
Coming Soon: 2019 Shared Asse...

Jenny Burke 12-05-2018

The Santa Fe Group elves are working hard to make December great for our members. The Third Party Risk Management Toolkit is expected to drop in mid-December.

We are particularly proud of what the Toolkit will bring our members this year.

It’s all in the Name. Calling it a Toolkit reflects how it is used. The tools are designed to work together to follow the typical process a third party risk practitioner would use to implement a program. The Toolkit embodies a “trust, but verify” approach for conducting third party risk management assessments and uses a substantiation-based, standardized methodology.

Our Membership Roots. The Toolkit, like all our resources, was built by the collective intelligence of our diverse membership. The practitioners who came together to create the Toolkit come from different industries, perspectives and differently sized companies, but they all share a passion for creating resources that will improve third party assurance.

We Heard You. The major changes in the Toolkit are all about making the tools easier to use. Here are just a few of the new features we are most excited about:

  • SIG Content Library – there is no longer a “Full SIG” but rather a Content Library that SIGs are created from. To build a questionnaire, practitioners will select a SIG Core or SIG Lite from within the SIG Management Tool and will scope it from there by industry specific content, authority document, individual questions, control categories and risk tiers. This means that your SIG will be exactly the size you need it to be.
  • SIG|SCA Integration – SCA content is now contained within the SIG, so when you scope your SIG you are also scoping your SCA for the accompanying onsite or virtual assessment to go along with the questionnaire.
  • New SIG Architecture – Questionnaires are now created from within the SIG Management Tool. Along with streamlined code, this makes the 2019 SIG size smaller, enabling it to run more smoothly and questionnaires to be created more quickly. You now have a choice to create a SIG with all questions in one tab or with a tab for each risk domain.
  • Saved Questionnaires – Any SIG questionnaire can be saved as a template to be used or modified later, making it easy to fit existing questionnaires to new vendors.

All of our tools have also received a regulation refresh, taking into account recent national and international regulatory changes. One of the most requested new authority documents, NIST 800-53r4, is mapped within the SIG.

Stay tuned for the tool release later this month. To make sure you are on our distribution list, or for any questions, please email us.

Fear, Uncertainty and Doubt Ma...

Tom Garrubba 11-15-2018

As cybersecurity programs become more integrated into enterprise risk management (ERM) programs, security professionals grapple with new issues. Rather than relying on fear, uncertainty and doubt (FUD) to fuel their business case for budget increases, cybersecurity leaders are striving to quantify the business impact and probability of cybersecurity events while evaluating new options, including cyber insurance policies, and looking for new ways to address growing challenges, such as third-party risk management.


That’s the theme of a comprehensive CSO Online article that features insights from leading security executives and other experts, including Santa Fe Group Senior Director Mike Jordan. Mike weighs in on the growth of the cyber insurance sector. He notes that companies selling these policies have developed “a fairly good idea of what they’re willing to insure and the security measures they require you have in place in order to get a policy.” Mike’s discussion also touches on the increasingly valuable role of vendors that measure a company’s cybersecurity risks and assessment firms that conduct cybersecurity audits.


Of course, many organizations still have a ways to go when it comes to quantifying cybersecurity risks and assimilating cybersecurity programs with ERM. The article, authored by CSO Contributing Writer Maria Korolov, pinpoints several obstacles limiting progress toward those two objectives and then highlights approaches that have proven effective in clearing these hurdles.


The challenges hampering the integration of cybersecurity into overarching risk management programs include:

  • Getting lost in translation: “There’s often a disconnect between the language of security and the language of risk, and that can make it harder for a CSO to play a meaningful role in the enterprise risk management discussion,” Korolov writes, noting that “many cybersecurity experts throw up their hands in frustration when asked about how they quantify the risk reduction associated with particular mitigation strategies…”
  • An overly tactical focus: Cybersecurity professionals – for sound reasons – tend to focus on “very tactical technical issues,” such as patching vulnerabilities as soon as possible. While this perspective is necessary, it can be helpful to also frame and communicate security priorities in broader business terms. If a patch is needed, for example, the information security group should also estimate and communicate the potential cost – in lost business, remediation and potential regulatory fines – of leaving the vulnerability exposed.
  • Quantifying risks is difficult: According to a patch management expert cited in the article, “there is no formula for calculating how much the implementation of each control lowers your risk.” While the art and science of quantifying cybersecurity risks is advancing, organizations should prioritize risks that elude quantification.
  • Boards misunderstand cyber risk: Deloitte Partner Dan Kinsella frequently speaks to corporate boards about cybersecurity oversight. He says that some boards have yet to grasp the fluid nature of cybersecurity risks. Once a specific cybersecurity issue has been addressed, some boards tend to consider the matter closed. “That’s not the case with cyber risk,” Kinsella stresses.


Korolov includes high-level snapshots of effective cybersecurity-ERM integrations. Several key enablers of this approach within Aetna provide a clear picture of what is needed to succeed, including:

  • Categorization: Cyber risks are treated as an operational risk within Aetna’s ERM framework.
  • Involvement: Aetna’s chief security officer (CSO) is a member of the risk committee that governs the ERM program.
  • Measurement: “Specific and quantitative” cyber risks are evaluated and managed according to the daily risk score they are assigned.
  • Mindset: Aetna’s CSO also stresses that his group’s risk-management activities and requirements significantly exceed what is required from a regulatory compliance standpoint.


