A security breach that left 24 million mortgage documents unprotected on a server is reawakening concerns about so-called supply chain vendor risk.
Banks and other firms must assess the risk posed by third-party vendors they work with, ensuring their standards are up to snuff. But what happens when the vendor's vendor poses a threat? Though it's a longstanding issue, it continues to be a significant problem.
“This isn’t anything new,” said Rich Baich, chief information security officer at Wells Fargo. “For many years, this has been an area of focus and concern in the public and private sector. You can call it third-party or fourth-party risk, you can call it supply chain risk, it all remains the same thing: Other people who have your data, through contracts and other documents, are they protecting it at the right level? And what happens when they sub it out?”
In the incident, which took place in late January, an independent security researcher found a server full of mortgage documents at a New York-based company called OpticsML that was not password protected. OpticsML conducts optical character recognition on documents to extract and digitize the data they contain. It had done so on behalf of Ascension, a data and analytics company that works with banks.
Banks whose mortgage documents were found on the unprotected server, like Citigroup and Wells Fargo, said they had no connection to OpticsML or Ascension. The documents were there because of companies that bought the mortgages from the banks. In some sense, it wasn't even fourth-party risk, but fifth party.
"Vendors and their subcontractors are often the weakest links in how banks process their customers' information," said Sean Sposito, security industry analyst at Javelin Strategy & Research. "The problem is complex. It boils down to, as an organization, who do we trust and do we trust the people they trust?"
According to BitSight, a company that provides security ratings for 160,000 companies, this kind of risk, which it dubs supply chain risk, is a growing problem. One in five financial institution vendors has at least one outdated desktop operating system like Windows XP on their network; this increases the likelihood of a security breach.
Banks fare much better in BitSight’s ratings. The mean rating for financial institutions is 30 points higher than the mean of their vendors. The financial sector is the highest performing of the 27 sectors BitSight follows, and it always has been.
Supply chain risk “is a growing area of interest and concern from a regulatory standpoint but also from a risk management standpoint,” said Jake Olcott, vice president of BitSight. “It's on the minds of organizations.”
The risk is hard to handle because vendors don’t disclose their vendors and cybersecurity threats continually evolve.
What banks are doing about it
Wells Fargo, American Express, Bank of America, JPMorgan Chase and Bank of New York Mellon are all members of TruSight, a consortium that assesses third parties through a best practices questionnaire.
“Rather than having every financial institution go out and do their own diligence, one would do it and they all would accept it,” Baich said. “It’s that idea of not everybody having to do their own.”
Wells Fargo and others also use BitSight's cybersecurity rating services to keep an eye on their vendors.
Another option for banks is to build contractual obligations into third-party vendor agreements that demand vendors’ vendors manage security properly. These are sometimes called flow-down provisions, Olcott said.
“The problem with that is, how do you validate that, how do you check that? Does that mitigate the risk?”
BitSight monitors vendors’ security practices by watching an externally observable data set. It looks for outdated systems, unpatched systems, outdated browsers and IP addresses with vulnerabilities on them.
“You put all those things together and you start to paint a picture of what an organization looks like and then measure that over time and see if things are getting better or worse and why,” Olcott said.
What more could be done
Baich says there’s room for some entity to publicly rate vendors on their security practices the way Morningstar rates mutual funds.
There are organizations, like Security Scorecard and BitSight, that check on vendors’ security practices, he acknowledged. But they don’t issue Morningstar-like reports.
“Nobody is publishing a list we can go to and look at those ratings, because those ratings will drive the behavior,” Baich said.
This might be done by the government, he suggested, just as federal agencies produce the OFAC list of countries and entities with which banks cannot do business.
Editor at Large Penny Crosman welcomes feedback at
