Cyber risk has been a hot topic in recent months, not least because of the huge IT challenges companies have had to overcome during the COVID-19 crisis. In an increasingly digital work environment, organisations are exposed to a complex and evolving set of risks. In particular, many companies could do more to address their Third-Party Cyber Risk – risks arising from external or affiliate service providers with weak or compromised IT infrastructures. In Financial Services, monitoring the financial, operational and other risks posed by these entities has been common practice for years – but comprehensive cyber analysis is less common. In this article, we discuss Third-Party Cyber Risk and what Thomas Murray will be doing in 2021 to help our clients manage it.
Third-Party Risk Management: What is Cyber Risk?
Third-party cyber risk is a growing area of scrutiny for companies with significant exposure to third parties, particularly in the financial industry where the financial, regulatory and reputational consequences of a failure can be so acute.
Thomas Murray’s clients manage large networks of third parties, including banks, financial infrastructures and fund counterparties. This exposure to external or affiliate service providers needs to be carefully managed in order to safeguard investors’ assets throughout the investment lifecycle. Third-Party Cyber Risk is a critical component of this risk management.
Cyber risks can emerge in a variety of ways, some of the most common being:
- Malware – malicious software designed to disrupt, damage or gain unauthorised access to a computer, server, client or computer network and sensitive data on them;
- Phishing – where an attacker sends fraudulent electronic communications or otherwise impersonates a trusted party to induce individuals to give up sensitive information;
- DDoS Attacks (Denial of Service or Distributed Denial of Service) – an interruption in authorised users’ access to a computer network. This is usually what’s meant when a website is “brought down by hackers”, and it is what halted the New Zealand Stock Exchange in August.
- Direct server or workstation breach – an attacker using existing vulnerabilities in software to bypass protection and gain access to a computer, networking hardware or computer network.
- ...and a number of others including Spear Phishing, MitM attacks, Trojans, Ransomware and attacks on IoT devices.
Cyber attacks can have a huge array of consequences, including direct monetary loss, regulatory fines, loss of personal data and loss of business due to reputational damage. Examples abound, and we are all familiar with them.
The Financial Industry experienced the third-highest number of cyber attacks in 2019, after Government agencies and industry, according to analysis from Positive Technologies. The same report stated that the volume of cyber attacks is increasing year on year, that attacks are increasingly targeted, and that they are focusing more and more on stealing information. Criminals target financial institutions because that is where the money is, but instances of data theft accounted for 66% of financial services attacks in 2019.
The Industry’s Response
To demonstrate how seriously the industry takes this issue, most financial institutions now have either a Chief Information Security Officer or another C-suite director with primary accountability for third-party cyber risk.
In addition, in recent years a whole industry has emerged to support financial institutions and other companies in managing their Third-Party Cyber Risk. Many of these are security ratings services that continuously assess third parties’ cybersecurity performance, alerting companies when there are issues and providing resolution services to fix them.
According to analysis undertaken by BitSight and CeFPro, 97% of respondents said that cyber risk affecting third parties is a “critical” or “important” issue – but only 22% are currently using a security ratings service. Of that 22%, it is likely that companies are only monitoring the third parties that they already deem high risk, or those that are critical service providers. There is a fallacious belief in some quarters that the larger a service provider – or the more exposure one has to it – the bigger the cyber risk associated with it; while this can be true, it is certainly not always the case.
Thomas Murray’s Response
Thomas Murray currently monitors hundreds of third parties on behalf of clients, including custodian banks, cash banks, CSDs, CCPs, transfer agents and many more. In 2021, we will roll out cyber ratings across these third-party risk assessments, to provide clients with continuous monitoring of third parties’ IT infrastructures. Crucially, these ratings will extend to every entity we assess – rather than just critical service providers – in order to provide comprehensive risk analysis of third-party networks.
The ratings are based on a thorough analysis of companies’ network footprints, and have been developed by Thomas Murray Technologies in partnership with established industry providers. The ratings and company footprints are constantly re-evaluated, using state-of-the-art methodology and a custom Machine Learning solution.
The rating methodology addresses a wide variety of cyber security aspects observable from outside the organisation, and uses several dozen in-house checks and trusted third-party sources to assess each public component of an organisation’s network. Those checks and sources are aggregated into a single organisation cyber-score indicator on a scale of 0 to 1000. The aggregation methodology is carefully designed to provide enough variability to serve as a useful and comprehensible indicator across the monitored third parties.