Korolov’s reporting also emphasizes that third party risks further complicate the already difficult challenge of measuring the probability and potential bottom-line impact of breaches. Fortunately, progress is being made – as Mike asserts: “Measuring cyber security risk,” he tells CSO, is “becoming less art, and more science.”

European Invasion? Congression...

Tom Garrubba 11-13-2018

Might the U.S. take a page from the European Union’s (EU’s) data privacy playbook? Could the California Privacy Act spread to the rest of the country?

These possibilities were on the minds of participants in recent Congressional hearings concerning data privacy. The European Union’s (EU’s) General Data Protection Regulation (GDPR) and the California Consumer Privacy Act of 2018 (CCPA) have captured the attention of technology company executives and legislative leaders. Tech executives appear concerned that other states could follow California’s lead by enacting their own laws concerning consumer data privacy protections. Congressional leaders appear interested in understanding the impacts of GDPR and CCPA on U.S.-based companies, and in potentially applying these learnings to future legislative actions concerning data privacy and security. (Three such bills currently exist in Congress.)

In late September, U.S. Sen. John Thune (R-S.D.), who chairs the Senate Committee on Commerce, Science, and Transportation, held a hearing with executives of leading technology companies. Thune indicated that the hearing was designed to provide “leading technology companies and internet service providers an opportunity to explain their approaches to privacy, how they plan to address new requirements from the European Union and California, and what Congress can do to promote clear privacy expectations without hurting innovation.”

During the discussion, Amazon Vice President and Associate General Counsel Andrew DeVore urged Congress to consider “possible unintended consequences of the CCPA approach” while noting that the law’s speedy passage “left little opportunity for thoughtful review, resulting in some provisions that ultimately do not promote best practices in privacy.” DeVore pointed to the CCPA’s definition of “personal information” as an example, explaining that it “goes beyond information that actually identifies a person to include any information that ‘could be linked with a person,’ which arguably is all information.” The result, he concluded, “is a law that is not only confusing and difficult to comply with, but that may actually undermine important privacy protective practices like encouraging companies to handle data in a way that is not directly linked to a consumer’s identity.”

A few weeks later, Sen. Thune convened another hearing, this one attended by privacy advocates who also spoke about the types of consumer protections Congress should consider in future legislation.

In carefully researched written testimony, Center for Democracy & Technology President and CEO Nuala O’Connor argued for federal privacy legislation that “will shift the balance of power and autonomy back to individual consumers, while providing a more certain and stable regulatory landscape that can accelerate innovation in the future.” After pinpointing why “the existing patchwork of privacy laws in the United States has not served Americans well,” O’Connor described how a national data privacy law “should create an explicit and targeted baseline level of privacy protection for individuals” by addressing four areas:

  • Enshrining basic individual rights with respect to personal information;
  • Prohibiting unfair data processing;
  • Deterring discriminatory activity; and
  • Establishing meaningful enforcement mechanisms.

As businesses, consumer privacy advocates and legislators continue to discuss, and disagree on, data privacy rules, it appears that some common ground – in the form of a growing desire for federal legislation – has quietly been reached. In a speech at an EU privacy conference in October, Apple CEO Tim Cook asserted that the U.S. should follow the EU’s lead by enacting its own comprehensive federal data privacy law.

We’ll keep you posted as these discussions progress; until then, a large number of companies across multiple industries will be dreaming of Californication, or perhaps tossing and turning about the work they need to do to establish and sustain compliance with GDPR and the CCPA.

How To Win (More) Third Party ...

Jenny Burke 11-07-2018

Although he was referring to troop levels, George Washington demonstrated more than a little budgeting savvy when he wrote that “we must consult our means rather than our wishes.”

While third party risk management (TPRM) leaders would do well to heed that (founding) fatherly wisdom, they should also keep in mind that a number of emerging best practices have proven successful in boosting the means TPRM groups have at their disposal. Shared Assessments is currently analyzing research concerning how organizations are addressing heightened regulatory expectations related to TPRM requirements. The Vendor Risk Management Benchmark Study, in its fifth year, has just wrapped up, and the research report is expected to be released in February 2019. Coupled with this annual research is a special project now underway sponsored by the Best Practices Awareness Group and the Regulatory Compliance Audit Awareness Group. One component of this research, which is being spearheaded by subject matter experts in both groups, examines the successful approaches TPRM leaders have deployed to fortify their case for more resources during annual budgeting activities.

While the research remains in process, it has already identified the importance of tightly linking vendor risk management objectives with an organization’s strategic business goals. That coupling of appropriate risk management capability with an enhanced ability to achieve strategic business goals significantly increases the likelihood of successfully procuring additional TPRM resources.

In many companies, for example, the failure to meet regulatory requirements may result in reputational damage. In a company that considers its brand a strategic asset, third party risk management leaders should show how specific vendor risk management gaps would potentially limit the company’s ability to protect its brand. A business case that supports that business-centered point is more likely to result in a favorable budgeting decision compared to a business case that centers only on the risk of a regulatory compliance failure.

