The Know-Your-Third-Party approach in financial services

The last cybersecurity-related blog entry of this special and ineffable 2020 is about the Know-Your-Third-Party approach, which allows for the standardisation of third-party oversight processes, including managing cybersecurity risks proactively.  

The more technology spreads across the world of work, the more financial institutions rely on software applications and specialised IT service providers. In fact, to live up to the growing demands from customers, they search for support outside the organisation.

Third parties, then, are becoming a fundamental component for the business, creating room for financial institutions to focus on strategy, innovation, growth and development matters while they take charge of more operational and often repetitive tasks. For clarification, a third party is any body or entity your business has a relationship with. Suppliers, service providers and vendors, however, are the most common entities grouped under that term.

Although teaming up with third parties is a well known, convenient strategy for financial institutions regardless of their size, it brings inherent risks linked, for instance, to quality, cybersecurity or digital fraud

Third-party management and, by default, the associated risk management, has gained in importance as IT managed services, IT outsourcing and the use of third parties grow. Regulators, hence, are more and more attentive to these practices and the regulatory compliance built around them. Remember, when a business outsources certain operations, it remains accountable for any cybersecurity attack or data breach.

That’s why embracing the Know-Your-Third-Party approach is a smart move for regulatory compliance, risk management and operational efficiency. Read through the article and learn how it works in the case of cybersecurity. 

Note: For readability, we use the term “vendor” as a generic for all the types of third parties. 

Assessing vendors associated risk

For instance, a bank or insurer that commonly works with numerous vendors requires them to complete an assessment questionnaire. By means of an exhaustive form, financial institutions determine vendors’ risk levels in several domains—including cybersecurity—based on controls the latter have put in place to mitigate them and address them. 

Assessing a handful of vendors periodically might be perfectly doable but when the list includes dozens or even hundreds of them, the process—repetitive and time intensive —becomes tedious and difficult to handle. Also, the more complex the organisation, the more difficult is to perform a consistent and uniform assessment because different units or departments are involved.

That’s why adding a risk management component to your Know-Your-Third-Party approach can be a game changer. It helps financial institutions to simplify risk management for third party vendors, centralises it, and makes it more pragmatic. 

All organisations, but especially the large ones, need to prioritise their investments in time and budget. The Know-Your-Third-Party approach guarantees that the most critical services are first assessed and so the associated risks covered.

Simply put, with a proper Know-Your-Third-Party approach, risks can be managed timely and proactively. In addition, it makes the assessment of new providers and the consequent onboarding process better. 

An important observation is that, although this approach is nowadays a key component of any financial institution’s action plan to manage third party risks, especially digital, it should be smartly orchestrated with the others—compliance, reputational and operational risks—that you shouldn’t leave unattended.  

Why is it important to manage risks associated with vendors? 

Working with vendors exposes financial institutions to different risks. Following the Know-Your-Third-Party approach is especially important for a more transparent, informed and controlled assessment of high-risk vendors processing sensitive client data, intellectual property or other susceptible information.

Let’s say you’re an insurer outsourcing the management of your network infrastructure to a vendor. You need to trust, but always verify, your vendors’ processes in terms of how prepared they are to face cybersecurity threats or attacks and how resilient they are if a data breach happens. 

The Know-Your-Third-Party approach helps determine whether the controls the vendor has implemented are enough compared to how critical the service is for the financial institution. 

Know-Your-Third-Party in Luxembourg

Although Know-Your-Third-Party isn’t really new, it isn’t yet used extensively. The reality tells us that some companies still prioritise costs rather than a solid security plan. In our recent publication Out of the shadows: CISO’s in the spotlight, 88% of respondents declared to outsource at least one IT function, however, a considerable 30% of them don’t use a questionnaire to monitor their third party security.

In today’s context, IT security and, by extension, cybersecurity should be considered unavoidable investments at any financial service business. 

Not enough attention to them can cause serious reputational damage, client dissatisfaction and regulatory penalties. And once trust in you is lost, there is no bulldozer, not even the most advanced and expensive, that can clean, in the short or medium term, the debris of a lost reputation.

Based on our experience, the banking and insurance sectors are more and more embracing the Know-Your-Third Party approach. We’ve also seen some large companies in the transportation sector doing so. 

Although it varies per business and its reality, the set of questions (assessment form) for the vendors revolve around similar subjects. The most recurrent are business continuity (BCP) and disaster recovery (DR) plans, physical and environmental security (Phys/Env security) and information systems (InfoSys). 

The ultimate goal of Know-Your-Third-Party is determining the criticality of each vendor and its risk maturity level in an efficient way so the financial institution can prioritise work and future plans. It’s the CISO that orchestrates vendors due diligence and makes sure that each business owner determines their maturity level. 

Some vendors have taken one step forward and have got certified under ISO 27001, the international standard for information security. Although it eases the assessment processes, it doesn’t replace it. 

While ISO 27001 certifies that the vendor manages information security processes following a standardised approach, each organisation should also determine the risk level posed by the vendor depending on the service it provides.   

Getting a hand from Know-Your-Third-Party specialists

Because of the growing number of vendors a financial institution works with, it’s common that it partners up with a specialised organisation that runs Know-Your-Third-Party processes end-to-end. These organisations also take care of the tasks to carry out at a vendor’s premises to assess risk. 

Know-Your-Third-Party usually includes these sequential processes:

  1. Define vendor risk criteria;
  2. Classify vendors based on criticality, and establish priorities;
  3. Perform assessment. The assessment can be for both, onboarding a new vendor or screening an existing one;
  4. Assess performance results, and;
  5. Perform further audit work, if necessary.

Remember, a vendor is part of your supply chain or procurement function. When it relates with your clients or manages their information, your business is accountable for any IT security incident, no matter the shape it takes. 

We invite you to embrace the Know-Your-Party approach. It’s worth it.

What we think 
Maxime Pallez, Cybersecurity Manager at PwC Luxembourg
Maxime Pallez, Cybersecurity Manager at PwC Luxembourg

The principles of the Know-Your-Third-Party approach are not rocket science but remain a puzzle for many of our clients due to implementation complexity. The challenges for organisations are to prioritise time and resources, and to remain pragmatic in their methods. For medium and large organisations, this process is a must-have  and external support, through tooling or external consultancy, can be a relieving accelerator. 

Leave a Reply

Your email address will not be published. Required fields are marked *