Third-party risk for the crypto-ready financial sector

January 17, 2026

Financial services companies today face the challenge of balancing opportunity and innovation with the security controls and oversight needed to maintain consumer and stakeholder trust, while building cybersecurity resilience and mitigating financial crime in an evolving threat landscape.

These dynamics are intensifying as traditional financial institutions combine their services with those of digital asset companies. Collaboration between established organizations and crypto-native businesses is being accelerated by the support of the current US administration and its work to make America the “crypto capital of the world.”¹

While the integration between traditional finance and decentralized finance offers opportunities, it can also create new third-party cybersecurity risks as financial services companies increasingly endorse vendors, partners and fintechs as part of their digital ecosystems. This can expand their attack surface and provide malicious actors with numerous access points to exploit. In turn, financial services companies should thoroughly vet their formally contracted third parties and affiliates, understand the corresponding risks, and determine what their third-party risk management programs should include.

How well known are approved third parties?

Third-party risk management, traditionally a function focused on process and documentation compliance, is under new scrutiny in many organizations. A range of macroeconomic factors have amplified third-party risk, including growing cyber threats, data privacy risks, supply chain disruptions, geopolitical instability, high inflation and cloud outages. Technology incidents affecting a wide range of customers continue to occur, disrupting businesses and damaging reputations.

Striking a balance between protecting the business and maintaining common-sense controls that provide the right level of control and diligence is often more complex and expensive to implement than expected. Additionally, risk reporting rarely provides the full picture to the board and senior management.

One-size-fits-all solutions are not effective and a high degree of tailoring is required to implement a program that properly measures and manages each entity’s specific third-party risk profile. It is essential to fully understand the activities, broader risk management capabilities and range of exposures of approved third parties, particularly those related to the integration of crypto offerings into the traditional value chain, before integrating or refining a third-party risk program. This will help improve the operating model across all processes, including due diligence and onboarding, continuous monitoring, contract negotiation, reporting and termination.

Third-party risks

Integrating risk metrics and control environments to align with other organizational risk policies is essential. Additionally, when it comes to cryptocurrency, organizations should focus on the specific sector and on the best practices that apply to the unique aspects and classifications of digital assets. When integrating or formally partnering with a cryptocurrency company, even an organization with a well-developed risk management program may inherit that company’s third-party risks if the company does not have its own set of policies and controls.

Business risks typically rooted in formal relationships with third parties include:

  • Information security and data leak risk: Cyberattacks by formal third parties (or their third parties), as well as deliberate disclosure of private information by a third-party employee.
  • Financial crime and consumer protection risk: Bad actors attempt money laundering, fraud schemes, and identity theft that expose users, businesses, and the financial system.
  • Risk of technological efficiency and effectiveness: Failures or delays in the production or development of technological infrastructure caused by a failure of a third party.
  • Strategic and reputational risk: Possibility that the strategic objectives of the supplier no longer correspond to those of the company, or that a major reputational event at the supplier impacts the company.
  • Operational resilience risk: Failure of critical customer infrastructure resulting in loss of revenue and reputational damage.
  • Risk of regulatory non-compliance: Failure to comply with regulatory requirements due to a performance failure by an approved third party. Also includes compliance with third-party regulatory expectations.

Elements of a Successful Program

Third-party risk management is by nature a moving target that must adapt to changes in the business. Designing and implementing a program that is effective, compliant and provides the right level of rigor requires a dedicated approach and strategy. When implementing or improving a program, key corrective actions to consider include:

Evaluate officially approved suppliers

  • Conduct regular third-party risk assessments to ensure baseline security standards are met, in accordance with specific industry best practices.
  • Evaluate compliance practices.
  • Review incident response plans to determine detection, containment and remediation capabilities.
  • Evaluate access controls and data processing measures to identify how sensitive information is protected.

Refine the integration

  • Refine enhanced due diligence processes to address key risk exposures.
  • Reduce the backlog of pending integration requests.
  • Identify cases suitable for “accelerated” integration.
  • Refine evaluations and contract negotiations.

Manage inventory

  • Classify the vendor and other non-vendor third parties that have been approved as formal affiliates in a custom taxonomy.
  • Refine the metadata.
  • Monitor and track data in a structured process.
  • Tailor inventory reports to their objectives, at the right level of granularity.

Administer the program

  • Refine process workflow documentation to meet audit expectations.
  • Respond to specific regulatory comments and articulate the program.
  • Evaluate the quality and integrity controls of the procurement function.
  • Integrate with other risk programs (e.g., enterprise risk management, operational risk management, model risk).

Conclusion

While partnerships between traditional financial institutions and cryptocurrency and digital asset companies offer clear business benefits, there are unique nuances that must be addressed through appropriate due diligence and oversight.

By following a process that involves identifying risks, remediating operating models and governance processes, aligning with industry standards for digital assets, and managing regulatory reviews, institutions can strengthen risk management to mitigate threats while aligning with their overall business strategy.