This is just one of a number of approaches TPRM leaders are marshalling in the ongoing battle for more funding. I’ll keep you posted on when, in early 2019, a paper highlighting this research becomes available.

Going Back 2 Cali: The Golden...

Tom Garrubba 10-26-2018

The California State Legislature recently completed a data privacy/data security two-step by passing two new laws with significant third party risk management implications for a broad collection of companies.

In late September, California enacted what some are referring to as the country’s first “Internet of Things (IoT) security law.” The new law requires makers of connected devices (those assigned an IP or Bluetooth address) to have in place “reasonable” security features. This vague qualifier is (somewhat) fleshed out in the law’s description of security features that are:

  • Appropriate to the nature and function of the device;
  • Appropriate to the information it may collect, contain, or transmit; and
  • Designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified.


The law states that its requirements are not enforceable by a private right of action, which would prevent class action lawsuits from arising following a major data breach of a connected device. However, the law is enforceable by the California Attorney General as well as government attorneys at the city, county and district level. “As a result, a manufacturer of a device that turns out to have an exploitable security issue may face legal jeopardy on many fronts….” according to a Davis Wright Tremaine LLP bulletin on the new law.


These requirements are currently scheduled to take effect Jan. 1, 2020 – the same day that the state begins enforcing the sweeping California Consumer Privacy Act of 2018 (CCPA). Approved – swiftly – in June, the CCPA is notable for a number of reasons including:

  • The law’s definition of “personal information” is broad: Personal information includes a consumer’s Internet browsing history, personal identifiers, geolocation data, psychometric data, biometric data and “inferences drawn” from any of that customer data, according to the bill.
  • The CCPA extends to a wide collection of companies: While the law applies to the world’s largest technology companies, any business that processes personal data of California residents will have to comply. This includes Internet service providers, data brokers, retailers and other companies that meet any of the following criteria: 1) gross annual revenue north of $25 million; 2) receiving or sharing personal information of more than 50,000 consumers (or households or devices); or 3) earning more than half of annual revenue from the sale of personal data.
  • The law affects third party risk management: The law requires companies to update service level agreements (SLAs) with third party data processors, among other crucial vendor risk management considerations.
  • The CCPA’s quick passage is noteworthy: The law materialized rapidly in June after the sponsors of a ballot initiative containing similar requirements agreed to withdraw their initiative on the condition that the California state legislature approve a replacement law (one that can be amended to address compliance problems prior to its enactment). California legislators did just that – introducing a comprehensive law that was signed into law by Governor Jerry Brown six days later. Although the conditions that drove the law’s prompt passage are unique, the public’s desire for data privacy regulations and the speed with which these laws can potentially be introduced shows that the early warning systems companies use to detect, shape and prepare for legal and regulatory changes may need updating.


It’s also notable that the law’s language allows for it to be amended. Any changes that do occur appear likely to be made to clarify compliance requirements. Given that a PwC survey finds that only 52 percent of U.S. companies that will need to comply with the CCPA expect to be compliant by Jan. 2020, organizations should immediately begin assessing and addressing their compliance needs.


The Clock is Ticking …It’s...

Linnea Solem 09-19-2018

Tick Tock. It’s that time of year again. Summer’s heat waves are retreating, school is in session, and budget planning is well underway for 2019 and beyond. Each year organizations typically take focused time during Q3/Q4 to evaluate their strategic plans; monitor the evolving risk environment; assess cyber-security threats; and identify programs to be enhanced in the coming fiscal year. Lines of business are focused on business cases for new products/services, while risk teams are working to mature governance to address new compliance obligations with limited resources.

✔ What Regulatory Landscape Changes are changing expectations?
✔ What third party risk focus areas are “hot topics?”
✔ Where does third party risk fit into those competing priorities?
✔ How can self-assessment tools be used for peer benchmarking?

And this season the 5th annual Third Party Risk Management Benchmark Survey, based on the expanded 2019 Shared Assessments Vendor Risk Management Maturity Model, is here to help put an early spotlight on additional areas of practice maturity emerging in response to a number of market changes.

Market Changes

  • New Regulations: Heightened expectations have been triggered for third party oversight and vendor management. GDPR is now enforceable, extending obligations to data processors and vendors. The OCC’s supplemental examination procedures to its “Third-Party Relationships: Risk Management Guidance” are raising expectations for risk management, due diligence and governance. Covered entities impacted by NY DFS 500 are facing the clock as the countdown to March 2019 fast approaches. In fact, the complexity of certifying or providing assurance on third party risk program effectiveness is difficult to measure and quantify.
  • High-Profile Data Breaches: Recent events have placed a spotlight on the risk of cyber security breaches with vendors and subcontractors, expanding the need to have greater rigor in third party risk management and ongoing risk assessments.
  • Updated Standards: NIST standards are expanding to include risk management and privacy. External audit standards for SOC reports have been updated by the AICPA. The updated Trust Services Criteria will now contain 9 Vendor Risk Management common controls for 2019 engagements.

