Reducing Third-Party Cybersecurity Risk: It’s All About Vigilance
A critical tenet of cybersecurity is understanding that data is always on the move. Third-party vendors, though essential to doing business, can pose a risk of exposing sensitive member data. In fact, 59 percent of organizations say they’ve experienced a vendor-related data breach1. When you consider outsourcing a function or service to a third party, the best approach is to measure risk vs. reward. The primary point to keep in mind is that even when your member data is in the hands of a vendor, its protection remains your credit union’s responsibility.
Understand Your Data
Before you engage any vendor, it’s important to understand what type of data you collect – whether it’s personally identifiable information (PII) such as Social Security numbers or personal health information (PHI) for HR purposes – and how you store and grant access to these data sources. You should also have a clear sense of your credit union’s own data security standards so that you have a benchmark against which to judge potential vendors.
With that analysis in hand, you can begin to weigh the benefits of a specific vendor relationship against the costs. One handy method to achieving this is to create a numerical score that indicates the risk that a vendor represents based on a series of questions. For example:
- Will the vendor have access to member and/or employee data? If not, the risk could be considered low. If the vendor has access to non-PII information, the risk is greater. Vendor access to full member records would typically receive the highest risk score.
- Will the vendor have access to the credit union’s network? Vendor access to your network risks creating breaches indirectly, using the vendor as a gateway for malware or other types of attacks. The vendor’s risk score depends on the degree of access.
- How susceptible is the vendor function to frequent changes in regulations and laws? Privacy regulations are becoming increasingly complex. The most prominent example is the European Union’s General Data Protection Regulation (GDPR), but new regulations are being enacted around the world. If your vendor is compliant today, there’s no guarantee it will be compliant tomorrow.
Set the Terms of the Relationship
Once you understand your data and the access that your vendor requires, you need to perform due diligence to understand your vendor’s security program and set ongoing expectations. You must also be certain that your credit union has the capacity to maintain ongoing oversight of vendors, particularly those with access to sensitive data:
- Set your criteria. Define your minimum acceptable security standards and use this as the basis from which to assess vendors.
- Create apples-to-apples vendor comparisons. Create a cybersecurity assessment questionnaire using a resource like the NIST Framework2, which provides recommended guidelines for managing security risks, to compare vendors and to conduct a security audit of their processes.
- Conduct due diligence. Ask key questions about each vendor’s technology capabilities, incident response plan, and what data security standard they adhere to, such as NIST or GDPR. Also learn more about each vendor’s security infrastructure, including whether the vendor has a security officer and established data security policies.Remember that third-party and vendor risk management is an ongoing process. Your initial due diligence must continue throughout the vendor relationship.
If your credit union outsources key functions or services to third-party vendors, it inevitably takes on greater risk. You can mitigate this risk by choosing vendors that make cybersecurity a priority. To learn more about how you can mitigate your cybersecurity risks, see our new infographic and sign up for our 3-email educational series today.
Beyond IT: How to Create an Organization-wide Cybersecurity Culture
- Skip to Main Content
- Americas Fastest Growing Homebuying Demographic
- Beyond IT
- Credit Union Trends Report
- Cyber Security: Millions of Dollars On the Line
- Economic Commentary: 2018 Tax Cuts and Jobs Act
- Economic Commentary: Indicators Investors Should Monitor To Understand Market Direction
- Economic Commentary: The US Equity Market Outlook and Valuations
- Help Your Credit Union Stand Out from the Competition
- How Risk Aversion Impacts Wealth Management
- Inflation Guard
- IRS Limits Adjustments for 2018
- Is There a Cost to Convenience
- Lessons Learned for Charitable Giving
- Medicare and Social Security
- Member Perceptions Are Reality
- NCUA amends regulations on fidelity bonds
- Pandemic shines a light on need to help members with investments
- Ransomware Attacks Continue as Predominant Cyber Issue
- Reducing Third-Party Cybersecurity Risk
- Retain Your Top Talent
- SERP Checklist
- The Changing Retirement Landscape
- The History of the Dow Why Risk Control Matters More Than Ever
- Ties That Bind SERP
- Whats In Store for Investors in 2018 and Beyond
- Where Does Financial Advice Fit in the Age of Information
1 BuckelySander and Treliant Risk Advisor, Ponemon Institute: Data Risk in the Third-Party Ecosystem PDF. November 2018. 2 NIST, Framework for Improving Critical Infrastructure Cybersecurity. 16 April 2018.
CUNA Mutual Group is the marketing name for CUNA Mutual Holding Company, a mutual insurance holding company, its subsidiaries and affiliates. Insurance products offered to financial institutions and their affiliates are underwritten by CUMIS Insurance Society, Inc. or CUMIS Specialty Insurance Company, members of the CUNA Mutual Group. Some coverages may not be available in all states. If a coverage is not available from one of our member companies, CUNA Mutual Insurance Agency, Inc., our insurance producer affiliate, may assist us in placing coverage with other insurance carriers in order to serve our customers’ needs. CUMIS Specialty Insurance Company, our excess and surplus lines carrier, underwrites coverages that are not available in the admitted market. Cyber policies are underwritten by Beazley Insurance Group or other nonaffiliated admitted carriers. CSS-2407331.1-0219-0321