Wow, how much technology has changed in the past 15 years? I remember when “vendor” reviews were uncommon, technology was hosted in-house in 95% of businesses, and arguments were made that a bad actor would never make it past the firewall. How about that?
Well, here we are now, “vendor” reviews are key control and are now called third-party reviews because vendors have vendors and one layer isn’t enough, technology is externally hosted in 95% of businesses, and firewalls are not near enough to keep bad actors out.
The changes leading to this new state of technology are that the cloud and the Internet of Things (IoT) have made technology more affordable and Information Technology (IT) talent more accessible than ever. As always, this presents new challenges and risk tradeoffs.
I imagine you or someone you know was impacted by the outage caused by CrowdStrike recently. This is a good example of Supply Chain Risk, one of the risks we traded off for access to affordable and talented IT services. The impact of a single bad software update brought many industries down worldwide, disrupting services for days, even weeks in some instances. Flights were grounded, fuel, healthcare, and financial services were unavailable, it was an estimated $5.4 billion loss in Fortune 500 companies alone.
This is just the latest example of Supply Chain Risks, right? We have had some other examples in SolarWinds, MOVEit, Kaseya, etc.
I am not saying I am against outsourcing IT services, that would be a bit hypocritical, right? What I am saying is that we need to be aware of the risks involved and manage these appropriately. After all, we can never outsource our risks and the responsibility to run our businesses. So, we need to manage and ask the same of these services as we used to when they were under our own management. I have heard all the excuses about "we have no power in those relationships, we are lucky they work with us", etc. Honestly, those attitudes are a bit of a victimhood mindset and get us nowhere but trouble. There are many providers out there who would love the level of service and revenue a financial institution requires. If they aren’t meeting the mark do yourself a favor and start looking for other providers, they are out there! This is the silver lining of that cloud mentioned earlier…. more opportunities than ever!
How do we manage this risk? I’d say two big ways to mitigate this risk:
- Due Diligence- DO THIS BEFORE YOU SIGN…please. Ask about how this product or service is managed. Dive under the hood. Think about what could go wrong and how it would impact you. How do they control risk themselves? Are there documented, repeatable, measurable processes in place? Do they understand and comply with GLBA? Do they have disaster plans in place? Do they perform background checks on employees? Third Party Risk Management is no longer a compliance exercise, it is now part of business risk management. Use that contract you waited to sign as a risk mitigation tool. Put the required process, compliance, and risk management practices in the contract. It’s too late if you’ve already signed their contract as presented, they’ve put in what’s important to them…I promise that. Don’t let it be a one-sided relationship.
- Have backup plans- Yes, when the CrowdStrike incident happened, many institutions had core, compliance, and other services down and they kept servicing customers and members because of these plans. We stood out among the less prepared industries and that was a great feeling. We need to continue to use this capability—plan for those vendors to fail or cause a compromise of your systems and data. I promise you it will happen, it’s just a matter of when and to what extent. Have a paper and pen backup process in place. Document, test, and train employees on those. Have an incident response plan in place for the compromise. Test those plans with the third party. Make sure everyone knows their responsibility in those cases and put it in the contract.
If you can do those things to the extent possible, you will be more prepared than most and have mastered Supply Chain Risk, at least for today. If you need help with this, please contact us at support@bedelsecurity.com.
--
Source:
https://www.parametrixinsurance.com/reports-white-papers/crowdstrikes-impact-on-the-fortune-500