What is SYSC 8 and Mitigating Third-Party Security Risk
Technological advancements in the financial sector have made life easier for everyone, but convenience often comes at a price. Cybercriminals are constantly looking for opportunities for exploitation. Businesses in the financial sector are prime targets for data breaches and other damaging cyberattacks.
Cybercriminals that target financial businesses are usually looking to steal financial information they can use for identity theft. Ransomware attacks are also common in the financial sector to extort money. However, once in a while, cyberattacks are motivated by revenge and seek to destroy a business.
Since many cyberattacks occur when a third-party vendor is breached, financial firms that outsource tasks are at great risk of falling victim to a cyberattack. To mitigate this potential risk, financial firms in the UK are required to follow a set of rules as part of the Senior Management Arrangements, Systems and Controls sourcebook, called SYSC 8.
What are the SYSC 8 regulations?
The SYSC 8 regulations come from Chapter 8 of the FCA (Financial Conduct Authority) Handbook. This particular chapter is the implementation of outsourcing requirements as outlined in the 2014 and 2016 Directives.
Although the UK repealed Directive 2004/39/EC, another directive was enacted in June 2016 governing all firms within the market of financial instruments. The 2016 directive, referred to as the Capital Requirements Directive, applies to all financial firms that outsource functions. Only a select type of FSA-regulated firms can treat SYSC 8 regulations as guidance, rather than regulation.
What do the SYSC 8 regulations require?
The SYSC 8 regulations require covered firms to:
- Perform due diligence with all potential suppliers
- Adhere to specific regulations concerning outsourcing contract terms
- Adhere to specific regulations that may require a firm to supervise outsourced functions and take ownership of risk mitigation
- Follow specific regulations for outsourcing portfolio management under certain conditions
What are the consequences for SYSC 8 violations?
Fines are the most common consequence for SYSC 8 violations. For example, in May 2019, Raphaels Bank was fined £775,100 by the FCA and £1,112,152 by the PRA for failing to securely manage outsourcing functions between April 2014 and December 2016. Raphaels’ outsourcing of certain functions led to a breach that exposed customers to avoidable harm.
Financial firms are responsible for all third-party actions
Raphaels was held legally responsible for the oversights of their third-party vendor. In this particular case, Raphaels was using third-party vendors to authorize and process credit card transactions. Using third-party vendors is common practice and necessary in this day and age. However, Raphaels failed to perform a proper assessment on those third-party vendors to ensure they had processes in place to continue secure operations in case of any sort of disruption.
Unfortunately, a disruptive event occurred on December 24, 2015, causing all authorization and processing services to fail for more than eight hours. During this disruption, 3,367 cardholders couldn’t use their cards. It affected more than just retail purchases. Workers who relied on prepaid cards to get paid by their employers were unable to access their funds. Since the incident occurred on Christmas Eve, the disruption was even greater than it would have been at any other time.
During the investigation following the incident, major administrative flaws were discovered that led to the oversights that caused the incident. Obviously, a technology failure can’t always be prevented, but the disruption would have been brief if Raphaels had performed their due diligence, and contracted with a different vendor that had the proper backup systems in place. Instead, Raphaels didn’t even know their vendor didn’t have a contingency plan, and thousands of customers suffered.
How to prevent SYSC 8 violations
Like all other security guidelines, the best way to prevent a violation is to fully understand your responsibilities and implement the right strategies to comply with the demands of the regulation. The implementation component tends to be the biggest challenge for most businesses.
Here are some tips to get started:
1. Vet your vendors before working with them
The regulation requires that you ensure your third-party vendors are able to provide the services they say they are providing. When a vendor claims to provide a specific service, or a certain level of security, ascertain that their claim is backed up by evidence. Never just take their word for it.
2. Designate an individual to oversee third-party compliance
You will need in-house expertise to manage the risks associated with outsourcing. To mitigate and resolve the risks, you must designate someone who understands the risks and knows what controls must be implemented to achieve the organization’s security goal.
3. Be willing to terminate a vendor relationship
If you discover a vendor is non-compliant and is not taking the necessary steps to become compliant, don’t be afraid to sever that vendor relationship. There is no room for attachment to a specific vendor at any cost—most definitely not the cost of non-compliance.
Panorays can help
The Panorays platform works with your vendors so that you can be assured that they adhere to regulations and standards such as SYSC 8, GDPR and NYDFS, among others. That way, you’ll always be ready for external audits.
And with hundreds, if not thousands, of vendors requiring compliance with various regulations, Panorays continuously monitors and evaluates your suppliers, and you receive live alerts about any security changes or breaches to your third parties. Schedule a free Panorays demo today!