ISMG Summit Highlights Growing Third-Party Vendor Threats
Financial Services Experts Call for Stronger Focus on Third-Party Risk Management

Hackers frustrated by the online fortifications of banks are taking an easier path to treasure troves of financial data: less well-defended third parties, including cloud providers and data warehousing platforms.
Experts speaking Thursday at an Information Security Media Group financial services summit in New York City said vendor risk is nudging financial institutions into enforcing stringent risk management frameworks for third-party contractors and even fourth-party vendors.
"Every time you hear about a data breach it's from a third party that enables your business," said Eric Boateng, CISO of MassMutual, during a keynote session on the shifting responsibilities of infosec leaders (see: Canadian Cops Bust Suspected Hacker Tied to Snowflake Hits).
The attack surface has significantly expanded since the global novel coronavirus pandemic, with remote work and a growing reliance on cloud platforms now central to critical operations, Boateng said. The expanded attack surface requires a shift away from "typical risk management" to a more proactive, multi-layered approach.
"Attackers are realizing these third parties are not doing enough to strengthen the control area, and they'll continue to hit them as far as they allow themselves to be exploited."
The use of third parties across the financial services sector has surged within the workforce, as well, with organizations increasingly allowing workers to connect to their networks through an ever-expanding set of devices, said Erika Dean, CSO of Robinhood Markets.
"While humans are one of the most important assets we have, they're also the most easily manipulated," Dean said. The growing reliance on third parties forces CISOs to consider not only their vendors' cybersecurity but also their remote work practices and internal security policies.
Human error remains a critical factor in cyberattacks, with accidental actions like stolen credentials, social engineering, and privileged misuse contributing to 68% of incidents, according to Joanna Huisman, senior vice president of strategic insights and research at KnowBe4. But Huisman added that research indicates workers can also play a "significant role moving forward in being able to raise the readiness level" within organizations through enhanced access to security awareness programs and resources.
The full-day financial services summit brought together experts from government, finance and technology, including cybercrime specialists from the Treasury Department and FBI, as well as innovators from Google Cloud Security, to discuss the latest strategies for combating rising cyberthreats (see: Top Financial, Cyber Experts Gathering for ISMG's NYC Summit).
The summit also included a session "Protecting Digital Identity: Combatting Account Takeovers in Financial Services" with Anthony Scarola, SVP at Apple Bank, and Carlos Suarez, Deputy ISO at Helaba, who discussed account takeover mechanics, emerging identity-based attack trends and strategies for robust identity management frameworks. Another panel on "New Age of Payment Fraud: Hackers vs. Heroes" included Aaron Simpson, partner at Hunton & Williams, Seth Rose, supervisory special agent at the U.S. Treasury's Cyber Investigations Unit and Michael Woodson, information security director at Sonesta Hotels, discussing rising threats such as synthetic identity fraud and advanced social engineering attacks.