Bank customers and regulators would likely agree: There’s no excuse for a financial institution to accept lackluster cybersecurity measures. But according to a new report from BitSight, that’s exactly what’s happening as FIs work with partners and other third-party service providers.
Last week, the company published its latest report, “The Buck Stops Where? Assessing the Cybersecurity Performance of the Finance Supply Chain,” which explores how financial service providers manage third-party cyber risk. Most of the time, BitSight concluded, banks and other FIs aren’t holding their financial supply chains up to the same security standards as they hold themselves.
“While finance organizations tend to have more sophisticated vendor risk management programs, there is a lot of work to be done to close the performance gap between their own organizations and their immediate business ecosystem,” explained BitSight Co-Founder and CEO Stephen Boyer in a statement announcing the research.
“The findings of this report are not only relevant for the finance sector but for companies across all industries who share with and rely upon external business services,” he added. “Organizations should scrutinize the security culture and controls of their third and fourth parties. Ensuring that your vendor’s systems are up to date and that their employees are not engaging in risky peer-to-peer file sharing is one way to reduce immediate third-party cyber risk.”
In a survey of more than 5,200 legal, technology and business services organizations using the BitSight Security Rating Platform, the company explored how financial services companies are exposing themselves to the risk of cyberattacks because their immediate partners and members of their supply chain aren’t adequately secured.
Analysts concluded that legal firms remain top performers when it comes to cybersecurity, while technology firms have some room to grow (though, researchers said, the tech sector has shown some improvement. Business services companies present the greatest cyber risk to their financial service partners.
PYMNTS takes a look at some of the key data points that reveal how banks are putting themselves at risk by not addressing the lapses in cybersecurity by their partners.
-20 percent of business services firms are still using Windows XP, while nearly the same portion of finance firms and technology companies are, too. Significant portions of these players are also still using Windows Vista. This is problematic, researchers warned, because Microsoft no longer supports Windows XP or Windows Vista, “and generally do not have security patches available to protect against new risks.”
-Less than 10 percent of businesses analyzed received an ‘A’ grade for desktop software, with more than a third receiving the dreaded ‘F’ grade because their desktop software tools were outdated. Businesses that received a ‘B’ grade were more than twice as likely to have had some type of compromise of their systems in the last year, the research found. “This means that outdated desktop operating systems and browsers that exist within a supply chain are correlated to more immediate risks of machine compromise and data loss,” the report concluded.
-23 percent of technology companies and 22 percent of business services firms have downloaded applications that lead to an increased likelihood of an unwanted application being inadvertently downloaded onto a network. Previous research from BitSight concluded that high levels of file sharing correlate with higher rates of system compromise.
According to BitSight, the cybersecurity lapses — largely from business services and financial companies — can present increased exposure to risk of cyberattacks to the financial institutions working with these companies.
“Third-party risks management is imperative today for organizations large and small,” the report concluded. “Senior executives and Boards of Directors are increasingly asking for updates into their vendor risk management programs and looking for demonstrable progress in reducing third-party cyber risk.”
“While finance organizations tend to have more sophisticated vendor risk management programs, there is much work to be done to close the performance gap between their own organizations and their immediate business ecosystems,” BitSight added. “The finance of this report [is] not only relevant for the Finance sector; companies across all industries who share data and network access should place a great deal of security on the security culture of the third and fourth parties in their business ecosystem.”