Third Party Cybersecurity: A Salient Concern for the U.S. Banking System

by Michelle Krasniak

Earlier this year, staff economists from the Federal Reserve Bank of New York published a report on the effects of a potential cyberattack on the U.S. banking system. In Cyber Risk and the U.S. Financial System: A Pre-Mortem Analysis, Thomas Eisenbach, Anna Kovner and Michael Junho Lee model various cyberattacks on the wholesale payments network. The study explores the intersection between finance and technology and concludes that a cyberattack on any one of the five largest U.S. banks could have exponential ramifications for the entire U.S. financial system. Recent news articles have highlighted the study’s summation that if a cyberattack were to breach the banks’ technologies, “the reconciliation and recuperation process would be an unprecedented task”. What most of these summary articles did not report, however, is that the analysis also includes a scenario involving the banks’ third party service providers, and that the consequences of a cyberattack on those third party providers would be of greater magnitude.

Pre-Mortem Analysis and Third Party Cybersecurity Risk Management

The study identifies third party cybersecurity as a “salient concern,” particularly when multiple banks share common third parties. The results of the “Technological Commonality” scenario show that a successful cyberattack on a common third party could trigger a “systemic event” throughout the U.S. financial system.

The analysts explain the difficulty of managing third party cybersecurity risk, especially for smaller institutions that have limited resources. Regardless of a financial institution’s size, however, organizations have difficulty understanding the business ecosystems formed by their third, fourth and fifth party relationships.
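To make the “technological commonality” idea concrete, here is an added example (written for this page; it is not code from the Federal Reserve report or from CyberGRX). It models a constructed bank-to-provider dependency graph and ranks each provider by how many banks would be affected, directly or through fourth and fifth parties, if that provider were compromised. All bank and provider names are placeholders, and the dependency data is invented for illustration.

```python
"""Shared-dependency (technological commonality) analysis over a constructed
bank -> provider -> sub-provider graph.  Names and edges are hypothetical."""
from collections import defaultdict

# Constructed dependency map: each entity depends on the providers listed.
# Banks depend on third parties; those third parties depend on fourth parties, etc.
DEPENDENCIES = {
    "BankA": ["PaymentsHubCo", "CloudHostX"],
    "BankB": ["PaymentsHubCo", "CoreBankingY"],
    "BankC": ["CoreBankingY", "CloudHostX"],
    "PaymentsHubCo": ["CloudHostX", "CertAuthZ"],   # fourth parties of the banks
    "CoreBankingY": ["CertAuthZ"],
    "CloudHostX": ["CertAuthZ"],                     # fifth party via PaymentsHubCo -> CloudHostX
}

BANKS = {"BankA", "BankB", "BankC"}


def transitive_providers(entity, deps=DEPENDENCIES):
    """Return every provider reachable from `entity` (third, fourth, fifth party ...).
    A visited set guards against cycles in the dependency data."""
    seen, stack = set(), list(deps.get(entity, []))
    while stack:
        provider = stack.pop()
        if provider in seen:
            continue
        seen.add(provider)
        stack.extend(deps.get(provider, []))
    return seen


def blast_radius(deps=DEPENDENCIES, banks=BANKS):
    """Map each provider to the set of banks whose supply chain includes it."""
    radius = defaultdict(set)
    for bank in banks:
        for provider in transitive_providers(bank, deps):
            radius[provider].add(bank)
    return dict(radius)


def commonality_ranking(deps=DEPENDENCIES, banks=BANKS, threshold=2):
    """Providers shared by at least `threshold` banks, most widely shared first.
    These are the candidates for a 'systemic event' if compromised."""
    shared = [(p, sorted(b)) for p, b in blast_radius(deps, banks).items()
              if len(b) >= threshold]
    return sorted(shared, key=lambda item: (-len(item[1]), item[0]))


def direct_vs_indirect(bank, deps=DEPENDENCIES):
    """Split a bank's exposure into providers it contracts with directly and
    providers it only reaches through its third parties (the part a bank's
    own vendor inventory typically does not show)."""
    direct = set(deps.get(bank, []))
    indirect = transitive_providers(bank, deps) - direct
    return direct, indirect


if __name__ == "__main__":
    for provider, banks in commonality_ranking():
        print(f"{provider}: shared by {len(banks)} banks -> {banks}")
    direct, indirect = direct_vs_indirect("BankC")
    print("BankC direct:", sorted(direct), "| indirect:", sorted(indirect))
```

In the constructed data, the most widely shared dependencies are a certificate authority and a cloud host that no bank lists as a direct vendor, which is the point the report makes: a vendor inventory built only from direct contracts underestimates commonality. On real data the same walk would be run over an inventory that records each provider's own material providers.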

CyberGRX for Financial Institutions

Recognizing this complexity and the importance of third party cybersecurity, the Federal Reserve has issued numerous Supervision and Regulation Letters, including SR 13-19 / CA 13-21, providing guidance on third party risk management for outsourced business activities to each Federal Reserve bank and the institutions it supervises. The Fed’s guidance covers the elements that are, in principle, needed to manage third party risk, such as performing third party cybersecurity risk assessments, continuously monitoring the third party’s cybersecurity and instituting third party business continuity plans, but it does not solve the overarching problem of understanding the interconnectedness of these institutions.

CyberGRX not only understands how these business ecosystems are interconnected, but has also used this knowledge to create a proprietary marketplace where organizations can work together to generate quality, reliable information and actionable insights about third party businesses’ cybersecurity risk. One CyberGRX banking customer stated, “We all use the same third parties,” recognizing that her organization, and any similar financial institution, will immediately benefit by belonging to the CyberGRX Exchange because it will have access to current, validated risk information for the thousands of companies already assessed on the Exchange.

The collaboration does not stop there. Because so many organizations are reviewing information about another business’s cybersecurity, each business being reviewed has a strong incentive to address any existing cyber threats, making the ecosystem stronger and more resilient. CyberGRX applies a modern approach that makes third party cybersecurity risk management more efficient, less costly and more effective through its Exchange, an international community where organizations of all industries and sizes contribute information about the interdependencies between businesses and their cybersecurity. The CyberGRX Exchange continuously strengthens these relationships by securing industry ecosystems, making the world a safer place through systemic cooperation and the distribution of cybersecurity best practices.