How well are you managing cyber risk from your third party relationships? - Banking blog

In an effort to reduce costs, increase efficiencies and build strategic advantage, Financial Services organisations are expanding their use of outsourcing and are relying extensively on third parties for critical business and IT processes. While third parties bring multiple benefits to business, there is a corresponding increase in cyber risk exposure as third parties access critical systems, sensitive information, and potentially engage sub-contractors. Beyond cyber, there are further third party risks such as the risk of lock-in, regulatory compliance, and others, but these will not be considered in this blog post.

Despite a high dependency on third-parties, organisations are not yet managing the risks in a holistic and coordinated manner. Additionally, heavily regulated industries, such as the Banking and Financial Services Industry, are required to strategically think about third party cyber risk management. Potential penalties for managing third party cyber risk insufficiently range from regulatory fines to losing the license to operate. With more and more European regulators preparing to adopt requirements as stringent as outlined in the new cyber regulations by the New York State Department of Financial Services (NYDFS), Swiss Financial Services organisations are required to take proactive measures to manage this risk.


Third party cyber risk management

Third party cyber risk management (TPCRM) is the process of identifying, evaluating, and preventing or reducing cyber risks associated with third parties to an acceptable level. Determining that level depends on the organisation, the value of the assets, the threat level, and the size of its budget. A holistic TPCRM framework requires a multi-layered approach covering compliance requirements (e.g. breach notification, support for e-discovery, data location requirements, etc.), security requirements (e.g. multifactor authentication for remote access, encryption, disaster recovery, etc.), and legal requirements (e.g. right to audit, data ownership, sub-contracting, NDAs, etc.).

Steps to consider for the implementation of an effective TPCRM

To implement an effective, value-adding TPCRM, the programme must be embedded in your company’s vendor lifecycle management, starting from the due diligence process to the on-boarding and contracting, to the continuous monitoring and, finally, to the off-boarding and termination.

The core of each TPCRM framework is the approach to assessing third party cyber risk, where a two-tier approach is considered best practice. First, an inherent risk assessment will be used to categorise the third party into low, medium or high inherent risk vendors based on the nature of its services and without accounting for its controls. Secondly, based on the inherent risk rating, you need to assess if the vendor has sound security controls in place that meet your organisation’s risk appetite. Conduct the ‘tell me’ exercise via questionnaires to get insights on the current level of security risks among your critical supplier base. Finally, use these insights to plan and undertake on-site reviews or remote assessments adopting a ‘show me’ approach to controls testing.

In some organisations, the number of vendors is equal to, or higher than the number of employees. To manage third party cyber risk on scale, your organisation needs to think about staffing and an agile, scalable execution model. Using a managed service is increasingly common for a number of reasons:

  • It allows organisations to benefit from economies of scale and associated cost benefits.
  • It provides the ability to quickly scale up and down depending on demand.
  • An external assessor is often preferred by regulators and usually comes with a high level of trust.
  • The concern of finding skilled security professionals with an audit mind-set can be reduced that way.

Key take-aways

With the rapid adoption of cloud computing solutions and outsourcing of business processes, the dependency of businesses on third parties will further increase. Based on our experience, organizations are encouraged to consider:

  1. Defining a TPCRM programme that improves security and provides value to the business who owns the risk, and not just addresses compliance.
  2. Implementing third party risk management solutions fully integrated in the vendor life cycle to be least disruptive for business.
  3. Executing third party risk assessments in a scalable manner to ensure a high degree of consistency and standardization of the assessments.
  4. Getting a complete picture of the cyber risks associated with third parties by also looking into the effectiveness of your company’s internal control framework (e.g. access recertification, data protection measures, patch management, etc.).
  5. Including third party cyber risk management into your company-wide risk and security awareness as well as training programmes.

Source: Deloitte Third party governance risk management (TPGRM) Extended enterprise risk management global survey 2017


Klaus Julisch, Partner, Risk Advisory, Zurich

Dr. Klaus Julisch is a Partner in Deloitte’s Cyber Risk Services practice, with over 15 years of experience in designing, assessing, and transforming secure enterprise solutions. He leads the areas of cyber security and data protection in Switzerland and specialises on helping financial services clients resolve some of their most challenging security issues. Klaus’ work has been published internationally in over 20 articles and resulted in 15 patents in the areas of security and privacy. He holds a Ph.D. in Computer Science from the University of Dortmund, Germany, and an MBA from Warwick Business School, UK.



Patrick Lechner, Manager, Zurich

Patrick Lechner is a Manager in the Cyber Risk Services team at Deloitte in Switzerland. He leads the Cyber Strategy service offering which supports organisations in the transition to an executive-led cyber risk programme that balances requirements to be secure, vigilant, and resilient in line with the strategic objectives and risk appetite of the organisation.



Verify your Comment

Previewing your Comment

This is only a preview. Your comment has not yet been posted.

Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.


Post a comment

Comments are moderated, and will not appear until the author has approved them.


!-- OneTrust Cookies Settings button start -->