Third Party Information Risk Mitigation


The third party information security landscape for financial institutions is becoming increasingly complex to navigate. In addition to an ever more intricate regulatory environment, they must also keep pace with rapid increases in fraudster sophistication in order to safeguard crucial assets. A formal and well defined internal infrastructure that can address these risks is therefore imperative. While the merits of such a bulwark are clear, organizations often struggle to design and build solutions that are comprehensive enough to defend against threats on so many fronts, and agile enough to keep pace with rapidly evolving external pressures.


Emphasis here should be placed on designing a system that inventories existing capabilities and vulnerabilities, while bridging the gap between the current organization and an audit compliant operating model. In Exhibit 1 we highlight four focus areas.

Exhibit 1: Sample Compliance Program



In this step, attention is paid to bringing current facets of the organization up to speed: by updating the organization's risk assessment process and current contracts to be regulation compliant, and by analyzing key information assets and their respective vulnerabilities, we can ensure we are developing appropriate security protocols. This in turn assures a successful rollout of any new security measures, and the continued safety of current assets.


In order to ensure audit compliance and continuous incremental improvement on a go-forward basis, a holistic, enterprise-wide risk management and control framework is crucial. This is best realized through an independent organizational structure, headed by a Chief Information Security Officer (CISO), whose primary function is to govern the protocols and best practices surrounding third party vendor interaction, as well as to anticipate threats and develop defenses for the future (see Exhibit 2).

Exhibit 2: Sample CISO Org Chart



Here, the CISO organizational structure consists of three echelons: the CISO themselves; an operating committee of internal stakeholders belonging to the different lines of business, necessary to disseminate information and ensure buy-in; and a program director to oversee the direct implementation of best practices, which encompass all facets of vendor interaction. In this way, organizations can ensure established protocols are disseminated throughout the business, and that every area of the business is well insulated from risk.


The final stage in developing an effective third party information security framework is mapping the vendor lifecycle and ensuring that at each stage there are appropriate imperatives in place designed to protect the business and enable Know Your Vendor (KYV) compliance. An outline of this model is illustrated in Exhibit 3.

Exhibit 3: Sample Vendor Lifecycle



This process, designed to provide an end-to-end information security framework for the duration of the vendor contract agreement, is crucial in order to ensure appropriate protocols are followed for each part of the vendor contract. Further, it delineates the stages of the vendor lifecycle around which different kinds of particular safeguards are needed. In defining this process and constructing an appropriate operating model, organizations can ensure not only that their internal assets are secured, but also that vendor operations themselves are held to a high standard of excellence.


In following these three steps, organizations are able not only to inventory their own internal vulnerabilities and information assets, assuring that necessary internal safeguards are implemented, but also to ensure that vendor behavior is governed so as to protect assets outside of the organization. In doing so, they can quickly meet regulatory compliance standards, and ensure they have the necessary security constructs in place to adapt to a changing landscape of external threats.
