When I think of a robbery and hostage situation, “Dog Day Afternoon” with Al Pacino comes to mind. But the reality in 2017 is that there is likely a greater danger of an organization’s data being held hostage through a ransomware infection or other cyber-attack. Recently, the Netflix series “Orange Is the New Black” was prematurely released to the public by the hacker (or group) that goes by the name “thedarkoverlord”. The hacker stole the unreleased television show from a vendor used by Netflix: Larson Studios, a postproduction company that apparently serves as a third-party provider to Netflix and a variety of other television and movie studios. The hacker demanded money from Netflix and, when Netflix refused to pay, released the series to the public. Ransom is now being demanded from other studios whose content was exposed in the same breach.
This is the latest in a long line of attacks by cybercriminals in the past few years. With the advent of Bitcoin, extortion-based cyber-attacks have become more prevalent and likely more profitable for the criminals. Bitcoin provides a pseudonymous form of payment that is difficult to tie to a real-world identity, which lowers the criminals’ risk of being caught when collecting a ransom. Their continued success is a strong indication that these types of attacks are not going away any time soon. According to Verizon’s Data Breach Investigations Report, ransomware attacks have increased every year since 2005 and were up 50% in 2016 compared to 2015. Criminal strategies are not limited to encrypting data; they may also include threats to delete information from systems or to expose confidential information publicly if the ransom is not paid.
It’s not news that these types of threats exist. Your credit union should have policies, procedures, and practices in place to help protect your data. But these attacks should also be an important consideration when evaluating and monitoring third-party vendors, because an attacker who cannot get at your systems directly will look for a vendor that already holds your data. Your data is only as safe as your weakest vendor. Do you have a comprehensive program in place to evaluate the cybersecurity of every vendor that has access to your data?
Not all third-party relationships are created equal. You should have a standard practice in place to determine the inherent risk a vendor may pose to your organization, and that determination should be made during the initial risk assessment stage. The outcome of the risk assessment determines the depth of due diligence required. If the vendor performs a critical function or touches sensitive member information, you will want to take a deep dive into the vendor’s information security controls and determine whether there is additional risk from fourth-party (or Nth-party) contractors that the vendor itself relies on. It is critical that contracts protect your credit union and are specific about responsibilities in the case of a data breach: who must notify whom, within what timeframe, and who bears the cost of investigation and remediation. In managing your third parties, the mindset should be not if, but when a data breach will occur. Unfortunately, that’s today’s reality.

Once you have completed the risk assessment, conducted appropriate due diligence, and incorporated the appropriate contract clauses, you can then begin working with the vendor. But this doesn’t mean your job is done. You should expect to conduct ongoing oversight and periodic reviews of the vendor relationship. Any change to the risk exposure should be documented and addressed to ensure the risk is still acceptable in light of the value the vendor provides.
Ultimately, third-party risk management should not be viewed as simply a compliance task or regulatory hurdle. Vendors should be viewed as business partners, and maximizing the value of the relationship can create additional opportunities, save costs, and potentially enable a competitive advantage.
A deep understanding of your vendor’s products and services can help you integrate their capabilities with your long-term strategies. A mature third-party risk management program will enable you to not only mitigate risk but also create additional value for your organization. If you need assistance, or would like more information about Rochdale Paragon’s third-party risk management services, please contact Jeff Owen at (913) 890-8011, jowen@rochdaleparagon.com.