Investigating a vendor’s cybersecurity can be a time-consuming hassle. Wouldn’t it be nice if you could pay someone else to monitor and report back on a vendors’ cyber risk? That’s the appeal of cyber-security ratings. Firms provide scorecards on third-party vendors’ cyber risk, supposedly making it easier for financial institutions to manage their own risk.
But these scorecards mostly provide a false sense of security. Here are three reasons why:
Instead of wasting money on cybersecurity ratings, make sure you’re receiving timely, accurate and relevant reports from your vendors and taking the time to review them. Your vendor agreement should be structured so that the audit rights and reports you need to understand and monitor cyber risk will be available to you. They should also include detailed information about breaches, including everything from potential damages to how the vendor will handle them.
Last year the FDIC’s Office of Inspector General’s evaluation Technology Service Provider Contracts with FDIC-Supervised Institutions found that many financial institutions’ contracts fall short when it comes to cyber incident response. Many contracts don’t address vendor responsibility for assessing and responding to incidents, including determining the potential effect on the institution or its customers or reporting and notifying authorities. Even if they require notification, most don’t include information requiring a vendor assess the nature and scope of potential incidents, including information and systems accessed and the possible harm, inconvenience or misuse of data that could result; contain and control incidents to preserve evidence; provide detailed incident response and recovery metrics; and remedy the situation if it failed to meet response and reporting standards.
Rather than paying someone to worry about tracking public information, put your effort into making sure your institution has a vendor agreement that gives you the information you need to control cyber risk and then making the most of that data.