BreachExchange mailing list archives
Banking industry security protocol falters in third-party vendor contracts
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 16 Apr 2015 19:30:15 -0600
http://www.scmagazine.com/new-york-state-department-of-financial-services-issues-report/article/409562/

Nearly a third of banking organizations do not require their third-party vendors to notify them in the event of an information security breach, according to a recent study on the banking sector's cybersecurity practices.

The New York State Department of Financial Services issued its “Update on Cyber Security in the Banking Sector: Third-Party Service Providers” earlier this month to analyze the “due diligence processes, policies and procedures governing relationships with third-party vendors, protections for safeguarding sensitive data, and protections against loss incurred due to third party information security failures.”

A survey of 40 banking organizations yielded the report's findings, which indicated that fewer than half of those surveyed conduct any on-site assessments of their third-party vendors. Approximately one in five banks do not require third-party vendors to represent that they have established minimum information security requirements, and one-third of banks mandate that those requirements be extended to subcontractors of third-party vendors.

Jamie Wodetzki, founder of Exari, a contract management and document assembly solutions provider, noted that the lack of requirements is most likely a result of outdated contracts. “Five years ago, [a bank] might not have bothered to say that a particular supplier must meet these security levels [in a contract],” he told SCMagazine.com. Contracts also tend to be hefty, making it hard to ensure that all security bases are covered.

Ultimately, Wodetzki said, the report highlights a need for IT security professionals to coordinate with their companies' legal teams to make sure current needs are being met in years-old contract formats. “Security teams can also maybe go and look at these vendors,” he said. “They can analyze them and write a report.” This might help point out missing protocols that should be written into the contract as a necessity. Furthermore, Wodetzki noted that the best contracts are explicit, have unqualified promises, and set clear timelines for when something needs to be done.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com
Supporters: Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus on the right security. If you need security help or want to provide real risk reduction for your clients, contact us!