I’ve been grappling for the past couple of weeks with the definition of a third party. Typically, we would say that a third party is an organization with whom you have entered into a contract to provide your organization a product or service. In this sense the credit bureau, Equifax, is a third party to Financial Institutions (FIs) because the credit bureau provides consumer credit scores to the FIs so they can decide whether to extend credit to consumers. And while almost every FI regularly reports to credit bureaus on the status of their customers’ loan repayments (on time, past due, amount of credit extended, opening a new account, etc.), I would venture to guess that not many FIs seriously contemplated the broader threat those bureaus posed. Similarly, all publicly traded companies were supplying confidential financial information to the SEC but probably didn’t seriously consider the threats that extended beyond the simple delivery of that financial information.
The significant risk emerging from these two scenarios is not that the FI’s customer information supplied to Equifax was breached, or that the publicly traded company’s financial information was breached. Rather, it is that once a credit bureau was breached, both the probability and the impact of future loan charge-offs from fraudulent loans, and of depositor reimbursements from unauthorized account takeovers, increased. And in the case of the SEC, the real risk was not the unauthorized access to financial information but the effect of front-running on stock prices.
Are these examples of a new third party risk management paradigm, black swans, or just a call for more comprehensive third party risk assessment? Both examples present information security risk, but in the case of the credit bureau that risk translates into greater future credit and fraud risk, and in the case of the SEC it translates into greater stock price risk. If risk managers are to anticipate these kinds of risk, they need to apply broad-brush scenario analysis to understand the breadth and magnitude of the risk. Perhaps a simple questionnaire is no longer good enough to scope the range of risks to be considered when evaluating a third party. As these examples illustrate, information security risk can be much more than unauthorized access to customer and company information; it is the related business risk that emerges from that unauthorized access. Let me know what you think.