Cybersecurity risk: It’s third parties, cry if you want to...
Euromoney is part of the Delinian Group, Delinian Limited, 4 Bouverie Street, London, EC4Y 8AX, Registered in England & Wales, Company number 00954730
Copyright © Delinian Limited and its affiliated companies 2023

With the most complex of supply chains, banks face an almost impossible task in dealing with third-party cybersecurity risk. But one group of counterparties poses a particular problem – law firms that have been slow to react to cyber crime.


You’ve got board support and the biggest cybersecurity budget. You’ve got best-practice policies and procedures in place, hired the right people, built state-of-the-art threat intel and other systems, you test continuously and you have created a cybersecurity culture throughout your organization. That’s great. But you still have a problem that is largely beyond your control and that can render all that useless.


One of the most publicized hacks (and the one mentioned by almost all the CISOs below) is the 2013 attack on US retailer Target and its payment system that affected more than 41 million of the company’s customer payment card accounts. The initial intrusion into its systems was traced back to network credentials stolen from a heating and air conditioning (HVAC) subcontractor that had access to the network for legitimate reasons. 

Aside from the immediate stock price fall, the reputational damage and the firing of the chief executive, the breach prompted a series of lawsuits that were only finally resolved in 2017 when Target agreed to pay $18.5 million to settle claims by 47 states and the District of Columbia.