We recently had an opportunity to discuss the state of vendor oversight with a former FDIC examiner. During our meeting, we discussed the importance of third party oversight and how cybersecurity has converged with it to affect financial institutions.
Not a day goes by without yet another cybersecurity incident being reported. For financial institutions and regulators alike, the hacker chatter, phishing scams and data breaches of 2017 have made it obvious that information security risk is here to stay. My one prediction for 2018 is that, if anything, cyber threat schemes will only become more intense and creative.
Interestingly, the importance of data security isn’t new, although attention to and awareness of cyber threats seem to be increasing. The threat to borrowers’ non-public private information doesn’t always stem from malicious hackers, either. In some cases, simple human error is the weak link in the chain.
Recent Third Party Cyber Data
A recent report found that approximately 63% of all reported data breaches originated from third parties. Here are two notable breaches which were traced back to third party vendors:
- The most recent data breach was reported by Verizon, whose offshore third party vendor released PIN data, borrowers’ phone numbers and email accounts. At the time of this release, July 2017, Verizon had determined that only FIOS customers were impacted but had not been able to tell which customers were affected. Verizon attributed the incident to human error by a third party.
- The national retailer Target Corp. was yet another well-known company which experienced a data breach linked to a third party vendor. This breach proved costly to the retailer: as recently as May 2017, Target reached an $18.5 million settlement with 47 states and the District of Columbia. The total cost of the breach was estimated at $202 million.
Cyber Criminals Do Not Discriminate Where They Grab Information
In late 2016, the Internet Service Provider Yahoo announced that it had also suffered a breach, one dating back to 2014. Estimates of the number of hacked user accounts range from 200 to 500 million. The exposed information included dates of birth, email addresses and telephone numbers. This incident may even have affected the total selling price of the subsequent Verizon acquisition. Financial risk and reputation risk are two crucial factors left exposed after such an event.
Healthcare is another prominent holder of NPI data. In 2015, Anthem discovered a cyberattack on its IT system which impacted an estimated 80 million patient and employee records. The potential exposure would have included income data, SSNs and other sensitive data. In late July, Anthem announced a second breach of up to 18 million enrollees’ NPI. This is the second breach in two years!
Smaller Institutions At Cyber Risk Too
While the news may report the larger institutions’ cyber incidents, the smaller financial institution is equally at risk from the cyber threat:
- In 2008, a Texas-based lender settled with the Federal Trade Commission for failing to provide reasonable security to protect sensitive customer data. The allegation pointed to a third party home seller’s access to the data. Subsequently, a hacker compromised the third party’s system and obtained the lender’s login information. Hundreds of consumer credit reports were stolen. In addition to the monetary fine, the lender was ordered to have a third party risk assessment conducted by an outside IT security specialist every other year for a minimum of 20 years.
- More recently and on a larger scale, JP Morgan Chase reported in 2015 that it had been the victim of what was called the largest theft of customer data from a financial institution in US history. Estimates are that 76 to 83 million customer accounts had been accessed. According to one report, the cost of this incident was approximately $12 billion. As vendor managers, we tend to think about reputation, operational and financial risk, so the actual cost may be higher if the loss of potential new business is taken into consideration.
So far, we have determined that any institution which handles, transmits or stores NPI, or for that matter engages a third party vendor, is exposed to a cybersecurity threat.
Recent Cyber Guidance
Let’s look at the regulators and review some recent guidance.
In December 2016, the New York State Department of Financial Services (NYSDFS) amended its Cybersecurity Requirements for Financial Services Companies. While the changes were made in response to feedback, they do provide guidance on reporting requirements and on a risk-based approach to assessments of covered entities. There is specific mention of the security assessments of third party providers. In addition, the board or a senior officer of a covered entity must certify compliance with the rules annually.
The 3 key terms here are:
- Third Party Providers
It’s reasonable to expect that this area of regulatory interest will be a topic of conversation for any lender operating in the state of NY. As more states follow the NY example, this could well come to be considered a best practice for an internal oversight program.
More recently, the OCC published its Semiannual Risk Perspective. The analysis provides some great insight into the current state of the financial services industry. A few key notes from it are:
- “Operational risk continues to challenge institutions because of increasing cyber threats, reliance on concentrations in significant third party service providers, and the need for sound governance over product service and delivery.”
- “Sophisticated cyber threats continue to pose high inherent risks to an interconnected financial services marketplace. Boards and management play a critical role in establishing a sound culture and implementing effective resiliency practices."
- Cyber threats are increasing in speed and sophistication. These threats target large quantities of personally identifiable information and proprietary intellectual property and facilitate misappropriation of funds at the retail and wholesale level. Phishing is a primary method for breaching data systems and is often the entry mechanism to perpetrate other malicious activity, such as installing ransomware, accessing confidential information, compromising internal systems to effect payments or conducting espionage.
- The number, nature and complexity of third party relationships continue to expand, increasing risk management challenges for institutions. Consolidation among service providers has increased third party concentration risk, where a limited number of providers service large segments of the financial industry for certain products and services.
- Operational third party risk: Assessing information security and data protection, model risk management and third party risk management, including risks associated with third party relationships. Seven OCC supervisory staff members will evaluate bank management’s plans to respond to increasing operational risk resulting from the introduction of new or revised business products, processes, delivery channels or third party relationships.
Watch Vendor Cybersecurity Closely
Regardless of your primary regulator or state, it’s vital that all institutions recognize the current cyber threat to consumer data and their business operations.
- As the lending and financial industries embrace technology to streamline the consumer experience, reliance on third party vendors to perform services, and oversight of those who have access to NPI, will become a prerequisite in vendor approval.
- Include cybersecurity in your scope when planning your vendor management goals for 2017/2018.
- Ensure that cybersecurity due diligence is included in your vendor management examination preparation. Further guidance can be obtained on the FFIEC cybersecurity examination at ffiec.gov/cyberassessmenttool.htm.
- Expertise in adequately performing risk assessments and establishing that vendors are doing everything possible to protect the data will be a major factor in managing operational, financial and reputation risk for your organization. The proof of how well you have embraced this will be tested during the regulatory examination process or, worse still, during the fallout of a data security breach.
With all that in mind, it’s best to treat cybersecurity as a clear and present danger.
For more information on how to protect yourself from vendor cybersecurity risk, download our infographic.