Third-party vendor risk: protecting your company against cyber threats

July 10, 2023

As supply chains become more global and complex, managing cybersecurity risk requires extending information security perimeters to include third-party vendors. Careful management of service partnerships and interconnected systems can help prevent costly incidents.

In a world of ever-growing cybersecurity threats, it’s no longer enough to focus on your own company and its defenses and the fraudsters plotting to break through them. You also have to worry about the potential danger posed by third-party vendors in your supply chain. 

According to Verizon’s 2022 Data Breach Investigations Report (DBIR), 62% of system intrusion incidents in the past year came through an organization’s partner.1

“Compromising the right partner is a force multiplier for cybercriminals,” Verizon notes. In other words, it’s very efficient for them to compromise a supply chain vendor, because once that’s done, all the vendor’s clients are compromised too.

Forms of third-party risk

The danger associated with supply chain cyberattacks is often referred to as “third-party risk,” and there are two primary forms:

  • Risk associated with service partnerships. Your company assumes additional cybersecurity risk when you use third parties to support or directly provide a service to your customers. Often such a partnership requires your business to share customer data with the third-party.
    The added risk of working with third-party providers is that you are no longer counting on just your company’s own defenses to protect your customer’s data. You are also relying on the defenses of those third parties.
  • Risk associated with your interconnectedness with a supply chain partner or vendor. This is the risk that a third party, having access to your network, could unwittingly serve as an access point for a fraudster to compromise the network or data you have stored there.
    An example of this danger is the highly publicized data breach at retail giant Target Corp. in late 2013 that affected more than 41 million of the company’s customer payment card accounts.

    According to published reports, cyberattackers gained access to Target’s computer network through credentials stolen from one of the company’s heating and air conditioning vendors.
    The fraudsters breached the vendor’s network through malware delivered in an email. They stole the virtual private network credentials the vendor was using to remotely connect to Target’s network and used those credentials to gain access to Target’s customer service database.2

Effectively managing supply chain cyber security risk requires companies to extend their information security perimeters. Failure to do so, as Target and others have discovered, can lead to a range of consequences, from customer data breaches to account takeovers. Such events can cause operational disruptions; loss of data, including intellectual property; financial losses; and reputational damage. 

"The principle of least privilege limits individual users’ access rights to ensure only vendor employees who need it will have access to your data. A vendor should have an identity and access management (IAM) policy outlining what access each employee will have to your data and what they are allowed to do with it."

Evaluating a third-party’s policies and practices

To minimize third-party vendor risk, companies need to thoroughly review the information security policies and practices of their vendors before bringing them on and then at regular intervals.

Start by reviewing the vendor’s Service Organization Control 2 (SOC 2) report, an outside auditing firm’s evaluation of its controls. Make sure the vendor has implemented key security principles such as segregation of duties and “least privilege.”

The principle of least privilege limits individual users’ access rights to ensure only vendor employees who need it will have access to your data. A vendor should have an identity and access management (IAM) policy outlining what access each employee will have to your data and what they are allowed to do with it.

Companies should also investigate to see if a vendor has any technical vulnerabilities. For instance, does its software have all the necessary, up-to-date patches? Are its security settings properly set, allowing it to defend against unauthorized access? And is any of the vendor’s technology at the end of its life or no longer supported by the supplier?

You should review higher-risk vendors at least once a year. Also, consider reviewing vendors with access to your company’s most sensitive data and core banking processes on site, where your staff member or a contracted auditor can witness whether the vendor is actually practicing the principles such as segregation of duties and least privilege that are attested to in the SOC 2 report.

Companies can also use third-party information security ratings providers to bolster their evaluations. These providers will review a vendor’s technology controls and provide a report with a score. Be sure to choose a provider that is commonly used by your industry.

Also include in your evaluations a review of the vendor’s financial health and stability. This can tell you if the vendor is well-positioned and a healthy company, and therefore more likely to invest appropriately in information security. 

Avoiding a supply chain attack

Here are four actions you can take to protect your company against supply chain cyberattacks: 

1. Stay informed. Keep abreast of news that might require you to take action to protect your systems and data from a supply chain attack. On June 3, 2022, for instance, software vendor Atlassian introduced software patches to address a critical security flaw affecting its popular Confluence server and data center products. By staying informed, users, including a number of U.S. federal agencies, were able to immediately block all internet traffic to and from the affected products and apply the patches.3

2. Use fewer vendors and evaluate each one more thoroughly. Using few vendors reduces the “attack surface” from your supply chain and thus your overall exposure to cyberattacks. It also makes it more manageable to conduct deeper and more effective security reviews. 

