Description: Supply chain attacks are on the rise.
5/30/2023 11:30 A.M.
According to a recent State of Ransomware survey, 55% of financial service firms were victims of at least one ransomware attack in 2021—a 62% rise in just one year. The same study showed that 91% of financial services organizations hit by ransomware said the attack affected their ability to operate, while 85% stated the attack caused the organization to lose business and/or revenue.
Many of the cyber incidents are due to third-party supply chain attacks. Financial institutions (FIs) often rely on hundreds or even thousands of third-party vendors—from call centers to cloud providers—making them especially vulnerable to these types of attacks.
As third-party cyber risks continue to escalate, companies must adopt effective strategies to manage these threats. To start, it is crucial to limit the access permissions granted to third parties. Their activities should also be proactively monitored on an ongoing basis. If a vulnerability is discovered during continuous monitoring, the organization can ask the third party to supply a patch and fix it before it is exploited.
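As an added illustration of the two controls in the paragraph above (limiting third-party access and monitoring it continuously), the following Python script is example code written for this page; it is not code from TPx or from the survey cited here. It assumes a hypothetical vendor-access inventory (what IAM actually grants each vendor account versus what the contract allows, plus contract end date, last use and an agreed access window) and a simple constructed access-log format; every vendor name, account, permission and log line is made up. The first check flags grants that exceed least privilege, and the second scans log lines for vendor activity outside the contracted scope or window.

```python
"""Third-party access review and activity monitoring (added example, not from the original post).

Two checks a security team can run against its own vendor-access inventory:
  1. least-privilege review: flag vendor grants that exceed what the contract
     allows, grants that outlive the contract, and grants that are stale;
  2. activity monitoring: scan vendor access-log lines for actions outside the
     contracted scope, outside the agreed access window, or from unknown accounts.
All vendor names, accounts, permissions and log lines below are constructed sample data.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set, Tuple


@dataclass
class VendorGrant:
    vendor: str
    account: str
    granted: Set[str]                 # permissions actually assigned in IAM
    contracted: Set[str]              # permissions the contract / SOW allows
    contract_end: datetime
    last_used: Optional[datetime]
    window: Tuple[int, int] = (8, 18)  # allowed access hours, UTC: start inclusive, end exclusive


# Constructed "current time" and sample inventory (hypothetical vendors and permissions).
NOW = datetime(2023, 5, 30, 12, 0, tzinfo=timezone.utc)
GRANTS = [
    VendorGrant("CallCenterCo", "svc-callcenter", {"crm:read"}, {"crm:read"},
                NOW + timedelta(days=200), NOW - timedelta(days=2)),
    # Over-privileged: IAM grants iam:admin, but the contract only covers storage access.
    VendorGrant("CloudBackupInc", "svc-backup", {"storage:read", "storage:write", "iam:admin"},
                {"storage:read", "storage:write"}, NOW + timedelta(days=400), NOW - timedelta(days=1)),
    # Expired engagement whose account was never removed and has gone unused.
    VendorGrant("OldAuditLLP", "svc-audit", {"ledger:read"}, {"ledger:read"},
                NOW - timedelta(days=30), NOW - timedelta(days=120)),
]


def review_grants(grants: List[VendorGrant], now: datetime = NOW,
                  stale_after: timedelta = timedelta(days=90)) -> List[Tuple[str, str]]:
    """Return (account, finding) pairs for grants that violate least privilege."""
    findings = []
    for g in grants:
        excess = g.granted - g.contracted
        if excess:
            findings.append((g.account, f"excess permissions: {sorted(excess)}"))
        if g.contract_end < now:
            findings.append((g.account, "contract expired but access still active"))
        if g.last_used is None or now - g.last_used > stale_after:
            findings.append((g.account, f"stale: unused for more than {stale_after.days} days"))
    return findings


# Constructed log format: "<ISO-8601 UTC timestamp> account=<name> action=<perm> result=<ok|denied>"
LOG_RE = re.compile(r"^(?P<ts>\S+) account=(?P<account>\S+) action=(?P<action>\S+) result=(?P<result>\S+)$")

SAMPLE_LOG = """\
2023-05-30T09:15:00Z account=svc-callcenter action=crm:read result=ok
2023-05-30T10:02:00Z account=svc-backup action=storage:write result=ok
2023-05-30T03:40:00Z account=svc-backup action=storage:read result=ok
2023-05-30T10:05:00Z account=svc-backup action=iam:admin result=ok
2023-05-30T11:00:00Z account=svc-unknown action=ledger:read result=ok
"""


def monitor_activity(log_text: str, grants: List[VendorGrant]) -> List[Tuple[str, str]]:
    """Return (account, alert) pairs for vendor activity that falls outside what was agreed."""
    by_account = {g.account: g for g in grants}
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            alerts.append(("-", f"unparseable line: {line!r}"))
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        acct, action = m["account"], m["action"]
        g = by_account.get(acct)
        if g is None:
            alerts.append((acct, "activity from account not in vendor inventory"))
            continue
        # Compare against the contracted scope, not the IAM grant, so an over-privileged
        # account using its excess permission is still caught here.
        if action not in g.contracted:
            alerts.append((acct, f"action {action} outside contracted scope"))
        start, end = g.window
        if not (start <= ts.hour < end):
            alerts.append((acct, f"activity at {ts.isoformat()} outside agreed window"))
    return alerts


if __name__ == "__main__":
    for account, finding in review_grants(GRANTS):
        print(f"[grant review] {account}: {finding}")
    for account, alert in monitor_activity(SAMPLE_LOG, GRANTS):
        print(f"[monitoring]   {account}: {alert}")
```

Run on the constructed data, the grant review reports three findings (the excess `iam:admin` permission on `svc-backup`, and the expired plus stale `svc-audit` account) and the monitor raises three alerts (an off-hours read, use of the uncontracted `iam:admin` action, and an account missing from the inventory). The design point is that monitoring compares activity against the contracted scope rather than the IAM grant, so the two checks reinforce each other: an excess permission that slipped through review still surfaces the moment it is used.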
Additionally, companies should demand transparency and prompt notification from their third parties in the event of a data breach, as confidence in this area remains low. The SEC has proposed a rule requiring FIs to report incidents within 48 hours, while the FDIC and OCC require incidents to be reported within 36 hours. FIs must keep up with regulatory requirements and ensure that their vendors do, too.
While there are other measures to consider to minimize the potential impact of third-party cyber risks, proactive monitoring, restricting access privileges, and fostering transparent communication with third parties should be at the top of your list.
Overseeing third-party providers is also part of the FTC’s Safeguards Rule, which is coming into effect on June 9, 2023. The FTC urges organizations to reevaluate their in-house applications or third-party partners to ensure that they are following the requirements set forth in the Safeguards Rule.
If you need help with becoming defensible for the Safeguards Rule or have other cybersecurity questions or concerns, feel free to contact TPx at www.tpx.com/aca.