Reducing third-party cybersecurity risk: it’s all about vigilance
A critical tenet of cybersecurity is understanding that data is always on the move. Third-party vendors, though essential to doing business, can expose sensitive member data. In fact, 59 percent of organizations say they have experienced a vendor-related data breach [1]. When you consider outsourcing a function or service to a third party, the best approach is to weigh the risk against the reward. The primary point to keep in mind is that even when your member data is in a vendor's hands, its protection remains your credit union's responsibility.
Understand your data
Before you engage any vendor, it’s important to understand what type of data you collect — whether it’s personally identifiable information (PII) such as Social Security numbers or personal health information (PHI) for HR purposes — and how you store and grant access to these data sources. You should also have a clear sense of your credit union’s own data security standards so that you have a benchmark against which to judge potential vendors.
With that analysis in hand, you can begin to weigh the benefits of a specific vendor relationship against the costs. One handy method of achieving this is to create a numerical score that indicates the risk a vendor represents, based on a series of questions. For example:
- Will the vendor have access to member and/or employee data? If not, the risk can be considered low. Access to non-PII information scores higher, access to PII higher still, and access to full member records would typically receive the highest risk score.
- Will the vendor have access to the credit union's network? A vendor connection can become an indirect path to a breach: an attacker who compromises the vendor can use its connection as a gateway for malware or other attacks on your systems. The vendor's risk score depends on the degree of access, so a vendor that touches no member data but connects into your network still deserves a meaningful score.
- How susceptible is the vendor function to frequent changes in regulations and laws? Privacy regulations are becoming increasingly complex. The most prominent example is the European Union’s General Data Protection Regulation (GDPR), but new regulations are being enacted around the world. If your vendor is compliant today, there’s no guarantee it will be compliant tomorrow.
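As an added illustration, not code from the original article, the scoring method described above as a small Python program: each of the three questions becomes an enumerated answer, the answers are combined with weights into a score, and the score is mapped to a tier. The weights, thresholds, "floor" rules (a vendor with full member records is always high risk, and a vendor with broad network access is never low risk even if it holds no data), reassessment intervals and the five sample vendors are all assumptions made for the example.

```python
from dataclasses import dataclass
from enum import IntEnum


class DataAccess(IntEnum):
    """What member or employee data the vendor can reach (question 1)."""
    NONE = 0          # no member or employee data at all
    NON_PII = 1       # aggregate or otherwise non-identifying data only
    PII = 2           # some PII/PHI fields, e.g. names or Social Security numbers
    FULL_RECORDS = 3  # complete member records


class NetworkAccess(IntEnum):
    """How deeply the vendor connects into the credit union's network (question 2)."""
    NONE = 0     # no connection; any data is exchanged out of band
    LIMITED = 1  # one application or interface over a restricted connection
    BROAD = 2    # interactive or administrative access to internal systems


class RegulatoryVolatility(IntEnum):
    """How exposed the outsourced function is to changing privacy law (question 3)."""
    LOW = 0
    MEDIUM = 1
    HIGH = 2


# Assumed weights: data exposure dominates, network reach next, regulatory churn least.
WEIGHTS = {"data": 3, "network": 2, "regulatory": 1}
MAX_SCORE = (WEIGHTS["data"] * max(DataAccess)
             + WEIGHTS["network"] * max(NetworkAccess)
             + WEIGHTS["regulatory"] * max(RegulatoryVolatility))  # 15

# Assumed reassessment cadence per tier, in days (tighter oversight for higher tiers).
REVIEW_INTERVAL_DAYS = {"high": 365, "medium": 730, "low": 1095}


@dataclass(frozen=True)
class VendorAnswers:
    name: str
    data: DataAccess
    network: NetworkAccess
    regulatory: RegulatoryVolatility


def risk_score(v: VendorAnswers) -> int:
    """Weighted sum of the three answers, in the range 0..MAX_SCORE."""
    return (WEIGHTS["data"] * v.data
            + WEIGHTS["network"] * v.network
            + WEIGHTS["regulatory"] * v.regulatory)


def risk_tier(v: VendorAnswers) -> str:
    """Map a score to a tier. The floor rules stop one severe answer from being
    averaged away by harmless answers to the other two questions."""
    score = risk_score(v)
    if v.data == DataAccess.FULL_RECORDS or score >= 10:
        return "high"
    if v.network == NetworkAccess.BROAD or score >= 5:
        return "medium"
    return "low"


def rank_vendors(vendors):
    """Highest risk first; ties broken by name so the output is stable."""
    return sorted(vendors, key=lambda v: (-risk_score(v), v.name))


def vendor_report(vendors):
    """(name, score, tier, reassessment interval) for each vendor, highest risk first."""
    rows = []
    for v in rank_vendors(vendors):
        tier = risk_tier(v)
        rows.append((v.name, risk_score(v), tier, REVIEW_INTERVAL_DAYS[tier]))
    return rows


# Constructed answers for five hypothetical vendors (not taken from the article).
SAMPLE_VENDORS = [
    VendorAnswers("core-processor", DataAccess.FULL_RECORDS, NetworkAccess.BROAD, RegulatoryVolatility.MEDIUM),
    VendorAnswers("payroll-saas", DataAccess.PII, NetworkAccess.LIMITED, RegulatoryVolatility.HIGH),
    VendorAnswers("web-analytics", DataAccess.NON_PII, NetworkAccess.NONE, RegulatoryVolatility.HIGH),
    VendorAnswers("hvac-remote-monitoring", DataAccess.NONE, NetworkAccess.BROAD, RegulatoryVolatility.LOW),
    VendorAnswers("landscaping", DataAccess.NONE, NetworkAccess.NONE, RegulatoryVolatility.LOW),
]


if __name__ == "__main__":
    for name, score, tier, days in vendor_report(SAMPLE_VENDORS):
        print(f"{name:24} score {score:2}/{MAX_SCORE}  tier {tier:6}  reassess every {days} days")
```

The network-only vendor is the case worth noticing: its weighted score (4) falls below the medium threshold, yet the floor rule still keeps it out of the low tier, because a compromised connection into your network is a breach path regardless of how little data the vendor holds.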
Set the terms of the relationship
Once you understand your data and the access that your vendor requires, you need to perform due diligence to understand your vendor’s security program and set ongoing expectations. You must also be certain that your credit union has the capacity to maintain ongoing oversight of vendors, particularly those with access to sensitive data:
- Set your criteria. Define your minimum acceptable security standards and use this as the basis from which to assess vendors.
- Create apples-to-apples vendor comparisons. Create a cybersecurity assessment questionnaire using a resource like the NIST Cybersecurity Framework [2], which provides recommended guidelines for managing security risks, so that every vendor answers the same questions and you can compare them and review their processes on the same basis. Keep in mind that questionnaire answers are self-reported; for higher-risk vendors, ask for evidence such as independent audit reports to back them up.
- Conduct due diligence. Ask key questions about each vendor's technology capabilities, its incident response plan, which security standards or frameworks it follows, such as the NIST Cybersecurity Framework, and which privacy regulations, such as GDPR, it must comply with. Also learn more about each vendor's security infrastructure, including whether the vendor has a security officer and established data security policies. Remember that third-party and vendor risk management is an ongoing process: the due diligence you perform up front must continue throughout the vendor relationship.
If your credit union outsources key functions or services to third-party vendors, it inevitably takes on greater risk. You can mitigate this risk by choosing vendors that make cybersecurity a priority. To learn more about how you can mitigate your cybersecurity risks, see our new infographic and sign up for our 3-email educational series today.