Exercising Good Privacy and Co...

Tom Garrubba 02-13-2019

Santa Fe Group Third Party Risk expert, Tom Garrubba, recently contributed to Corporate Compliance Insights for his take on the recently released Cisco Data Privacy Benchmark Study

Read the full article.

Those of us in the privacy profession knew it was only a matter of time that privacy-minded organizations would eventually see the benefits of their internal analysis and hard work. Their efforts to refine and/or create policies, procedures, standards and practices that better secure and guard privacy during the handling of their customer’s personally identifiable information are paying off.

Evidence of this came to light in the new Cisco Data Privacy Benchmark Study, published in late January 2019. The study indicates that both outsourcing organizations and service providers are modifying the way they are doing business. Organizations increasingly understand the importance of recent regulations such as the General Data Protection Regulation (GDPR), which mandates protections of the personal data for citizens throughout the EU. This understanding is gaining traction as organizations grapple with similar U.S. state privacy regulations and guidance, such as the California Consumer Privacy Act (CCPA). From a compliance perspective, this is a breath of fresh air, since organizations are required to provide evidence that they’ve documented (and thus have a handle on) their internal processes and all the hands through which their data passes.

In reviewing the study, I take heart that the respondents’ customers (i.e., outsourcers) are performing proper due diligence as they strive to get a better understanding of how the service providers are (or will be) handling the outsourcer’s customer’s prized data. It appears that these service providers have anticipated the requests from their outsourcers and have built the need for responses into their internal compliance; thus, cutting down on due diligence delays.

These changes lead me to believe that both outsourcers and service providers have gone beyond paraphrasing Alfred E. Neuman (“What, me worry?”) since they’ve begun to see the harsh realities of the often-heavy fines levied for non-compliance. In particular, they’ve taken the privacy (and the related security) mandates of compliance regulations very seriously and are increasingly embedding this type of compliance into their business model.

One part of the Cisco study did raise my brow, however: in identifying the “Most significant challenges in getting ready for GDPR,” 42% of the nearly three thousand respondents reported “Meeting data security requirements” as the most important. Closer to the bottom of the priority list is Vendor Management. Given the global impacts of major third party breaches over the last three years, third party risk management (TPRM) must be much higher up on the priority list.

The fact is that the security and privacy posture at any organization’s third and “nth” parties who touch personally identifiable information should be as important to the organization as their own security defenses. Outsourcers placing blind faith in their third party partners are almost certainly destined at some point to realize that just because they’ve outsourced the process doesn’t mean they’ve outsourced the risk.

This study is beneficial to organizations and industries of all types in that it evidences the importance of privacy and security compliance within the organization. By taking these concerns seriously, organizations not only create a value add for their customers, they also cover themselves from a compliance perspective by showing that they are conforming to industry best practices and regulations.

A good place to begin to ensure compliance and TPRM goals are being met by all third parties with whom a company is sharing data is through the use of recognized, field-proven best practices and TPRM tools – and ideally, tap into a global “intelligence ecosystem” of risk management professionals whose insight and experience can prove invaluable. One such resource is the member consortium Shared Assessments which produces many free tools used by member and non-member organizations alike.

Sadly, some organizations will fail to embrace important compliance processes and document their understanding by “following the data.” At every phase, from planning a third party risk management program, to building and capturing assessments, to benchmarking and ongoing evaluation of a program, there are TPRM tools that are invaluable for managing risk.

The impacts of third party breaches and lapses have been the stuff of headlines over the last year, and every organization’s shareholders, customers, partners and other stakeholders are taking note. Companies no longer have the luxury of acting like the proverbial ostrich with its head in the sand, oblivious to the compliance perils that third party partners pose.

Cybersecurity: 4 Board-Level T...

Jenny Burke 02-05-2019

Consulting magazine recently interviewed Santa Fe Group Chairman and CEO Catherine Allen for an article examining cybersecurity challenges and related consulting trends. During the discussion, Catherine shared her insights on current cybersecurity issues, related third party risk management challenges, and board dynamics concerning information security.

The article, which is slated to appear in the publication in March, will feature insights from Cathy along with leaders of cybersecurity practices in global consulting firms. Here are four high-level cybersecurity trends Catherine covered during her discussion with Consulting:

1. Resiliency is a primary focal point: Even companies with the most advanced cybersecurity practices are likely to get hacked. As a result, organizational information security programs are focusing more on resiliency and business continuity activities. “Prevention remains critical, and companies continue to strengthen policies, improve the technologies they have in place, invest in training, and adopt best practices,” Catherine said. “But we’re just not at a point where we can stay ahead of the bad guys. When a breach occurs, companies need to have a set of incident response, crisis management and business continuity protocols in place. Boards want to know how quickly the company can handle the breach and get back up and running.”

