Keith Donnelly, Fintech Solutions Provider, Vice President, Global Head of Risk & Compliance
- Vendor cyber risk evaluation must include a basic security scan, using a security tool that identifies the vulnerabilities of assets visible on the public internet and rates the vendor's security health.
- Once a vendor is on board, conduct periodic security reviews and control checks across your vendor portfolio. Set the frequency of these reviews according to the type of services each vendor provides.
Managing cyber risk posed by third-party vendors in the financial services industry is critical for several reasons. The most obvious reason is that financial services is a high-value target to which malicious hackers pay a great deal of attention. Another reason is that third parties are typically the weakest links in a financial services company’s attack surface.
Keith Donnelly, vice president of global risk and compliance at Broadridge, notes that “When you think of financial services, you must consider the weakest link in the chain of potential threat vectors. That link is often the vendors that provide noncritical services.” Many companies focus on the biggest, most critical vendors, but it’s the little ones that provide noncritical services that can be points of exposure—precisely because they attract so little attention.
It’s important that those in management understand the risk of working with a vendor before they onboard that vendor. This knowledge comes from a risk evaluation methodology that includes contracts that specify the service level and data-handling practices your business requires and give you the right to perform security audits on the vendor.
This is an excerpt from 7 Experts on Evaluating and Managing Supply Chain Risk. This eBook was generously sponsored by BlueVoyant.