In this episode, Matt Kelly and I take a deep dive into a report from the Financial Stability Oversight Council (FSOC) on the cybersecurity risk of third-party technology providers in the financial industry. Financial firms have come to rely on technology service providers so heavily, the report said, that a poor understanding of those providers' cybersecurity postures could create risk for the financial system overall. Among the risks the report identified is maintaining confidence in the security practices of third-party service providers. To help manage this risk, FSOC encourages additional collaboration between government and industry on addressing cybersecurity risk related to third-party service providers, including an effort to promote the use of appropriately tailored contracting language. As Matt noted, FSOC even raised the idea of regulating tech providers in a more uniform fashion, so that the current patchwork of supervision doesn't leave cracks in the system that others could exploit.

We use this as a jumping-off point to explore how such issues are increasingly becoming the purview of the compliance practitioner. Some of the solutions are directly in the wheelhouse of the compliance professional. They include: (1) scoping of SOC 2 audits, as compliance practitioners are very familiar with audits of third-party providers, on both the sales and supply chain sides; (2) implementing NIST written protocols, as what is more compliance-related than setting written standards; and (3) addressing additional requirements from regulators, such as the SEC on disclosure and the PCAOB on audit requirements, going forward into 2018.

For additional information on this topic, see some of Matt's writings in this area:

Feds Eye Cybersecurity Risks of Tech Providers

The Fine Art of Scoping a SOC 2 Audit

NIST Standards and Why They Matter