Vendor Risk Management: When the Outsider Becomes the Insider Threat

Industry News
November 2017 Edition
By: The Originate Report Team

Cybersecurity should already be one of your top priorities, regardless of whether you’re running a small credit union or an international bank. The safety of your most precious information — your clients’ information — is one of the most expensive building blocks of any company. Even worse, it’s slated to become even costlier as areas of growth in cybersecurity expand to cyber risk, cyber insurance, and IoT security.

Companies of the past might approach these problems by imposing firewalls or by hiring white-hat hackers. Although these methods may provide temporary peace of mind, they can’t stop what experts are calling an even greater risk: third-party vendors.

To investigate what many deem “the insider threat,” we spoke to Synoptek’s Information Security Program Manager, John Avery. John identified key oversights made by many financial institutions (FIs), and offered some solutions as to what you can do to keep your FI safe, even from those whom you may have given the “keys to the kingdom.”

What’s the Risk?

“It’s not uncommon for FIs to outsource pretty much every function,” Avery said. “Things you think FIs are managing themselves are often managed by a third party — everything from development to deployment, to ATMs and call centers to IT.”

Although third-party vendors — such as management and HR companies — are not inherently dangerous, they carry with them an immense risk, even under the noses of the companies who contracted them. A 2016 Bomgar study reported that, on average, 89 vendors access a company’s network every week; furthermore, the number of data breaches attributed to third-party vendors has increased by almost 25% since 2015. Recent high-profile breaches at Target and Home Depot are just the beginning, Avery said, and the consequences for FIs are likely more devastating due to the high number of third-party vendors they use.

“We’re talking about providing access to non-employees… to critical data,” he said. “How do we control what they do with that access? What’s the vendor’s risk mitigation strategy? FIs aren’t just on the hook to shore up their own environment, but they share responsibility for what these third parties are bringing to the table.”

The costs of investigating an internal breach add up quickly, even if you can’t identify the source. Although every situation is different, FIs are universally high-risk. As “critical infrastructure,” they are categorized among those in most danger of attack. Avery identified Healthcare ($369 per record), Education ($260 per record), and FIs ($222 per record) as the “most expensive” data, due to their roles in fraud and identity theft. FIs, he noted, can easily get wrapped up in these breaches because they supply money on the back end.

Breaches may be costly, but to some the price of vetting third-party vendors is equally prohibitive. As a result, these companies often contract to the lowest bidder, resulting in risky vendors and opening them to attack.

Why Should Financial Institutions Perform Third-Party Due Diligence?

“Part of why they’re throwing so many resources at this is because if there’s a breach and you can validate you performed your due diligence, there may be some cost benefits to it,” he said. “On the other hand, if you’re asked, ‘why did you choose this vendor?’ and you say, ‘because it was the cheapest,’ you’ll be in hot water, because you didn’t do your due diligence by validating that they had proper security controls in place.”

Avery suggested some further tips for practicing due diligence. “[Of third-party vendors] we ask, what are their policies? What sorts of vulnerability scans are they leveraging within their own environment, and how are they using those scans? What about penetration tests? What do they do with the information they find? How are they managing their own security?”

What can you do to Mitigate Risk?

“FIs are a top target for cyber-attacks; they need to understand that they need a dedicated team around the clock to monitor and investigate anomalous activity,” Avery said. “Most FIs don’t have the resources to do that — which is why it makes sense to partner with a firm like Synoptek to manage their security for them.” When left unchecked, third-party vendors can easily become an inside threat and wreak costly havoc on a company. And perhaps more importantly, it’s the responsibility of the contracting company — those who “give the key” — to properly vet their vendors.


Originate Report Team

The Originate Report Team consists of writers, editors, and graphic designers with a passion for sharing stories.
Copyright 2025 GERACI LLP