2. Continuous monitoring is crucial: More companies are investing in improvements to continuous monitoring processes and supporting technologies. These capabilities help bolster prevention and incident-response capabilities. “We’re seeing a strong drive toward continuous monitoring so that when a breach occurs, a company can quickly identify, isolate and address it,” Catherine pointed out.

3. OT-IT convergence requires more attention: The convergence of operational technology (OT) and information technology marks an important and rapidly emerging risk-management area (it’s also a topic that features prominently in the upcoming 2019 Shared Assessments Summit). “Boards and C-suites are increasingly looking at the convergence of physical, cyber and operational security,” Catherine told Consulting. This integrated view of risk management is necessary because more adversaries are breaking physical barriers to hack into organizational information systems. As OT-IT convergence attracts more attention, companies with mature third party risk management programs are applying more scrutiny to risk management practices within fourth and fifth parties (i.e., the technology and services providers that their vendors use).

4. Cyber attackers move beyond financial motives: While the hacking of financial data remains a top concern, bad actors and other adversaries also target other data (such as intellectual property) for financial gain, to inflict reputational damage, or to sow chaos. Think of a cyberattack by a nation-state that strikes an electric grid, hospital system or the elections process in a rival country. “Many companies primarily focus on protecting financial data,” Catherine added. “But you have to take a comprehensive view of the organizational data that could potentially be targeted and then understand how that fits into the third party risk management as well as the broader context of enterprise risk management.”

Data Privacy Day 2019 – A Ne...

Linnea Solem 01-24-2019

Each year on January 28th, the world celebrates Data Privacy Day (DPD), led by the National Cyber Security Alliance in North America. This international effort creates awareness about the importance of respecting privacy, safeguarding data, and enabling trust. The focus this year is on the value of information. Whether you look at data privacy from an individual point of view, or from the lens of the business that is collecting, using, and storing personal data, remember:

Personal Information is like money. Value it. Protect it.

Last year the focus on Data Privacy was on readiness for the EU General Data Protection Regulation and the implications that emerged following the social media testimony in Congress on data sharing. This year, the spotlight is on the new California Consumer Privacy Act. In each of these areas, there is an impact to vendor management that is driving a new era for third party risk governance.

If personal information is like money, then we need to treat that asset with the same level of value and protection whether it is stored in our own privacy piggy bank or in the locked vault of a vendor or service provider. Let’s put the numbers into perspective:

  • 66% of U.S. consumers want companies to earn their trust by being more open and transparent with how their information is being used
  • In a survey by Blue Fountain Media, the web users surveyed overwhelmingly objected to how their information is being shared with and used by third-party vendors. 90% of those polled were very concerned with internet privacy.
  • A PwC survey found that only 52% of U.S. companies that will need to comply with the CCPA expect to be compliant by January 2020.

The Shared Assessments Program Vendor Risk Management Maturity Model was updated for release in 2019 to include the heightened expectations driven by new privacy regulations, high profile data breaches and updated external audit standards. The 2018 Shared Assessments Program and Protiviti Vendor Risk Management Benchmark study used the expanded maturity model. Early highlights of the 2018 study were shared with Shared Assessments Program Members this past month. In the latest Shared Assessments Program and Protiviti Vendor Risk Management Benchmark study, 55% of organizations surveyed indicated they were likely to “de-risk” or move away from high risk third-party relationships in the next 12 months, up 2% from the previous year. Further, considering all six privacy related measures in the survey, fully 43% of those surveyed had either fully functional or advanced privacy practices in place, the second highest result of any focus area in the survey. 22% of respondents reported they had only ad-hoc privacy practices in place and 9% had no active privacy efforts.

Both GDPR and CCPA drive the need for enhanced data governance strategies, including data flows, data maps and data inventories. Whether the data is stored locally or at a third-party service provider, the data must be protected. International privacy regulations will continue to advance, triggering the need to continually assess the effectiveness of each third party risk governance program against new privacy requirements.

Key steps in building your third-party risk roadmap for privacy protection:

  • Update vendor classification, scoping, and inventories for third party relationships
  • Enhance contract provisions for the protection and usage of data
  • Maintain a data inventory to manage and process data access requests
  • Broaden due diligence processes for assessing and identifying corrective actions of third parties
  • Deploy effective ongoing monitoring of vendor relationships
  • Maintain documentation of processing of the personal data
  • Understand data transfers and authorizations at both third and fourth parties

While the numbers seem daunting, given the pace of technology and complexity of third-party relationships, there are action steps service provider organizations can take to mature their internal processes for third party risk governance.