It’s all about taking “Trust, but Verify” to the next level with enhanced controls, validation, testing, and governance. While each new regulation or standard is focused on a particular jurisdiction or market vertical, the themes for third party risk management have more similarities than differences.

Hot Topics for Vendor Risk Management:
✔ Subcontractors/Nth Party Management
✔ Continuous Monitoring Program Activities
✔ Vendor Inventories
✔ Vendor Contract Modernization
✔ Risk Posture/Methodologies/Approvals

Adapting a vendor risk management program impacted by both internal and external drivers can feel daunting without a roadmap to help mature or expand the program components. Organizations of all sizes may need to develop business cases to get resources, either people or investments to expand third party governance programs.

Vendor Risk Management Maturity Model
The Shared Assessments Program Vendor Risk Management Maturity Model (VRMMM) was developed by its members to provide a roadmap for structuring, operating, and measuring each component of an organization’s Vendor Risk Management Program. Combining best practices, thought leadership, and hands-on vendor risk management, the Program Tool provides a framework for each element of an effective vendor risk management program. The VRMMM self-assessment enables an organization to evaluate the maturity of their current third party risk program based on a ranking of core program attributes:

VRMMM Framework

    • 1.0 Program Governance
    • 2.0 Policies, Standards & Procedures
    • 3.0 Contract Development, Adherence & Management
    • 4.0 Vendor Risk Assessment Process
    • 5.0 Skills & Expertise
    • 6.0 Communications & Information Sharing
    • 7.0 Tools, Measurements & Analysis
    • 8.0 Monitoring & Review

VRMMM-based self-assessments enable a critical focus on third party risk management process maturity, a key input to help prioritize resource allocations in any organization’s annual vendor risk management structuring, enhancement or expansion plans.

The 2019 version of the VRMMM has been expanded to incorporate recent regulatory changes and key topics such as vendor inventories, fourth party management, continuous monitoring, risk posture, and contract modernization. The current Benchmark Survey, open from September 20th until October 16th, can give you a significant head start on that self-assessment.

The Power of the 2018 Benchmarking Survey
This year’s Benchmark Study is the first to be based on NEXT year’s Vendor Risk Management Maturity Model (VRMMM), not the current 2018 iteration. The study will release in early 2019 – shortly after the 2019 VRMMM Program Tool becomes available – allowing risk managers to immediately gauge their own practice maturity against industry peers by using survey results compared to the newly expanded 2019 Vendor Risk Management Maturity Model (VRMMM).

The survey results will provide critical data for practitioners to understand where their own program may lag, and to prioritize where additional resources might be utilized most effectively.
Catherine Allen, CEO of The Santa Fe Group and Shared Assessments program stated, “The Vendor Risk Management Benchmark Study is a remarkably powerful tool that risk managers routinely use to understand the relative strengths and weaknesses of their programs. This year’s survey update drills down into continuous monitoring, privacy, data management, and a broad range of additional practices to make the insights even more valuable to third party risk professionals.”

Paul Kooney, a Managing Director in the Security and Privacy practice at global consulting firm Protiviti, notes, “Protiviti is excited to team with the Shared Assessments Program to provide one of the most comprehensive benchmark reports providing insights about the overall state of third party risk management practice maturity. Data from this year’s study will be considerably more useful, not just because of the survey’s significantly expanded scope, but because it will provide a current perspective on almost eighty new criteria added to the 2019 VRMMM.”

As always, it’s very important that your organization take the time to thoughtfully complete the Benchmark Survey. Your participation benefits the third party risk management community as a whole by enabling an accurate and updated understanding of the true state of vendor risk management practice maturity. Please join your peers and complete the 2018 questionnaire, open from September 20th through October 16th.

Third Parties, Contracts and B...

Tom Garrubba 09-18-2018

While walking outside on my way to an early meeting, between sips of coffee I was additionally jarred awake by a passing car with the music of Van Halen blaring through the speakers. As a fan of “early” Van Halen, I snickered to myself recalling the legend of the “Brown M&M’s” in their contract that was often joked about amongst musicians and DJ’s. Later that evening as I returned to my hotel room I did some research into the background of the “Brown M&M’s” story and quickly realized the importance of it with regards to contracts and dealing with third parties.


As many of you will surely know, Van Halen has been one of rock’s premier acts since the 1970s. However, they were also one of the first bands to take on the road such a massive stage show, consisting of, according to the band’s lead singer David Lee Roth, “Eight Hundred and fifty par lamp lights to illuminate the stage”. Due to the size of such a light set, they struggled in the band’s early touring years to get the massive rig into many of the older arenas, as their loading dock doors were ill prepared to handle such a massive spectacle. Additionally, “there were many technical errors — whether it was the girders couldn’t support the weight, or the flooring would sink in, or the doors weren’t big enough to move the gear through”. On top of all that, set-up and tear-down times would “grossly exceed” the local union’s overtime, largely because of the time it took for the crew to set up and take down the production – all of which added to the cost of touring.


Roth noted that in most cases the promoter wouldn’t fully read the contract and would therefore fail to take note of the various structural requirements and understand the issues (such as load-bearing stress, electrical amperage, etc.) that could cause serious harm to the band, the crew, and even the audience.


