Outsourcing providers may promote themselves as trusted partners to their clients, but when it comes to cybersecurity risk, financial services firms would be wise to treat them as an extension of their own business — with all the hard scrutiny and ongoing monitoring of vulnerability they do inside their own corporate walls.
And maybe more, because these third-party providers add potential cyber-risk that is not under their clients’ direct control, said security experts at last week’s Securities Industry and Financial Market Association’s technology gathering in New York.
The idea makes sense, but the execution raises questions — such as what standards will be required, and how to oversee them. Regulators have already put financial firms on alert that cybersecurity is now a compliance issue. The US Securities and Exchange Commission (SEC) will be examining the cybersecurity policies and programs of asset managers as part of its examination process, while the Financial Industry Regulatory Authority (FINRA), the self-regulatory agency for broker-dealers, says it will do the same in that industry sector.
With fund managers and broker-dealers on the hook for the security of their sensitive data, there’s no question that they will also be liable for the security of the data if it’s handled by third-party contractors, and even the subcontractors that they may use. This message was delivered loud and clear to attendees at last week’s SIFMA Tech event. “Financial firms will now have to more closely monitor their third-party and even fourth-party providers for cybersecurity preparedness,” warned Robert Ganim, chief information security officer and global head of business continuity planning for Neuberger Berman in New York and a panelist at a cybersecurity presentation.
Such monitoring will mean more than just filling out an annual self-assessment check list. And although financial firms typically don’t communicate with such fourth parties, they will have to start leaning heavily on third-party providers for assurance they know what they and their contractors are doing to protect critical customer and transaction data. “Getting such assurance was always standard practice, but it will be taking on greater importance in the coming months as financial firms formulate and document the procedures they will use to address cybersecurity concerns,” said Ganim.
Third-party providers include custodians, fund administrators and IT application and hardware hosting shops. In turn, those firms may rely on yet another external supplier, a fourth party. A fund manager that outsources a business process could discover that it has not just one but two or even three suppliers to monitor. With outsourcing an increasingly popular option, it stands to reason that fund managers’ oversight workload — and liabilities — will snowball.
Research conducted by FSO Knowledge Exchange showed that in 2012 alone fund managers took up about a third of all global outsourcing deals followed by broker-dealers at 30 percent — the greatest increase among industry sectors evaluated from the previous year. While investment management firms had experienced a decline in outsourcing contracts, FSO KX expected the trend to reverse itself as they looked to concentrate on reinventing their investment strategies. Middle-office functions such as risk and compliance, performance measurement, performance attribution, and trade lifecycle management are the business processes most often outsourced.
Ganim and other panelists at the SIFMA event didn’t address the current state of preparedness for cybersecurity risk control, but there is other evidence that organizations are ill-equipped to address information technology and other security risks that come from outsourcing, according to a study released last month by the Shared Assessments Program and consulting firm Protiviti. Based on responses from 450 IT and risk management professionals, the survey found a general lack of mature risk practices in outsourcing relationships, as well as insufficient resources and staff to meet current best practice standards.
Voluntary Standards
Just what is best practice in cybersecurity is still an open question. So far, the regulatory guidance has leaned toward voluntary and internally developed standards, rather than offering prescriptive rules. Although the US National Institute of Standards and Technology (NIST) has come up with a broad framework for the financial and other industry sectors to address cybersecurity, outsourcing-related risk apparently isn’t addressed in depth. “I’d like to see more information on third- and fourth-party risk within the NIST’s standards,” said Ganim. Still, he added, the Department of Commerce-sponsored agency has succeeded in promoting a common language for all of the participants in the “supply chain” to evaluate their own and their partners’ capabilities.
Another cybersecurity model that addresses exactly this problem of risk posed by third-party suppliers is emerging from a group of ten financial firms — including Aetna, Citibank, Morgan Stanley and Thomson Reuters. The Third Party Software Working Group, sponsored by the Financial Services Information Sharing and Analysis Center (FS-ISAC), recommends that financial firms evaluate the maturity of their suppliers’ software and product development efforts using a process known as the Building Security In Maturity Model, or BSIMM. Companies should also evaluate the software for defects and vulnerabilities, and review their suppliers’ use of open-source libraries and frameworks.
Ganim’s advice: an ounce of prevention can go a long way. “Before signing an outsourcing contract, do a solid due diligence of where data will be located and how it will be protected,” he recommended. “Talk to all of your vendors and even their partners, if possible.” The goal is to incorporate a comprehensive list of security requirements into outsourcing contracts and service level agreements, including ongoing reporting mechanisms to evaluate cybersecurity status.
Without such oversight, there is no way to monitor the vulnerability of data handled by third parties. Any part of the supply chain could be a target for hackers, so any potential weakness in data security needs to be identified and secured. Vendor contracts need to stipulate that third-party service providers carry their own insurance and be as detailed as possible on financial liability in the case of a data breach, compliance specialists attending the SIFMA Tech event told FinOps Report. “Such due diligence is necessary to ensure potential reimbursement for shareholders and to mitigate the potential of a shareholder lawsuit for breach of fiduciary duty in not vetting the vendor properly before a contract was signed,” said one compliance director at a New York brokerage firm.
For financial firms subject to existing contracts, Peter Allor, security strategist for federal critical infrastructure at IBM Security Systems in Atlanta who also spoke at the SIFMA Tech event, suggested that they will have to be quickly revisited. “There will need to be a review and constant monitoring of cybersecurity preparedness,” he said.
Such oversight, said a compliance director from a New York fund management firm, should include information on how service providers have already prevented attempted data breaches and how quickly they responded to mitigate the damage from any which did occur. “It’s a parallel process to what should occur within one’s own shop,” he said. “Reports also need to be evaluated not only by IT and compliance specialists, but the chief executive, chief financial officer, chief information officer and even board of directors.” The reason: the buck, or legal liability for any data breaches, rests with them.
Although data breaches may still take place regardless of just how diligent financial firms are in analyzing the entire supply chain of providers, at the very least they can show regulators, customers and vendors that they did their best to prevent them.