3 Action Steps to take in 2019:

  1. Develop a Roadmap for maturing your third-party risk governance program: Benchmark your organization’s third-party risk governance program by downloading and using the 2019 version of the Shared Assessments Program Vendor Risk Management Maturity Model.
  2. Expand data governance tracking tools to protect personal data: Download the free privacy templates in the Shared Assessments GDPR tools. The Target Data Tracker template can enable your organization to document the tracking of target data by third and fourth parties to address the broader third party and data transfer obligations driven by privacy regulations.
  3. Enhance your Training and Awareness Program: Leverage the free resources for data privacy at https://staysafeonline.org/resources/

In today’s market landscape, all organizations utilize third party relationships to run and operate their business. Ensuring that the right privacy protections are in place in your third-party risk governance program demonstrates your commitment to treat your client’s privacy data as your own.

Protecting data in your Privacy Piggy Bank is important not just on Data Privacy Day, but every day!

Personal Information is like money. Value it. Protect it.

#PrivacyAware

Linnea Solem is Founder and CEO, Solem Risk Partners, LLC, a management consulting and advisory services company focused on Third Party Risk Governance, Privacy Program Management, and Enterprise Risk Management. Linnea serves on the Shared Assessments Advisory Board.

2019 Shared Assessments Third ...

Jenny Burke 01-07-2019

Shared Assessments has released its updated 2019 Third Party Risk Management Toolkit which serves organizations for vendor risk management, regardless of size and industry. The Toolkit elements help both outsourcers and providers to meet regulatory, consumer and business scrutiny within the constantly evolving landscape of cyber and other security threats and vulnerabilities.

Shared Assessments keeps a close eye on emerging regulations, guidelines and standards for a wide range of industries, such as NIST 800-53r4, NIST CSF 1.1, the FFIEC CAT Tool and PCI 3.2.1. That knowledge is used to update the new Toolkit, which embodies multiple Tools for a comprehensive “trust, but verify” approach to conducting third party risk management assessments, using a substantiation-based, standardized, efficient methodology.

The 2019 Third Party Risk Management Toolkit includes:

  • 2019 Standardized Information Gathering (SIG) Questionnaire Tools
  • 2019 Standardized Control Assessment (SCA) Procedure Tools
  • 2019 Vendor Risk Management Maturity Model (VRMMM) Benchmark Tools
  • 2019 General Data Protection Regulation (GDPR) Privacy Tools

Changes to the Toolkit were determined by the collective intelligence of our membership, bringing a diversity of views from:

  • Outsourcers, service providers, licensees, assessment firms and regulators.
  • Organizations from start-ups to large, global corporations.
  • Industries such as Financial, Insurance, Consumer Packaged Goods, Services, IT and Healthcare.
  • Subject experts in cybersecurity, privacy, supply chain risk, compliance, regulation, enterprise risk management and third party risk.

The updates for 2019 are a response not only to the changing regulatory and risk landscape, but to our hundreds of members and tool purchasers looking to perform vendor risk assessments that provide assurance but are also efficient and fast. The 2019 Toolkit was built to allow for standardized excellence in content while also making assessments easier to create, customize and manage. The Tools are also built to work together to follow the typical process a third party risk practitioner would use to implement their program.

2019 Standardized Information Gathering (SIG) Questionnaire Tools

The 2019 SIG has undergone a major functionality and content reorganization. The SIG now functions as a questionnaire management tool that allows you to build, customize, analyze and store questionnaires.

  • Architecture – Questionnaires are now created from within the SIG Management Tool. Along with streamlined code, this makes the 2019 SIG size smaller, enabling questionnaires to be created more quickly. You can now create a SIG with questions all on one tab, or with a tab for each risk domain.
  • Content Library – There is no longer a “Full” SIG, but rather a database of member-vetted questions called the Content Library. The Content Library includes the SIG Core and the SIG Lite questions, but also houses industry-specific questions. You can even add custom questions to be treated and scored as any other included question.
  • Custom Scoping – Custom Scoping allows you to create the questionnaires you need without losing the benefits of standardizations by drawing from the Content Library. You now have three ways to edit a questionnaire – by control domain, by external requirement or by control category and subcategory.
  • Saved Questionnaires – A SIG questionnaire can now be saved as a template to be modified later, making it easy to create questionnaires for new vendors.
  • SCA Integration and Scoping – the 2019 SIG is now integrated with the Standardized Control Assessment (SCA) Procedure Tools for onsite and virtual assessments. You can now take a completed SIG and automatically create a SCA.