According to Roth, to help ensure compliance with the contract, they inserted a clause in the technical section of the contract requiring a bowl of M&M’s to be placed backstage, but not to contain any “brown M&M’s”. Now this would normally be characterized as silly “rock star-like demands” being placed on the promoter and venue, but it was actually a rather clever test of whether or not the promoter and other notable parties had thoroughly reviewed and honored the contract fully, including the items it contained addressing safety concerns. Roth added that if a bowl of M&M’s was missing backstage, or if brown ones were present, then he and other band or crew members could safely assume that other items in the contract were not reviewed, glossed over, or worse – completely ignored. The band members and crew would then be within their rights to have the venue inspect the work, ask that it be redone, and – per the terms inscribed in the contract – even force the promoter to forfeit the entire show at full pay. Their concern for safety was real: not only had equipment been damaged, but according to Roth, several members of their road crew were severely injured due to poor preparation and lack of appropriate safety measures on the part of the venue.


A great example he provided to drive home this wisdom was when Van Halen was playing at a university in the mid-west (his autobiography purports it to be a gymnasium in Pueblo, Colorado, while an online interview with Roth purports it to be in New Mexico). Roth noted “the university took the contract rather casually”, adding further “they had one of these new rubberized bouncy basketball floorings in their arena. They hadn’t read the contract, and weren’t sure, really, about the weight of this production; this thing weighed like the business end of a 747.” He added that they found some brown M&M’s in the candy jar and Roth “went into full Shakespearean ‘What is this before me?’… and promptly trashed the dressing room, dumped the buffet, kicked a hole in the door…” causing approximately twelve thousand dollars’ worth of damage. He stated that they “didn’t bother to look at the weight requirements or anything (in the contract) and this sank through their new flooring and did eighty thousand dollars’ worth of damage to the arena floor. The whole thing had to be replaced.” Clearly, this could have been avoided if not for the ineffective review, or non-review, of the physical requirements needed to hold such a concert.


On top of the structural damage – which had to be repaired – the press blamed Van Halen for the incident. “…It came out in the press that I discovered brown M&M’s and did eighty-five thousand dollars’ worth of damage to the backstage area”.


Can similar events happen to you? You bet. You may not have to deal with moving massive light and sound fixtures from one town to the next, but how truly confident are you that your vendors really understand what is required of them? Have you built conditions, service-level benchmarks, touch-points, and penalties into the contracts? Are they understood and agreed to by all before the contract becomes fully executed? Part of employing sound principles of contract review is reviewing all documents with all affected parties (both vendor and business line) and making sure that they not only understand the terms laid out in the contract but that they can fulfil all stated obligations.


The final takeaway of this piece is to remind you of the importance of going over the details – you know, those small things which can lead to bigger problems. It’s a good idea to employ the advice from legendary UCLA basketball coach John Wooden who used to say “It’s the little details that are vital. Little things make big things happen.”


So, with that, do you prefer plain or peanut?

It’s Not You. It’s...

Jenny Burke

We’ve all experienced the end of a relationship. Sometimes the two parties involved are no longer compatible. Maybe one party realizes that it just isn’t working out. Or they’ve found someone better. Or perhaps there’s been an unforgivable breach of contract.

Naturally we’re talking about an organization’s partnership with a third-party provider and the importance of mitigating third-party risk. There’s a distinct lifecycle to every business relationship—new relationships, existing and evergreen relationships, renewals and terminations.

Managing third-party contracts can be a delicate matter throughout this lifecycle. When it comes to terminating these contracts, the need to have a well-defined strategy already in place is paramount. A contingency plan built upon established business standards and best practices can help avoid damages, alleviate any reputational risks, and help facilitate a smooth exit.

There are four basic types of termination:

  • Normal: The business relationship is no longer necessary or appropriate
  • Cause: There is irreparable violation of contract terms
  • Convenience: Either you or the vendor has a better arrangement/opportunity
  • Regulatory/supervisory: The vendor cannot live up to regulatory expectations

“Third Party Contract Development, Adherence & Management,” © 2018 The Santa Fe Group, Shared Assessments Program


It’s crucial to ensure that the predetermined terms of the contract are acceptably fulfilled in the final stages of the third-party vendor relationship. This includes any ongoing services with the departing vendor; recovery of work product and intellectual property; data recovery and security; and a seamless transition to the new provider, if applicable.

More specific best practices will need to be implemented if the contract was terminated for cause. For example, was the provider appropriately rated? Did internal controls or assessment methods fail? Was penetration (pen) testing conducted and evaluated by credentialed testers? These questions can help safeguard third-party business relationships and guide future contract negotiation processes.

In business, as in one’s personal life, it always helps to have an exit strategy, based on open communication and shared expectations agreed upon from the very beginning.

And, you should probably get that in writing.


A brief chat with Tom Garrubba, Senior Director/CISO of Shared Assessments, The Santa Fe Group

In your experience, what are some of the core reasons that a third-party contract is terminated for cause (i.e. fraud or misrepresentation)? What are some examples?

