Cybersecurity risk: It’s third parties, cry if you want to...
With the most complex of supply chains, banks face an almost impossible task in dealing with third-party cybersecurity risk. But one group of counterparties poses a particular problem – law firms that have been slow to react to cyber crime.
You’ve got board support and the biggest cybersecurity budget. You’ve got best-practice policies and procedures in place, hired the right people, built state-of-the-art threat intel and other systems, you test continuously and you have created a cybersecurity culture throughout your organization. That’s great. But you still have a problem that is largely beyond your control and that can render all that useless.
One of the most publicized hacks (and the one mentioned by almost all the CISOs below) is the 2013 attack on US retailer Target and its payment system that affected more than 41 million of the company’s customer payment card accounts. The initial intrusion into its systems was traced back to network credentials stolen from a heating and air conditioning (HVAC) subcontractor that had access to the network for legitimate reasons.
Aside from the immediate stock price fall, the reputational damage and the firing of the chief executive, the breach prompted a series of lawsuits that were only finally resolved in 2017 when Target agreed to pay $18.5 million to settle claims by 47 states and the District of Columbia.