The Third-Party Risk Management Imperative Facing All C

The Third-Party Risk Management Imperative Facing All Credit Unions

June 28, 2024

By ViClarity's Global CEO Ogie Sheehy

As the financial services landscape becomes ever-more virtual, cybersecurity risk is looming larger than ever before. Much of this has to do with the added layer of third-party partnership. The more credit unions rely on a patchwork of fintech and other vendors to provide the best possible member experience, the larger the potential attack surface becomes. Indeed, Verizon’s latest investigation revealed 15% of all breaches this year involve a third-party, a whopping 68% increase from last year.

Essentially, this boils down to one hard-and-fast truth for credit unions today: Third-party risk management (TPRM) is no longer a cherry-on-top task; it’s an imperative.

What is Third-Party Risk Management?

TPRM is the identification and management of the risks that come with vendor relationships. It’s far from new; in fact, most tenured governance, risk and compliance (GRC) professionals have at least some exposure to the strategy.

What’s changing, however, is TPRM’s importance to examiners. The recent surge of digitalization, as well as the aforementioned reliance on more third parties, has heightened regulator interest.

It’s pretty clear why regulatory bodies are paying greater attention to TPRM. In addition to growing in number, TransUnion found that third-party data breaches are often more severe than a direct compromise of a credit union’s systems.

This may be due to the fact that vendors often allow attackers an easier way into their systems—which are often connected to the systems of their clients. That’s because large organizations—and especially those in the highly regulated field of financial services—have comprehensive cybersecurity protections in place. A smaller third party may not have the same culture of data protection and cybersecurity, and therefore, be easier to penetrate.

2 Key Tenets for Credit Union TPRM Programs

The first component to a successful TPRM program is a solid governance structure whereby the board and credit union executives are ultimately responsible for TPRM activities. The TPRM policy should be documented and reviewed periodically. Providing the board and executives with a comprehensive view of their TP universe, including metrics, is a key component. Ideally this documentation would be included in the board pack and present on the scheduled governance agenda.

Another key component to sound TPRM is maintaining an up-to-date vendor registry. Credit unions should assess their third parties from a risk and criticality perspective on an ongoing basis. Not all vendors will require the same frequency of check-in; criticality classification can drive the depth of ongoing due diligence. And it’s a step no credit union will want to miss. Segmenting criticality often makes TPRM more manageable, particularly for smaller management, risk and compliance teams.

TPRM Backed by Operational Resilience

Of course, the greatest protection against the fallout of a third-party incident is the development of sound operational resilience, encompassing plans for identifying, controlling for and swiftly responding to major incidents.

Credit unions should meticulously gauge their resilience to third-party disruptions, ensuring robust measures are in place to safeguard both their business operations and the interests of their members. Central to this concept is understanding the potential impact of various incidents along a risk spectrum, as well as defining the credit union’s overall risk tolerance.

The People Challenge of Managing Third-Party Risks

One of the main hurdles to effective TPRM programs is inexperience. Credit unions that lack GRC leadership with expertise in non-financial risks are at a disadvantage. What’s more, adding skilled risk and compliance staff, with the expertise, the know-how (and the chops) to successfully challenge inadequate vendor arrangements is not an easy task. These leaders have to have the backbone and assuredness of mind to effectively enforce appropriate oversight mechanisms with all kinds of vendors—from local office custodians to global core processors.

As credit unions navigate the complexities of an increasingly digital and vendor-rich world, the imperative for robust TPRM is clear. The rise in third-party breaches underscores the necessity of comprehensive TPRM strategies that not only identify and mitigate risks but also ensure operational resilience and regulatory compliance. By prioritizing TPRM, credit unions can better safeguard their operations and member interests, fortifying themselves against the evolving landscape of cybersecurity threats.

Originally published in CUInsight on June 24, 2024.  

Check Out Our Vendor Management Needs Assessment Tool Banner Graphic

Back

Recent/Related Articles

Complaint Management: Why CUs Should Sweat the Small Stuff

October 10, 2024

Every good credit union compliance officer will tell you that even small, seemingly isolated complaints must be thoroughly investigated. Here are some key steps to help CUs maintain a comprehensive process that is consistent, efficient, and demonstrates commitment to member satisfaction and regulatory compliance.

3 Big Compliance Problems Facing Small Credit Unions – and How to Solve Them

October 08, 2024

Being small isn't necessarily a bad thing. Smaller credit unions enjoy greater agility when it comes to decision making and have closer ties between staff and members than their larger counterparts. However, being small can also come with challenges, like these common ones: managing consumer complaints, sticking to an adequate audit schedule and managing findings resolution tracking, and staying on top of vendor management.