How This Global Financial Trading Network Replaced Point-In-Time Security Assessments
Liquidnet, a global institutional trading network serving over 800 of the world’s top asset managers, managing a total of $15 trillion in assets, uses SecurityScorecard for Third-Party Risk Management (TPRM). Here’s how financial institutions can learn from their approach to TPRM.
Liquidnet – A small company with big responsibilities
Liquidnet is a global leader in large block trading, providing opportunities in 44 markets across five continents, with an average trade size of $1.4M in principal. As a broker-dealer regulated by the US SEC, FINRA, and a number of regulators outside of the US, Liquidnet places a high priority on protecting sensitive information. Liquidnet’s customers trust the organization with highly confidential information, and it’s up to Liquidnet and Al Berg, Chief Security and Risk Officer, to ensure that the company keeps its own data and its customers’ data secure.
Al Berg is a seasoned security veteran, currently in charge of information security, physical security, and enterprise risk management for all of Liquidnet’s global operations. Prior to joining Liquidnet in 2004, he worked at the technology arm of NYSE and AMEX where he oversaw technical security assessments and developed security policies and procedures.
Despite Liquidnet’s small size as a company, its impact on the financial industry is massive, and it needs to account for the security of its customers, clients, and employees. However, third-party risk management proved to be difficult for Al and his team. They initially relied on questionnaires and third-party assessments, but found that the reports were hard to validate independently and only assessed third parties at a single point in time. Coupled with the fact that assessments are often self-reported and were costly in terms of time and effort, Al wanted to find a way to improve his third-party risk management program.
Utilizing on-demand security visibility to continuously monitor third parties
Al turned to SecurityScorecard to solve his TPRM challenges. Having already tried to set up an internal scoring system within his department, Al found that SecurityScorecard’s security rating platform presented information in an easy-to-understand format. The platform also automated many of the duties that were already being performed by Al’s department, saving time and effort for his team. By providing critical and actionable information on Liquidnet’s third parties, such as the overall security health of their internet presence, malware profile, and unpatched software, SecurityScorecard gave Liquidnet the quantitative approach to third-party risk management that a risk-first approach to TPRM requires.
With a continuous risk monitoring platform, Al and his team now have up-to-date information available on demand for any of Liquidnet’s third parties. This information also supplements and validates the annual reviews and other third-party assessments performed, giving Al and his team the capability to measure third-party risk from a ‘trust, but verify’ approach. More importantly, because the platform can assess any number of vendors, Al could rely on SecurityScorecard as a scalable tool that can assess prospective and future third parties as Liquidnet grows.
Why Third Parties Need to Be Top of Mind for Financial Organizations
In January 2016, the Financial Industry Regulatory Authority (FINRA) released its Regulatory and Examinations letter, highlighting an increased focus on ‘Information and Cybersecurity’ with regard to third-party management. Below is an excerpt of the letter (emphasis ours).
“FINRA will review firms’ approaches to cybersecurity risk management, and depending on a firm’s business and risk profile, we will examine one or more of the following Topics: governance, risk assessment, technical controls, incident response, third-party management, data loss prevention and staff training.”
FINRA isn’t the only financial authority increasing its focus on cybersecurity and third-party risk. Earlier this year, in response to the number of hacking incidents affecting financial institutions globally, the New York Department of Financial Services (DFS), under the direction of Governor Andrew Cuomo, proposed new rules and regulations for New York-licensed financial services companies that specifically address cybersecurity within those organizations.
Within the 12-page proposed requirements, a section titled ‘Third-Party Information Security Policy’ is dedicated to third parties. In it, the proposed regulations state that organizations shall, at a minimum, address third-party identification and risk assessments for third parties with access to information systems; perform due diligence, periodic assessments, and reviews of the ‘continued adequacy’ of the third parties’ cybersecurity practices; and assure that ‘minimum cybersecurity practices’ are met in order to continue doing business with that financial organization.
These regulations are the first of their kind in their focus on third parties and information security. Because they may be used as a guideline for future regulations, financial institutions should be proactive in setting up a strong third-party management program, getting ahead of regulatory standards to avoid potential fines while also ensuring that third-party risk is mitigated. As third-party cybersecurity continues to be an important topic of discussion for the finance industry, financial institutions can learn from Liquidnet’s example and improve their TPRM programs to get ahead of regulators while also protecting their data from third-party risk.
To learn more about how Liquidnet has operationalized SecurityScorecard to improve their third-party risk management program, download the Liquidnet case study below.