Community and mid-size banks lack the due diligence and robust contract negotiations with their third-party vendors that are necessary to protect themselves in the event of a vendor's data breach, a survey by law firm Jones Walker published Tuesday revealed.
Banks need to ensure third-party vendors employ the same level of data security measures that banks themselves follow, and should spend more on thorough due diligence, both upfront and ongoing, to verify that third-party vendors have adequate data protection measures, Rob Carothers, a partner on the firm's banking and financial services industry team, told Banking Dive.
Banks do a good job of securing their internal systems and procedures for data security, he said. However, when banks partner with third-party vendors, like fintechs or other service providers, and share sensitive customer information with them, banks’ data is exposed, he said.
“Both sides need to recognize that it's a partnership,” Tom Walker, a partner on the firm's banking and financial services industry team, said. “The community banks and the fintechs need to realize that it's an obligation of both of theirs to work together to satisfy the banks and regulators, as well as just the basic cybersecurity responsibilities in order to protect customers' information. And I think the quicker they realize that ... the easier it will be for them to work together to take care of some of these vulnerabilities.”
The survey found that 99% of community and mid-size banks rely entirely or partly on third-party vendor services to address their cybersecurity needs, while only 71% of those lenders hold third parties accountable for contractual, legal or regulatory liability, and 23% require vendors to cover the costs if there's a data breach.
Since the regulatory obligation ultimately rests with the bank, regulators will be looking at the bank to ensure that “whatever partnerships they put in place, they are pulling the thread all the way through with respect to the regulatory obligations, and making sure what they are responsible for, they're also holding their vendors accountable for,” said Lara Sevener, a partner and co-leader of the firm's technology industry team. Sevener has more than 20 years of experience advising clients on technology-related transactions as a lawyer and in-house counsel.
Due to rapid innovation and competition in financial services, banks sometimes work with vendors that might have a different level of experience or maturity than the bank itself does, Sevener added.
Cybersecurity is a key concern when moving toward digital transformation, the three survey authors pointed out during an interview Wednesday afternoon.
Reasons, types of gaps
Since community banks are smaller in scale and tend to have fewer resources than larger banks, employees at smaller lenders often wear many hats and might struggle with giving cybersecurity and third-party risk management sufficient attention, Walker pointed out.
Regulators have increased their scrutiny of banks’ third-party relationships and issued more detailed guidance in June 2023. “For community banks who have not had those resources in the past, they're probably still catching up a little bit on what the expectations are,” Walker said. He served as executive vice president and director of a community bank in Forest, Mississippi.
According to the lenders surveyed, the top three perceived threat actors were insiders, which included current or former employees or contractors clicking on something they should not; organized cybercrime groups; and solo threat actors or hackers, a category that included vandalism.
The most crucial thing the research identified was the importance of performing due diligence and, more specifically, information security due diligence, Sevener noted. Banks need to consider the technical, organizational, physical, and administrative controls that need to be in place to address security requirements with third-party vendors, she said.
Banks should be able to test those controls and audit them over the lifetime of the relationship with that vendor, to ensure that the vendor is upholding its end of the bargain and maintaining the required security standards, she added.
However, one point that stood out for Carothers while reviewing contract negotiations was indemnification provisions with vendors. He highlighted that contracts often lack clarity on whether, when a data breach occurs, the vendor is held responsible and reimburses the bank for out-of-pocket costs and expenses resulting from the breach, which the vendor's actions or negligence might have caused. Other “bigger ticket items” he noticed as contract gaps were a lack of prompt breach notification and a lack of vendor cooperation when a breach occurs. Carothers advises banks and other financial institutions on a wide range of regulatory matters, including data breaches.
Emerging threats, cyber resilience
Sevener emphasized the importance of cyber resilience and highlighted the need to approach cybersecurity from a holistic viewpoint. Artificial intelligence plays a dual role in cybersecurity: On one hand, AI can be used to protect against threats; on the other, it can be used to create new threats, Sevener noted. However, human error remains a major vulnerability, she emphasized, adding that it involves mistakes like clicking on suspicious links, often when people are in a hurry.
Threats evolve as security measures evolve, according to Sevener. One significant threat is ransomware, which makes its way in through exposed vulnerabilities; when many organizations use the same technology or tool, a single mistake can have much bigger implications. Having a proper plan to preserve key business operations and lock down critical systems during such incidents is crucial, she said.
“Strong contracts are a key piece. Education is a key piece. Monitoring evolving and newly emerging threats is a key piece,” Sevener said. Banks “have to use all of the arrows in [their] quiver in order to maintain a secure environment.”