This week we learned of a ransomware attack against a vendor of fund administrator SEI Investments Co. This attack exposed the personal information of investors in roughly 100 of its clients, according to The Wall Street Journal. We look at this incident through the lens of third-party risk and how a third-party risk management (TPRM) program can help prevent a third-party data breach like this.
Attackers infiltrated the corporate systems of M.J. Brunner, a service provider for SEI's investment dashboard and online enrollment portal, according to the source. As a result, they obtained files from Brunner that contained user names and emails, and in some cases first and last names, physical addresses, and phone numbers, associated with the dashboard.
Among the funds whose investors were impacted by the attack were Angelo Gordon & Co., Graham Capital Management, Fortress Investment Group LLC, Centerbridge Partners, and Pacific Investment Management Co. SEI is a leading fund administrator and investment-management service provider that does business with hedge funds and private-equity funds. As of June 30th, SEI managed $693 billion in client assets.
Minimizing the Third-Party Data Breach Vector
A spokesperson for SEI said the company's network wasn't compromised and the attack didn't exploit any vulnerabilities within its network, adding that they take the security of their clients very seriously. While that can certainly be true, the first step to working with a third party is to ensure they take security as seriously as you do.
A third-party risk management program would ensure the continuous assessment and mitigation of the risk that arises from third-party and subcontractor relationships. This would include asking the following questions:
- Who are your third parties, and which of them have access to sensitive data?
- How are you going to categorize your third parties?
- How would you rank your third parties?
- What are the criteria and requirements for each of those categories?
- Who will be involved in the workflow: business owners, legal, procurement?
The enabler for this sort of strategy is technology. With workflow automation and centralized documentation, a TPRM platform like ThirdPartyTrust will make it easier to work securely with hundreds of third parties.
While necessary for business operation, vendors and service providers have emerged as popular targets, as successful attacks can yield access to large amounts of sensitive information or systems. In fact, regulators are growing increasingly concerned about cyber attacks against financial services companies.
The WSJ states that in March, financial-technology provider Finastra suffered an attack that forced it to take its systems offline temporarily. In late December, an attack on Finablr PLC's foreign-exchange business Travelex shut down its website for weeks, which impacted banks that use its services.
It should also be noted that ransomware – and malware in general – is just one of the risks to which an organization is exposed. Other associated risks include:
- Not being able to confirm whether third parties have had a data breach or cyber attack involving your sensitive and confidential information – in this case, the breached vendor told SEI about the attack in late May, but weeks passed before SEI knew its clients' information had been leaked, according to the source.
- Not being able to determine the number of third parties with access to confidential information, and how many of these are sharing this data with one or more vendors of their own.
- A lack of confidence in third parties' data safeguards, security policies and procedures, and whether their security posture is sufficient to respond to a data breach or cyber attack.
On top of that, the regulatory landscape for financial services companies is ever-evolving. With state, national and international complexities, information security professionals have to stay on their toes to comply.
All of this shows why a third-party risk management (TPRM) program is key to any cybersecurity strategy. There’s no denying that third-party relationships and sharing data have become crucial to business operation, but this also means enterprises need to address a whole new set of problems.
The good news is it's not hard to do. We believe a network approach is best suited to tackle digital supply chain risk in a streamlined and affordable way. By accessing more than 10,000 existing vendor profiles and by inviting new third parties to the network, organizations can save time in their assessment process while paving the way for further optimization. Redundancies are removed on both ends, and time to completion is reduced from months to weeks.
To learn more about how ThirdPartyTrust can help you streamline your TPRM program, request your free trial now.