Cybersecurity and Fraud Protection
Global Supplier Security Programs Reinforce Cyber Defenses
Cyber criminals are becoming more sophisticated in their attacks, and increasingly they target third-party suppliers as an entry point for committing fraud against businesses. Here’s how JPMorgan Chase & Co. is fighting back, and what your business can do to help protect itself.
In the digital world, just a few keystrokes connect clients, companies and suppliers around the globe. But that same easy access means criminals only need a few keystrokes to launch cyberattacks, and increasingly they are targeting third-party suppliers as an entry point.
As a result, JPMorgan Chase & Co. has established a dynamic oversight program for managing third-party supplier relationships and is working with industry groups to establish best practices to help streamline the onboarding process for companies and suppliers.
“Cyber criminals continually evolve the types of cyberattacks they unleash against companies—whether they are large corporations or small businesses—to gain access to sensitive client and employee information,” said JF Legault, Global Head of Cybersecurity Operations. “It’s critical that we work with our suppliers, in the same way we work with our colleagues within the firm, to establish safeguards against cyber schemes.”
“Coordinating cybersecurity for third-party suppliers and reinforcing defenses to reduce exposure are priorities for the firm,” Legault said.
The firm’s Global Supplier Services (GSS) oversees more than 6,000 suppliers—including 2,300 in Commercial Banking—that provide more than 17,000 different services. The firm’s Corporate Third-Party Oversight (CTPO) program governs the processes for hiring and monitoring all suppliers, and outlines the standards used to hold suppliers accountable for services.
Requiring suppliers to meet established standards helps protect them from cyber breaches, operational failures, regulatory sanctions and reputational damage, any of which could in turn impact the firm.
“There is a high degree of interdependency, and we count on our partnerships with suppliers to protect the firm and our clients,” said Jim Connell, Head of CTPO. “The goal of CTPO is to make sure every supplier follows our rigorous standards and best practices. We require suppliers to apply safeguards for personal data and other sensitive information. We also scrutinize their supply chains.”
The comprehensive, systematic monitoring and inspection process is designed to close security gaps and protect sensitive information. The firm evaluates up to 500 distinct cybersecurity controls, and if a gap is identified in a supplier’s systems or processes, the supplier must correct it to prevent loss or theft of data. In 2017, GSS identified more than 7,100 potential cybersecurity issues that suppliers corrected to meet the firm’s security standards.
The risk management process and protocols remain in place even after a contract expires. For example, if a supplier engages with the firm’s clients, there is an additional level of regulatory compliance that requires the supplier to delete or redact personal information, such as the last four digits of a client’s Social Security number, from the supplier’s system.
In addition, the firm is working with industry groups to streamline the onboarding process for suppliers through a new company called TruSight™.
“We are collaborating with three other leading financial institutions to transform third-party risk management,” said Ken Litton, the firm’s Chief Procurement Officer and the Head of GSS. “Through TruSight, we are combining best practices for security, and we are streamlining the process for firms to conduct supplier risk assessments. Then we are sharing that assessment information with multiple financial institutions.”
Best Practices to Protect Against Fraud
- Create a dedicated team (a red team) that continually attacks your own systems using the same techniques criminals use, so weaknesses are found and fixed before an attacker finds them.
- Establish baseline training, as well as mandatory education and awareness programs that focus on the specific actions employees must take to protect their organizations.
- Run simulations and drills to assess security capabilities. Have security teams use table-top exercises and live scenarios to test the processes often.
- Use email authentication technology, such as Domain-based Message Authentication, Reporting and Conformance (DMARC), which builds on SPF and DKIM, to validate that the domain in a message’s From header is genuine and to tell receiving mail systems how to handle messages that fail the check.
- Complete our firm’s cybersecurity awareness and fraud prevention training.
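To make the DMARC recommendation above concrete, here is an added example, written for this page and not code from JPMorgan Chase or any of its programs. It parses a published DMARC policy record and evaluates a message the way a receiving mail server would: a message passes DMARC only if SPF or DKIM passes *and* the authenticated domain aligns with the From-header domain. A weak record (p=none) is shown beside a strict one (p=reject, strict alignment) so the effect of each setting is visible. All domains, records and message results are constructed for the example, and the organizational-domain logic is a deliberate simplification (last two labels) where a real implementation consults the Public Suffix List.

```python
"""Minimal DMARC policy parser and alignment evaluator (added illustration, not production code)."""
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample DMARC TXT records for a hypothetical domain example.com.
# WEAK_RECORD only monitors (p=none): spoofed mail is still delivered.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
# STRONG_RECORD rejects failures and requires strict SPF/DKIM alignment.
STRONG_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=s; pct=100; rua=mailto:dmarc@example.com"


def parse_dmarc(record: str) -> dict:
    """Parse 'tag=value; tag=value' pairs into a dict, applying DMARC defaults."""
    tags: dict = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid p= tag")
    tags.setdefault("adkim", "r")  # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")   # relaxed SPF alignment by default
    tags.setdefault("pct", "100")  # pct sampling is not applied in this example
    return tags


def org_domain(domain: str) -> str:
    """Simplification for the example: organizational domain = last two labels.
    Real deployments derive this from the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') needs the same org domain."""
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


@dataclass
class AuthResults:
    """Authentication results a receiver has for one message (constructed inputs)."""
    header_from: str   # domain in the RFC5322.From header
    spf_domain: str    # domain SPF was checked against (MAIL FROM / HELO)
    spf_pass: bool
    dkim_domain: str   # d= tag of a passing DKIM signature, or "" if none
    dkim_pass: bool


def evaluate(record: str, r: AuthResults) -> tuple[str, str]:
    """Return (dmarc_result, disposition) where disposition is what the receiver should do."""
    policy = parse_dmarc(record)
    spf_ok = r.spf_pass and aligned(r.header_from, r.spf_domain, policy["aspf"])
    dkim_ok = r.dkim_pass and bool(r.dkim_domain) and aligned(
        r.header_from, r.dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", policy["p"]


# Constructed message scenarios (hypothetical domains).
# 1. Spoof: From claims example.com, SPF passes only for the attacker's own domain, no DKIM.
SPOOFED = AuthResults("example.com", "mail.attacker-example.net", True, "", False)
# 2. Legitimate bounce subdomain with SPF only: passes relaxed, fails strict alignment.
LEGIT_SPF_ONLY = AuthResults("example.com", "bounce.example.com", True, "", False)
# 3. Legitimate mail signed with DKIM d=example.com: passes even under strict alignment.
LEGIT_DKIM = AuthResults("example.com", "bounce.example.com", True, "example.com", True)


if __name__ == "__main__":
    for name, rec in (("weak", WEAK_RECORD), ("strong", STRONG_RECORD)):
        for label, msg in (("spoof", SPOOFED), ("spf-only", LEGIT_SPF_ONLY), ("dkim", LEGIT_DKIM)):
            print(f"{name:6} {label:8} -> {evaluate(rec, msg)}")
```

Running it shows why p=none is only a monitoring stage: the spoofed message fails DMARC under both records, but the weak record still tells receivers to deliver it, while the strong record rejects it. The strong record also rejects the SPF-only legitimate message because strict alignment demands an exact domain match, which is why strict mode should be rolled out only after confirming that every legitimate sending path produces a DKIM signature or exact SPF alignment for the From domain.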