Content updates to the 2019 SIG Tools include:

  • Privacy and Compliance Updates – Updated with relevant and current U.S. and international regulatory and privacy requirements including an update of GDPR-related content.
  • Industry-Specific Content – Content Library additions including FDA content for Consumer Packaged Goods (CPG) and Life Sciences, Insurance industry-specific content and IoT (Internet of Things) content.
  • Mapping – The following nine mappings to Authority Documents are now included within the body of the SIG and can be used for creating questionnaires.
    • FFIEC APPENDIX J – Federal Financial Institutions Examination Council (FFIEC) Information Technology Examination Handbook – Appendix J: Strengthening the Resilience of Outsourced Technology Services, February 2015
    • FFIEC CAT Tool – FFIEC Cybersecurity Assessment Tool (CAT), May 2017
    • FFIEC MANAGEMENT HANDBOOK – FFIEC IT, IS & Outsourcing Examination Management Handbooks, November 2015
    • GDPR – EU General Data Protection Regulation (GDPR), April 2016 (Effective May 2018)
    • HIPAA – U.S. Department of Health and Human Services, Health Insurance Portability and Accountability Act (HIPAA) Simplification, March 2013
    • ISO 2700X – International Standards Organization (ISO) 27001/27002, 2013
    • NIST 800-53r4 – NIST 800-53r4 Security & Privacy Controls for Federal Information Systems and Organizations, January 2015
    • NIST CSF 1.1 – National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), April 2018
    • PCI 3.2.1 – Payment Card Industry (PCI) PCI DSS v3.2.1, February 2018

2019 Standardized Control Assessment (SCA) Procedure Tools

The SCA Tools are a standardized set of assessment procedures. When combined with the scoping features of the SIG, the 2019 SCA is a quick and efficient way to assess service providers during onsite or virtual assessments.

Enhancements to the 2019 SCA include:

  • Updated Guidance Documentation – The main SCA document includes new reference material that helps users complete assessments faster and with a better understanding of the controls being assessed.
  • SCA Report Template – SCA reporting template is now in spreadsheet format, making it easier to document findings while onsite, copy and paste data and use on a mobile device.
  • Executive Summary Template – A new Executive Summary Template is included that will assist in creating a lightweight summary report of the SCA findings for management without all the detail of the full report.
  • SIG Integration and Automatic SCA Scoping – Using the SIG with its embedded SCA content, automatic customization is available to make SCA assessment procedures match just the SCA questions that were scoped and answered by the Assessee in a SIG.
  • SCA Assessment Standards for Distributable Reports – Due to the requirements within the SCA Standards for distributable reports, the outsourcer can be assured that the procedures in an SCA will be performed consistently, regardless of which certified organization performs it.
  • Content Updates
    • Privacy and Compliance Updates – Updated with relevant and current U.S. and international regulatory and privacy requirements including an update of GDPR-related content.
    • SIG Alignment – The SCA has been thoroughly reviewed and updated to align more closely with the SIG, using matching terminology and making it simpler to follow the “trust, but verify” model of third party risk management.
    • GDPR Privacy Tools Alignment – The GDPR Toolkit aligns completely with the SCA, ensuring SCA-based assessments address the most current privacy considerations.

2019 Vendor Risk Management Maturity Model (VRMMM) Benchmark Tools

The VRMMM, available since 2013, is the longest running third party risk maturity model, and has been vetted and refined by hundreds of the most experienced third party risk management professionals.

2019 saw significant updates to the VRMMM content, including:

  • Privacy and Compliance Updates – Updated with relevant and current U.S. and international regulatory and privacy requirements including an update of GDPR-related content.
  • Inclusion of recent guidance regarding Third Party Risk Management from:
    • The American Institute of Certified Public Accountants (AICPA) which sets guidelines for public auditing principles.
    • The Office of the Comptroller of Currency (OCC) which audits the safety and soundness of U.S. banks.
    • New York Department of Financial Services Part 500 of Title 23 of the Official Compilation of Codes, Rules and Regulations of the state of New York (NYDFS 23 NYCRR 500), which is a cybersecurity regulation mandated for any financial services company doing business in the U.S. state of New York.
    • Privacy requirements including the European Union General Data Protection Regulation (GDPR).

The VRMMM is important to third party risk, and we have made it free to members and non-members. It can be downloaded here.

2019 GDPR Privacy Tools

The GDPR Privacy Tools help meet the requirements imposed on how Controllers (i.e., outsourcers) must appoint and monitor Data Processors (i.e., third parties/vendors) as a part of GDPR.

Enhancements to the 2019 GDPR Privacy Tools include:

  • The GDPR Toolkit was originally released prior to the GDPR compliance deadline of May 25, 2018. The focus and narrative were on preparation for the upcoming deadline. Now that the deadline has passed, the leading practices incorporated in the tools have been updated based on the experiences of dozens of Shared Assessments member companies.
  • The template tools were enhanced to better allow tracking of issues over time.

Download this free tool.

To learn more about the Toolkit updates, and to learn how the tools work together for a Third Party Risk Management Program, you can:

Coming Soon: 2019 Shared Asse...

Jenny Burke 12-05-2018

The Santa Fe Group elves are working hard to make December great for our members. The Third Party Risk Management Toolkit is expected to drop in mid-December.

