Can Outsourcing Increase Your Operational Risk?

By: Gene Fredriksen, Security Strategy Consultant

Ransomware attacks are in the news daily. This malicious software is a growing threat to financial services as the number of managed service providers (MSPs) falling victim to ransomware attacks mounts. Unfortunately, as with other types of malware, we can count on these hackers to continuously morph and change their strategies to try to steal important financial information.

These cyber criminals are highly organized, and ransomware attacks have become easier for them to execute on a wide scale. In one recent example, 20 local governments in Texas were hit by ransomware in just one day. Historically, ransomware encrypts a victim’s files immediately when it infects a network. The infection of 20 organizations in one day indicates that capabilities now exist for remotely activating the ransomware.

Moreover, investigators have reported that all of the Texas government organizations had one thing in common: an MSP. The error was that they placed critical parts of their business operations in the hands of the MSPs, which made those MSPs a very attractive target to the ransomware operators.

Managing Your Cybersecurity When Outsourcing

Similar to government organizations, many credit unions have limited IT resources of their own, and MSPs have become a viable option to run IT functions at a reasonable cost. Don’t get me wrong, MSPs are an effective tool for credit unions, and there are many excellent providers that deliver great results. However, just like the many services and tools we all use for business, it is up to us to manage the risks of outsourcing and protect our valuable member information.

The next time you review your outsourcing strategies, take stock of what types of information you are placing with a provider. Also, evaluate the controls the provider has in place to ensure they meet your internal standards and any regulatory mandates.

The National Credit Union Administration (NCUA) advises that credit unions should weigh the risks and benefits of outsourcing business functions against the risks and benefits of maintaining those functions in-house. NCUA states that credit unions should complete a risk assessment prior to engaging in a third-party relationship to evaluate what internal functions, if any, can be safely and soundly transferred to a provider. The initial assessment for a third-party relationship should consider all seven risk areas: Credit, Interest Rate, Liquidity, Transaction, Compliance, Strategic and Reputation, as well as the following specific considerations:

  • Expectations for Outsourced Functions – Credit unions should clearly define the nature and scope of their needs. Which needs will the third party meet? Will the third party be responsible for desired results? To what extent?
  • Staff Expertise – Is credit union staff qualified to manage and monitor the third party relationship? How much reliance on the third party will be necessary?
  • Criticality – How important is the activity to be outsourced? Is the activity mission critical? What other alternatives exist?
  • Risk-Reward or Cost-Benefit Relationship – Does the potential benefit of the arrangement outweigh the potential risks or costs? Will this change over time?
  • Insurance – Will the arrangement create additional liabilities? Is credit union insurance coverage sufficient to cover the potentially increased liabilities? Will the third party carry “key man” insurance or other insurance to protect the credit union?
  • Impact on Membership – How will officials gauge the positive or negative impacts of the arrangement on credit union members? How will they manage member expectations?
  • Exit Strategy – Is there a reasonable way out of the relationship if it becomes necessary to change course in the future? Is there another party that can provide any services officials deem critical?

NCUA’s Letter to Credit Unions 2007-13 (and its enclosed Supervisory Letter 07-01) is the primary source of vendor management guidance for credit unions. In that letter, NCUA sets out three major concepts that should be addressed in evaluating third-party arrangements: Risk Assessment and Planning; Due Diligence; and Risk Measurement, Monitoring and Control. In the past, NCUA has identified due diligence (contract issues and legal review in particular) as a potential problem area for some credit unions.

As one of my favorite mentors told me: “You can outsource your computer operations, but you can’t abdicate your responsibility to protect your information.” That is certainly good advice that has become one of my core security values. We live in a world of constantly changing services, tools, threats and hacker capabilities. If we don’t pay constant attention to where our data is and how it is protected, we run the danger of becoming complacent, and thus an easy target for hackers.

Gene Fredriksen is a co-founder and current executive director of the National Credit Union ISAO, the principal cybersecurity consultant with PureIT CUSO, and has also held the positions of CISO for PSCU, Global CISO for Tyco International, principal consultant for security and risk management strategies for Burton Group, vice president of technology risk management and chief security officer for Raymond James Financial, and information security manager for American Family Insurance.

He served as the chair of the security and risk assessment steering committee for BITS, and also served on the R&D committee for the financial services sector steering committee of the Department of Homeland Security. He also served as an advisor on various cybersecurity steering committees for the administrations of George W. Bush, Bill Clinton and Donald Trump, assisting in the preparation of the president’s Cybersecurity Position Paper.