Hackers have discovered a terrifying truth, and it’s costing banks a fortune.
They don’t need to breach your network to steal your data. Instead, they can get everything they want by breaching your third-party vendors—a faster, easier, and more rewarding endeavor.
Such is the risk of interconnectivity in the digital economy.
Bank operations depend on vast networks of suppliers, vendors, and other third-party service providers. If even one vulnerability is exposed, the entire financial ecosystem could collapse.
If the conveniences of the status quo can’t be changed, they must be adequately defended.
In this article, we will discuss why supply chain security deserves your bank’s fullest attention.
Third-Party Risk Management for Banks
Before diving into the state of supply chain security, it’s important to review a few key definitions (and current events).
First of all, what is third-party risk?
In short, it’s the potential for a bank to suffer a data breach through its external relationships.
These entities include software providers, trusted vendors, business partnerships, and even contractors who have access to your firm’s privileged information—internal company systems, customer data, and more.
Most banks overlook the importance of third-party risk management. While they invest in robust banking cybersecurity measures for their internal protocols, they often leave the security of their external networks to chance.
A brief scan of recent news headlines reveals the ubiquity of third-party-induced cyberattacks.
It’s important to note that all banks, no matter their size, are vulnerable to these attacks. In fact, Bank of America, no less, was a recent victim: customer personal data was exposed after one of its service providers was breached.
Last year, the Russian hacking syndicate Cl0P hit paydirt when they breached a popular file-transfer service called MOVEit.
In theory, MOVEit was little more than a common office tool used to send data between partners, customers, and employees.
In practice, however, it was a veritable masterkey to penetrate over 2,600 organizations (and affect the privacy of over 77 million people).
Financial organizations of all sizes were exposed, including:
- Deutsche Bank
- Flagstar Bank
- BankNewport
- First Merchants Bank
- Dow Credit Union
- TD Ameritrade
- Charles Schwab
While Bank of America was also named among the MOVEit attack victims, they were later targeted a second time through an entirely different third-party provider.
In November 2023, the ransomware group known as LockBit exploited a zero-day vulnerability in Infosys McCamish, a leading insurance and retirement SaaS provider.
As a result, LockBit stole the records of over 57,000 Bank of America customers in an attack that also breached other organizations, including Northwestern Mutual and Fidelity.
Unsurprisingly, the increase in third-party breaches merited the attention of Michael Barr, Vice Chair for Supervision at the Federal Reserve:
“Reliance by banks on third-party service providers has grown considerably in recent years, and with that reliance comes the potential for greater cyber risk. It is ultimately the responsibility of banks to manage their third-party risk, and we have historically seen gaps in this regard.”
In other words, the conveniences offered by third-party providers have outpaced their security measures, and hackers know it.
A reckoning is imminent, and the eyes of regulators, investors, and customers are closely watching financial organizations.
Fortunately, supply chain security can provide meaningful answers to banks in this uncertain time.
What Is Supply Chain Security?
Supply chain security involves the risk management of a bank’s physical and digital infrastructure.
Though there are many components to supply chain security, its overarching goal is to identify and mitigate any vulnerabilities associated with third-party organizations.
Therefore, supply chain security best practices often involve protocols like penetration testing on third-party companies, minimum cybersecurity baselines for associated vendors, and regular auditing of open-source code.
We will explore these in just a moment.
But first, it’s important to note that, while digital supply chain security is the main focus of this article, banks must also continue to fortify all physical supply chain touchpoints—including logging and tracking shipments, inspecting facilities, investing in CCTV cameras, and requiring background checks on all employees.
Why Supply Chain Security Matters
A streamlined supply chain can be a beautiful thing.
It ensures that operations are running smoothly, that customers have what they need, and that your bottom line is secure.
Unfortunately, it doesn’t take much to derail a supply chain, especially in the digital age.
Cybercriminals are constantly seeking to exploit trusted third-party relationships. After all, they know they only need to find a single access point—just one chink in the armor—to breach a bank.
It’s a double-edged sword: whenever you grant a vendor access to your systems and data, your connectivity grows alongside a list of potential vulnerabilities.
While porous supply chain security can open the door to cyberattacks, there are other dangers downstream from a breach, including:
- Operational shutdown: by targeting your vendors, cybercriminals can easily take your bank offline. In fact, a recent attack on a third-party IT provider caused extended outages at nearly 60 credit unions.
- Data exposure: the average company interfaces with 583 third parties, and 82% of businesses allow vendors full access to their cloud data. Without proper supply chain security, proprietary data is dramatically overexposed.
- Financial drain: in 2023, the average cost of a data breach was $4.45 million. Considering each stolen record costs $165 (according to IBM), even relatively contained breaches can still cost banks millions of dollars.
- Reputational decline: beyond the financial losses, data breaches can irreversibly alter a bank’s reputation. While 66% of consumers lose trust in a company after a cyberattack, 75% will cut ties with them altogether.
Third-party vulnerabilities might sound like “other people’s problems,” but that’s not the case.
In fact, 98% of all businesses are associated with third parties that have suffered a breach.
Far from “one-off” rarities, supply chain attacks are a fixture of the digital world.
Banks must do everything they can to adequately protect their clients, resources, and hard-won reputation.
Supply Chain Security: Best Practices
As we will discuss, supply chain security involves a wide array of individual elements.
While it’s easy to get overwhelmed by the breadth of responsibility, three categories are the most common targets for cybercriminals and demand immediate attention: software security, hardware security, and data security.
Beyond the software/hardware/data triumvirate, it’s important to maintain a holistic incident response plan (IRP)—ideally one that upholds the latest regulatory demands.
Though it may sound nihilistic, it’s more practical to assume a cyberattack is inevitable.
Statistics support this reality: in 2023, 78% of financial institutions experienced a third-party data breach. While that’s a bleak figure, organizations with robust cybersecurity infrastructure reduced their time-to-response by 74 days (compared with those who were unprepared).
More significantly, companies that invested in thorough IRPs saved an average of $2.66 million more than businesses without them.
It’s wise to begin preparing for conflict before an attack occurs.
And while supply chain security requires continuous monitoring and assessment, the following best practices can help you establish trusted protocols:
1. Map Your Supply Chain Threat Landscape
In order to enhance your supply chain security, you must first assess all possible risks.
Though it might sound reductive, start by making a list of your suppliers, vendors, and third-party liaisons.
Group them into risk profiles, prioritizing each vendor according to their vulnerability level.
This can be determined by ranking their level of access to your network and systems, along with their direct impact on your organization, and their commitment to cybersecurity.
It may also be useful to identify which assets and data are most valuable to your firm, and, therefore, most likely to be targeted. Then, work backward to determine which vendors may have access to that essential information.
Beyond your partnerships, it’s also important to highlight any internal processes in your supply chain that may threaten client data and bank security.
This includes mitigating remote work endpoint exposures, especially any devices leveraged by contractors and other part-time staff. Traditional security tools, including virtual desktop infrastructure (VDI) and virtual private networks (VPN), are far less effective than advertised.
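The ranking described in this step, as an added example that is not part of the original article: vendors are scored on the three factors named above (access, direct impact, and commitment to cybersecurity), grouped into risk tiers, and then traced backward from a high-value asset to every vendor that can reach it. Vendor names, scores and asset names are constructed sample data.

```python
# Added example, not from the original article: vendor risk tiering
# based on the three ranking factors named in step 1. All vendors,
# scores and asset names below are constructed sample data.
from dataclasses import dataclass, field


@dataclass
class Vendor:
    name: str
    access: int      # 0 none .. 3 privileged access to core systems
    impact: int      # 0 negligible .. 3 an outage halts bank operations
    commitment: int  # 0 no evidence .. 3 audited (e.g. SOC 2) and MFA enforced
    assets: set = field(default_factory=set)  # data the vendor can reach


def risk_score(v: Vendor) -> int:
    # Exposure (access + impact) scaled by how little assurance the vendor
    # gives; a vendor with no access and no impact scores zero regardless
    # of its own posture. Range 0..24.
    return (v.access + v.impact) * (4 - v.commitment)


def risk_tier(v: Vendor) -> str:
    s = risk_score(v)
    if s >= 12:
        return "critical"
    if s >= 6:
        return "high"
    if s >= 3:
        return "medium"
    return "low"


def tier_report(vendors):
    return {v.name: risk_tier(v) for v in vendors}


def vendors_with_access(vendors, asset: str):
    # Work backward from a crown-jewel asset to every vendor that can reach
    # it, riskiest first, so reviews start where exposure is greatest.
    hits = [v for v in vendors if asset in v.assets]
    return sorted(hits, key=risk_score, reverse=True)


SAMPLE_VENDORS = [  # constructed sample data
    Vendor("file-transfer SaaS", 3, 2, 1, {"customer PII", "wire instructions"}),
    Vendor("core banking host", 3, 3, 3, {"customer PII", "account ledger"}),
    Vendor("office cleaning contractor", 0, 0, 0),
    Vendor("marketing analytics", 1, 1, 2, {"customer PII"}),
]

if __name__ == "__main__":
    for name, tier in tier_report(SAMPLE_VENDORS).items():
        print(f"{tier:>8}  {name}")
    for v in vendors_with_access(SAMPLE_VENDORS, "customer PII"):
        print(f"can reach customer PII: {v.name} (score {risk_score(v)})")
```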
2. Establish Minimum Cybersecurity Baselines
As you probably know, it can be quite difficult to align your banking cybersecurity protocols with those of other companies—specifically software companies.
Far too many SaaS providers prioritize speed and convenience over security and privacy—which your bank values above all else.
Therefore, your leadership must establish minimum cybersecurity baselines for all of your third-party vendors, past, present, and future. These expectations should be written directly into all of your vendor contracts.
If possible, try to visit each vendor on-site to determine their security posture. If that’s not feasible, request that they complete comprehensive questionnaires that detail their cyber hygiene, incident response plans, and containment protocols.
Any business relationships that fall short of your baselines should be given a limited window of time to improve their overall security. If they are unwilling to do so, the partnership should be terminated in favor of more diligent alternatives.
3. Consistently Audit Source Code
There’s a reason hackers love to target third-party vendors (like MOVEit).
Here’s why: in modern software development, most software isn’t built from scratch. Instead, it’s typically a composite of open-source code and third-party APIs, all of which can be breached.
According to recent studies, 84% of businesses are put at risk by open-source code used in their systems (a year-over-year increase of 4%).
Therefore, it’s essential that your IT professionals review the DNA of all open-source and third-party vendor source code. If your in-house experts aren’t confident in what they find, consider finding new third-party vendors with more advanced encryption and tokenization standards.
Your rigorous expectations of vendors should also be applied internally. To detect low-level vulnerabilities, be sure to routinely conduct penetration testing and tabletop exercises with your staff.
Top-Level Domains and the Supply Chain
In banking cybersecurity, supply chain security relies on domain authenticity.
Unfortunately, many third-party vendors corrupt the domain registration process and open the door to cyberattacks.
While all new domains are filed with the Internet Corporation for Assigned Names and Numbers (ICANN), consumers can still hire third-party providers to handle the details on their behalf.
These organizations are known as resellers, of which GoDaddy has the largest market share.
While resellers offer convenient services, they operate outside the boundaries of ICANN and are not obligated to meet accreditation requirements.
In other words, many top-level domains (including .com and .net) are bought and sold by resellers that haven’t been properly vetted. As a result, the reseller business model frequently obscures the domain registration process and leaves companies vulnerable to a breach.
If in doubt, always go directly to the registrar; never to a reseller.
At .Bank, we heavily vet our registrars through an in-depth application process. Besides meeting stringent .Bank onboarding requirements, some of our largest registrars also hold certifications for some of the highest international standards for information security, including ISO 27001, ISO 9001, and SOC 2.
All .Bank registrars must fulfill the 18 requirements stated in the fTLD Operations Pledge, including use of multifactor authentication for domain account access. We only work with registrars who meet these standards.
For your convenience, .Bank maintains a curated list of exclusively approved registrars.
Whether you search by certifications, geographical location, or technical services (e.g., DNSSEC or DMARC/SPF/DKIM), you will be able to quickly find a legitimate registrar to begin your domain migration process.
.Bank: Your Good Name, Made Stronger
There’s no way around it: supply chain security depends on having an authentic domain.
With .Bank, you can have confidence your digital storefront won’t be spoofed, phished, or hijacked.
While anyone can access open domains—and resellers can jeopardize the registration process—.Bank cannot be faked.
Why? Because other industries can’t use it. We built it exclusively for banks.
Security, trust, and recognition are just a domain away. Schedule a meeting to find out how we can help fortify your firm.