In most cases [the third party] is just not able to achieve what fits into the agreement. Basic cause is when vendors overpromise and underdeliver. Or if they’re falling way behind and start grossly misrepresenting what they said they could do. We need to monitor the contracts. You should be getting something back from the vendor for not living up to contract expectations.

I was in a situation at my previous employer where we had a vendor that did something kind of crafty. A company can turn to a vendor and say, we don’t really have much of an increase in budget next year so we need you guys to hold on to your fees. So this vendor took its offshore support and shifted it from India to China because it’s much lower cost.

They did it on the backend. They’re still supporting your system but now the cost went from $100/hour to $60/hour and they never told the business unit. They didn’t break the contract per se but what they did was kind of unethical, doing something and not telling us about it. You can’t say at that point, I’m taking my ball and going home. But they were banned from all new projects and not allowed to bid on upcoming projects.


How can a business protect itself to mitigate the inherent risks of working with third-party providers?

Get everything in the contract. Organizations I’ve had conversations with are not very good at it – they’re working in a silo. Sometimes they don’t want to focus on risk because they want to get things up and running.

Expect the Unexpected: 5 Keys ...

Tom Garrubba 08-31-2018

As the European Union’s (EU’s) General Data Protection Regulation (GDPR) May 25 effective date approached this spring, its sweeping compliance requirements socked U.S. companies with major surprises. The regulation’s global jurisdictional reach, EU-specific definition of “sensitive data,” steep penalties, hefty compliance costs, and applicability to customers as well as employees startled more than a few privacy and compliance teams.

Now, as more organizations pivot from achieving compliance to strengthening and refining their GDPR programs, another unexpected – and critical – facet of the regulation must be addressed: the extent to which GDPR elevates third party risk.

Conforming to GDPR requires a methodical approach, and one that should be carefully integrated into a company’s existing third party risk management (TPRM) program. The success of this integration hinges on five crucial considerations. Before weighing those keys to success, it is important to understand how GDPR – and the regulation’s Article 28 requirements in particular – places new requirements on vendors and affects third-party relationships.

The Regulation and Third Party Risk

At its core, GDPR poses numerous new requirements regarding how companies, regardless of their industry or location, manage the personal information of European “data subjects” (i.e. customers and employees). While Google, Facebook and other U.S.-based technology giants must adhere to GDPR, so too must the small Denver-based restaurant chain that attracts European tourists, the fin-tech start-up with an office in Bruges and thousands of other companies.

Complying with GDPR requires organizations to make some fundamental process changes concerning breach notifications, a European citizen’s “right to be forgotten,” the anonymization of personal data and other practices affected by components of the new regulation.

GDPR replaces the EU’s Data Protection Directive, which had been the basis for EU laws that govern data privacy. It is important to note that an EU regulation is legally binding in each Member State, whereas EU directives identify results that each Member State is required to achieve through national laws that each state can develop on its own. Many of the ways that GDPR differs from the previous directive ultimately require vendor risk management capabilities to be updated and enhanced. These changes include:

  • The extension of legal obligations to service providers (which the regulation refers to as “data processors”);
  • A broader definition, or “higher classification,” of personal data (“sensitive data”) that must be protected;
  • New operational requirements for data processing;
  • Severe consequences for violations, including a maximum fine amounting to the greater of €20 million or 4 percent of global revenue; and
  • A new set of requirements for third party data processors, as laid out in GDPR Article 28.

GDPR also introduces new terminology. Three of the most important phrases include:

  • Processing: Any operation or set of operations – automated or manual – performed on personal data, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure and more;
  • Data Controller: The entity (i.e. a company) that determines the purposes, conditions and means of the processing of personal data;
  • Data Processor: An entity (i.e. a vendor) that processes personal data on behalf of the controller.

This represents a brief summary of the regulation, which comprises 11 chapters and a total of 99 articles, or subtopics. Of course, managers responsible for GDPR compliance should read through the entire regulation. Article 28 requires closer scrutiny for companies and, even more so, for vendors that qualify as “processors” and must comply with new rules presented in that section (See “Getting a Read on Article 28”).

Integrating GDPR

Conforming to GDPR requires a comprehensive, multi-step process that works in conjunction with an organization’s existing vendor risk management program. (A tool to evaluate this type of program against best practices is available here.)

At a high level, organizations should begin with scoping to identify critical vendor relationships that are involved in GDPR compliance. Once these vendors have been identified, organizations should:

  • Understand which GDPR regulations apply to the vendor;
  • Assess the third party’s GDPR readiness;
  • Assess the third party’s overall security posture;
  • Track how the vendor retains, accesses and transfers sensitive data;
  • Address contract provisions to ensure they reflect GDPR requirements;
  • Define key compliance artifacts for due diligence response; and
  • Conduct testing of key privacy controls.

