The third-party risk management imperative facing all credit unions

As the financial services landscape becomes ever-more virtual, cybersecurity risk is looming larger than ever before. Much of this has to do with the added layer of third-party partnership. The more credit unions rely on a patchwork of fintech and other vendors to provide the best possible member experience, the larger the potential attack surface becomes. Indeed, Verizon’s latest investigation revealed that 15% of all breaches this year involve a third party, a whopping 68% increase from last year.

Essentially, this boils down to one hard-and-fast truth for credit unions today: Third-party risk management (TPRM) is no longer a cherry-on-top task; it’s an imperative.

What is third-party risk management?

TPRM is the identification and management of the risks that come with vendor relationships. It’s far from new; in fact, most tenured governance, risk and compliance (GRC) professionals have at least some exposure to the strategy.

What’s changing, however, is TPRM’s importance to examiners. The recent surge of digitalization, as well as the aforementioned reliance on more third parties, has heightened regulator interest.

It’s pretty clear why regulatory bodies are paying greater attention to TPRM. In addition to growing in number, TransUnion found that third-party data breaches are often more severe than a direct compromise of a credit union’s systems.

This may be due to the fact that vendors often allow attackers an easier way into their systems—which are often connected to the systems of their clients. That’s because large organizations—and especially those in the highly regulated field of financial services—have comprehensive cybersecurity protections in place. A smaller third party may not have the same culture of data protection and cybersecurity, and therefore, be easier to penetrate.

2 key tenets for credit union TPRM programs

The first component of a successful TPRM program is a solid governance structure whereby the board and credit union executives are ultimately responsible for TPRM activities. The TPRM policy should be documented and reviewed periodically. Providing the board and executives with a comprehensive view of their third-party universe, including metrics, is a key component. Ideally this documentation would be included in the board pack and present on the scheduled governance agenda.

Another key component to sound TPRM is maintaining an up-to-date vendor registry. Credit unions should assess their third parties from a risk and criticality perspective on an ongoing basis. Not all vendors will require the same frequency of check-in; criticality classification can drive the depth of ongoing due diligence. And it’s a step no credit union will want to miss. Segmenting criticality often makes TPRM more manageable, particularly for smaller management, risk and compliance teams.

TPRM backed by operational resilience

Of course, the greatest protection against the fallout of a third-party incident is the development of sound operational resilience, encompassing plans for identifying, controlling for and swiftly responding to major incidents.

Credit unions should meticulously gauge their resilience to third-party disruptions, ensuring robust measures are in place to safeguard both their business operations and the interests of their members. Central to this concept is understanding the potential impact of various incidents along a risk spectrum, as well as defining the credit union’s overall risk tolerance.

The people challenge of managing third-party risks

One of the main hurdles to effective TPRM programs is inexperience. Credit unions that lack GRC leadership with expertise in non-financial risks are at a disadvantage. What’s more, adding skilled risk and compliance staff, with the expertise, the know-how (and the chops) to successfully challenge inadequate vendor arrangements is not an easy task. These leaders have to have the backbone and assuredness of mind to effectively enforce appropriate oversight mechanisms with all kinds of vendors—from local office custodians to global core processors.

As credit unions navigate the complexities of an increasingly digital and vendor-rich world, the imperative for robust TPRM is clear. The rise in third-party breaches underscores the necessity of comprehensive TPRM strategies that not only identify and mitigate risks but also ensure operational resilience and regulatory compliance. By prioritizing TPRM, credit unions can better safeguard their operations and member interests, fortifying themselves against the evolving landscape of cybersecurity threats.

Ogie Sheehy

John "Ogie" Sheehy is Global CIO and CEO European Business for ViClarity, a governance, risk and compliance (GRC) technology and consulting firm. With a degree in Applied Physics and Electronics ...