The management of cybersecurity at critical third parties is essential for financial firms, according to a set of cybersecurity principles issued by the Securities Industry and Financial Markets Association.
Principle number ten notes that many of the systems and data stores within the critical infrastructure sectors reside not in the firms themselves, but in third-party service providers that are typically unregulated.
When storing data in the cloud, firms need to take the proper steps upfront to understand the safeguards they have in place, as well as the people that will be touching and processing the data.
“There's always a human element,” Jay Leek, chief information security officer at Blackstone Group, told Markets Media. “When you say you're putting something into the cloud, you might be looking for the cheapest, lowest cost storage you can find, and that could mean going somewhere offshore to a geography where you might not have the jurisdiction and the regulatory protections you have in place to protect your data. If something were to happen to it the recourse might be limited.”
Protections must be promoted at these non-regulated entities that the financial sector relies on, Sifma said. Similar to financial firms, third parties that pose a systemic risk to the industry should be identified, evaluated more closely, and encouraged to provide more information on the status of their cybersecurity programs.
Regulators should increase their coverage of third parties and put pressure on these third parties to meet the regulatory expectations of the financial services firms that they serve.
Small- and medium-sized firms are particularly reliant upon third-party service providers. Smaller firms often outsource many components of their infrastructure, but lack the negotiating leverage to require third parties to implement robust cybersecurity protections, Sifma noted. Agency oversight and market forces should work together to ensure that such third parties implement these protections and do not leave the financial sector vulnerable.
Sifma outlines ten foundational principles that serve as a framework for robust and efficient cybersecurity guidance. The recommendations are meant to help regulators as they move forward with plans to review, update and harmonize cybersecurity policies, regulations, and guidance, in order to strengthen the financial sector's defense and response to cyber-attacks, Sifma noted in a release.
Sifma recommends the development of an inter-agency harmonization working group that could coordinate the review of cybersecurity regulations, ensure consistency and receive private sector input.