Christophe Barel is the managing director for Asia Pacific of the Financial Services Information Sharing and Analysis Center (FS-ISAC), an industry consortium dedicated to reducing cyber risk in the global financial system.
Views and opinions expressed in this opinion-editorial belong strictly to the authors/contributors and do not reflect that of The Asian Banker.