We are particularly proud of what the Toolkit will bring our members this year.

It’s all in the Name. Calling it a Toolkit reflects how it is used. The tools are designed to work together to follow the typical process a third party risk practitioner would use to implement a program. The Toolkit embodies a “trust, but verify” approach to conducting third party risk management assessments and uses a substantiation-based, standardized methodology.

Our Membership Roots. The Toolkit, like all our resources, was built by the collective intelligence of our diverse membership. The practitioners who came together to create the Toolkit come from different industries, perspectives and company sizes, but they all share a passion for creating resources that will improve third party assurance.

We Heard You. The major changes in the Toolkit are all about making the tools easier to use. Here are just a few of the new features we are most excited about:

  • SIG Content Library – there is no longer a “Full SIG” but rather a Content Library that SIGs are created from. To build a questionnaire, practitioners will select a SIG Core or SIG Lite from within the SIG Management Tool and will scope it from there by industry specific content, authority document, individual questions, control categories and risk tiers. This means that your SIG will be exactly the size you need it to be.
  • SIG|SCA Integration – SCA content is now contained within the SIG, so when you scope your SIG you are also scoping your SCA for the accompanying onsite or virtual assessment to go along with the questionnaire.
  • New SIG Architecture – Questionnaires are now created from within the SIG Management Tool. Along with streamlined code, this makes the 2019 SIG size smaller, enabling it to run more smoothly and questionnaires to be created more quickly. You now have a choice to create a SIG with all questions in one tab or with a tab for each risk domain.
  • Saved Questionnaires – Any SIG questionnaire can be saved as a template to be used or modified later, making it easy to fit existing questionnaires to new vendors.

All of our tools have also received a regulation refresh, taking into account recent national and international regulatory changes. One of the most requested new authority documents, NIST 800-53r4, is mapped within the SIG.

Stay tuned for the tool release later this month. To make sure you are on our distribution list, or for any questions, please email us.

Fear, Uncertainty and Doubt Ma...

Tom Garrubba 11-15-2018

As cybersecurity programs become more integrated into enterprise risk management (ERM) programs, security professionals grapple with new issues. Rather than relying on fear, uncertainty and doubt (FUD) to fuel their business case for budget increases, cybersecurity leaders are striving to quantify the business impact and probability of cybersecurity events while evaluating new options, including cyber insurance policies, and looking for new ways to address growing challenges, such as third-party risk management.

That’s the theme of a comprehensive CSO Online article that features insights from leading security executives and other experts, including Santa Fe Group Senior Director Mike Jordan. Mike weighs in on the growth of the cyber insurance sector. He notes that companies selling these policies have developed “a fairly good idea of what they’re willing to insure and the security measures they require you have in place in order to get a policy.” Mike’s discussion also touches on the increasingly valuable role of vendors that measure a company’s cybersecurity risks and assessment firms that conduct cybersecurity audits.

Of course, many organizations still have a ways to go when it comes to quantifying cybersecurity risks and assimilating cybersecurity programs with ERM. The article, authored by CSO Contributing Writer Maria Korolov, pinpoints several obstacles limiting progress toward those two objectives and then highlights approaches that have proven effective in clearing these hurdles.

The challenges hampering the integration of cybersecurity into overarching risk management programs include:

  • Getting lost in translation: “There’s often a disconnect between the language of security and the language of risk, and that can make it harder for a CSO to play a meaningful role in the enterprise risk management discussion,” Korolov writes, noting that “many cybersecurity experts throw up their hands in frustration when asked about how they quantify the risk reduction associated with particular mitigation strategies…”
  • An overly tactical focus: Cybersecurity professionals – for sound reasons – tend to focus on “very tactical technical issues,” such as patching vulnerabilities as soon as possible. While this perspective is necessary, it can be helpful to also frame and communicate security priorities in broader business terms. If a patch is needed, for example, the information security group should also estimate and communicate the potential cost – in lost business, remediation and potential regulatory fines – of leaving the vulnerability exposed.
  • Quantifying risks is difficult: According to a patch management expert cited in the article, “there is no formula for calculating how much the implementation of each control lowers your risk.” While the art and science of quantifying cybersecurity risks is advancing, organizations should prioritize risks that elude quantification.
  • Boards misunderstand cyber risk: Deloitte Partner Dan Kinsella frequently speaks to corporate boards about cybersecurity oversight. He says that some boards have yet to grasp the fluid nature of cybersecurity risks. Once a specific cybersecurity issue has been addressed, some boards tend to consider the matter closed. “That’s not the case with cyber risk,” Kinsella stresses.

