On July 19, 2021, the Board of Governors of the Federal Reserve System (Board), the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) released their proposed interagency guidance on third-party risk management. SecurityScorecard submitted comments in response to the proposal, urging the agencies to include the adoption of security ratings as a means of mitigating the cyber risk that third-party vendors and suppliers introduce to financial institutions.
The Proposed Guidance on Third-Party Relationships
The proposed guidance defines a third-party relationship as “any business arrangement between a banking organization and another entity, by contract or otherwise.” Effective risk management practices for these relationships have long been a concern of regulators. As banking organizations increase their use of third-party vendors, and as the services those vendors provide become more complex and more tightly integrated into every facet of a financial institution’s activities, the guidance seeks to support these institutions’ security efforts. It clarifies the term “critical activities” and outlines additional relationship life cycle management practices, covering:
- Planning
- Due Diligence and Third-Party Selection
- Contract Negotiation
- Oversight and Accountability
- Ongoing Monitoring
- Terminations
- Supervisory Review of Third Parties
SecurityScorecard’s Comment and Position on the Proposed Interagency Guidance
SecurityScorecard agrees that banking organizations need a uniform framework for managing third-party relationships. Continuously monitoring third-party cybersecurity posture with security ratings can add critical visibility into, and understanding of, risk for banks across three primary stages of the third-party risk management life cycle:
- Due Diligence and Third-Party Selection
- Ongoing Monitoring
- Contract Negotiation
Security ratings are an effective tool to reduce risk and achieve economies of scale in the cyber diligence context
Security ratings provide a continuous, non-intrusive approach to monitoring third-party risk. They support the Proposed Guidance in several ways:
- Provide an independent review of third-party cybersecurity posture during the due diligence process;
- Support continuous cybersecurity risk monitoring for audit and remediation purposes as part of contract performance and third-party risk management; and
- Enable smaller and less complex banking organizations to achieve economies of scale with standardized, objective metrics without significant resource investment.
Security ratings platforms offer reputable cybersecurity metrics that supplement a banking organization’s information security due diligence
SecurityScorecard also offered comments on OCC FAQ No. 5, recommending that the Proposed Guidance incorporate alternative, complementary methods of analyzing third-party cybersecurity. Specifically, security ratings provide additional support in the following ways:
- Provide banking organizations with independent visibility derived from publicly available indicators, so that the assessment does not depend on the third party’s decision to share or withhold information;
- Afford increased negotiating power related to information security, management of information systems, and operational resiliency;
- Supply performance measures or benchmarks for service-level agreements during contract negotiations, giving banking organizations a way to establish a minimum score requirement for entering into and maintaining a contract;
- Encourage organizations to prioritize security as part of the procurement process; and
- Enable banking organizations to verify third-party point-in-time security claims during the due diligence process and contract period.
SecurityScorecard enhances cybersecurity posture across the financial services ecosystem
SecurityScorecard’s security ratings platform provides visibility across ten categories of risk factors. Its continuous monitoring is summarized on an easy-to-read A-F rating scale, so banking organizations can get at-a-glance insight into third-party cybersecurity risk.
SecurityScorecard’s Atlas platform enables banking organizations to independently validate third-party questionnaire responses in real time. By drawing on data from the security ratings platform, Atlas strengthens both the due diligence and the contract negotiation processes.
For more information about how SecurityScorecard can help meet third-party risk management practices outlined in the Proposed Guidance, contact one of our representatives here.