This begs the question: What are suppliers to the financial industry doing to keep themselves – and the financial institutions they supply – safe?
Our report shows what more than 200 vendors supplying the financial industry have reported about the practices they've implemented when it comes to physical security, cyber security, third-party risk management, cyber resilience and data protection.
A benchmark of security controls across six specific domains to use against your own suppliers.
A list of twelve common weaknesses in the security posture of suppliers, providing CISOs and other security professionals with a list of controls to focus on.
A set of practical recommendations for how to gain real cyber security benefits through your supplier engagement, moving away from the common tick-box third party risk management approach.
The data presented within this report is based on an anonymised aggregation of information provided by suppliers using the Risk Ledger platform to showcase their security controls to their clients and customers. When a supplier joins Risk Ledger, they complete a security profile consisting of 211 control questions spread across twelve risk and security domains:
The full Risk Ledger framework, with the exact questions and guidance provided to suppliers, can be found at https://riskledger.com/resources/framework.
This report focuses only on the cyber security aspects. There will be future reports also covering Business Resilience, Data Protection, Financial Risk and ESG.
There were 2525 suppliers included within this analysis with geographical representation as follows (among the 6% ‘Other’, there are an additional 47 countries represented):
Not every supplier has answered every control question. When a supplier completes their profile on Risk Ledger, the framework dynamically adjusts the questions being asked depending on the answers already given, removing questions which are not relevant for them. So, for example, if the supplier does not develop any applications or systems that collect, process, or store data on behalf of clients, they will not have to answer the control questions within the Software Development domain. For each control presented in this report, the data relates only to suppliers for which the control question was relevant.
Not all controls are included in this report. This report focuses on the key control areas known to be most interesting and beneficial to readers.
The data was pulled from the Risk Ledger platform in late March 2023.
Organisations using Risk Ledger for their supply chain risk management are able to analyse information across all controls and apply their own policies to give contextual risk for their organisation. They can see live assessment data in supplier-owned profiles, continuously monitor the security posture of their suppliers from the inside out, and send and receive updates about controls instantaneously. Because Risk Ledger's network model keeps suppliers and clients connected via the platform, they can also collaborate more easily on remediation and other tasks.