Managing Third Party Risk in Financial Services Organizations: A Resilience-Based Approach
September 2016 • White Paper
John Haller, Charles M. Wallen
A resilience-based approach can help financial services organizations manage the cybersecurity risks that arise from outsourcing and comply with federal regulations.
Software Engineering Institute
Outsourcing to third parties and the resulting dependency risks have become a leading consideration for financial services firms, drawing extensive management attention and regulatory scrutiny. This is particularly true for third party risks that arise from the use of information and communication technology (ICT), which may include data breaches, fraud, access to sensitive internal information, reputation impacts, or disclosure of intellectual property. These concerns are exacerbated by a pervasive and dynamic cybersecurity threat landscape. Attackers know that third party suppliers can be a weak link and target them accordingly.
Recent high-profile incidents involving the financial industry highlight the unexpected or unintended consequences that can arise when organizations outsource support and processing activities. This is particularly true for customer-facing services supported by outsourced information technology. Regulators have emphasized careful oversight of third party suppliers and have strongly urged senior management to engage more directly in this area of risk management.