Korolov includes high-level snapshots of effective cybersecurity-ERM integrations. Several key enablers of this approach within Aetna provide a clear picture of what is needed to succeed, including:

  • Categorization: Cyber risks are treated as an operational risk within Aetna’s ERM framework.
  • Involvement: Aetna’s chief security officer (CSO) is a member of the risk committee that governs the ERM program.
  • Measurement: “Specific and quantitative” cyber risks are evaluated and managed according to the daily risk scores they are assigned.
  • Mindset: Aetna’s CSO also stresses that his group’s risk-management activities and requirements significantly exceed what is required from a regulatory compliance standpoint.

Korolov’s reporting also emphasizes that third party risks further complicate the already difficult challenge of measuring the probability and potential bottom-line impact of breaches. Fortunately, progress is being made – as Mike asserts: “Measuring cyber security risk,” he tells CSO, is “becoming less art, and more science.”

European Invasion? Congression...

Tom Garrubba 11-13-2018

Might the U.S. take a page from the European Union’s (E.U.) data privacy playbook? Could the California Privacy Act spread to the rest of the country?

These possibilities were on the minds of participants in recent Congressional hearings concerning data privacy. The European Union’s (EU’s) General Data Protection Regulation (GDPR) and the California Consumer Privacy Act of 2018 (CCPA) have captured the attention of technology company executives and legislative leaders. Tech executives appear concerned that other states could follow California’s lead by enacting their own laws concerning consumer data privacy protections. Congressional leaders appear interested in understanding the impacts of GDPR and CCPA on U.S.-based companies — and in potentially applying these learnings to future legislative actions concerning data privacy and security. (Three such bills currently exist in Congress.)

In late September, U.S. Sen. John Thune (R-S.D.), who chairs the Senate Committee on Commerce, Science, and Transportation, held a hearing with executives of leading technology companies. Thune indicated that the hearing was designed to provide “leading technology companies and internet service providers an opportunity to explain their approaches to privacy, how they plan to address new requirements from the European Union and California, and what Congress can do to promote clear privacy expectations without hurting innovation.”

During the discussion, Amazon Vice President and Associate General Counsel Andrew DeVore urged Congress to consider “possible unintended consequences of the CCPA approach” while noting that the law’s speedy passage “left little opportunity for thoughtful review, resulting in some provisions that ultimately do not promote best practices in privacy.” DeVore pointed to the CCPA’s definition of “personal information” as an example, explaining that it “goes beyond information that actually identifies a person to include any information that ‘could be linked with a person,’ which arguably is all information.” The result, he concluded, “is a law that is not only confusing and difficult to comply with, but that may actually undermine important privacy protective practices like encouraging companies to handle data in a way that is not directly linked to a consumer’s identity.”

A few weeks later, Sen. Thune convened another hearing, this one attended by privacy advocates who also spoke about the types of consumer protections Congress should consider in future legislation.

In carefully researched written testimony, the Center for Democracy & Technology President and CEO Nuala O’Connor argued for federal privacy legislation that “will shift the balance of power and autonomy back to individual consumers, while providing a more certain and stable regulatory landscape that can accelerate innovation in the future.” After pinpointing why “the existing patchwork of privacy laws in the United States has not served Americans well,” O’Connor described how a national data privacy law “should create an explicit and targeted baseline level of privacy protection for individuals” by addressing four areas:

  • Enshrining basic individual rights with respect to personal information;
  • Prohibiting unfair data processing;
  • Deterring discriminatory activity; and
  • Establishing meaningful enforcement mechanisms.

As businesses, consumer privacy advocates and legislators continue to discuss, and disagree on, data privacy rules, it appears that some common ground – in the form of a growing desire for federal legislation – has quietly been reached. In a speech at an EU privacy conference in October, Apple CEO Tim Cook asserted that the U.S. should follow the EU’s lead by enacting its own comprehensive federal data privacy law.

We’ll keep you posted as these discussions progress; until then, a large number of companies across multiple industries will be dreaming of Californication, or perhaps tossing and turning about the work they need to do to establish and sustain compliance with GDPR and the CCPA.

How To Win (More) Third Party ...

Jenny Burke 11-07-2018

Although he was referring to troop levels, George Washington demonstrated more than a little budgeting savvy when he wrote that “we must consult our means rather than our wishes.”

While third party risk management (TPRM) leaders would do well to heed that (founding) fatherly wisdom, they should also keep in mind that a number of emerging best practices have proven successful in boosting the means TPRM groups have at their disposal. Shared Assessments is currently analyzing research concerning how organizations are addressing heightened regulatory expectations related to TPRM requirements. The Vendor Risk Management Benchmark Study, now in its fifth year, has just wrapped up, and the research report is expected to be released in February 2019. Coupled with this annual research is a special project now underway sponsored by the Best Practices Awareness Group and the Regulatory Compliance Audit Awareness Group. One component of this research, which is being spearheaded by subject matter experts in both groups, examines the successful approaches TPRM leaders have deployed to fortify their case for more resources during annual budgeting activities.

