Managing Vendor Risk Complexity: Insights from Financial Institutions

Managing Vendor Risk Complexity: Insights from Financial Institutions

Earlier this week I had the privilege of attending the invitation-only BNY Mellon 2015 Third Party Risk Management Symposium. The keynote speaker was General Keith Alexander, former Director of the National Security Agency. General Alexander painted a big (scary) picture of our national security and then quickly tied his remarks to the topic at hand: vendor security. He predicted that nation states like North Korea will come after the financial services industry with distributed denial of service (DDOS) attacks, combined with “wiper” malware, through their vendors’ networks. (Wiper malware was used in the recent attacks against Sony-- the first time this type of attack was used against a business operating in the U.S.)

Financial firms are frequently themselves the targets of information security attacks and have been working together through organizations like the FS-ISAC to further improve. The general’s statement reinforced the fact that they need to start treating their vendors and business partners as extensions of their own enterprises.

The Challenges of Managing Vendor Risk

It’s not easy to manage risks across your vendor portfolio, especially when your organization has thousands or even tens of thousands of vendors. The challenges were highlighted in all three panels, whose titles reveal what’s top-of-mind for the largest financial institutions in the world:

  • Building a Third Party Risk Management Program for the Future – Be Prepared!
  • Taking a Proactive Stance on Third Party Risk Management to Meet Regulatory Compliance
  • Third Party Assessments – Are They Enough?

Panelists and audience members from global organizations-- ADP, Citigroup, Credit Suisse, Goldman Sachs, and Wells Fargo, to name a few-- contributed to the lively discussions. Some have more mature vendor risk management (VRM) programs than others, but all acknowledged that developing these programs is especially challenging given the threat landscape and increasing regulatory scrutiny.

Classifying Vendors

Classification of vendors is one of the key steps to take in VRM, and one panelist gave some hints to how they tier their vendors. They develop an inherent risk rating based on the following:

  1. Access to sensitive data (if ‘Yes,' this triggers an automatic risk review)
  2. Mobile access
  3. Criticality to the business
  4. Cloud offerings

The risk rating determines whether the vendor falls in one of 4 categories:

  1. Most critical (<50 vendors, even for the largest organizations)
  2. Critical
  3. Major spend
  4. Active

Note that it’s not always about the size of the vendor but also the level of access they have. The Target breach showed us that a non-strategic vendor -- an HVAC provider -- had network access that led them to the billing system. General Alexander highlighted the need for network segmentation amongst your vendors, which can only be done once you’ve classified them.

Current Tools for Vendor Classification

One of the key tools firms use today to help with classification is a standard questionnaire or assessment, the size of which varies dramatically. Some attendees have 12-question surveys while others have more than 1,000. These questionnaires are time-consuming to administer and only show a point in time. Further, panelists pointed out that they often don’t represent reality.

The Way Forward

The general consensus was that we must move toward more evidence-based questionnaires and tools. SOC 2, on-site visits, penetration tests, and Bitsight Security Ratings were mentioned by the panelists. Security Ratings were highlighted by panelists and audience members alike as a great way to objectively and continuously monitor vendors. All of the information factored into the ratings is publicly accessible, so no information or permission is needed by the vendors, which is another key advantage attendees pointed out.

While it won’t be easy, these leading institutions are paving the way to a more secure future. Together, they are collaborating to find better ways to combat the bad guys. As one panelist put it best: “Third party risk management is the tide that’s going to lift us all.”