Follow the Data and other Drivers of Success

While a methodical approach to GDPR compliance is crucial, there are several other considerations and practices that have proven helpful in adapting third party risk management programs to meet GDPR requirements. Most of the following perspectives and activities also help strengthen third party risk management programs:

  1. Distinguish processes from procedures: One of the most frustrating – yet most valuable – aspects of vendor risk management involves the reconciliation of relevant business processes (i.e. how they are executed in practice) to procedures (i.e. documentation that identifies how processes should be performed). When I help an organization address GDPR or TPRM more broadly, my first question zeros in on how things work in practice: Walk me through your processes. My goal is to find out how processes are performed before I look at how that same process is documented in a formal procedure. There are often discrepancies for a number of reasons. For example, procedures frequently have not been updated to reflect process and technology changes. These gaps must be identified and eliminated. After all, procedures represent the record that enforcement teams use to hold your organization accountable.
  2. Follow the data – and the 80/20 rule: Given how data-driven most organizations have become, keeping a lid on GDPR compliance costs hinges on identifying which systems, applications and data pose the greatest risks. Once compliance teams have evaluated the technical and administrative controls supporting the (roughly) 20 percent of systems that contain 80 percent of GDPR risk, they can expand and refine their scrutiny.
  3. Consider the total cost of non-compliance: In some cases, organizations – especially small- to mid-sized companies contending with resource limitations—may elect to assume some third-party risks rather than spending heavily to protect certain data. This assumption of risk is typically based on the calculation that the cost of the risk materializing would be less than the cost of mitigating it. When this approach is being considered, risk and compliance teams should be sure to include the potential for reputational risk in their calculations. The reputation risks that arise following a major data breach vary by company; these risks are difficult to estimate, but they can be severe. One company’s shareholders and customers may shrug off a cyberattack. Another company, even one in the same industry, may see its share price plummet and its CEO marched before a Congressional hearing (before being sacked by the board) following a similar incident.
  4. Define third parties broadly: GDPR Article 28 makes it clear that an organization’s data-related risk management activities extend beyond its four walls to vendors that process sensitive data. Risk and compliance teams should keep in mind that the types of vendors that process sensitive data extend beyond technology companies. Law firms and consulting firms, for example, routinely have access to organizational data.
  5. Vendors continuously evolve – so should conforming to GDPR: Achieving GDPR compliance is not the same as sustaining GDPR compliance. The same external disruptions and internal changes creating gaps between your own business processes and written procedures are occurring within your data processors and other critical vendors. It’s perfectly fine to give the neighbor’s 12-year-old son your house key so he can feed your cat when you take a vacation. It may not be so prudent to continue to entrust that young man with access to your house after he’s arrested for burglary a few years later. The most effective GDPR programs, as well as the best TPRM programs, contain some form of ongoing monitoring of changing vendor processes and vulnerabilities.

A systematic approach to GDPR compliance and its careful integration into a formal TPRM program, combined with an awareness of effective compliance practices, can help companies sidestep the confusion and misperceptions that accompany sweeping regulatory changes. This holds true for GDPR, which despite how it has been reported in many news outlets, is actually not “new” at all. The regulation’s lengthy text has been available to read and assess for more than two years; May 25 marked the first day that the EU could begin enforcing it.

SOC it 2 Me … One More Time...

Linnea Solem 06-25-2018

It’s that assurance time of year again as organizations are kicking into the implementation of their 2018 external audit engagements. We are now under the six-month timeline for new SOC standards to be in place. This is the third year in a row I’ve written about changes in external audit reporting standards that impact service provider controls and executing external assurance engagements. Each year the changes drive maturity, transparency and stronger governance into the process, but also create confusion and need for knowledge. So, let’s dust off the boxing gloves and understand the new assessment protocols that will be in place once we jump back into the audit boxing ring.

Acronyms, Terminology & Methodology – Alphabet Soup

Heavyweight sports fans know terms like Knockout (KO), Clinch, Down & Out, Fall Through the Ropes, Sucker Punch, and Throw in the Towel. Prizefighter auditors and assurance practitioners understand terms like AICPA, Attestation, SOC, SSAE18, TSC, CSOC, Carve-outs, Subservice Organizations, and Qualified Opinion. Information security and IT professionals rely on frameworks like COSO, NIST, and COBIT.

While the terms are quite different, the work effort simply to navigate audit standard changes easily invites emotional comparisons to a few of those boxing terms, especially for the non-accountant. Let’s level set on a few of the key concepts that are changing within SOC engagements, but from a more sports fan or business user point of view.

The American Institute of Certified Public Accountants (AICPA) is the national professional organization that sets ethical standards for the profession and U.S. auditing standards for audits of private companies, non-profits, and governments. They have updated their standards and protocols for audit engagements to align with the 2013 Committee of Sponsoring Organizations (COSO) framework which was designed to assess the design, implementation, and maintenance of internal controls and assess their effectiveness. COSO frameworks are traditionally part of the SOX compliance program for financial accounting of public companies.

The changes in the SOC audit reporting will be effective for audit periods ending on or after December 15th, 2018. That means the changes will be effective for all engagements in 2019, triggering readiness, migration, and process changes in 2018. During this transition, for audit engagements executed in 2018, a company can choose to early adopt the new criteria structure or continue with the current Trust Services Principles.

