
The Expanding Role of ISOs – Enhancing Security & Risk Management


For financial institutions of every asset size and level of product and service complexity, maintaining cyber preparedness is a daunting task in the face of increasing cyber threats, reliance on third-party vendors, and ongoing personnel changes.

Information Security Officers (ISOs) are tasked with augmented duties to enhance visibility and accountability in protecting non-public information and financial transactions across all business lines. This article highlights some of the evolving complexities of the ISO role, including the heightened management of third-party relationships, improved reporting to boards and stakeholders, and thorough risk assessments of projects and third-party entities.

Third-party Risk Management

In response to the evolving reliance on trusted third-party service providers, federal bank regulatory agencies released new third-party risk management guidance in June 2023. This guidance is intended to help financial institutions manage risks associated with third-party relationships more effectively, including those involving key technology service providers like financial technology (FinTech) partners. It emphasizes risk management throughout the life cycle of third-party relationships, from planning and due diligence to contract negotiation, ongoing monitoring, and termination.

The heightened regulatory emphasis on third-party risk management requires additional time and attention to vet and oversee these relationships effectively. Institutions are increasingly adopting automated third-party management tools as a strategic solution to aid the Information Security Officer and other management personnel. These application-based tools facilitate assigning tasks such as risk ranking, control assignment, and due diligence reviews to designated "vendor managers" within particular departments or functions. Using these tools helps stakeholders take a consistent approach to managing the risk of third-party relationships.

Governance and Communication

Clearly defined IT and information security roles and responsibilities are required for every financial institution. Information technology is now a part of every department and function within a financial institution and integrates into every facet of operations. Effective management necessitates breaking down silos between IT and ISO roles and fostering regular and clear communication to ensure everyone is aligned on the security posture of the organization. Strategies ISOs can use include frequent updates to key internal stakeholders, leveraging external Virtual ISO (VISO) services, and adopting consistent frameworks for periodic, meaningful communication.

Strategic Initiatives Risk Assessment

The ISO must also play a role in the institution’s strategic IT planning. ISOs should be involved early in assessing risks associated with new initiatives and third-party services, ensuring alignment with overall business goals and adequate preparation for potential cyber threats or operational disruptions.

As institutions navigate these increasingly complex regulatory and cyber landscapes, the role of the ISO has never been more critical. With the growing reliance on technology and third-party services, ISOs must rise to the challenge of safeguarding sensitive information and ensuring compliance with evolving guidelines.

By Navanta • March 29, 2026