3. Limit and control third-party vendor access. This gets back to ensuring that your vendors practice the principle of least privilege. You only want vendors to have access to data relevant to the functions they provide on your behalf. The more access to data a third-party has, the greater the risk for a cyber incident.  

4. Identify and evaluate the controls of any fourth parties. Does your vendor contract with other parties that might have access to your network or data? For instance, you might have a company hosting your servers that subcontracts out to another company for database management. If that fourth party has connectivity with your systems or could potentially cause a disruption of your third-party vendor’s services, you need to subject that fourth party to a security review as well. 

5. Increase the cybersecurity awareness of your employees. Regardless of where attacks originate, it’s important that you have employees who are alert and educated about potential cyber threats. According to the 2022 Verizon report, between social engineering attacks, human errors and misuse of privilege, “the human element accounts for 82% of analyzed breaches over the past year.”1 Educating and training employees on how to spot and report issues can have a major impact on reducing the risk of a cyber incident. 

Addressing a huge and growing risk

The potential for supply chain cyberattacks is a huge and growing risk for companies. These days, all businesses are connected to the internet, and the threat has only been magnified as we’ve moved from local to global supply chains. 

As a result, it’s critical that all companies work to fully understand the risks they face related to third parties, have a complete list of all companies involved in any of their supply chain activities, and ensure they have the proper controls in place to protect themselves.

At U.S. Bank, your privacy and security are our priority. We’re constantly enhancing our systems to keep your data secure and provide seamless technology experiences. Learn more about protecting your organization with our fraud prevention checklist or contact U.S. Bank for help with your fraud prevention plan.

Related content

CRE trends

A checklist for starting a mobility program review

Why Bond Issuers Should Consider a Successor Trustee

At your service: outsourcing loan agency work

ABL mythbusters: The truth about asset-based lending

Easing complex transactions: Project finance case studies

Easier onboarding: What to look for in an administrator

The reciprocal benefits of a custodial partnership: A case study

What is CSDR, and how will you be affected?

Avoiding the pitfalls of warehouse lending

Crack the Swift code for sending international wires

Automate escheatment for accounts payable to save time and money

Ways prepaid cards disburse government funds to the unbanked

Optimizing treasury management

Automating healthcare revenue cycle

Changes in credit reporting and what it means for homebuyers

Look to your custodian in times of change

Tapping into indirect compensation to recruit foreign talent

Why other lenders may be reaching out to your employees

How institutional investors can meet demand for ESG investing

Sustainability + mobility: Trends and practical considerations

Mortgage buydowns and subsidies in today’s talent-focused relocation policies

Managing complex transactions: what your corporate trustee should be doing

High-cost housing and down payment options in relocation

Why retail merchandise returns will be a differentiator in 2022

Digital processes streamline M&A transactions

4 benefits of independent loan agents

Save time with mobile apps for business finances

Middle-market direct lending: Obstacles and opportunities

How RIAs can embrace technology to enhance personal touch

Best practices for optimizing the tech lifecycle

What corporate treasurers need to know about Virtual Account Management

Work flexibility crucial as municipalities return to office

An asset manager’s secret to saving time and money

Overcoming the 3 key challenges of a lump sum relocation program

Treasury management innovations earn Model Bank awards

Crypto + Relo: Mobility industry impacts

For today's relocating home buyers, time and money are everything

Webinar: CRE Digital Transformation – Balancing Digitization with cybersecurity risk

Technology strategies to complement your business plan

How jumbo loans can help home buyers and your builder business

Disclosures

1.   “Ransomware threat rises: Verizon 2022 Data Breach Investigations Report,” Verizon press release, May 24, 2022. https://www.verizon.com/about/news/ransomware-threat-rises-verizon-2022-data-breach-investigations-report

2.    “Target to pay $18.5M for 2013 data breach that affected 41 million consumers,” USA Today, May 23, 2017. Available at: https://www.usatoday.com/story/money/2017/05/23/target-pay-185m-2013-data-breach-affected-consumers/102063932

Also: “Inside Target Corp., Days After 2013 Breach,” KrebsOnSecurity, Sept. 21, 2015.

Available at: https://krebsonsecurity.com/2015/09/Inside-Target-Corp-Days-After-2013-Breach

3.    “Atlassian Releases Security Advisory for Confluence Server and Data Center, CVE-2022-26134,” Cybersecurity & Infrastructure Security Agency, June 2, 2022, https://www.cisa.gov/news-events/alerts/2022/06/02/atlassian-releases-security-advisory-confluence-server-and-data

Start of disclosure content

Loan approval is subject to credit approval and program guidelines. Not all loan programs are available in all states for all loan amounts. Interest rate and program terms are subject to change without notice. Mortgage, Home Equity and Credit products are offered through U.S. Bank National Association. Deposit products are offered through U.S. Bank National Association. Member FDIC.