In through the back door

Like most other enterprises, community banks are looking more carefully at the potential security risks coming from their third-party service providers, with the knowledge that vulnerabilities could be exploited through a number of vendors.

By Karen Epper Hoffman

It has been nearly four years since a major data breach at Target Corp. captured the world’s attention—not just because the incident was so high-profile and the impact so widespread, but because it shined a bright light on a little-discussed way in: third-party vendors.

When pressed, spokespeople from the major retailer admitted that cybercriminals wormed their way into Target’s payment system through a refrigeration, heating and air-conditioning subcontractor. This and similar attacks initiated through third parties highlight how hackers can view a company’s reliance on its vendors as a weakness to exploit.

“Cybercriminals will target community banks through whatever method they can,” says Thomas L. Frale Jr., director for business development at RLR Management Consulting Inc. “We’ve had clients that reported incidents of criminals stealing a retail or commercial customer’s identity and trying to perpetrate fraud and money theft via that method. Whether they can get at a bank through identity theft or a third-party relationship, they are consistently refining their attacks.”

Trend watch
Eric Olson, vice president of intelligence operations at LookingGlass Cyber Solutions, a threat intelligence company that works in various sectors, says concerns with third-party providers are exacerbated by a couple of growing trends: namely, the transition of bank networks and data to the cloud and the “shallowness of the talent pool” in cybersecurity expertise. “There is no ‘cloud’; it’s just someone else’s computer,” Olson points out. “When you look at community banks and their back-end operators … even if they haven’t been hit already, they have a big bullseye on their backs.”

Phil Agcaoili, chief information security officer for Elavon, a global provider of payment processing solutions and a subsidiary of U.S. Bancorp, likens this particular cybersecurity risk to public health concerns. “If there’s a weak person, or a weak organization, any weak link in the chain, that is where concerns will strike and spread,” he says.

All banks at risk
This uptick in third-party risk is not specific to community banks; it concerns all banks, according to Joan McGowan, senior industry analyst for consultancy Celent. “This is forcing banks to treat all third parties as they would treat their own [internal] operational risk,” she says. “To consider human resource management, resilience, risk activity levels and metrics, insurance coverage, technology infrastructure and operational adequacy of subcontractors, all this is up for question now.”

Joseph Zazzaro, senior vice president and chief information officer for the $2 billion-asset PeoplesBank of Holyoke, Mass., points out, “With so many partnerships with hosted solutions now becoming the normal operating environment for banks, we have to rely on outside audits, SOC [security operations center] reports and other information to help ensure that these third-party vendors are doing their due diligence when offering services.”

PeoplesBank requires SOC and/or SSAE16 reports (auditing standards for service organizations developed by the American Institute of Certified Public Accountants) on every third-party vendor. “They provide the details of their best practices, including background checks and facility access,” Zazzaro says. “One of the best things you can do is visit a vendor site and see for yourself.”

In December 2016, Thomas Curry, then head of the OCC, not only named cybersecurity as the single greatest systemic threat to our financial system; he also cited the tremendous growth of fintech companies as a major strategic risk.

It’s clearly not an issue that can be swept under the carpet. But what are community banks, short on resources and staff, to do?

Wes Bjorklund, senior director at Cornerstone Advisors, says community banks should focus on vetting and reviewing vendors that have “non-escorted or unsupervised access” to their facilities, as well as those third parties that have network access to a bank’s computer systems. “That’s where you have to rely on a variety of safeguards and controls,” he says. While Bjorklund maintains that most community banks are doing “a better job today than several years ago” in vetting and reviewing their third-party vendors, there is still “opportunity for improvement.”

“In some instances, the banks may have a great [vendor review] program and process in place to gather documents from their vendors, but they do not go beyond the basic SSAE16,” he says. “They do not address everything that might be of concern.”

But with so much ground to cover, Bjorklund and other industry insiders recommend community banks focus their limited resources on vendors providing “critical services to run their bank,” particularly those involved in processing and those with access to sensitive network information.

“It comes down to banks truly understanding what is being provided [by the vendor] and what the bank’s risks are, and having a solid vendor management program,” Bjorklund says. He adds that aside from initially vetting vendors, banks should conduct annual reviews, looking at key vendors’ risk methodology, security practices and financial information.

“Community banks need to do a thorough level of due diligence,” says Agcaoili, adding that banks should implement the NIST framework for understanding risk and look to groups like the FS-ISAC and the Financial Services Roundtable. “There is support in the community.”

The party’s over

Who: Target
When: November–December 2013
What: 40 million customer payment details
How: Hackers infiltrated Target’s data systems through its HVAC contractor.
What happened next? Target agreed to various settlements with card issuers, banks and customers, which cost it more than $148 million in damages. Target stock prices took a hit, customers became skeptical of the retail giant’s security and the CEO stepped down in 2014. In 2015, Target invested in chip-and-PIN terminals and chip cards for all REDcard customers.

Who: Wendy’s
When: October 2015
What: Customer payment details at 1,025 locations
How: Malware compromised the fast-food chain’s third-party point-of-sale providers.
What happened next? Wendy’s faced class-action lawsuits due to its “inadequate approach to data security,” and its stock price tumbled in 2016.

Who: Netflix
When: April 2017
What: Hackers claim to have stolen unaired episodes of Orange is the New Black.
How: System breach of post-production company Larson Studio.
What happened next? The hackers threatened to release the show before its release date unless a ransom was paid. An FBI investigation is underway.
—Sara Schlueter

Three third parties to keep an eye on

For community banks, there are many potential inroads that hackers can use to get to banks’ internal operations. These may include:

1. Financial technology firms
Speaking on the potential cybersecurity risk of third-party access, former OCC comptroller Thomas Curry pointed out, “While fintech companies are still a small portion of the industry, their rapid growth requires banks and regulators to ask big-picture questions about the future of banking, how consumer needs are being met, and whether we have the necessary regulatory tools and structure to ensure that the changes occur in a safe and sound manner, promote financial inclusion and avoid consumer abuse.” In lieu of long-term track records, community banks often must rely on these vendors’ cyber savvy as a main defense of their online security.

2. Billing software and portals
Every community bank has to remit invoices and therefore is using software or online technology such as SAP Ariba, which many banks and other enterprises use for billing and procurement. “Banks need to understand the structure and segmentation of their network,” says Julie Conroy, research director for Aite Group.

3. Payments providers
Payment systems are “well-protected, but as with anything or anyone, they are vulnerable,” says PeoplesBank’s Joseph Zazzaro. “Zero-day malware, ransomware and many other hacking-type events are targeting the end users, and as they say, people are our weakest link and can be easily fooled.”

Banks should require that risk and vendor assessments be completed, with scheduled reviews to see if there have been any changes at the vendor and with its service level. This is especially important for payment providers, which offer direct access to a bank’s most valuable data.

“We have report cards on vendors to see if service issues have occurred and whether a new vendor should be sought out,” Zazzaro says. “This is not a new environment for us; [there are] just many more public channels to utilize services from now, which opens up more vulnerabilities and threats.”

—Karen Epper Hoffman

Karen Epper Hoffman is a writer in Washington state.