FinXTech Intel 2023 report final 2 - Flipbook - Page 22
CYBERSECURITY AND INFORMATION SYSTEMS
By: Kiah Lau Haslett
Fintech partnerships often increase a bank’s technology stack, or the software, processes and systems a company uses to conduct its operations. New technology is added on top of older technology that is never fully retired, which can make it hard for IT staff to sift through these layers to monitor the entire security environment of the bank.

Security technologist Bruce Schneier wrote in 1999 that “The worst enemy of security is complexity.” That observation has gotten only more acute in the near-quarter century since he wrote those words. There are more ways than ever to break into a bank virtually, as partnerships forge more connections to a bank’s internal systems and create more points of entry for malicious actors.

“We are always adopting new technology before we figure out how to defend it, how to secure it,” says Chuck Herrin, chief technology officer of Wib Security. “Every single iteration is an attack surface you have to manage.”

The Office of the Comptroller of the Currency’s 2022 fall semiannual risk perspective noted that operational risk is increasing due to cyberattacks becoming more sophisticated and an upward trend in ransomware attacks targeting banks’ service providers and other third parties in recent months. Those attacks use compromised credentials of the service provider to gain access to its networks. If not detected, the attackers can traverse the network to access the provider’s bank customers and target those institutions with ransomware or other extortion campaigns. The vulnerability of banks to attacks has increased as the number of vendors they use has increased, Bank Director magazine reported in 2021.

Banks cannot make themselves invincible, but they can prepare by making themselves resilient. One way to do that is by assessing the information security program of their third-party vendors as part of their risk management programs, “including identifying, assessing, and mitigating known and emerging threats and vulnerabilities,” according to the 2021 proposed joint regulatory guidance on third-party relationships. Smaller institutions may need to work with an external consultant who has the knowledge and resources to conduct a thorough assessment of these vendors.

The proposed guidance contains considerations for bank executives to assess when evaluating a third party’s information security and incident reporting programs, excerpted below:

• Consider the consistency of the third party’s information security program with the banking organization’s program, and whether there are gaps that present risk to the banking organization.
• Determine whether the third party has sufficient experience in identifying, assessing, and mitigating known and emerging threats and vulnerabilities.
• When technology supports service delivery, assess the third party’s data, infrastructure and application security programs, including the software development life cycle, and results of vulnerability and penetration tests.
• Consider the extent to which the third party uses controls to limit access to the banking organization’s data and transactions, such as multifactor authentication, end-to-end encryption and secured source code management.
• Evaluate the third party’s ability to implement effective and sustainable corrective actions to address deficiencies discovered during testing.
• Review the third party’s incident reporting and management programs to ensure there are clearly documented processes, timelines and accountability for identifying, reporting, investigating and escalating incidents.

89% of bank leaders say they have invested in cybersecurity in the last 18 months.
Source: Bank Director’s 2022 Technology Survey
20 | FINXTECH INTELLIGENCE REPORT
POWERED BY BANK DIRECTOR