How Does Instant Issuance Work?
It has been nearly four years since a major data breach at Target Corp. captured the world’s attention—not just because the incident was so high-profile and the impact so widespread, but because it shined a bright light on a little-discussed way in: third-party vendors.
When pressed, spokespeople from the major retailer admitted that cybercriminals wormed their way into Target’s payment system through a refrigeration, heating and air-conditioning subcontractor. This and similar attacks initiated through third parties highlight how hackers can view a company’s reliance on its vendors as a weakness to exploit.
“Cybercriminals will target community banks through whatever method they can,” says Thomas L. Frale Jr., director for business development at RLR Management Consulting Inc. “We’ve had clients that reported incidents of criminals stealing a retail or commercial customer’s identity and trying to perpetrate fraud and money theft via that method. Whether they can get at a bank through identity theft or a third-party relationship, they are consistently refining their attacks.”
Eric Olson, vice president of intelligence operations at LookingGlass Cyber Solutions, a threat intelligence company that works in various sectors, says concerns with third-party providers are exacerbated by a couple of growing trends: namely, the transition of bank networks and data to the cloud and the “shallowness of the talent pool” in cybersecurity expertise. “There is no ‘cloud’; it’s just someone else’s computer,” Olson points out. “When you look at community banks and their back-end operators … even if they haven’t been hit already, they have a big bullseye on their backs.”
Phil Agcaoili, chief information security officer for Elavon, a global provider of payment processing solutions and a subsidary of U.S. Bancorp, likens this particular cybersecurity risk to public health concerns. “If there’s a weak person, or a weak organization, any weak link in the chain, that is where concerns will strike and spread,” he says.
All banks at risk
This uptick in third-party risk is not specific to community banks; it concerns all banks, according to Joan McGowan, senior industry analyst for consultancy Celent. “This is forcing banks to treat all third parties as they would treat their own [internal] operational risk,” she says. “To consider human resource management, resilience, risk activity levels and metrics, insurance coverage, technology infrastructure and operational adequacy of subcontractors, all this is up for question now.”
Joseph Zazzaro, senior vice president and chief information officer for the $2 billion-asset PeoplesBank of Holyoke, Mass., points out, “With so many partnerships with hosted solutions now becoming the normal operating environment for banks, we have to rely on outside audits, SOC [security operations center] reports and other information to help ensure that these third-party vendors are doing their due diligence when offering services.”
PeoplesBank requires SOC and/or SSAE16 (auditing standards for service organizations developed by the American Institute of Certified Public Accountants), reports on every third-party vendor. “They provide the details of their best practices, including background checks and facility access,” Zazzaro says. “One of the best things you can do is visit a vendor site and see for yourself.”
In December 2016, Thomas Curry, then head of the OCC, not only named cybersecurity as the single greatest systemic threat to our financial system; he also cited the tremendous growth of fintech companies as a major strategic risk.
It’s clearly not an issue that can be swept under the carpet. But what are community banks, short on resources and staff, to do?
Wes Bjorklund, senior director at Cornerstone Advisors, says community banks should focus on vetting and reviewing vendors that have “non-escorted or unsupervised access” to their facilities, as well as those third parties that have network access to a bank’s computer systems. “That’s where you have to rely on a variety of safeguards and controls,” he says.