While the research remains in process, it has already identified the importance of tightly linking vendor risk management objectives with an organization’s strategic business goals. That coupling of appropriate risk management capability with an enhanced ability to achieve strategic business goals significantly increases the likelihood of successfully procuring additional TPRM resources.

In many companies, for example, the failure to meet regulatory requirements may result in reputational damage. In a company that considers its brand a strategic asset, third party risk management leaders should show how specific vendor risk management gaps would potentially limit the company’s ability to protect its brand. A business case that supports that business-centered point is more likely to result in a favorable budgeting decision compared to a business case that centers only on the risk of a regulatory compliance failure.

This is just one of a number of approaches TPRM leaders are marshalling in the ongoing battle for more funding. I’ll keep you posted on when, in early 2019, a paper highlighting this research becomes available.

Going Back 2 Cali: The Golden...

Tom Garrubba 10-26-2018

The California State Legislature recently completed a data privacy/data security two-step by passing two new laws with significant third party risk management implications for a broad collection of companies.

In late September, California enacted what some are referring to as the country’s first “Internet of Things (IoT) security law.” The new law requires makers of connected devices (those assigned an IP or Bluetooth address) to have in place “reasonable” security features. This vague qualifier is (somewhat) fleshed out in the law’s description of security features that are:

  • Appropriate to the nature and function of the device;
  • Appropriate to the information it may collect, contain, or transmit; and
  • Designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified.


The law states that its requirements are not enforceable by a private right of action, which would prevent class action lawsuits from arising following a major data breach of a connected device. However, the law is enforceable by the California Attorney General as well as government attorneys at the city, county and district level. “As a result, a manufacturer of a device that turns out to have an exploitable security issue may face legal jeopardy on many fronts….” according to a Davis Wright Tremaine LLP bulletin on the new law.


These requirements are currently scheduled to take effect Jan. 1, 2020 – the same day that the state begins enforcing the sweeping California Consumer Privacy Act of 2018 (CCPA). Approved – swiftly – in June, the CCPA is notable for a number of reasons including:

  • The law’s definition of “personal information” is broad: Personal information includes a consumer’s Internet browsing history, personal identifiers, geolocation data, psychometric data, biometric data and “inferences drawn” from any of that customer data, according to the bill.
  • The CCPA extends to a wide collection of companies: While the law applies to the world’s largest technology companies, any business that processes personal data of California residents will have to comply. This includes Internet service providers, data brokers, retailers and other companies that meet any of the following criteria: 1) gross annual revenue north of $25 million; 2) receiving or sharing personal information of more than 50,000 consumers (or households or devices); or 3) earning more than half of annual revenue from the sale of personal data.
  • The law affects third party risk management: The law requires companies to update service level agreements (SLAs) with third party data processors, among other crucial vendor risk management considerations.
  • The CCPA’s quick passage is noteworthy: The law materialized rapidly in June after the sponsors of a ballot initiative containing similar requirements agreed to withdraw their initiative on the condition that the California state legislature approve a replacement law (one that can be amended to address compliance problems prior to its enactment). California legislators did just that – introducing a comprehensive law that was signed into law by Governor Jerry Brown six days later. Although the conditions that drove the law’s prompt passage are unique, the public’s desire for data privacy regulations and the speed with which these laws can potentially be introduced shows that the early warning systems companies use to detect, shape and prepare for legal and regulatory changes may need updating.


It’s also notable that the law’s language allows for it to be amended. Any changes that do occur appear likely to be made to clarify compliance requirements. Given that a PwC survey finds that only 52 percent of U.S. companies that will need to comply with the CCPA expect to be compliant by Jan. 2020, organizations should immediately begin assessing and addressing their compliance needs.


The Clock is Ticking …It’s...

Linnea Solem 09-19-2018

Tick Tock. It’s that time of year again. Summer’s heat waves are retreating, school is in session, and budget planning is well underway for 2019 and beyond. Each year organizations typically take focused time during Q3/Q4 to evaluate their strategic plans; monitor the evolving risk environment; assess cyber-security threats; and identify programs to be enhanced in the coming fiscal year. Lines of business are focused on business cases for new products/services, while risk teams are working to mature governance to address new compliance obligations with limited resources.

✔ What regulatory landscape changes are changing expectations?
✔ What third party risk focus areas are “hot topics?”
✔ Where does third party risk fit into those competing priorities?
✔ How can self-assessment tools be used for peer benchmarking?

And this season the 5th annual Third Party Risk Management Benchmark Survey, based on the expanded 2019 Shared Assessments Vendor Risk Management Maturity Model, is here to help put an early spotlight on additional areas of practice maturity emerging in response to a number of market changes.

