
Securing the Banks' Biggest Data Problem: Third Party Risk Mitigation

David DiCristofaro, Global Lead Partner, IT Advisory in Risk Consulting, KPMG LLP

Banks everywhere are under pressure. It is hard for them to grow organically in the post-crisis period, while increased regulation imposes costs and limits capital available for external growth. With turnover stagnant, banks have to concentrate on driving out costs and finding new ways to drive growth.

This is where service providers and other intermediaries play an important role—and where external risk factors come in. And it is why any bank relying on third parties needs to make sure that the controls and compliance bar is set as high at its service providers as it is within the bank’s own systems and procedures.

This is not an option—regulators are increasingly expecting ever more oversight of third parties. Rationalizing relationships by cutting numbers and consolidating external suppliers can help (although there is a fine balance between having a manageable number of suppliers while not being dependent on too small a number). Banks should also focus on the underlying contracts related to their supplier relationships, and on monitoring their suppliers’ organizational control reports or exercising the other kinds of validation procedures over their controls and compliance.

The resulting exposure from lapses in data security and privacy at third-party providers poses a serious threat to individual banks. This risk extends down throughout the banking supply chain: a security or privacy incident at a bank caused by an error at one of its suppliers can signal the end of that service provider. And in a worst-case scenario, if a major provider's services were to have a problem, the domino effect would cascade throughout the world.

I believe that these risks will also impact smaller banking institutions, possibly disproportionately. These institutions may rely more on third parties for their core banking capabilities than a larger bank does, plus they might not have the resources to be as proactive over validation of third-party controls and compliance.

What will banks do in response to these risks? I believe that the industry is forward-looking enough to draw risk out of the service provider community. The major service providers are certainly motivated to step up to the challenge. As their business becomes more complicated, it will be in their best interests to be on the cutting edge of how they mitigate the risk for fear of being shut out of the market. They will find ways to innovate, such as through security analytics, to seek out and prevent risk events occurring.

I think that the right roles already exist within most large banks to mitigate this risk. The challenge will be around governance and communication between the people on the business, technology and compliance sides, and the constantly changing nature of the banking supply chain. The focus will be to own supplier relationships and risk across the supplier life-cycle and across the enterprise—quite a challenge given that often several different functions have a relationship with one supplier over each one of the many aspects of the business. Banks are looking at ways to improve this, and certainly the regulators are expecting it. Many of our clients are on this journey, and I believe that this will be an enduring trend in the management of their technology risk.
