The Identity Blog

The Benefits and Challenges of Financial Services Institutions Relying on an Increasing Number of Third Parties

You’d be hard-pressed to find an industry that has undergone more changes in the last few years than the financial services industry, as the market has been flooded with new banking options that tout innovative new technology and online-only services.

The marketplace is full of new options, and if a bank wants to retain its customers and attract new ones, it must evolve. To do that, many financial services organizations have turned to an increasingly diverse number of third parties (vendors, contractors, partners, and affiliates) to cost-effectively access the skillsets required to meet their operational needs and remain competitive.

The use of contractors has surged: the contractor-to-employee ratio has risen 48% in the past 5 years, with financial institutions relying on third-party specialists to procure capabilities and amenities at a lower price than they would pay if they were to hire internally. Often these third parties have special skillsets and knowledge that add significantly to the value of an institution’s products and services.

Additionally, third parties help provide the geographic reach and scale that an organization needs to compete in today’s highly competitive market, affording additional flexibility and, if managed correctly, a reduction in operational risk.

While the benefits of utilizing third parties are significant, so are the challenges that they bring to your organization.

To achieve operational agility and meet consumer demands, financial services organizations must first ensure that these business opportunities align with their risk appetite before committing to work with a third-party company. Organizations generally perform risk assessments on the third-party companies they’re considering. Yet most organizations overlook, or simply have no way to centrally track and manage, each third-party worker’s lifecycle and the risk that the worker poses in gaining access to the organization’s assets or network.

Collecting third-party identity data, and then provisioning access to this large population of extended enterprise users, has historically been a highly complex and convoluted process that is inefficient, often manual, and riddled with errors. This recurring pain point has big consequences. In fact, Gartner recently reported that 30 percent of data breaches are the result of some sort of insider event, and 63 percent of all insider events stem from either a deliberate error or carelessness.

Financial services organizations make several common missteps when managing third-party vendor identities, and these often lead to a third-party breach. They include relying on undefined and manual processes to manage access, neglecting to centrally track relationships with third-party users and the system access that they require, and utilizing a “green light/red light” approach to managing risk, rather than implementing different risk levels with appropriate security controls designed for each level.

Making a misstep with your extended enterprise identities is especially dangerous in the financial sector, where a whopping 74% of those polled in a recent Bank of England survey deemed cyberattacks the highest risk to the financial sector, ranking higher than all other risk sources, including inflation, geopolitical incidents, and the pandemic.

The share of executives within the UK financial sector who answered that they believe their company is “at high risk of attack” doubled within this year alone, a jump from 31% in the first half of the year to 62% in the second. With more cybercriminals targeting financial services institutions, banks are starting to realize that they’re only as secure as their extended enterprise.

Read more about how financial services institutions can properly manage their growing extended enterprise, including the five most common third-party identity missteps that organizations make that lead to a third-party breach, by clicking here.

For more information about SecZetta, visit www.seczetta.com, schedule a demo, or take a self-guided product tour.