Cyber Risks Force Banks to Rethink Vendor Relationships

Hefty questionnaires have long been a favored method for banks to perform due diligence on service providers, but financial companies are suggesting to regulators that these are increasingly inadequate.

Vendor risk management is becoming a crucial area of cybersecurity, particularly as banks move operations to the cloud and asset managers hire third parties to manage their technology.

Banks worry that weak controls at technology providers could allow hackers into their own systems. Regulators are also concerned that a cyberattack that takes down a major financial company could destabilize markets.

Questionnaires, even long ones, “actually provide a limited understanding of the true business risks that a firm faces when using a vendor,” said Jason Harrell, head of business and government cybersecurity partnerships at the Depository Trust & Clearing Corp., the institution that settles all stock trades in the U.S. He was speaking at a meeting of the Commodity Futures Trading Commission’s technology advisory committee on Oct. 3.

Such documents usually seek a range of information on various topics and fail to provide any substantial information on areas like cybersecurity, Rick Holland, chief information security officer at security firm Digital Shadows Ltd., said in an interview.

“They represent a snapshot in time and are primarily a box-checking exercise designed to reflect a modicum of due diligence,” he said.

During the committee hearing, Mr. Harrell said that the documents can involve hundreds of questions, many allowing for only yes or no answers, which limits their utility.

Regulators have become increasingly focused on cybersecurity risk management. Earlier this year, the Securities and Exchange Commission sent several questionnaires to investment advisers asking about security arrangements with their cloud service providers. The SEC in May issued an alert cautioning broker-dealers and investment advisers about the risks associated with storing customer records in the cloud.

The CFTC, meanwhile, fined futures broker Phillip Capital Inc. $1.5 million in September after hackers compromised the firm’s email system and withdrew $1 million in client funds. Of the total, $1 million was earmarked for client restitution. The regulator’s last cybersecurity-related fine was in February 2018, when it fined AMP Global Clearing LLC $100,000 for failing to properly supervise a third-party technology supplier.

Precisely what could either augment or replace the maligned questionnaire is unclear. Full audits of vendors are labor-intensive and expensive, Chris Morales, head of security analytics at software provider Vectra AI Inc., said in an interview. That means such an exercise generally makes sense for only critical suppliers.

Steve Durbin, managing director of the Information Security Forum, a nonprofit that advises organizations on cybersecurity issues, said that financial firms should move away from “outdated” processes like questionnaires. Instead, he said, they should focus on monitoring and protecting their networks and understanding how suppliers interact with them.

“The implications [of third-party breaches] are stark and the potential impacts very real,” he said.

During the CFTC meeting, Mr. Harrell suggested that vendors could be forced to comply with a set of cybersecurity and resilience standards, needing certification showing they comply in order to provide services. Gary DeWaal, special counsel at law firm Katten Muchin Rosenman LLP and a member of the CFTC technology advisory committee, questioned who would issue those certifications.

“How can industry participants be satisfied that the accreditation, or certification, means anything?” he asked.

Mr. Harrell replied that financial firms and regulators would have to collaborate to figure that out and the industry recognizes that the system needs improvement.

“For the last 15 or 20 years, we’ve been using this questionnaire-based approach and maybe the threat landscape has changed enough now where that is no longer enough to provide reasonable assurance [about a vendor’s cyber resilience],” he said.