May 17, 2024
Recently Santander, the EU’s second largest bank by market value and a very large global bank, was in the news reporting that a supplier-hosted database containing employee data (present and some past) and some customer data was accessed by an unauthorized party. That’s not really surprising considering the prevalence of cyber attacks, but it does underscore the need for discipline and diligence around your third parties and their cyber security. The lines are blurry when it comes to responsibility: Santander put the notice out rather than the third party (the third party may have as well, although that’s not easily seen).
Basically Santander, acting on behalf of the customers and employees, gave data to a third party for some purpose. Now they are responsibly taking steps to alert and protect those customers. We’re not sure about the employees yet, but I’m sure that’ll come up.
That’s a lesson for us all. To the customer that gives us their data, “we” are the custodians of that data. They neither know nor really should care that there are third and nth parties that access and use that data. The huge amounts of disclosures should tell them, but not many read and understand all that. What they care about is the trust in the people they give their money and data to. They trust that we only give the information to trusted and secure third and nth parties.
If you’re not looking at third party risk management as a business enabler and differentiator, drop me a comment on LinkedIn. I’d love to hear why not and see your side of it. https://www.linkedin.com/in/amulnick
Of note, there was also some talk about the ECB’s cyber stress test here. It’s not clear if they included third parties, but that should be added in my opinion. And how long before it comes to your industry and region?
#thatthirdpartyguy #thirdpartysecurity #cybersecurity