Financial institutions rely on numerous third-party providers to support their operations and deliver essential services. However, these partnerships can introduce additional cybersecurity risks, especially when vulnerabilities like the MOVEit vulnerability are discovered. Let’s explore what financial institutions should do to mitigate the MOVEit vulnerability when it exists at a third-party provider and safeguard their data and operations.
- Identify Affected Third-Party Providers: The first step is to identify which third-party providers run the vulnerable version of MOVEit. Financial institutions should maintain an inventory of their service providers and assess which ones are affected by the vulnerability. Collaborate closely with these providers to ensure a coordinated response to address the issue.
- Establish Communication Channels: Establish clear and effective communication channels with the affected third-party providers. Promptly inform them about the MOVEit vulnerability and the potential risks it poses to your institution's data and operations. Request detailed information on their mitigation plans and the timeline for applying patches and updates.
- Request Remediation Plans: Engage in discussions with the third-party providers to understand their remediation plans. Inquire about the steps they are taking to address the vulnerability, such as applying patches, updating software versions, or implementing alternative secure file transfer solutions. Evaluate the effectiveness and timeliness of their plans and prioritize providers who demonstrate proactive and comprehensive measures.
- Assess Risk Mitigation Efforts: Evaluate the risk mitigation efforts of the third-party providers. Seek assurances that they are actively monitoring their systems, conducting vulnerability scans, and implementing intrusion detection measures to detect and respond to potential attacks. Request evidence of ongoing security audits and certifications to validate their commitment to maintaining a robust security posture.
- Review Contracts and Service Level Agreements (SLAs): Review existing contracts and SLAs with the affected third-party providers. Ensure that cybersecurity provisions, incident response protocols, and liability clauses adequately address the MOVEit vulnerability and similar risks. If necessary, update contracts to reflect the current threat landscape and to establish clear expectations regarding vulnerability management and mitigation efforts.
- Enhance Oversight and Monitoring: Strengthen oversight and monitoring of third-party providers to ensure compliance with security standards and follow-through on vulnerability remediation. Regularly review audits, security assessments, and penetration testing exercises to verify the effectiveness of their security controls.
When the MOVEit vulnerability exists at a third-party provider, financial institutions must take proactive steps to mitigate the risks and ensure the security of their data and operations. Document each provider's remediation efforts for future reference. Vigilance and collaboration are key in safeguarding the integrity of financial services in an increasingly interconnected ecosystem.
Bedel Security exclusively helps financial institutions develop and improve their cybersecurity program including managing third-party providers. We would be happy to chat about how we can help your program. Send us an email at support@bedelsecurity.com to start a conversation.