3 Key Reasons You Should Know Your Service Provider
November 16, 2015 | DevOps |
Increasingly, regulators are coming to recognize the importance of third party firms to the financial services industry broadly, and to the DevOps community specifically. For the past few years, a pattern has emerged in which regulators place increased emphasis on how financial institutions work with, rely upon, and share sensitive data with third party firms.
With no end in sight to how prevalent third party firms are in the financial infrastructure, it makes sense to look at a few highlights related to their role:
- For years, the FFIEC has argued that regulated financial institutions must review the way in which outsourced firms, which service the smaller segment of the US banking market, access and store their data. The scope of these rules extends across availability, controls, audit readiness, attestations (e.g. SOC I, SOC II, etc.), and standards such as those described by ISACA, NIST, the Shared Assessments Program, and others. How those regulatory rules, controls frameworks, and standards expand and morph in the coming years, driven by a continually expanding and more elaborate threat environment, remains to be seen. One thing’s for sure: the status quo is certainly not a given.
- Recent large-scale data breaches have resulted from vulnerabilities within third party firms. In the U.S., there are many examples of this. Just look at how an HVAC firm was implicated in the massive Target data breach, or how the marathon charity-race organizers were identified by investigators as the main culprit in the large JPMC data breach. It is important to keep in mind that outside the public limelight there are undoubtedly even more scenarios that occur. In short, third party service providers of seemingly little relevance to the main organization they are servicing oftentimes serve as the soft underbelly of these financial services firms.
- Recently, the SEC and FTC – neither of which has historically issued specific rules and requirements having to do with cybersecurity – are pushing into this realm and into the third party handling of data. This focus, which stems from the point I made above, will continue to grow if the past 12-18 months are any indication. To make matters worse, the hurry to issue regulations in response to recent cybersecurity incidents makes it difficult for examinees and other regulated entities to be truly prepared within the prescribed time-frame.
So, what does this all mean?
- Well, firstly, how well you know the data practices of your downstream 3rd party firms is critical. Even if this is not something that regulators are asking you about, it is only a matter of time until they do.
- Secondly, it is key that you can demonstrate to your shareholders and internal stakeholders (e.g. internal audit, infosec, etc.) how your 3rd party service providers are protecting your data. Again, if they’re not yet asking you for this sort of information, make no mistake – they will shortly.
- And finally, if those 3rd party service providers know you are watching them and are able to audit them remotely, this is likely to reinforce a strong culture of data integrity, data protection, and general best practice when it comes to access, authorization, and authentication. Research shows that changing cultural perceptions is a critical first step in such situations.