What kind of trends are you seeing in the risk and compliance space at the moment?
There’s no question that, at the moment, firms are on high alert—there is constant news around cyber breaches. Whether institutions are being forced to address the issue because of regulation, or whether it’s the board that’s afraid of the threat a cyber event could pose, it’s something firms are focusing on.
Companies are just starting to understand that there is tremendous exposure in an environment where outsourcing has become the norm. If you’re sharing your data, or if your operations are based on another company’s technology, then those third parties become an extension of your technology environment. We are seeing businesses recognise the importance of third parties in cyber risk, and taking that risk very seriously.
Opus’s focus is on identifying, mitigating and reporting on customer and third-party risk, to allow our customers to make fast and confident business decisions. The idea is that risk and compliance can be a business advantage, rather than a drag. If you know who your third parties and customers are and you can manage those relationships effectively, that’s a competitive advantage.
There are two types of companies: those that have experienced a cyber breach, and those that don’t yet realise they’ve experienced a cyber breach. Chief information officers are facing a very difficult environment in which they can go to their operation centres, check their indicators, speak with their staff and conclude that they’re fine. The next day, news of a malware attack could surface, and they can still believe they’re safe, because all their systems seem up to date. In fact, the opposite is true, because their third parties had not updated their own systems.
A lot of the infrastructure in these companies is run by third parties, and according to Trustwave research, some 63 percent of data breaches are either caused by, or come through, third parties, so it’s a problem of epic proportions.
A cyber attack could put a company out of business; it could knock down the company’s market cap; and it could create tremendous reputable damage.
How do you begin to address that problem?
It is similar to many other areas in that, disciplines and best practices that have been around for a while, if followed properly, will provide a very good defence.
There are very well-developed cybersecurity standards such as the ISO 27001 standards, which essentially provide a list of prescriptive defences, worked out over a period of many years by experts in the field. If you follow those carefully, you are more likely to be safe.
We specialise in extending this discipline into the third-party space. You can apply best practices in cybersecurity to your own environment, but you can’t control third-party environments in the same way, so the game is played a bit differently.
It’s about trust, and about verifying that trust. Every third-party exercise begins with a segmentation process—an inventory of the third-party population. That can be very difficult, depending on the company we’re working with. Some have many different lists of vendors, and duplicate vendor records that have to be reconciled.
By collecting data on those vendors, firms can figure out the risks third parties could potentially expose them to, and what controls they should have.
Then, firms assess the third party’s controls by talking to them, inspecting their facilities and reviewing the documentary evidence supplied, in order to identify any potential deficiencies in the environment. Vendors can be asked to improve in any areas where they’re not up to a firm’s standards, and contractual agreements can be bought in to enforce that those standards are met. After the cycle of assessment and remediation, they will need to continue monitoring the providers on a periodic basis through audits and assessments. That is best practice today.
If those third parties are sharing data, should firms be assessing fourth parties, and beyond? How far should that go?
It’s very hard to assess fourth parties. Vendors don’t typically want their clients assessing their own third parties, who they will have their own agreements with. The thing to be aware of is concentration risk.
If a firm has, for example, 50 third-party software providers, providing a combination of cloud and software-as-a-service technology models, it will need to know where those providers host the applications it uses.
If 10 of them host on Amazon web services and five host on Microsoft AZURE, that poses a concentration risk; if something happens to Amazon, that’s going to affect 20 percent of the firm’s solution.
The question is in how to ensure safety in that respect, and that’s a worry that goes beyond fourth or even fifth parties and creates some very complex issues.
How prepared are financial institutions to manage these risks?
We’re talking about very regulated institutions, some of which have very mature third-party and cybersecurity practices. They’re not surprised. They’ve been through this before. The surprises come from breaches in areas where they didn’t expect them.
A lot of the big banks will do very intensive audits and monitoring of their key provider relationships, but these relationships may not be where the real risks lie. The risk can come from smaller, but still crucial, relationships where they don’t have the same level of spend, but it’s those innovative new financial technology firms that might not be as ‘buttoned down’—they don’t have their own security practices as well in hand.
A lot of big financial services companies are not applying the same level of rigour to that middle tier of providers. That’s a bigger group, with a larger population, and it’s harder to assess, but that’s the area firms should really be focusing on now.
