CUNA Mutual Group: Reducing third-party cybersecurity risk

A critical part of cybersecurity is understanding data is always on the move. Third-party vendors, though essential to doing business, can pose a risk of exposing sensitive data, according to CUNA Mutual Group. A study found that 59 percent of organizations said they have experienced a vendor-related data breach. When considering outsourcing a function or service to a third party, the best approach is to measure risk vs. reward. The critical point to keep in mind, according to CUNA Mutual Group, is that even when member data is in the hands of a vendor, its protection remains a credit union’s main responsibility.

CUNA Mutual Group noted that before engaging with any vendor, it is important to understand what type of data is collected. Whether it is personally identifiable information such as Social Security numbers, or personal health information or HR purposes, it is important to have a clear sense of a credit union’s own data security standards so that there is a benchmark to judge potential vendors.

When weighing the benefits of a specific vendor relationship against the costs, here are three important examples:

• Will the vendor have access to member and/or employee data? If not, the risk could be considered low.
• Will the vendor have access to the credit union’s network? Vendor access to a credit union’s network risks creating breaches indirectly, using the vendor as a gateway for malware or other types of attacks.
• How susceptible is the vendor function to frequent changes in regulations and laws? Privacy regulations are becoming increasingly complex. If a credit union’s vendor is compliant today, there’s no guarantee it will be compliant tomorrow.

Once a credit union understands the data and access that the vendor requires, it is important to perform due diligence to better understand the vendor’s security program and set ongoing expectations. Credit unions must have the capacity to maintain oversight of vendors, particularly those with access to sensitive data. When evaluating a relationship with a vendor, CUNA Mutual Group encourages credit unions to:

• set criteria: define the minimum acceptable security standards and use this as the basis to assess vendors;
• create apples-to-apples vendor comparisons: create a cybersecurity assessment questionnaire using a resource like the NIST Framework2, which provides recommended guidelines for managing security risks, to compare vendors and to conduct a security audit of their processes; and
• conduct due diligence: ask key questions about each vendor’s technology capabilities, incident response plan, and what data security standard they adhere to, such as NIST or GDPR. Also learn more about each vendor’s security infrastructure, including whether the vendor has a security officer and established data security policies. Remember that third-party and vendor risk management is an ongoing process; due diligence must continue throughout the vendor relationship.