Market Changes

  • New Regulations: Heightened expectations have been triggered for third party oversight and vendor management. GDPR is now enforceable, extending obligations to data processors and vendors. The OCC’s supplemental examination procedures to its “Third-Party Relationships: Risk Management Guidance” are raising expectations for risk management, due diligence and governance. Covered entities impacted by NY DFS 500 are facing the clock as the countdown to March 2019 fast approaches. Indeed, the complexity of certifying or providing assurance on third party risk program effectiveness is difficult to measure and quantify.
  • High-Profile Data Breaches: Recent events have placed a spotlight on the risk of cyber security breaches with vendors and subcontractors, expanding the need to have greater rigor in third party risk management and ongoing risk assessments.
  • Updated Standards: NIST standards are expanding to include risk management and privacy. External audit standards for SOC reports have been updated by the AICPA. The updated Trust Services Criteria will now contain 9 Vendor Risk Management common controls for 2019 engagements.

It’s all about taking “Trust, but Verify” to the next level with enhanced controls, validation, testing, and governance. While each new regulation or standard is focused on a particular jurisdiction or market vertical, the themes for third party risk management have more similarities than differences.

Hot Topics for Vendor Risk Management:
✔ Subcontractors/Nth Party Management
✔ Continuous Monitoring Program Activities
✔ Vendor Inventories
✔ Vendor Contract Modernization
✔ Risk Posture/Methodologies/Approvals

Adapting a vendor risk management program impacted by both internal and external drivers can feel daunting without a roadmap to help mature or expand the program components. Organizations of all sizes may need to develop business cases to get resources, either people or investments, to expand third party governance programs.

Vendor Risk Management Maturity Model
The Shared Assessments Program Vendor Risk Management Maturity Model (VRMMM) was developed by its members to provide a roadmap for structuring, operating, and measuring each component of an organization’s Vendor Risk Management Program. Combining best practices, thought leadership, and hands-on vendor risk management, the Program Tool provides a framework for each element of an effective vendor risk management program. The VRMMM self-assessment enables an organization to evaluate the maturity of its current third party risk program based on a ranking of core program attributes:

VRMMM Framework

    • 1.0 Program Governance
    • 2.0 Policies, Standards & Procedures
    • 3.0 Contract Development, Adherence & Management
    • 4.0 Vendor Risk Assessment Process
    • 5.0 Skills & Expertise
    • 6.0 Communications & Information Sharing
    • 7.0 Tools, Measurements & Analysis
    • 8.0 Monitoring & Review

VRMMM-based self-assessments enable a critical focus on third party risk management process maturity, a key input to help prioritize resource allocations in any organization’s annual vendor risk management structuring, enhancement or expansion plans.

The 2019 version of the VRMMM has been expanded to incorporate recent regulatory changes and key topics such as vendor inventories, fourth party management, continuous monitoring, risk posture, and contract modernization. The current Benchmark Survey, open from September 20th until October 16th, can give you a significant head start on that self-assessment.

The Power of the 2018 Benchmarking Survey
This year’s Benchmark Study is the first to be based on NEXT year’s Vendor Risk Management Maturity Model (VRMMM), not the current 2018 iteration. The study will be released in early 2019 – shortly after the 2019 VRMMM Program Tool becomes available – allowing risk managers to immediately gauge their own practice maturity against industry peers by comparing survey results against the newly expanded 2019 VRMMM.

The survey results will provide critical data for practitioners to understand where their own program may lag, and to prioritize where additional resources might be utilized most effectively.

Catherine Allen, CEO of The Santa Fe Group and Shared Assessments Program, stated, “The Vendor Risk Management Benchmark Study is a remarkably powerful tool that risk managers routinely use to understand the relative strengths and weaknesses of their programs. This year’s survey update drills down into continuous monitoring, privacy, data management, and a broad range of additional practices to make the insights even more valuable to third party risk professionals.”

Paul Kooney, a Managing Director in the Security and Privacy practice at global consulting firm Protiviti, notes, “Protiviti is excited to team with the Shared Assessments Program to provide one of the most comprehensive benchmark reports providing insights about the overall state of third party risk management practice maturity. Data from this year’s study will be considerably more useful, not just because of the survey’s significantly expanded scope, but because it will provide a current perspective on almost eighty new criteria added to the 2019 VRMMM.”

As always, it’s very important that your organization take the time to thoughtfully complete the Benchmark Survey. Your participation benefits the third party risk management community as a whole by enabling an accurate and updated understanding of the true state of vendor risk management practice maturity. Please join your peers and complete the 2018 questionnaire, open from September 20th through October 16th, at: https://www.research.net/r/B7LCCTV?rnid=[rnid_value]&study=[study_value]