
Banking industry security protocol falters in third-party vendor contracts

Nearly a third of banking organizations do not require their third-party vendors to notify them in the event of an information security breach, according to a recent study on the banking sector's cybersecurity practices.

The New York State Department of Financial Services issued its “Update on Cyber Security in the Banking Sector: Third-Party Service Providers” earlier this month to analyze the “due diligence processes, policies and procedures governing relationships with third-party vendors, protections for safeguarding sensitive data, and protections against loss incurred due to third party information security failures.”

A survey of 40 banking organizations yielded the report's findings, which indicated that fewer than half of those surveyed conduct any on-site assessments of their third-party vendors. In addition, approximately one in five banks do not require third-party vendors to represent that they have established minimum information security requirements. One-third of banks mandate that those requirements be extended to subcontractors of third-party vendors.

Jamie Wodetzki, founder of Exari, a contract management and document assembly solutions provider, noted that the lack of requirements is most likely a result of outdated contracts.

“Five years ago, [a bank] might not have bothered to say that a particular supplier must meet these security levels [in a contract],” he told SCMagazine.com.

Plus, contracts tend to be hefty, making it hard to ensure that all security bases are covered.

Ultimately, Wodetzki said, the report highlights a need for IT security professionals to coordinate with their companies' legal teams to make sure current needs are being met in years-old contract formats.

“Security teams can also maybe go and look at these vendors,” he said. “They can analyze them and write a report.”

This might help point out missing protocols that should be written into the contract as a necessity. Furthermore, Wodetzki noted that the best contracts are explicit and have unqualified promises and clear timelines for when something needs to be done.
