This week we learned of a ransomware attack against a vendor of fund administrator SEI Investments Co. This attack exposed the personal information of investors in roughly 100 of its clients, according to The Wall Street Journal. We look at this incident through the lens of third-party risk and how a TPRM program can help prevent a Third-Party Data Breach like this.
Attackers infiltrated the corporate systems of M.J. Brunner, a service provider for SEI’s investment dashboard and online enrollment portal, according to the source. As a result, they obtained files from Brunner that contained user names and emails —and in some cases first and last names, physical addresses, and phone numbers— associated with the dashboard.
Among the funds whose investors were impacted by the attack were Angelo Gordon & Co., Graham Capital Management, Fortress Investment Group LLC, Centerbridge Partners, and Pacific Investment Management Co. SEI is a leading fund administrator and investment-management service provider that does business with hedge funds and private-equity funds. As of June 30th, SEI managed $693 billion in client assets.
A spokesperson for SEI said the company’s network wasn’t compromised and the attack didn’t exploit any vulnerabilities within its network, adding that they take the security of their clients very seriously. While that can certainly be true, the first step to working with a third-party is to ensure they take security just as seriously as you.
A Third-Party Risk Management Program would ensure the continuous assessment and mitigation of the risk that arises from third-party and subcontractor relationships. This would include asking the following questions:
The enabler for this sort of strategy is technology. With workflow automation and centralized documentation, a TPRM platform like ThirdPartyTrust will make it easier to work securely with hundreds of third-parties.
While necessary for business operation, vendors and service providers have emerged as popular targets, as successful attacks can yield access to large amounts of sensitive information or systems. In fact, regulators are growing increasingly concerned about cyber attacks against financial services companies.
The WSJ states that in March, financial-technology provider Finastra suffered an attack that forced them to temporarily take its systems offline. In late December, an attack on Finablr PLC’s foreign-exchange business Travelex shut down its website for weeks, which impacted banks that use its services.
It should also be noted that ransomware – and malware in general – is just one of the risks an organization can be affected by. Other associated risks include:
On top of that, the regulatory landscape of financial services companies is ever evolving. With state, national and international complexities, information security professionals have to stay on their toes to comply.
All of this shows why a third-party risk management (TPRM) program is key to any cybersecurity strategy. There’s no denying that third-party relationships and sharing data have become crucial to business operation, but this also means enterprises need to address a whole new set of problems.
Read More: Building a Scalable Third-Party Risk Management Program
The good news is it’s not hard to do. We believe a network approach is best suited to tackle digital supply chain risk in a streamlined and affordable way. By accessing +17,000 already existing vendor profiles and by inviting new third-parties to the network, organizations can save time in their assessment process while paving the way for further optimization. Redundancies are removed on both ends and time to completion is reduced from months to weeks.
To learn more about how ThirdPartyTrust can help you streamline your TPRM program, request your free trial now:
|cookielawinfo-checkbox-analytics||11 months||This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".|
|cookielawinfo-checkbox-functional||11 months||The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".|
|cookielawinfo-checkbox-necessary||11 months||This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".|
|cookielawinfo-checkbox-others||11 months||This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.|
|cookielawinfo-checkbox-performance||11 months||This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".|