Report Changes and Updated Naming Conventions

The methodology standards set out in the SSAE18 framework will now apply to all SOC2/SOC3 reports. Those changes include the requirements to clarify control ownership when there are subcontractors or sub-service organizations in scope for the system being assessed. With the remapping effort to the COSO framework, additional terminology changes for SOC audit reports have been defined:

  • SOC: Was Service & Organizational Control and now is System & Organizational Control.
  • SSAE: Statements on Standards for Attestation Engagements.
  • TSPC and TSC: Trust Services Principles & Criteria (TSPC) are being renamed Trust Services Criteria (TSC).
  • Principles & Categories: Principles will now be called categories, but they still focus on security, availability, processing integrity, confidentiality, and privacy of a system.
  • Risks/Controls: Within the report structure and protocol, the assessor will now use terminology of “points of focus” for the specific control topic area being reviewed.

A SOC2 report must include the Security Category, with all the Common Criteria, and may include the additional categories. Each category has its own unique criteria to be met as part of the audit. These changes expanded the number of common control criteria and streamlined some of the additional criteria in the Trust Services Categories.

Changes to the Criteria for Audit Engagements

It is important for all organizations to prepare for the new requirements and to build out process maturity in conjunction with this year’s audit engagement. The requirements will apply to service providers who use a SOC report to provide assurance to their clients, but will also trigger changes to the processes a service provider uses to get assurance from its fourth parties.

Implications for Service Providers

External assurance audit reports are a mechanism to provide independent assurance and testing of controls. Each service provider defines the type of audit engagement needed to meet their client contractual obligations based on the systems and services that are outsourced. With the growing focus on cyber security and enterprise risk management, many of the changes in common controls have broadened beyond traditional IT controls or public company financial controls. The shift to include risk management functions and programs will trigger the need for additional control owners, compliance documentation, and processes to be tested, and includes operational risk management programs.

There are eight new common criteria related to the alignment with COSO principles:

  • Board oversight
  • Use of information to support internal control
  • Sufficiency and clarity of the entity’s objectives
  • Identification and assessment of changes
  • Controls deployed through formal policies and procedures
  • Procedures to identify new vulnerabilities
  • Business disruption risk mitigation
  • Vendor and business risk management

Third party risk management functions may be implicated in many of these criteria but the focus on Vendor and Business Risk Management as a common control in scope for all engagements shows the growing attention to third party risk. The inclusion will provide a deeper dive into the third-party risk management program structure, implementation, governance and risk reporting. The third-party risk management program elements that will be assessed, audited, and tested include:

  • Requirements for Vendor and Business Partner Engagements
  • Vendor and Business Partner Risks
  • Responsibility and Accountability for Managing Vendors and Business Partners
  • Communication Protocols for Vendors and Business Partners
  • Exception Handling Procedures from Vendors and Business Partners
  • Vendor and Business Partner Performance
  • Procedures for Addressing Issues Identified During Vendor and Business Partner Assessments
  • Procedures for Terminating Vendor and Business Partner Relationships
  • Process to Obtain Confidentiality Commitments from Vendors and Business Partners
  • Assessment Process for Compliance with Confidentiality Commitments of Vendors and Business Partners
  • Process to Obtain Privacy Commitments from Vendors and Business Partners
  • Assessment Process for Compliance with Privacy Commitments of Vendors and Business Partners

Each of these operational processes is part of the implementation of a third-party risk management program structure. However, making the controls auditable and testable will require not only compliance documentation but also artifacts and testing of the controls, to provide evidence to auditors of the implementation of the third-party governance program requirements. Multiple regulatory drivers are triggering changes to mature the third-party risk governance process. Creating an external assurance maturity calendar requires taking a long view, embedding into readiness this year what is tested next year.

Business Readiness

While it can be easy to feel like throwing in the towel, the reality is the SOC boxing matches will continue, and evolve as new scoring mechanisms are defined. Here are six readiness steps to tackle, one per month, to avoid feeling on the ropes or down for the count while you prepare for an audit of your third-party risk governance program.

  1. Policies: Review and create a comparison of the Vendor and Business Risk Management criteria to your Third-Party Policies and Procedures. Plan for the need for additional compliance documentation and process maps.
  2. Employee Knowledge: Prepare employees who manage controls by sending out a self-assessment of their understanding of the roles, accountabilities and governance for third party risk. Update control owners, assess internal expertise and identify gaps.
  3. Technology: Conduct an assessment of your current GRC tools to prepare for any IT or configuration changes.
  4. Benchmark: Refresh benchmarking of the maturity of your Third-Party Program against the Vendor Risk Management Maturity Model.
  5. Risk Reporting: Review existing scorecards, dashboards and management reporting on third party risk governance and identify changes needed to meet the new common criteria.
  6. Process Refinement: Embed security, confidentiality, and privacy commitment processes into a common third party continuous monitoring process.

Yes, audit standard changes can feel daunting and complex. However, just as there are weight classes in boxing to make the fights fair, assessing a third-party program is also risk based. Focus on the critical activities, critical services, critical controls, and critical third-party relationships. Most of these requirements are not dramatically new; they are simply driving into the third-party risk governance program the same maturity that has been in place for financial controls.

Linnea Solem is a former Shared Assessments Program Steering Committee Chairperson and current Advisory Board Member. She is the President and Founder of Solem Risk Partners, LLC, a management consulting and advisory services company focused on Third Party Risk Governance, Privacy Program Management, and Enterprise Risk Management.