By Terry Flanagan

Third-Party Providers Pose Cyber Risk: Sifma

The management of cybersecurity at critical third parties is essential for financial firms, according to a set of cybersecurity principles issued by the Securities Industry and Financial Markets Association.

Principle number ten notes that many of the systems and data stores within the critical infrastructure sectors reside not in the firms themselves, but in third-party service providers that are typically unregulated.

When storing data in the cloud, firms need to take the proper steps upfront to understand the safeguards they have in place, as well as the people that will be touching and processing the data.

“There’s always a human element,” Jay Leek, chief information security officer at Blackstone Group, told Markets Media. “When you say you’re putting something into the cloud, you might be looking for the cheapest, lowest cost storage you can find, and that could mean going somewhere offshore to a geography where you might not have the jurisdiction and the regulatory protections you have in place to protect your data. If something were to happen to it the recourse might be limited.”

Protections must be promoted at these non-regulated entities that the financial sector relies on, Sifma said. Similar to financial firms, third parties that pose a systemic risk to the industry should be identified, evaluated more closely, and encouraged to provide more information on the status of their cybersecurity programs.

Regulators should increase their coverage of third parties and put pressure on these third parties to meet the regulatory expectations of the financial services firms that they serve.

Small- and medium-sized firms are particularly reliant upon third-party service providers. Many smaller firms outsource many components of their infrastructure, but lack the negotiating leverage to require third parties to implement robust cybersecurity protections, Sifma noted. Agency oversight and market forces should work together to ensure that such third parties implement these protections and do not leave the financial sector vulnerable.

Sifma outlines ten foundational principles that serve as a framework for robust and efficient cybersecurity guidance. The recommendations are meant to help regulators as they move forward with plans to review, update and harmonize cybersecurity policies, regulations, and guidance, in order to strengthen the financial sector’s defense and response to cyber-attacks, Sifma noted in a release.

Sifma recommends the development of an inter-agency harmonization working group that could coordinate the review of cybersecurity regulations, ensure consistency and receive private sector input.

Featured image by James Thew/Dollar Photo Club
