Risks with third-party service providers

By Karen Epper Hoffman

For community banks, there are many potential inroads that hackers can use to get to banks’ internal operations. These may include:

1. Financial technology firms
Speaking on the potential cybersecurity risk of third-party access, former OCC comptroller Thomas Curry pointed out, “While fintech companies are still a small portion of the industry, their rapid growth requires banks and regulators to ask big-picture questions about the future of banking, how consumer needs are being met, and whether we have the necessary regulatory tools and structure to ensure that the changes occur in a safe and sound manner, promote financial inclusion and avoid consumer abuse.” In lieu of long-term track records, community banks often must rely on these vendors’ cyber savvy as a main defense of their online security.

2. Billing software and portals
Every community bank has to remit invoices and therefore uses software or online technology such as SAP Ariba, which many banks and other enterprises use for billing and procurement. “Banks need to understand the structure and segmentation of their network,” says Julie Conroy, research director for Aite Group.

3. Payments providers
Payment systems are “well-protected, but as with anything or anyone, they are vulnerable,” says PeoplesBank’s Joseph Zazzaro. “Zero-day malware, ransomware and many other hacking-type events are targeting the end users, and as they say, people are our weakest link and can be easily fooled.”

Banks should require that risk and vendor assessments be completed, with scheduled reviews to see if there have been any changes at the vendor and with its service level. This is especially important for payment providers, which offer direct access to a bank’s most valuable data.

“We have report cards on vendors to see if service issues have occurred and whether a new vendor should be sought out,” Zazzaro says. “This is not a new environment for us; [there are] just many more public channels to utilize services from now, which opens up more vulnerabilities and threats.”
