Financial regulators just named cybersecurity as one of their top concerns going into 2018, with a heap of worry specifically about third-party contractors supporting the financial system.
So for compliance officers looking for yet another reason to move third-party risk management up the priority scale, now you have one.
The alarm was raised last week in the 2017 report of the Financial Stability Oversight Council. (That’s the council of U.S. financial regulators mandated by the Dodd-Frank Act, to help coordinate regulatory policy and anticipate future financial crises.) Financial firms have come to rely on technology service providers so much, the report said, that a poor understanding of their cybersecurity postures could create risk for the financial system overall:
Maintaining confidence in the security practices of third-party service providers has become increasingly important, particularly since financial institutions are often serviced by the same providers. The Council encourages additional collaboration between government and industry on addressing cybersecurity risk related to third-party service providers, including an effort to promote the use of appropriately tailored contracting language.
What’s more, the FSOC even raised the idea of regulating tech providers in a more uniform fashion, so the current patchwork of supervision doesn’t allow cracks in the system that others could exploit:
[T]he authority to supervise third-party service providers continues to vary across financial regulators. The Council supports efforts to synchronize these authorities and enhance third-party service provider information security. The Council recommends that Congress pass legislation that grants examination and enforcement powers … to oversee third-party service providers and encourages coordination among federal and state regulators in the oversight of these providers.
Wow. When a group of Republican regulators tell a Republican Congress that they might need more regulation, you know things are bad.
Will Congress actually respond to these ideas? Probably not, given the floundering leadership in Washington these days. But the fundamental point — that service providers can now pose dire cybersecurity risk to the financial sector and many others — is not news to compliance officers. So let’s ponder a few other points about how to manage third-party risk in useful ways right now.
The Business Imperative
First, consider the FSOC’s true worry here. Regulators are one party, acting to protect the interests of a second party: the public, which ultimately supports and pays for the financial system. Regulators do that by imposing standards on third parties (financial firms) — and now regulators are worried about the tech service providers supporting those financial firms.
In other words, the FSOC is really worried about fourth-party risk to the financial system.
This underlines a point I’ve been making for a while: the better your firm is at at managing third-party risk, the more attractive you become as a third party yourself. After all, your third parties are your customer’s fourth parties. Fourth-party risk is where your customers start to get antsy, because they can’t easily see what those risks might pose to them. They don’t have visibility into those distant parties.
And that’s what third-party risk management is all about: making your supply chain more transparent, so you can see those risks more clearly. So any compliance program that can achieve that transparency, and pass that assurance along to your customers, will have a strategic advantage over your rivals.
The compliance community likes to talk a lot about the strategic advantage of a strong compliance program. This is the most urgent example. When your board or CFO start complaining about that budget request for more investment in third-party governance, remind them: “If we can’t govern our third parties and possible cybersecurity risk, eventually we’ll get locked out of courting financial services firms.” That’s why investing in third-party governance is worth it.
Three Practical Challenges
So what bumps will compliance and audit officers hit on the road to better cybersecurity assurance? A few come to mind.
Scoping SOC 2 audits. A SOC 2 audit examines a service provider’s data security controls. A Type I audit determines whether vendor’s controls are designed properly at a certain point in time; a Type II audit examines whether the controls work as designed for a set period of time.
Yes, your big firm can probably squeeze an eager vendor to pay for the SOC 2 audit — but scoping the audit correctly is still your responsibility. If the scope is too narrow, you might miss risks that the vendor has, but weren’t audited; if the scope is too broad, you’ve wasted money on “over-compliance” for risks you won’t face.
I wrote a longer essay about scoping SOC 2 audits earlier this year for Reciprocity Labs, if you want to read more there. Suffice to say, you need to understand your own firm’s cybersecurity risks, and the risks of outsourcing some data functions to a vendor, and the vendor’s own security protocols, to do this well.
Implementation of NIST protocols. NIST has several sets of controls it recommends for cybersecurity. They are an outstanding resource, and should be adopted. The FSOC praised NIST, and urged financial regulators to keep current with new advances in the NIST standards as they evolve.
In the private sector, compliance officers, audit executives, and internal control departments should examine the standards and see how to implement those controls into your own operations — and this is especially true for tech service vendors themselves. NIST 800-171 is the standard government contractors are supposed to use to comply with DFARS, which spells out cybersecurity standards if you want to bid on defense contracts.
I have another essay, and companion white paper, about the NIST standards that I wrote for Rapid7 earlier this year. Companies may have a long want to go for compliance, but the NIST standards are the clear destination.
Preparing for more scrutiny. The Securities and Exchange Commission already pressures companies to disclose cybersecurity concerns as risk factors. Good news: many more companies are. According to a report from Intelligize released last week, the number of firms disclosing cybersecurity as a risk factor went from 426 in 2012 to 1,680 this year.
The bad news: those disclosures usually don’t say much, and they certainly don’t capture the full picture of risk from tech service providers. Hence the SEC is talking about enhanced disclosure of cybersecurity risk, or even required disclosure of cybersecurity incidents. (Imagine filing a Form 8-K to disclose a breach every time you have one.)
Likewise, the Public Company Accounting Oversight Board wants audit firms to step up their scrutiny of your cybersecurity risks. I still struggle to understand what that scrutiny will look like in practice, since cybersecurity breaches rarely lead to a material risk of misstated financial results — but that’s the point, really. Regulators know they need to do more about cybersecurity; they just aren’t quite sure what.
I suspect many of us feel the same way.