With recent cyber headlines like the SolarWinds breach, every credit union is evaluating its supply chain for risks. This task is both daunting and essential. Any extension of the central business that attaches to your credit union’s processing systems can be the target of an attack. This includes areas in processing, mortgage, commercial, and online services.
If you are not aware of the issue, SolarWinds experienced a compromise early in 2020. The attackers gained access to the SolarWinds network and compromised code on the server that sends updates to its customers. According to SolarWinds’ statement, updates to its product released between March and June of 2020 were affected. Among other things, these malicious updates allowed attackers to enable or disable security tools, change configurations, and load unauthorized patches (or prevent legitimate patches from being applied).
The SolarWinds compromise exemplifies the exposure created by supply-chain risk. This massive attack was a wake-up call, hitting at one of the core foundations of our cybersecurity efforts. In the past, we have trusted the integrity of supplier patches and updates. Historically, upon notification that a security update was available, we would take those patches, assume they were good, and rapidly push them to the environment. This incident has challenged our view of the integrity of even these core updates to systems. Credit unions now need to spend time testing that the patches they are getting are good.
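One concrete way to act on the last point is to refuse to stage an update until it matches a digest the vendor vouched for through a channel separate from the download itself. The following is an added illustration, not code from this article or from any vendor: it uses a SHA-256 digest manifest and an HMAC over that manifest as a stand-in for the vendor's real signature (a vendor would sign with a private key and the credit union would verify with the matching public key). All file contents, names, and the signing key are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the vendor's offline signing key. A real vendor would
# use an asymmetric key pair; HMAC keeps this example self-contained and offline.
VENDOR_SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"

# Constructed sample release: a short byte string stands in for a real installer.
RELEASE_FILES = {
    "agent-update-1.2.3.bin": b"constructed update payload 1.2.3",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def publish_manifest(files: dict, key: bytes) -> dict:
    """Vendor side: record a digest for each release artifact and sign the manifest."""
    digests = {name: sha256_hex(data) for name, data in files.items()}
    body = json.dumps(digests, sort_keys=True).encode()
    return {"digests": digests, "sig": hmac.new(key, body, hashlib.sha256).hexdigest()}


def manifest_is_authentic(manifest: dict, key: bytes) -> bool:
    """Customer side: reject a manifest that was not produced with the vendor's key."""
    body = json.dumps(manifest.get("digests", {}), sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest.get("sig", ""))


def verify_update(name: str, data: bytes, manifest: dict, key: bytes) -> tuple:
    """Return (approved, reason). Only approve artifacts the signed manifest vouches for."""
    if not manifest_is_authentic(manifest, key):
        return False, "manifest signature invalid: do not trust the listed digests"
    expected = manifest["digests"].get(name)
    if expected is None:
        return False, f"{name} is not listed in the signed manifest"
    if not hmac.compare_digest(sha256_hex(data), expected):
        return False, f"{name} digest mismatch: artifact altered after signing"
    return True, f"{name} matches the signed digest; safe to stage for testing"


def demo() -> dict:
    """Walk through the three cases a patch-intake check must distinguish."""
    manifest = publish_manifest(RELEASE_FILES, VENDOR_SIGNING_KEY)
    name = "agent-update-1.2.3.bin"

    # 1. Untouched artifact: approved.
    good, _ = verify_update(name, RELEASE_FILES[name], manifest, VENDOR_SIGNING_KEY)

    # 2. Artifact modified after signing: digest no longer matches.
    altered = RELEASE_FILES[name] + b" + injected bytes"
    tampered, _ = verify_update(name, altered, manifest, VENDOR_SIGNING_KEY)

    # 3. Download server rewrites the hash list to match the altered file. A bare
    #    hash file hosted next to the download would pass here; the signature
    #    check is what catches it, because the attacker lacks the signing key.
    forged = {"digests": {name: sha256_hex(altered)}, "sig": manifest["sig"]}
    forged_ok, _ = verify_update(name, altered, forged, VENDOR_SIGNING_KEY)

    return {"good": good, "tampered": tampered, "forged_manifest": forged_ok}


if __name__ == "__main__":
    for case, approved in demo().items():
        print(f"{case}: {'approved' if approved else 'rejected'}")
```

The point of the third case is the one most often missed: a checksum posted on the same server that serves the update proves nothing if that server is the thing that was compromised, which is exactly the SolarWinds scenario. The digest list has to be authenticated with a key the attacker does not have, and the check has to run before the artifact reaches the test environment, not after.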
Events like the SolarWinds breach have increased the focus on managing third-party software and service suppliers. But that alone is not enough. Cybersecurity is now tasked with policing the suppliers of our suppliers (known as the fourth party).
To start, credit unions must ask the following questions about their vendor risk management efforts:
- Does the credit union have a master list of its suppliers, and are they prioritized based on their access to the core business?
- Does the credit union know what sensitive data or connections it has from external organizations?
- Do any third-party suppliers have suppliers of their own, and what do your vendors know about their own supply chain? This is known as fourth-party risk.
An auditor will not expect you to do a risk analysis on every supplier to a supplier. You can, and should, however, ask questions of your critical suppliers to understand how they review their suppliers.
Baseline auditing questions for your critical suppliers:
- What critical services do the fourth-party suppliers provide, and how?
- Do the fourth parties have access to the supplier’s sensitive data?
- Do the fourth parties have access to your sensitive data?
- If the fourth party experienced a breach, could it lead back to your data?
- What are their security incident response and business continuity plans should a breach occur?
- Where are your fourth-party vendors located? This last point is significant: information risks can change depending on the location of the supplier.
Finally, leverage contracts as a control for high-risk fourth-party suppliers.
Contracts ensure that your critical services are not outsourced without your knowledge. Items to incorporate during contract negotiations:
- Specify the services your vendors provide to you that cannot be outsourced or subcontracted.
- Insert contract language that requires a notification when a new supplier partners with your vendors.
As stated earlier, it is not realistic to review all vendors at once. Trying to boil the ocean almost guarantees problems. Start with your most critical vendors, and review new vendors as they enter your operational environment.
By creating questionnaires from the areas above, you can incorporate fourth-party data into your vendor risk management process. Additional security goals include penetration tests and onsite assessments, which pinpoint and validate fourth-party risk insights. A best practice is to strive for a continuous monitoring program as part of your ongoing vendor risk management. If done well, fourth-party suppliers will fit easily into that process.
In summary, get out ahead of this issue, and remember, bad actors are getting smarter. SolarWinds was not a unique outlier but rather a signal that attackers are evolving their blueprint. Diligent oversight and increased program management help credit unions compensate for these increased cyber risks.
Not sure how healthy your fourth-party risk analysis is? Our team of partners is standing by to help!
About the Author: Gene Fredriksen has over 30 years of information security and technology experience across all areas of audit and security. A published author and policy advisor, Gene also formerly served as PSCU Chief Security Strategist. Gene will be speaking live on June 16th during the 2021 NCUL Annual Meeting & Convention on Critical Board DR and Cybersecurity Training: Building a Comprehensive Business Continuity Program.