Insights blog.

You’re responsible for information security at your organization. You dedicate yourself every day to identifying weaknesses and patching vulnerabilities in your network. You’ve developed policies to protect employees from cyber threats. You’ve designed procedures for responding in the event of a data breach, and you’ve practiced those procedures with company stakeholders.

In March 2017, the New York Department of Financial Services (NYDFS) cybersecurity regulations—known as 23 NYCRR Part 500—went into effect. According to the regulation, “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law” is considered a covered entity and must comply.

Compliance, at its core, is a legal responsibility. It is defined as “act or process of doing what you have been asked or ordered to do.” Creating a successful vendor compliance program isn’t as simple as asking third parties to comply with your security requests or pestering them to answer your security risk assessment questions.

You can’t go more than a few weeks (or sometimes a few days) without hearing about yet another company whose data was compromised after hackers gained access through a third-party vendor. These attacks show that it’s no longer enough to secure only your own network from cyber attacks—you have to ensure your vendor networks are secured as well.

In today’s expanding business ecosystem, managing vendor risk is becoming increasingly critical to protecting companies’ sensitive data. With new threats emerging daily and companies continuing to outsource, vendor risk management is an issue that will only grow in affecting organizations and their business partners. According to a recent Navex Global study, the ability to promptly resolve newly identified risks is a top challenge for organizations’ third party risk management programs.

In today’s security climate, talk of proper cybersecurity procedures must include discussion of a continuous monitoring plan that applies both internally and externally (with the company’s third-party vendors). And while continuous monitoring is critical to the health and well-being of your company, it’s also incredibly challenging to do.

As a U.S.-based company, you may be asking yourself, “Does my company need to prepare for the EU’s General Data Protection Regulation (GDPR)?” Simply put, if you process personal data for anyone in the European Union, the answer is very likely yes.

In a report focused on cybersecurity in the banking and financial sector, Bitsight researchers examined the security performance of more than 5,200 organizations in the Legal, Technology, and Business Services industries. These organizations—monitored by Finance organizations on the Bitsight Security Rating Platform—represent a critical part of the financial services supply chain. Our report shows a number of findings representative of information security in banking and financial industry.

This August, Bitsight announced the release of several new risk vectors specifically chosen to help organizations identify and manage risks across their own networks and the networks of their third parties. Bitsight chose those new risk vectors to enhance the insights across the “spectrum of risk” and provide a more comprehensive picture of an organization’s security posture.

October is Cybersecurity Awareness Month, which offers organizations the opportunity to thoroughly examine their security and risk programs and identify where any vulnerabilities might exist. Here at Bitsight, we talk about risk management every day. However, we have to practice what we preach — our IT Team offered some insight into areas where organizations can improve their network health not just this month, but regularly.

Ransomware is rapidly becoming one of the most common forms of malware distributed on systems all over the world.

Reducing cyber risk that stems from third and fourth party vendors is no easy task. It requires that organizations not only have the ability to continuously monitor and identify new risk, but also the ability to work with their vendors to fix security issues quickly. Getting to risk reduction quickly means that both organizations are communicating effectively, using data and evidence rather than conjecture to make progress.

When it comes to vendor risk management, organizations ultimately need their vendors to meet the same standard of security performance they hold for their own organization. For years, the Finance industry has been a trailblazer in managing the risk posed by vendors, suppliers, and business partners. However, are vendors in the Finance supply chain meeting the same level of security performance held by Finance organizations?

The goal of cybersecurity is to help mitigate or prevent a cyber attack that could cause significant harm to your business, your operations, your financial performance, or your customers. But organizations with mature cybersecurity programs are increasingly aware of the fact that they cannot address every cyber threat since bad actors will continually find ways to hack and mine data. Instead, they choose to focus on preventing catastrophic attacks from taking place.

The financial services industry is known for its mature cybersecurity programs. There are many drivers for this, one being the increasingly strict regulatory environment. For example, the Office of the Comptroller of the Currency (OCC) indicated in early 2017 that financial service companies should be prepared for examiners to evaluate third-party cybersecurity.