Streamline Your Bank's Third-Party Vendor Management Risk Assessments
Banks and other financial institutions are a proving ground for new risk management methods. High risk and intense regulations feed into a culture of serious, comprehensive security — a culture that has manifested in mature methodologies such as the three lines of defense.
This culture has also created a “no stone unturned” approach to cybersecurity, one that undoubtedly has protected banks from serious breaches. This can be seen clearly in the third-party risk management programs of financial institutions.
Understanding that vendors could act as a backdoor for cyber criminals, mature TPRM programs go to great lengths to assess every vendor's cybersecurity performance. To accomplish this, risk management teams use a variety of methods, including cyber risk assessment questionnaires, penetration tests, and on-site visits.
However, this “no stone unturned” approach can create hidden risks. Operating with limited resources, any time devoted to assessing one vendor is time taken away from assessing another. As the third-party landscape grows thanks to new IT initiatives, this is rapidly becoming too time-intensive an approach to sustain.
Avoiding this problem requires prioritizing vendors based on the risk they pose to the organization. Only a subset of vendors will require the full assessment treatment (comprehensive questionnaire, pen test, on-site, etc.), while the rest can be adequately assessed with less effort.
New technologies can be used to supplement assessment data as well, enabling TPRM teams to streamline their bank’s vendor management risk assessments.
Creating Vendor Tiers
In order to determine which third parties require the most diligent assessments, TPRM professionals should ask themselves three questions:
- What data and systems does this vendor have access to? Third parties that could potentially access account information and PII, or get into the systems which house this data, should be considered high-priority.
- How has this vendor performed on previous assessments? Past performance doesn’t necessarily predict present security posture, but vendors that have had serious findings on earlier assessments should be watched more closely than those with clean records.
- What is this vendor’s security rating? Using a continuous monitoring solution, TPRM teams can get a near-real-time assessment of a vendor’s risk based on externally observable risk factors. Security ratings are numerical expressions of this risk.
Taking these three data points into account, risk management teams can construct a list of their vendors arranged from most to least critical.
Using Vendor Tiers
Those vendors at the top of the list — the ones with access to the most critical data and systems, the worst performance on past assessments, and the lowest security ratings — should receive the traditional “no stone unturned” treatment. These are the vendors who are most likely to be involved in a data breach, and they should receive the longest questionnaires, be subject to the most comprehensive pen tests, and, if possible, should be visited in person by a TPRM team member.
However, those vendors farther down the list — the ones with less access to critical data and systems, higher security ratings, and better past performance — represent opportunities to streamline the cyber risk assessment process.
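A minimal implementation of the tiering described in the two sections above, written here as an added example rather than code from the original article or from Bitsight. The three inputs are the ones the article names (data access, past assessment findings, security rating); the weights, tier thresholds, the 250–900 rating scale, the low-rating escalation rule, and the sample vendors are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Ordinal weight for the data and systems a vendor can reach. The levels and
# their weights are assumptions for this example; adapt to your data classification.
DATA_ACCESS_WEIGHT = {
    "account_data": 3,  # account information / PII, or the systems that house it
    "internal": 2,      # internal systems that hold no regulated data
    "public": 1,        # only public-facing or non-sensitive interfaces
    "none": 0,          # no technical access at all
}

RATING_MIN, RATING_MAX = 250, 900  # assumed rating scale
LOW_RATING = 500                   # assumed escalation threshold

# Assessment plan per tier: tier 1 is the full "no stone unturned" treatment.
TREATMENT = {
    1: ["full questionnaire", "comprehensive pen test", "on-site visit"],
    2: ["shortened questionnaire", "scoped pen test"],
    3: ["shortened questionnaire", "continuous monitoring between assessments"],
}


@dataclass(frozen=True)
class Vendor:
    name: str
    data_access: str        # key of DATA_ACCESS_WEIGHT
    serious_findings: int   # serious findings on past assessments
    rating: int             # externally observed security rating


def risk_score(v: Vendor) -> float:
    """Composite criticality in [0, 1]; higher means assess more thoroughly."""
    access = DATA_ACCESS_WEIGHT[v.data_access] / 3
    history = min(v.serious_findings, 3) / 3                    # cap so one bad year cannot dominate
    rating_risk = (RATING_MAX - v.rating) / (RATING_MAX - RATING_MIN)  # low rating -> high risk
    # Access to critical data carries the most weight: that is what a breach exposes.
    return round(0.5 * access + 0.2 * history + 0.3 * rating_risk, 3)


def assign_tier(v: Vendor) -> int:
    s = risk_score(v)
    tier = 1 if s >= 0.6 else 2 if s >= 0.35 else 3
    # Override: a rating that has collapsed earns a closer look even for a
    # low-access vendor, because the external signal is current and the
    # questionnaire may be a year old.
    if v.rating < LOW_RATING and tier > 1:
        tier -= 1
    return tier


def assessment_plan(v: Vendor) -> list[str]:
    return TREATMENT[assign_tier(v)]


def tier_vendors(vendors: list[Vendor]) -> list[tuple[str, float, int]]:
    """Rank vendors from most to least critical, with score and tier."""
    ranked = sorted(vendors, key=risk_score, reverse=True)
    return [(v.name, risk_score(v), assign_tier(v)) for v in ranked]


# Constructed sample inventory; names and figures are fictional.
SAMPLE_VENDORS = [
    Vendor("core-banking-saas", "account_data", serious_findings=2, rating=620),
    Vendor("payroll-provider", "account_data", serious_findings=0, rating=800),
    Vendor("marketing-agency", "internal", serious_findings=1, rating=700),
    Vendor("office-supplies-portal", "public", serious_findings=0, rating=780),
    Vendor("catering", "none", serious_findings=0, rating=450),
]

if __name__ == "__main__":
    for name, score, tier in tier_vendors(SAMPLE_VENDORS):
        print(f"{name:24} score={score:.3f} tier={tier} plan={TREATMENT[tier]}")
```

The ranking puts the core-banking vendor (regulated data, prior findings, middling rating) at the top for the full treatment, while the caterer lands in tier 2 rather than 3 only because of the escalation rule; without the rating override it would be assessed last. Record the weights and thresholds you settle on alongside the tier list, since examiners will ask how a vendor ended up in the tier it did.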
Streamlining Assessments
There are many ways to streamline the risk assessment process for a low-risk vendor.
TPRM teams might choose to skip the vendor on-site. They could also perform a narrower-scoped penetration test, or forgo it altogether.
The most scalable way to streamline assessments is to shorten your risk assessment questionnaires.
Shortening Questionnaires
The key to shortening your bank’s vendor management risk assessment questionnaires is to take advantage of security ratings, like those offered by Bitsight.
Bitsight Security Ratings are continually updated analyses of an organization’s security posture based on externally observable data. In addition to an overall rating which gives the organization an at-a-glance view of their vendors’ security performance, Bitsight users can also look at ratings for individual risk vectors, such as:
- Botnet Infections
- Spam Propagation
- Malware Servers
- Open Ports
- TLS/SSL Certificates
- Patching Cadence
- And many more
This analysis is automatic — it doesn’t require any input from the vendor or from the third-party risk management team. Best of all, Bitsight Security Ratings are updated daily, giving banks a current view of their vendors’ security performance between assessments.
Security ratings are not a replacement for cyber risk assessment questionnaires: they measure only what is externally observable, so questions about internal controls such as access management, data handling, and incident response still need to be asked. However, by leveraging the data available via the Bitsight platform, TPRM teams can remove questions that overlap with observed risk vectors. Some Bitsight customers have reported reducing their surveys by up to 50%.
The Benefits of Shorter Questionnaires
Shorter risk assessment questionnaires enable a range of improvements to third-party risk management programs.
Shorter assessments take less time to customize, complete, and analyze, meaning they can be sent more frequently, closing potentially dangerous gaps in a bank’s risk knowledge.
In addition, shorter assessments are simpler for vendors to fill out, which won’t go unappreciated. This is one way to improve your bank’s relationship with its vendors — and a strong relationship is as important as anything when it comes to remediating potential security risks.
Conclusion
Banks don’t necessarily need to respond to a growing third-party network by committing more resources to third-party risk management.
In fact, banks can achieve a comparable level of security by redistributing resources away from assessing the least risky vendors and into assessing the most critical ones. New technologies are making this redistribution simple.