Investigating a vendor’s cybersecurity can be a time-consuming hassle. Wouldn’t it be nice if you could pay someone else to monitor and report back on a vendor’s cyber risk? That’s the appeal of cybersecurity ratings. Firms provide scorecards on third-party vendors’ cyber risk, supposedly making it easier for financial institutions to manage their own risk.
But these scorecards mostly provide a false sense of security. Here are three reasons why:
- They use only public data. Cybersecurity ratings companies comb through publicly available data and plug it into an algorithm to come up with a score. The problem is that only a handful of the things you need to know are available in public documents, leaving many other areas unexamined. The ratings firms can tell you whether a vendor’s website is restricted or up-to-date, but they can’t get at the non-public facts that matter. After all, if a vendor is experiencing problems, there is a high probability that the cause of those problems is not visible in public data.
- Vendors won’t give you details of a problem. If the cybersecurity ratings company uncovers a problem, you’ll know there’s a potential problem, but the vendor isn’t obligated to remedy the issue. What exactly was the problem? Why is it a problem? Has the issue been exploited to defeat any security measure? Were they following procedures? Vendors have no obligation to respond, or to respond completely.
- The vendor will fix the problem anyway. Name one financial institution that avoided harm by buying a cybersecurity rating. I bet you can’t. When a cybersecurity ratings company finds a problem, the vendor hears about it and fixes it for everyone, not just the client who notified it of the problem. Let someone else buy the cyber-scorecard and tell the vendor to fix the problem. You can win without spending any resources.
Instead of wasting money on cybersecurity ratings, make sure you’re receiving timely, accurate and relevant reports from your vendors and taking the time to review them. Your vendor agreement should be structured so that the audit rights and reports you need to understand and monitor cyber risk are available to you. It should also include detailed information about breaches, covering everything from potential damages to how the vendor will handle them.
Last year the FDIC’s Office of Inspector General’s evaluation, Technology Service Provider Contracts with FDIC-Supervised Institutions, found that many financial institutions’ contracts fall short when it comes to cyber incident response. Many contracts don’t address vendor responsibility for assessing and responding to incidents, including determining the potential effect on the institution or its customers, or reporting to and notifying authorities. Even when contracts require notification, most don’t require the vendor to:
- assess the nature and scope of potential incidents, including the information and systems accessed and the possible harm, inconvenience or misuse of data that could result;
- contain and control incidents so as to preserve evidence;
- provide detailed incident response and recovery metrics; and
- remedy the situation if it failed to meet response and reporting standards.
Rather than paying someone to worry about tracking public information, put your effort into making sure your institution has a vendor agreement that gives you the information you need to control cyber risk and then making the most of that data.