Financial Services Industry Call to Action
Creating True Efficiencies through Standardization, Cooperation and Public-Private Partnerships Focused on Critical Third Party Risk Management Issues
For the third consecutive year, financial services ranked among the top three industries affected by security incidents [1]. Larger institutions, which typically run more mature risk management programs, are more likely to detect information security, privacy, cyber, insider and other significant threats. However, the 2015 Vendor Risk Management Benchmark Study reveals that once institutions reach the $20B level, maturity ratings drop significantly across every governance component of their vendor risk programs, and the same drop appears in how this group develops and implements vendor risk policies, standards and procedures [2]. This points to the effect of organizational size and complexity, which creates friction against good risk management hygiene, especially in third party risk management. A proactive stance is clearly required to establish best practices for mature risk management programs industry-wide.
Since its founding in 2005, Shared Assessments has been dedicated to improving security enterprise-wide by building common evaluation criteria and standardized assessment practices across all areas of operations, from risk management and information security policy to asset management and physical and environmental security. Organizations now have the opportunity to build on recent efforts, such as the Shared Assessments Collaborative Onsite Assessments Project and the AICPA's Service Organization Control (SOC) Reports, to collectively raise the bar and establish effective industry-wide risk management solutions [3, 4].
The financial services industry is in a position to continue its leadership role in third party risk management and, in doing so, to improve the quality and efficiency of risk management programs at both the outsourcer and the provider level. Toward this end, the Shared Assessments Program urges all financial services institutions to:
- Become more involved in cooperative relationships.
- Adopt standardized, consistent, robust third party risk management methodologies.
- Work collaboratively to perform onsite assessments and share and leverage the results.
References

1. 2015 Data Breach Investigations Report. Verizon. 2015.
2. 2015 Vendor Risk Management Benchmark Study: The Shared Assessments Program & Protiviti Examine the Maturity of Vendor Risk Management. Shared Assessments & Protiviti, Inc. June 2015.
3. Shared Assessments Program: Case Study – Shared Assessment AUP Project: A Collaborative Approach to Onsite Assessment. Shared Assessments. May 2015.
4. SSAE-16 Service Organization Control Reports. American Institute of CPAs (AICPA). 2016. http://www.aicpa.org/InterestAreas/FRC/AssuranceAdvisoryServices/Pages/SORHome.aspx