BreachExchange mailing list archives

Banking industry security protocol falters in third-party vendor contracts


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 16 Apr 2015 19:30:15 -0600

http://www.scmagazine.com/new-york-state-department-of-financial-services-issues-report/article/409562/

Nearly a third of banking organizations do not require their third-party
vendors to notify them in the event of an information security breach,
according to a recent study on the banking sector's cybersecurity practices.

The New York State Department of Financial Services issued its “Update on
Cyber Security in the Banking Sector: Third-Party Service Providers”
earlier this month to analyze the “due diligence processes, policies and
procedures governing relationships with third-party vendors, protections
for safeguarding sensitive data, and protections against loss incurred due
to third party information security failures.”

A survey with 40 banking organizations yielded the report's findings, which
indicated that fewer than half of those surveyed conduct any on-site
assessments of their third-party vendors. Plus, approximately one in five
banks do not require third-party vendors to represent that they have
established minimum information security requirements. One-third of banks
mandate that those requirements be extended to subcontractors of
third-party vendors.

Jamie Wodetzki, founder of Exari, a contract management and document
assembly solutions provider, noted that the lack of requirements is most
likely a result of outdated contracts.

“Five years ago, [a bank] might not have bothered to say that a particular
supplier must meet these security levels [in a contract],” he told
SCMagazine.com.

Plus, contracts tend to be hefty, making it hard to ensure that all
security bases are covered.

Ultimately, Wodetzki said, the report highlights a need for IT security
professionals to coordinate with their companies' legal teams to make sure
current needs are being met in years-old contract formats.

“Security teams can also maybe go and look at these vendors,” he said.
“They can analyze them and write a report.”

This might help identify missing safeguards that should be written into the
contract as a requirement. Furthermore, Wodetzki noted that the best
contracts are explicit, contain unqualified promises, and set clear timelines
for when something needs to be done.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss