Blog

2020 Shared Assessments Third ...

Jenny Burke 11-18-2019

Shared Assessments has released its updated 2020 Third Party Risk Management (TPRM) Toolkit which supports organizations in their vendor risk management efforts, regardless of size and industry. The Toolkit elements help both Outsourcers and third party providers meet regulatory, consumer and business scrutiny within the constantly evolving cyber and other security threat landscape.

Shared Assessments keeps a close eye on emerging regulations, guidelines and standards for a wide range of industries, such as: NIST 800-53r4, NIST CSF 1.1, FFIEC CAT Tool, ISO 2700X, GDPR, emerging CCPA regulation and PCI 3.2.1. That knowledge is used to refine the new Toolkit, which includes multiple Tools that embody a substantiation-based, standardized, efficient methodology for a comprehensive “Trust, but Verify” approach to TPRM.

The 2020 Shared Assessments TPRM Toolkit includes:

  • Standardized Information Gathering (SIG) Questionnaire Tools
  • Standardized Control Assessment (SCA) Procedure Tools
  • Vendor Risk Management Maturity Model (VRMMM) Benchmark Tools
  • Third Party Privacy Tools – NEW 

Updates to the Toolkit were determined by the collective intelligence of our membership, bringing a diversity of views from:

  • Outsourcers, service providers, licensees, assessment firms and regulators.
  • Organizations from start-ups to large, global corporations.
  • Industries including Financial, Insurance, Consumer Packaged Goods, Services, IT and Healthcare.
  • Subject experts in cybersecurity, privacy, supply chain risk, compliance, regulation, enterprise risk management and Third Party risk.

The 2020 Toolkit reflects not only updates to the changing regulatory and risk landscape; it also incorporates elements that help our hundreds of members and tool subscribers perform risk assessments that are efficient and fast while providing a high degree of assurance. The 2020 Toolkit was built to allow that standardized excellence in content while making assessments easier to create, customize and manage. The Toolkit elements can work singly, but were built to work together to follow the typical process a Third Party risk practitioner would use to implement their program.

Standardized Information Gathering (SIG) Questionnaire Tools

The 2020 SIG has been streamlined and includes new automation that makes it easier for Outsourcers to manage SIGs, and for service providers to respond to, export and share assessment responses.

  • Multiple Questionnaire Management – Service Providers can now manage a SIG for each of their service offerings or environments. When requests from customers come in, service providers can select, and further customize when necessary, the best questionnaire for that partner.
  • Collaborative Responses – Often, more than one person at an organization must work together to complete a SIG questionnaire, which can add complexity to the response process. In the most recent SIG, questions can be assigned to individuals, and responses seamlessly compiled, easing this process.
  • Issue and Remediation Management – A SIG can automatically analyze completed questionnaires against the “right answers”. A SIG Master is an answer key that lets you store your preferred response for each question and rank the question’s importance in a Master Answer Key. Automated reports let you compare your SIG Master against any completed SIG to quickly determine any vendor discrepancies.
  • Exportable Responses and Configuration – The SIG can now be exported into a standardized format called JSON that is recognized by various types of software and makes sharing simpler and more secure. This allows Shared Assessments’ partners to more easily integrate SIG content into their own tools and allows improved confidentiality when sharing SIG responses.
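The answer-key comparison described above, as an added illustration that is not part of the Toolkit or the original post: a small gap analysis that loads a master answer key and a completed questionnaire from JSON, reports every answer that differs from the preferred one (including questions the vendor left unanswered), orders findings by the importance rank, and computes a weighted alignment figure. The JSON layout, question identifiers, importance labels and weights are all constructed for this example; the real SIG export schema is not described on this page and is not assumed here.

```python
"""Gap analysis of a completed questionnaire against a master answer key.

The JSON layout below is constructed for this example; it is not the
Shared Assessments SIG export format, whose schema is not described here.
"""
import json
from dataclasses import dataclass

# Constructed sample: the outsourcer's preferred answers and importance rank.
MASTER_KEY_JSON = """
{
  "questions": [
    {"id": "A.1", "text": "Is there a documented information security policy?",
     "preferred": "Yes", "importance": "High"},
    {"id": "B.3", "text": "Is multi-factor authentication required for remote access?",
     "preferred": "Yes", "importance": "High"},
    {"id": "C.2", "text": "Are backups tested for restorability at least annually?",
     "preferred": "Yes", "importance": "Medium"},
    {"id": "D.5", "text": "Is an ISO 27001 certification maintained?",
     "preferred": "Yes", "importance": "Low"}
  ]
}
"""

# Constructed sample: a service provider's completed responses.
# D.5 is deliberately unanswered to show how gaps in coverage are reported.
COMPLETED_JSON = """
{
  "vendor": "Example Vendor (constructed)",
  "responses": [
    {"id": "A.1", "answer": "yes"},
    {"id": "B.3", "answer": "No", "comment": "MFA planned for Q2"},
    {"id": "C.2", "answer": "Yes"}
  ]
}
"""

# Assumed weighting for the importance rank; adjust to your own program.
IMPORTANCE_WEIGHT = {"High": 3, "Medium": 2, "Low": 1}


@dataclass(frozen=True)
class Discrepancy:
    question_id: str
    importance: str
    preferred: str
    actual: str  # "UNANSWERED" when the vendor skipped the question
    comment: str


def normalize(answer):
    """Case- and whitespace-insensitive comparison of short answers."""
    return " ".join(answer.split()).casefold()


def compare(master_json, completed_json):
    """Return discrepancies between the answer key and the completed questionnaire."""
    master = json.loads(master_json)["questions"]
    responses = {r["id"]: r for r in json.loads(completed_json)["responses"]}
    findings = []
    for q in master:
        r = responses.get(q["id"])
        if r is None:
            findings.append(Discrepancy(q["id"], q["importance"], q["preferred"], "UNANSWERED", ""))
        elif normalize(r["answer"]) != normalize(q["preferred"]):
            findings.append(Discrepancy(q["id"], q["importance"], q["preferred"],
                                        r["answer"], r.get("comment", "")))
    # Highest-importance discrepancies first, then by question id for stable output.
    findings.sort(key=lambda d: (-IMPORTANCE_WEIGHT[d.importance], d.question_id))
    return findings


def alignment_score(master_json, completed_json):
    """Weighted share of master questions answered as preferred (0.0 to 1.0)."""
    master = json.loads(master_json)["questions"]
    total = sum(IMPORTANCE_WEIGHT[q["importance"]] for q in master)
    missed = sum(IMPORTANCE_WEIGHT[d.importance] for d in compare(master_json, completed_json))
    return (total - missed) / total if total else 1.0


def report(master_json, completed_json):
    """Human-readable discrepancy report, one line per finding plus a summary."""
    lines = []
    for d in compare(master_json, completed_json):
        line = f"[{d.importance}] {d.question_id}: preferred {d.preferred!r}, got {d.actual!r}"
        if d.comment:
            line += f" ({d.comment})"
        lines.append(line)
    lines.append(f"Weighted alignment: {alignment_score(master_json, completed_json):.0%}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(MASTER_KEY_JSON, COMPLETED_JSON))
```

Unanswered questions are reported as discrepancies rather than silently skipped, since a missing answer on a high-importance control is exactly the kind of gap a reviewer wants surfaced before the remediation conversation with the vendor.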

Content updates to the 2020 SIG Tools include:

  • Privacy and Compliance Updates – Updated with relevant and current U.S. and international regulatory and privacy requirements including CCPA and GDPR.
  • New Operational Risk Content – New content around ethical sourcing, including money laundering, anti-trust, anti-bribery, call center security, payments compliance and human trafficking.
  • Industry-Specific Content – Content Library additions including FDA content for Consumer Packaged Goods (CPG) and Life Sciences, Insurance industry-specific content and IoT (Internet of Things) risk controls content.
  • Mapping – The following ten mappings to Authority Documents are now included within the body of the SIG and can be used for creating questionnaires.
    • FFIEC APPENDIX J – Federal Financial Institutions Examination Council (FFIEC) Information Technology Examination Handbook – Appendix J: Strengthening the Resilience of Outsourced Technology Services, February 2015
    • FFIEC CAT Tool – FFIEC Cybersecurity Assessment Tool (CAT), May 2017
    • FFIEC MANAGEMENT HANDBOOK – FFIEC IT, IS & Outsourcing Examination Management Handbooks, November 2015
    • GDPR – EU General Data Protection Regulation (GDPR), April 2016 (Effective May 2018)
    • HIPAA – U.S. Department of Health and Human Services, Health Insurance Portability and Accountability Act (HIPAA) Simplification, March 2013
    • ISO 2700X – International Standards Organization (ISO) 27001/27002, 2013
    • NIST 800-53r4 – NIST 800-53r4 Security & Privacy Controls for Federal Information Systems and Organizations, January 2015
    • NIST CSF 1.1 – National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), April 2018
    • NYDFS 23 NYCRR 500 – New York State Department of Financial Services Cybersecurity Requirements for Financial Services Companies
    • PCI 3.2.1 – Payment Card Industry (PCI) PCI DSS V.3.2.1, February 2018

 

Standardized Control Assessment (SCA) Procedure Tools

The SCA Tools are a standardized set of assessment procedures that, when combined with the scoping features of the SIG, provide a quick and efficient way to assess service providers during onsite or virtual assessments.

Enhancements to the 2020 SCA include:

  • Single worksheet format that enables efficient extraction of data to external platforms.
  • Consolidation of optional and standard procedures into one library of test procedures.
  • Simplified report format to provide consistency in assessor documentation.

Vendor Risk Management Maturity Model (VRMMM) Benchmark Tools

The VRMMM, available since 2013, is the longest running third party risk maturity model, and has been vetted and refined by hundreds of the most experienced TPRM professionals.

2020 saw changes to VRMMM functionality, including:

  • Target Maturity – the flexibility to hide or display Target Maturity ratings when gathering responses to improve respondent objectivity.
  • Process Maturity – ability to assess program maturity at the individual criteria level allowing for more granular diagnosis.
  • Dynamic Risk Reporting – enhanced executive management reporting dashboard including color coded indicators for maturity gaps.

The VRMMM is an essential element for benchmarking TPRM programs in all industries, so we’ve made it free to both members and non-members. It can be downloaded here.

2020 Third Party Privacy Tools

New for 2020. This set of tools was originally built to meet the demands of GDPR. This year we’ve expanded the Privacy Tools to include requirements from various privacy regulations and framework updates, including CCPA.

The Third Party Privacy Tools include:

  • Privacy Tools Implementation Guide which provides users with a summary overview of the Privacy Tools and best practice guidance.
  • Privacy Tools Questionnaire based on the SIG, that focuses on 10 critical privacy risk domains.
  • The same Privacy Test Procedures found in the SCA that align to current international and state privacy changes.
  • Target Data Tracker – an updated data governance tool that enhances your ability to document and manage Third Party due diligence artifacts across the life of the relationship.
  • Target Data Tracker How-To-Guide providing step-by-step instructions for using the Third Party Privacy Tools.

 

To learn more about the Toolkit updates, and to learn how the tools work together for a Third Party Risk Management Program, you can:

Coming Soon: 2020 Shared Asses...

Jenny Burke 11-05-2019

No need to wait until Thanksgiving to be grateful, the 2020 Third Party Risk Tools are due to arrive on November 19th.

Here is a preview of what you can expect in our third party risk bag of tricks.

NEW Privacy Tools. Our third party risk specific 2019 privacy tool, the GDPR Toolkit, was so popular that our committee expanded the scope of the tools to meet the requirements from various privacy framework viewpoints, including the CCPA. Of notable value is the Target Data Tracker, which focuses on privacy data governance obligations for identifying, tracking and documenting the use of personal information within third party relationships.

Expanded Risk Areas. Third party risk practitioners have never faced more complexity in managing their programs. Our risk control Content Library has expanded accordingly, to address governance functions around anti-trust, anti-bribery, international compliance, human trafficking risk, call center security and more.

We Heard You. The major changes in the Toolkit are all about making the tools easier to use. Here are just a few of the new features we are most excited about:

  • SCA – New scoping capabilities that deliver a menu of SCA test procedures tailored for each onsite or virtual assessment.
  • VRMMM – Now has improved maturity tracking and functionality to let managers set more granular maturity level ratings and create clearer reports. Program managers can use Target Maturity to set their targets and also hide or display the ratings to strengthen objectivity.
  • SIG Formats – The SIG is now exportable into a JavaScript object notation (JSON) file, making importing and exporting content easier and more secure.
  • SIG Functionality – New features allow better administration of the SIG, including improved management of collaborative response when more than one person must work together to complete a questionnaire. SIG questionnaires can now be used as customized templates to be used or modified later, making it easy to fit existing questionnaires to new situations.

All of our tools have also received a regulation refresh, taking into account recent national and international regulatory changes.

Stay tuned for the tool release later this month. To make sure you are on our distribution list, or for any questions, please email us.

This is Your Career on CTPRP &...

Laura Waller 10-02-2019

In the late ‘80s, the Partnership for a Drug-Free America ran an advertising campaign with a simple and powerful message. In one of the televised spots, a man cracks an egg (your brain) into a hot skillet (drugs) where it sizzles (your brain on drugs).

If we created a public service announcement for the Shared Assessments Program’s Certified Third Party Risk Professional (CTPRP) designation, it would have a similarly powerful and straightforward hook – and a decidedly more uplifting message. As we’ve conducted interviews this year with individuals who have earned the CTPRP certification, we’ve discovered that the experience has significantly elevated their careers, expanded their professional networks and, in some cases, burnished their reputations as thought leaders.

In the spring, I wrote about the ways CTPRPs applied their third party risk management expertise and credentials to benefit their organizations. We’ve been conducting another round of CTPRP discussions this fall, and our subjects include executives and managers who work in industry as well as for third party risk assessment firms and software companies that license the Shared Assessments Third Party Risk Management Toolkit (i.e., the Standardized Information Gathering (SIG) questionnaire tools, the Standardized Control Assessment (SCA) procedure tools for onsite assessments, the Vendor Risk Management Maturity Model (VRMMM) benchmark tools and the Privacy Tools).

These interviews have been insightful as well as enjoyable. And I want to share what we’ve been hearing from our interview subjects when they discuss how earning and maintaining their CTPRP certifications has helped them on a more personal level. According to the testimonies of real-world CTPRPs, here are five sizzling career-improvement benefits you can expect to experience after getting on the CTPRP designation:

  1. You will become a sought-after third party risk expert within your organization. “Whenever colleagues ask questions related to third party risks, our business leaders tell them to seek out my opinion,” says a cyber security and IT risk senior manager with an assessment firm. “It has helped solidify my credibility in the firm as well as externally.”
  2. You will be able to strengthen your leadership credentials. The CEO of a vendor with dozens of large financial services and healthcare industry client companies notes that her CTPRP designation is important in sectors that place a high value on professional certifications. “It conveys [our] commitment to privacy and security issues,” she asserts while pointing out that her decision to earn the designation also sets the right tone at the top inside her company. “I felt it was important for me to go through the certification process before I asked anybody in our organization to do it as well,” she adds.
  3. You will have more opportunities to speak and write. After earning his CTPRP designation, a third party risk manager who specializes in information security received an invitation to speak at an event. He now presents regularly on third party risk topics at information security conferences. A risk manager who was part of the first group of professionals to obtain their CTPRP has helped plan and draft two third party risk management white papers per year since earning his designation in 2015.
  4. Your network will get larger and smarter. A security compliance specialist extols the benefits of attending the past seven Shared Assessments annual summits where he sits in on workshops and taps his network of third party risk management experts. By attending these events, he’s met people “who I can go to with a question or a problem that I’m not 100 percent sure how to address,” he explains. “That issue could relate to documenting a policy for responding to customer assessments or adjusting the framework for contract reviews. I know people who are specialists in those areas from the relationships we’ve developed while working on Shared Assessments committees together. Being able to reach out to them is priceless.”
  5. You may become an integral part of your business development colleagues’ sales pitch. “To this day,” says a risk specialist with an assessment firm, “when my sales colleagues mention that we’re a Shared Assessments Assessment Firm member – boom, it automatically sparks a new conversation.”

 

You also may get promoted. A third party risk manager who specializes in incident response credits his application of CTPRP knowledge throughout his organization with helping to elevate him from senior analyst to director.

Check the current schedule to earn your CTPRP.

 

If you are a CTPRP holder, and want to speak about how this has helped your career or third party risk program, please contact Laura.

Enhancing Third Party Provider...

Eric Hess 09-30-2019

As the founder of a law firm and two cybersecurity firms, my clients often reach out to me to manage technology contracts that have cybersecurity and privacy implications. My clients span the small, with minimal processes, to larger firms with Chief Information Security Officers (CISOs), separate risk functions, and legal departments. I get a bird’s eye view into the challenges they experience aligning the contracting, security and procurement/diligence functions, as well as trying to manage a consistent framework for enforceable security and privacy obligations.

These challenges can arise due to the lack of subject matter expertise within the legal function, the pressures of expediting the contract process, and sometimes the perception that larger third party providers have the leverage. The security or procurement/diligence functions find that third party providers are generally more open about their security and privacy practices as part of a diligence versus contracting process. While there may be truth to these points, failing to contemplate enforceability for the core security and privacy diligence representations of your critical vendors potentially puts the enterprise at significant risk and runs contrary to the risk mitigation role that legal serves. Moreover, for ongoing third party provider relationships, risks are likely to increase with an expansion of products or services added through addendums and Statements of Work.

With the increasing costs of security breaches and the increasing liability of companies for the security of their extended network (i.e. their vendors) whether under GDPR (General Data Protection Regulation), financial or health regulation, or state law (such as New York Department of Financial Services or NYDFS cybersecurity regulations, California’s Consumer Privacy Act or CCPA), relying on an unenforceable assurance from your third party provider may no longer be acceptable particularly when nonpublic personal information is at stake. Moreover, having a due diligence process that addresses cybersecurity and data privacy concerns but does not integrate with the contracting process will lack the proper mechanisms for enforcement if the most critical diligence findings never make it into the contract. How enforceable is a point in time assessment or response if there is no related warranty or covenant for a third party vendor to maintain the associated controls? Moreover, if your contract actually provides for a generic “reasonable best practices” warranty for security or privacy controls, what does that exactly mean if the core controls you relied upon are not referenced in any enforceable obligation running to the third party provider?

I think most readers will readily accept that contractual commitments to cybersecurity and privacy protections are better than simply having an implied assurance that comes from third party due diligence. The issue, however, generally boils down to implementation. For this reason, organizations should contemplate adopting a framework that is adapted to their environment and would be wise to abide by some simple standards for implementation.

Identify relevant third-party risks. While you can start with a canned list of risks, you ultimately need to adopt one that is right sized and tailored to your company. This list might include vendor data breach, a loss of critical operations, fraud, IT risks, reputational risk (associated with a breach), support issues, etc. but should be more specific to your business. An existing company risk register would be helpful but in the absence of that or something similar, you may want to include in this list: a description of the risk, severity of the risk, its impact, possible response action and current status of the risk.

Identify common scenarios/variables impacting risk severity. Incorporating security and procurement concerns into the contracting process will be streamlined by a standardized framework. That framework should streamline the identification of the most relevant organizational security and privacy risks as well as the severity of those risks. Examples include whether the service/product is critical to operations or whether the vendor or other third parties will gain access to, process or store non-public information. Make sure to reference any applicable policies and procedures to ensure that they are being addressed as well.

Legal, security and procurement/diligence functions develop model language. Through a collaborative process that does not have the pressure of an imminent contract behind it, the legal, security and procurement/diligence functions should determine the most important contractual terms that align with the risks by severity of risk. To simplify adoption, these terms should be incorporated into a flexible “Data Privacy & Security Exhibit” which can then be incorporated by reference into agreements, statements of work, service level agreements and addenda as appropriate.

In addition to specific protective provisions, the exhibit should contemplate, in accordance with the variables identified above, the necessity of:

  • A contract audit process for strategic suppliers;
  • Mitigating action required of the third party provider to address any unique risks identified during the diligence process (e.g., assessment techniques, cybersecurity insurance requirements and coverage amounts);
  • Incident management responsibilities;
  • Corrective action/remediation obligations;
  • High availability and disaster recovery requirements;
  • Qualitative and quantitative metrics (e.g. KPIs, SLAs); and
  • Applicable data security rules and regulations (e.g. FINRA, SEC, CFTC, NYDFS cybersecurity regulations, HIPAA) and data privacy regulations (e.g. GDPR, CCPA)

Make sure to contemplate compliance enforcement and remedies for breaches of the foregoing.

Get buy-in from the stakeholders. Sometimes easier said than done, it is a good idea to advise those who will be impacted by this process early on. Arguably, awareness of the current state of cybersecurity threats and privacy regulation should facilitate this process. As part of coordinating with the stakeholders, make sure that the exception process is also addressed such as, for example, when the business has already determined that a particular third party provider must be used. Irrespective of the pressures in such situations, it remains important that the process for identifying the risks and variables associated with that risk still occurs (even if not contemporaneous) and is documented.

Ensure that the security and diligence functions consistently identify relevant risk factors for the legal function. Your process should contemplate a workflow for ensuring that the appropriate inputs are provided to the legal function so the appropriate provisions for those risks and variables are incorporated into the data privacy and security exhibit for a third party provider.

Monitoring. The process for third party risk management enforcement should also contemplate:

Change Management.

  • Ensure that all new services or products that are subsequently implemented under a prior agreement are required to be incorporated into such agreement pursuant to a mutual written agreement of the parties so that new risks can be addressed.
  • Ensure that newly identified risks or closure of old risks is reflected in your list of identified third party risks as relevant, as well as noted in the applicable provider’s file to address upon renewal.

Compliance. The importance of conducting ongoing risk assessments of your third party providers is beyond the scope of this blog, but irrespective of your process your company is going to need to evaluate periodically whether your providers are meeting their contractual commitments with respect to information security and data privacy. While self-attestations can provide some assurance, you can also leverage external reports provided by audit firms and third party assessors (such as SOC, SSAE, SIG or other reputable assessment frameworks). You may also contemplate using tools that leverage basic external intelligence to determine whether your providers are experiencing security threats or events that are not otherwise being disclosed to you. Lastly and most importantly, if your provider triggers any alerts as part of your own security monitoring process, you have a duty to investigate.

Consistent Reporting. Most companies have (or should have) a process in place for ensuring that there is a process around contract renewals to consider new threats and risks that are logged in the third party provider’s file along with any developing concerns. For example, the tightening of applicable data privacy regulations might necessitate new commitments when a contract with a processor of personal information is up for renewal. Failure to identify such changes before renewal could jeopardize a company’s compliance. Similarly and perhaps more importantly, if a third party provider has experienced new and relevant risk events, contractual provisions around enforcement may need to be strengthened.

Update the Exhibit. Consistent reporting will allow you to make determinations around both the master data security and privacy exhibit template as well as the exhibit applicable to any third party provider. The emergence of new information respecting the third party provider or your organization should also trigger such changes. Examples include data privacy law requirements (such as GDPR, CCPA, etc.), new cyber security and malware threats, data breaches, changes in cyber security trends, etc.

Managing pushback. Despite all our well-intentioned efforts to protect enterprise value by managing risk, at some point there may be pushback from the business even if they have previously bought into the process. In such situations it is, as noted above, important to still document the risks and relevant variables impacting the severity of that risk from the framework you have previously created. Additionally, a decision will need to be made with regards to such risks. There are four potential responses: (i) avoid – refuse to accept the risk; (ii) control or mitigate – change how your company is consuming the third party provider service or product or take additional measures to reduce your company’s exposure to the identified risks; (iii) accept/retain – as noted above, ensure that the agreed to sign-offs are retained and document the acceptance of that risk in the third party provider’s file; and (iv) transfer/share – this involves outsourcing risk to a third party, typically an insurance carrier. Note that when documenting the acceptance of risk the security due diligence results should be included as a possible mitigating factor.

Cybersecurity and privacy regulation have become as critical to address in technology related contracts as confidentiality provisions, but can be significantly more complex. The complexity of regulations and the potential exposures that companies face through their extended networks make it more important than ever to ensure that third party providers are abiding by their security and privacy obligations. The Data Privacy and Security Exhibit as well as its surrounding process will help to ensure that your third party providers are held accountable for taking the requisite measures to preserve your enterprise value.

The Value of Virtual Assessmen...

Eric Krell 09-11-2019

A risk-based determination of whether – and how – to conduct remote assessments of vendors

Expert Contributors:  Angela Dogan and Andrew Hout

Given how much time and money virtual assessment of vendors can save companies and their third party risk management programs, it may be surprising to learn that cost and convenience should have little, if anything, to do with determining whether a risk assessment should be performed in person or remotely.

While virtual assessments can deliver major travel and expense (T&E) reductions and labor cost-savings, the magnitude of risk a vendor relationship poses to the organization should be the foremost factor that third party risk managers weigh when determining which vendors can be monitored via virtual risk assessments.

For this reason, virtual assessments are rarely, if ever, applied to critical vendors. It is also crucial to recognize that a supplier’s assigned risk level often fluctuates over time. Vendors that receive a virtual assessment today may require an on-site assessment six months from now due to a change in the risk a vendor may pose or changes to the importance of the relationship to the outsourcer.

In practice, remote assessments are virtually identical to traditional on-site risk assessments – only with conference calls, email, screen-sharing, file-sharing and, in some cases, videoconferencing replacing face-to-face discussions as the primary modes of interaction. As such, the interpersonal aspects of these assessments may require a bit more attention and consideration than is the case for on-site assessments. The success and smooth execution of virtual assessments hinge on mutual trust between the outsourcer and vendor.

Although our discussion here focuses on the value, determination and execution of virtual assessments, it is important to keep in mind that assessments represent the “Verify” component of the “Trust, but Verify” model that Shared Assessments views as crucial to a comprehensive third party risk management program. As is the case with on-site assessments, the value of a virtual assessment also depends on the third party risk management decisions and activities that occur before and after the assessment takes place.

 

A Risk-Based Decision

Organizations with leading third party risk management programs rely on a standard methodology as well as advanced tools and supporting technology to ensure that their assessments – regardless of whether they are conducted in-person or virtually – are scoped to meet their organization’s unique needs.

Today, the most advanced third party risk management practitioners design and deploy assessments that gather and evaluate more than a dozen of their vendors’ critical risk domains, including information technology, cybersecurity, privacy, resiliency and data security risks. A longstanding misconception regarding virtual assessments is that their effectiveness is limited when validating physical security controls. Advances in digital video surveillance have equipped assessors with the evidence they need to validate physical security controls in many situations.

A range of technological advancements as well as growing comfort with virtual working arrangements have significantly increased interest in virtual assessments in recent years. When we first began conducting virtual assessments of third parties at the turn of this century, our interactions often involved conference calls, document exchanges, the sharing of photographs and working through a long list of questions centered on validating specific policies and procedures. While recent advances in videoconferencing, video surveillance, collaboration software, third-party risk standards and tools, and related developments have eased the information exchanges at the heart of a remote assessment, the use of validation questions and the criteria for determining whether a virtual assessment can be conducted in lieu of an on-site assessment have remained unchanged. These evaluations should always focus squarely on the risk factors that contribute to the risk tiers that are developed during the process of categorizing the organizations’ vendors.

Companies with formal third party risk management programs typically organize vendors into several risk-based tiers, ranging from the most risk-critical relationships (e.g., Tier 1 suppliers) to comparatively lower-risk relationships (Tier 2 and Tier 3 suppliers). Tier 3 and Tier 2 suppliers are generally considered the most suitable candidates for virtual assessments. While there are occasional exceptions, a Tier 1 vendor is rarely a fit for having its initial assessment conducted remotely.

When a vendor’s risk level is deemed appropriate for a virtual assessment, the benefits to the outsourcer can be significant. Our experience shows that a virtual assessment can reduce the time it takes to complete an assessment by 54 percent, and its cost by 72 percent, compared with the equivalent on-site assessment. These savings stem from eliminating the travel and expense (T&E) costs and the labor time (including travel, and layovers, between different vendor sites) associated with visiting a vendor’s location. For larger companies with hundreds or even thousands of vendors, these cost reductions can add up to substantial savings.

As appealing as these cost-savings can be, they absolutely should not replace the vendor’s risk rating as the overriding factor used to determine when to deploy virtual assessments.

 

Practical Steps & Qualitative Considerations

Virtual assessments adhere to very much the same process that on-site assessments follow. And, as is the case with on-site reviews, assessment teams should be ready to adapt when unexpected obstacles arise. This elevates the importance of the qualitative dynamics that should be considered in addition to the more tangible components of the virtual assessment.

While virtual assessment protocols vary by organization, they typically include the following activities:

  • Sending out the Initial Communication: The lead assessor typically sends an email that notifies the vendor that it is time for an assessment. This communication explains that the assessment will be conducted virtually and lays out the key steps that will follow, including the timing of a subsequent pre-assessment call, any exchange of documents before the assessment, the creation and sharing of an agenda and the initial scheduling of a date for the assessment. If assessors want the vendor’s team to complete a questionnaire prior to the assessment, they will include that as an attachment or as a link to the Web-based portal where the questionnaire can be completed.
  • Holding the Pre-Assessment Call: This pivotal interaction should establish a spirit of collaboration, flesh out and address any confusion and/or concerns (especially among vendors participating in a virtual assessment for the first time), discuss and settle any points of contention or discomfort, finalize a date and time for the subsequent assessment and, ultimately, clearly align expectations. It is important for the vendor’s team to understand that they can and should ask questions about the assessment and help determine the agenda. The call is an excellent time for assessors to educate and inform vendors who lack experience with virtual assessments. The pre-assessment call should also cover all policy and procedure documentation that the assessor wants to see prior to the assessment date. These document requests often spark conversations about vendor policies concerning the sharing of proprietary documentation with external partners. Assessment teams should be prepared to explain how they will transfer, store and delete any vendor documents in a secure manner, and for how long they will retain them. During pre-assessment calls, assessors should convey the need for screen-sharing capabilities so that the two parties can agree on which application to use (e.g., Webex or GoToMeeting). These calls typically last 15 to 30 minutes; however, more time may be necessary when vendors have not previously conducted remote assessments.
  • Setting the Agenda: The agenda for the assessment meeting lays out the vendor’s critical risk domains that the assessor will review (e.g., those related to IT, cybersecurity, privacy, resiliency and data security and other risks), who will be in the room during the call and how long the assessment call will last. A typical virtual assessment requires four to six hours to complete; however, some virtual assessments can be completed within two hours when a significant amount of requested documentation is shared prior to the call.
  • Conducting the Assessment: The virtual assessment mirrors the structure and flow of an on-site assessment. The assessor works through the agenda on the phone, asking the vendor’s team to share artifacts via the screen-sharing tool. Most of these requests are for the validation of processes – evidence that the vendor has executed specific tasks in accordance with its policies and procedures. While assessment teams request policy and procedure documents prior to the meeting, they normally want to review the validation documents in real-time, during the virtual assessment. Once the meeting concludes, the assessor adheres to the same protocols that follow a traditional on-site assessment. This includes documenting the assessment’s findings, identifying issues that need to be addressed and laying out remediation plans. In addition to thinking quickly on their feet, assessors should also foster a collaborative mindset. Assessment teams should establish and reinforce trust throughout the process, starting with the initial email communication. It is easier to catch flies – and risk-management lapses – with honey than vinegar.

In the end, it is vital to keep in mind that third party risk management programs and the virtual assessments that strengthen these capabilities are designed to make important relationships with external partners even more valuable.

What ‘Virtual’ Mea...

Eric Krell 09-10-2019

The word virtual’s various meanings include “near enough” and “not physically existing.” When it comes to performing virtual assessments, outsourcers and third parties should keep both definitions top of mind.

For all practical purposes, virtual assessments are the same as onsite assessments, excluding the assessment team’s physical presence on the vendor’s premises. This means that remote reviews mirror the processes, information exchanges and discussions that occur during traditional assessments. This also means that the interpersonal skills required to sustain the effectiveness, efficiency and cooperative nature of assessment interactions are perhaps even more important on virtual assessments.

“It’s all about the soft skills, regardless of whether you’re working onsite or conducting a remote assessment,” says The Santa Fe Group Vice President Tool Development and Implementation Andy Hout, who began conducting onsite and virtual assessments in the financial services industry two decades ago. “As an assessor, when I requested documentation during a virtual assessment, I would explain exactly what I would do with that documentation, including how I would securely store it and how long I would retain it. I would discuss that upfront for governance purposes, but also to establish trust. You need to cultivate trust on any assessment, but on a remote assessment, you want to establish a little bit more trust.”

Lynx Technology Partners Director of Vendor Risk & Compliance Services Angela Dogan, a Shared Assessments member, agrees. In a forthcoming article on virtual assessments she co-authored with Hout, Dogan explains why the pre-assessment call that takes place prior to the virtual assessment represents a crucial opportunity for assessors to build trust, align expectations with the vendor team, and set a cooperative tone for the ensuing assessment meeting.

Hout and Dogan also facilitated a Shared Assessments Member Forum Call on virtual assessments earlier this month, during which they shared their insights gained from conducting virtual assessments along with this description:

A virtual third party assessment is a form of due diligence that replaces certain onsite evaluations with similar or alternative processes accomplished remotely in real-time. A virtual assessment may be used in circumstances when an outsourcer is denied onsite access and can also be used to reduce travel and expenses. In virtual onsite assessments, web-enabled participants can provide, review and verify required control artifacts from a Third Party’s environment.

The importance of clear communications, aligned expectations, cooperation and mutual trust on all assessments makes sense given how frequently (and how expensively) human fallibility figures in major risk management lapses.

Capital One’s recent data breach, which exposed the personal information of more than 100 million credit card customers, was attributed to a hacker who had previously worked for one of Capital One’s primary cloud service providers. The cybersecurity breakdown was also attributed to a high turnover rate in Capital One’s cybersecurity unit, according to The Wall Street Journal. In their new book, The Fifth Domain: Defending Our Country, Our Companies, and Ourselves in the Age of Cyber Threats, co-authors Richard A. Clarke and Robert Knake, former Director for Cybersecurity on the National Security Council at the White House, zero in on the risks posed by individual employees who reliably click on links in phishing emails. For years, former-hacker-turned-cybersecurity-consultant Kevin Mitnick has thrived by advising companies and countries to fortify their “human firewalls” through training and awareness. “You can have the best technology in the world,” Mitnick said in a recent interview, “but if I can call or email or somehow communicate with a target in your company, I can usually bypass all of that technology by manipulating the target.”

The human element is equally important to address during all third party assessments, whether they take place on site or virtually. While assessors should deploy the best assessment methodologies and processes in the world, they should also be aware of the softer skills they need to optimize the value of these tools.

Are We Heading Back to School ...

Linnea Solem

Seasons change and priorities change as we exit the dog days of summer and head into back-to-school timelines and the waning days of legislative sessions. This past month Shared Assessments Program Advisory Board Members and Steering Committee Members facilitated three separate educational events on privacy and third party risk in today’s dynamic landscape. Adam Stone and I kicked off the privacy dialog at an IAPP KnowledgeNet event; Brad Keller and I led a dialog at the August monthly forum call; and Norm Maley and I wrapped up the month with a discussion on the BrightTALK channel on privacy developments.

So what did we hear? What did we learn? What do we need to study?

A common message is that when you combine privacy fines and enforcement actions with murky timelines for compliance with CCPA, risk professionals are confused about how to prioritize and focus their readiness efforts. Too much noise, chatter and confusion about privacy changes has put us into a state of analysis paralysis.

Here’s a quick recap of the top three “privacy hot topics” that shaped our discussions with attendees:

#1 Predicting CCPA enforcement timelines:

You’d think understanding when a state regulation comes into effect would be easy, right? Wrong. There are subtle nuances to understanding the difference between a regulation being in effect and being enforced. Here are my crib-sheet notes summarizing the key dates.

  • The law goes into effect Jan. 1, 2020 and will be enforced no later than July 2020
  • There are up to 7 amendments to CCPA currently in motion within the CA state legislature; the session ends Sept. 13th, which gives the Governor until October 13th to sign or veto the amendments.
  • The state AG has committed to publishing final rules in “Fall 2019”. Given that the rulemaking process allows a 45-day comment period, that puts the earliest date for full enforcement at roughly May 2020.

The tricky part is that not all requirements under CCPA depend on the AG’s final rules. The private right of action is a good example. In addition, the “look-back” obligation for responding to consumer data access rights reaches back 12 months, to Jan. 2019.

So how do you explain this to the C-Suite in your organization? Understanding CCPA and planning for readiness address the “what”: what your organization has to know, or study, to be ready for examination. The AG rules will provide clarity on the “how”, so that you can prepare for the enforcement approach.

Bottom line – CCPA foundational readiness efforts for transparency of data use, sharing of data with third parties, and notices need to be past their midterms. The final AG guidance is simply the final exam after a year of privacy school.

#2 Understanding changes to Privacy frameworks

While fines and enforcement are making media headlines, the common theme is figuring out privacy beyond just security controls in today’s digital landscape. Today’s digital disruption is bringing privacy obligations under new use cases and terminology, vs. focusing only on data protection.

ISO released its first international standard for privacy information management (ISO/IEC 27701), which specifies the requirements for establishing, implementing, maintaining, and continually improving a privacy-specific extension to an information security management system. NIST is on track to release its NIST Privacy Framework for comment, with finalization targeted for the end of the year. The NAI has updated and released its self-regulatory requirements in an updated 2020 Code of Conduct for member companies. Changes are focused on the new products and technology used in digital advertising, with updated obligations for companies’ data collection and use for digital advertising. Even the AICPA standards for SOC reports this year now bring both privacy obligations and vendor/business partner risk management into the common control structure.

If industry acronyms and standards feel overwhelming, don’t worry, you are not alone. While each is focused on a different area of privacy, they all build on the common foundations of the Fair Information Practices concepts and the Generally Accepted Privacy Principles. The frameworks and tools are mechanisms both for self-assessment and for reviewing the maturity of your privacy program.

#3 Addressing differences in State Privacy Regulations

While California has the reputation for leading the way in state privacy regulation, other states including NY, MN, CO, NV and even Vermont have put their own stamp on privacy priorities. There are over 15 states with some level of privacy legislative activity, and over 7 have shifted the requirements on the definition of personal data. The Shared Assessments Q1 Blog provided the history and baseline facts about CCPA as the primary study material.

Creating a checkerboard approach to privacy regulations can be inefficient and resource intensive, as we know from a decade-plus of state-by-state breach notification regulations. A common misperception is relying on exemptions or preemption as the sole compliance readiness approach. Even banking organizations that have had programs in place for GLBA safeguards are not totally immune, as aspects of CCPA apply to them. While states may take different approaches and timelines, responding requires an organization to assess, define, and deploy changes to procedures, standards and business processes.

CCPA, Privacy Frameworks, and State regulations are bringing privacy compliance and third party risk together from multiple perspectives.  While the timelines are confusing, the best approach is to do your homework – be prepared by assessing the current state of how you address privacy risk.

  • Identify the business processes that are impacted by changes to privacy regulations.
  • Track which third parties access, process, store, or retain any classification of privacy data.
  • Prioritize your approach by reviewing your vendor inventory to identify the subset of third-party relationships that require stronger privacy oversight.
  • Plan your approach and what resources you will need to implement changes on a quarter by quarter basis over the next 18 months.
  • Create your elevator pitch to your C-Suite on what changes to privacy regulations mean to your organization and be able to convey in simple terms what you need for success.

The pace of privacy changes, through either legislation or enforcement action, is not going to slow down in the coming months. Risk professionals need to prioritize and plan to create repeatable processes and building blocks that can be leveraged across multiple drivers. Privacy pros and third party risk professionals are becoming study buddies in assessing all of these developments in the curriculum of privacy.

Shared Assessments’ TPRM...

Gary Roboff 08-09-2019

The July 2019 Shared Assessments Member Forum introduced the first sections of the Program’s Third Party Risk Management (TPRM) Framework. The Framework is a new member resource designed to provide TPRM guidance to risk professionals across the experience spectrum. The first module of the Framework focuses on risk basics and provides a foundational grounding about broadly applicable risk management concepts. This module goes on to introduce readers to a range of important TPRM practices, such as maintaining vendor inventories, differentiating critical vendors and basic resiliency techniques, such as testing ability to recover from an unplanned service interruption.

As part of the presentation, we polled Forum attendees on four subjects, and the results were instructive. Without a coherent perspective on risk limits, outsourcers may well find they have taken on more risk than is prudent or than the board expects. To test the notion that even when boards develop complete risk appetite statements, they often fail to socialize risk appetite in a way that is useful when business units make decisions about third party risk, we asked: “Is your organization’s risk appetite widely understood and applied throughout your organization?” Sure enough, more than 40% of attendees reported a negative response.

Is your organization’s risk appetite widely understood and applied throughout your organization?

58%  Yes

42%  No

The second polling question was designed to test whether attendees had a vendor inventory that is accessible across their organization. The results of that polling question were surprising – more than 43% said that even this most basic TPRM requirement was not available. Without a widely available vendor inventory, outsourcers have a much harder time protecting against concentration risk, the exposure that comes from too much centralization of third party resources into a single vendor. If a vendor that poses multiple points of exposure fails, consequences may be felt across a number of important functions without management recognizing the extent to which concentration risk is a major point of vulnerability for the organization.
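The two inventory questions raised here (is there an enterprise-wide vendor inventory, and does it let you see concentration risk?) and the privacy post’s advice to track which third parties handle privacy data both come down to the same thing: an inventory you can query. The following Python example is added here to illustrate that; it is not part of the Forum presentation or of the Shared Assessments Framework. The inventory rows, vendor names, field names and the “two or more business units” threshold are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample inventory (fictitious vendors; field names are assumptions).
# One row per engagement, so a vendor used by several business units appears
# several times; that is exactly what makes concentration visible.
VENDOR_INVENTORY = [
    {"vendor": "Acme Cloud",       "service": "core banking hosting", "business_unit": "Retail",     "tier": 1, "data": ["PII", "PCI"]},
    {"vendor": "Acme Cloud",       "service": "data warehouse",       "business_unit": "Analytics",  "tier": 1, "data": ["PII"]},
    {"vendor": "Acme Cloud",       "service": "backup storage",       "business_unit": "IT",         "tier": 2, "data": ["PII"]},
    {"vendor": "Payroll Partners", "service": "payroll processing",   "business_unit": "HR",         "tier": 1, "data": ["PII"]},
    {"vendor": "Snack Supply Co",  "service": "break-room vending",   "business_unit": "Facilities", "tier": 3, "data": []},
    {"vendor": "PrintIt",          "service": "marketing print",      "business_unit": "Marketing",  "tier": 3, "data": []},
]


def critical_vendors(inventory, critical_tiers=(1,)):
    """Differentiate critical vendors: any vendor with at least one
    engagement in a critical tier. A vendor's tier is the highest-risk
    tier of any of its engagements, not the tier of the one you happen
    to be looking at."""
    return sorted({row["vendor"] for row in inventory if row["tier"] in critical_tiers})


def concentration_risk(inventory, threshold=2):
    """Flag vendors whose failure would hit `threshold` or more distinct
    business units at once. Returns a dict keyed by vendor with the units,
    services and the highest-risk (lowest-numbered) tier involved."""
    by_vendor = defaultdict(list)
    for row in inventory:
        by_vendor[row["vendor"]].append(row)

    flagged = {}
    for vendor, rows in by_vendor.items():
        units = {row["business_unit"] for row in rows}
        if len(units) >= threshold:
            flagged[vendor] = {
                "business_units": sorted(units),
                "services": sorted(row["service"] for row in rows),
                "highest_tier": min(row["tier"] for row in rows),
            }
    return flagged


def critical_share(inventory, critical_tiers=(1,)):
    """Fraction of critical-tier engagements held by each vendor: a second
    view of concentration, this time weighted toward the relationships
    that matter most."""
    critical_rows = [row for row in inventory if row["tier"] in critical_tiers]
    counts = defaultdict(int)
    for row in critical_rows:
        counts[row["vendor"]] += 1
    total = len(critical_rows)
    return {vendor: n / total for vendor, n in counts.items()} if total else {}


def privacy_data_vendors(inventory, classifications=("PII",)):
    """Track which third parties access, process, store or retain any of the
    given data classifications (the privacy post's second checklist item)."""
    wanted = set(classifications)
    return sorted({row["vendor"] for row in inventory if wanted & set(row["data"])})


if __name__ == "__main__":
    print("Critical vendors:", critical_vendors(VENDOR_INVENTORY))
    for vendor, detail in concentration_risk(VENDOR_INVENTORY).items():
        print(f"Concentration risk: {vendor} -> {detail}")
    print("Share of Tier 1 engagements:", critical_share(VENDOR_INVENTORY))
    print("Vendors handling PII:", privacy_data_vendors(VENDOR_INVENTORY))
    print("Vendors handling PCI:", privacy_data_vendors(VENDOR_INVENTORY, ("PCI",)))
```

Note that the backup-storage engagement is only Tier 2 on its own, yet it is what pushes Acme Cloud over the concentration threshold; an inventory kept per business unit, rather than enterprise-wide, would never surface that.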

 

Does your organization have a complete vendor inventory accessible enterprise-wide?

57%  Yes

43%  No

The third polling question was designed to test another basic but critical requirement – that outsourcers clearly differentiate those vendors that have the potential to expose the outsourcer to the highest levels of risk. The polling results in this instance were heartening – almost 95% of responses said they regularly differentiated critical vendors; a task that allows outsourcers to better match the degree and type of due diligence activities to the amount of risk a critical vendor may present.

Do you differentiate critical vendors in your inventory?

95%    Yes

5%    No

 

The final poll was designed to provide insight into the extent to which attendees test their organizations’ ability to restore services after an interruption. Vendor testing is a subject that Shared Assessments explores in our Benchmark Survey, conducted annually in partnership with Protiviti. The results of this informal poll tracked nicely with Benchmark Survey findings: about 75% of the Forum participants test regularly.

Have you tested your ability to quickly restore all critical services?

75%   Yes

25%    No

 

Whether you are a practitioner new to the field of third party risk management or a long-time veteran, we think you’ll find the new Shared Assessments TPRM Framework a uniquely valuable resource. You can download the first two sections at https://sharedassessments.org/framework/. The next Framework module, which focuses on periodic assessments and continuous monitoring, will be made available soon. Watch for the upcoming release notice.

Mapping: Connecting the Dots ...

Jeremy Byellin 08-07-2019

The world of third party risk (TPR) is a big place. It encompasses numerous industries, is governed by a variety of laws and regulations, and reaches around the globe.  Given this substantial diversity in the TPR ecosystem, establishing standards that appeal to the many needs and interests may be a daunting task.

Nevertheless, the Shared Assessments Program was designed to do just that: bring together a wide range of TPR viewpoints to collaborate on common standards in the industry.

Shared Assessments employs multiple vehicles to reach this destination, with “mapping” being among them.  For those unfamiliar with the term, mapping is the process of charting a law, regulation, rule, or standard to another to illustrate their level of alignment with one another.

Shared Assessments devotes considerable resources to mapping many important third party risk standards to its Standardized Information Gathering (SIG) Questionnaire and Standardized Control Assessment (SCA).

Why?  Shared Assessments has labored for years to ensure that the SIG and SCA can be standards in the TPR industry, and mapping has played a vital role not only in helping the SIG and SCA reach the level of “industry standard,” but also in maintaining that title into the future.

The benefits of mapping are diverse.  The process provides valuable information about the similarities and differences between two authorities.  Thus, through mapping, Shared Assessments can identify common requirements and themes that are present throughout a variety of authority documents, and craft appropriate content for the SIG and SCA that may be used by as many of the diverse interests in the TPR world as possible.

Through identifying and analyzing gaps between a standard and the SIG or SCA, mapping may help detect potential shortcomings in the SIG and SCA that may lead to the creation of additional content in future tool releases.

Finally, due to the enormous diversity in the TPR industry, and because the SIG and SCA are meant to be used by as many interests in that industry as possible, the tools may not get as detailed on certain requirements or issues as other TPR authority documents.

Mapping artifacts address this concern by specifically identifying the level of alignment between each requirement within a law, regulation, or standard to each SIG question or to each SCA control.  These mapping artifacts allow users of the tools to distinguish those areas that may require greater scrutiny to remain compliant with applicable laws and regulations.

In other words, mapping illustrates those regions of the TPR landscape for which the tools lack the intensive detail sometimes required by legal mandates.  Indeed, mapping itself offers a greater insight into how the tools fit into the world of third-party risk, and how they can evolve with and adapt to future shifts in the geography.

Good Responses to Bad Contract...

Brad Keller 07-10-2019

Most third party risk managers eventually deal with bad vendor contracts. In most cases, these contracts – which lack important provisions or no longer conform to regulatory requirements or organizational guidelines – pose significant risks to the organization. Many of these risks can be mitigated, but doing so requires a well-defined process, a robust third party risk management capability and the right mindset.

 

It’s important to note that poorly drafted or outdated vendor contracts exist in most organizations. It’s not a reflection on the company, but a painful reality of the lack of coordination between risk management and contracting groups. In the past, I conducted comprehensive reviews of vendor contracts at major financial institutions. These reviews routinely unearthed numerous contracts that were out of alignment with current corporate standards, regulations and/or best practices. As veteran IT writer John Edwards asserts in a new CIO article, “Like death, taxes and network downtime, bad contracts are a fact of life for most IT leaders.”

 

John was kind enough to reach out to me for some insights while researching his article, “7 Tips for Getting Out of a Bad Vendor Contract.” The overall guidance and specific steps John presents in his piece are right on the mark, and I encourage you to give it a read. While addressing the interview questions John put to me, I reviewed several considerations that are important for third party risk managers to keep in mind when dealing with unacceptable contracts, including:

  • Risk and value are crucial to assess: When determining what is problematic about a vendor contract, it is important to first gain a high-level understanding of the risk the organization faces if the contract is not revised. It is similarly important to determine the value of the vendor relationship to the organization. By understanding the magnitude of risk and the value of the relationship, third party risk managers will have a better sense of how aggressively they should push for changes to the contract.
  • Modifications can be made at any time: Contracts can be modified even when they are not up for renewal. Changes in regulatory requirements, industry standards and technology are the most frequent reasons driving the need for adjustments. You can always approach a vendor and lay out reasons for altering the contract.
  • Contract modifications can be costly and time-consuming for both parties: The better the relationship is, the more likely the vendor will be to engage in a meaningful discussion about changing the contract. That’s important because contract modifications can be a costly and laborious endeavor for both the organization and the third party. When you clearly convey your business rationale for the change, your vendor is more likely to collaborate with you on a solution. That said, you also should be prepared to offer concessions given that the changes may create additional costs for the vendor. It is also helpful to develop and agree on a timeline to implement the operational changes needed to comply with the terms of the revised contract.
  • Be prepared for termination: In cases where the vendor is unwilling to modify the contract (and where the organization is unwilling to accept the attendant risk), termination may be the only option. Terminating a vendor relationship works most effectively when defined processes are in place for managing any transfer of data (or other assets), validating vendor compliance with termination requirements, and selecting a replacement vendor.

 

Ideally, terminations can be avoided when bad contracts are uncovered. This positive outcome is more likely to occur when a vendor views your organization as a critical business partner and is willing to work with you to find a solution acceptable to both parties.

6 Ways the CTPRP Designation B...

Laura Waller 05-21-2019

The Certified Third Party Risk Professional (CTPRP) designation from the Shared Assessments Program validates expertise while providing professional credibility, recognition and marketability in third party risk. Two years after the initial program launch, we created the Associate CTPRP designation to provide an opportunity for individuals newer to third party risk management to leverage the course and exam for training purposes. They are able to earn the Associate CTPRP designation (thus demonstrating a proficiency in third party risk management) and apply for the CTPRP certification once they’ve earned the requisite five years of experience.

This year, we’ve been holding interviews with individuals who have earned the CTPRP certification to find out how the credential has benefitted their organizations and their careers. Our discussions have been illuminating – and varied. Our CTPRP interview subjects range from self-described “third party risk management nerds” to chief executive officers (CEOs).

As we’ve listened to CTPRPs describe how they’ve leveraged the certification (and access to the network of experts it provides) to strengthen their companies’ third party risk management capabilities, we’ve heard benefits we expected to hear (e.g., improvements to the rigor, scope and efficiency of third party risk management programs) and learned about unexpected advantages (e.g., using the CTPRP to strengthen staff retention).

We’re in the process of publishing those discussions in a new Q&A series. In the meantime, here are some highlights from the interviews. The following list reflects some of the ways in which Certified Third Party Risk Professionals say that earning, and retaining, the designation has helped their organizations:

1. Less guess work, more efficiency: A third party risk manager reports that his company’s use of risk scoring and risk tiers helped it manage a large group of vendors more effectively. “We’re able to focus our lean resources on the areas of highest risk, which strengthens our due diligence in an efficient manner,” he explains. “Until you start doing that, you’re just shooting randomly and hoping that you address the high-risk vendors – and that’s just guess work.”

2. More structure, less scrambling: Leveraging the certification and the Shared Assessments network, a third party risk manager designed a better framework to respond to requests from all client companies. He says the framework “enables us to be far more nimble and effective when we respond to tailored requests. We can be sensitive to those unique information requests without launching an all-out fire drill.”

3. Deeper scrutiny of more vendors: In some cases, the CTPRP experience shows leaders of mature third party risk management programs how they can make further refinements. A CTPRP who manages third party risk from an information security perspective says his experience earning the designation showed him how his company could “significantly increase the number of vendors that are in scope.” That change helped his team identify more problem areas along with new ways to address those issues. “We’ve also expanded our enterprise TPRM program to additional areas of the [company] and worked to include more types of third parties in scope.” He adds, “Many of those changes were made as a result of the training I received in the CTPRP coursework.”

4. Effective communications promote TPR best practices holistically: A manager of third party risk says his certification experience helped him recalibrate how he communicates about vendor risks with business partners. When business partners ask him if he can “approve” a new vendor, he treats it as an education opportunity by explaining that his role is to conduct research and then share it with them so that they can make an informed decision about how to proceed. “I’ve learned how important it is for me to market third party risk management best practices throughout the organization,” he notes. “The education and communications pieces are a huge part of what we do as third party risk management professionals.”

5. Retention and staff development benefits: A CEO who holds the CTPRP designation says the certification has provided staff development and retention benefits. “I’m a big believer in organically grooming staff members to move up the ranks to more meaningful and challenging roles,” she explains. “The CTPRP and the continuing education have helped our people advance their careers while advancing the company’s capabilities.”

6. More business: The same CEO also notes that the certification helps convey her firm’s commitment to privacy and security issues to client companies and prospects. “I know that the certifications we have as a firm, and as individuals, really make a difference,” she adds. “I can think of three situations where our involvement with Shared Assessments and the CTPRP certification were helpful factors in securing major new customers.”

Bottom-line improvements and other organizational benefits are only one part of the CTPRP’s value proposition. “It’s really changed the direction of my career,” says a third party risk manager responsible for information security. “Inside the company, I’m a primary advocate for analyzing third parties. Outside the company, I’ve been speaking about third party risk at information security conferences.”

Check the current schedule to earn your CTPRP.

If you are a CTPRP holder and want to speak about how the designation has helped your career or third party risk program, please contact Laura at laura@santa-fe-group.com.

Happy One Year GDPR Enforcemen...

Tom Garrubba


It’s hard to believe it’s been one year since GDPR enforcement took effect (May 25, 2018). For many, the honeymoon (or “honeydo”) hasn’t quite worn off yet, as organizations are still trying to ensure they meet some level of conformity with the most encompassing privacy regulation to date. There are also those who will continue to roll the dice.

Initially, many small and mid-sized US-based organizations believed that GDPR would not apply to them, given their small European presence in terms of either customers or employees. But upon further study they realized this was more than just a compliance activity. Organizations discovered that they needed to revise and refine their entire enterprise strategy around privacy, with a better understanding of where their data was moving both within the organization and outbound to processors.

Last week I was across the pond meeting with senior-level operational risk professionals from Europe, and I wanted to get feedback from the front lines. I was taken aback by some of the things I heard.

Firstly, many companies are still wrestling with GDPR implementation, which has proven to be time- and resource-intensive. Some expected their budgets and staffing to increase to address compliance, but sadly, neither has occurred.

Secondly, for many of these companies, GDPR compliance has slowed their digital transformation toward more efficient use of data within their organization. The main reason is that organizations continue to be either unsure or uncomfortable about what can be shared internally and externally, and they have grown deeply concerned about failing to conform to GDPR and other regulations.

Thirdly, some have indicated that GDPR is “yesterday’s news” and that they are moving on to addressing other more pressing concerns. I did not receive any indication as to whether this may be due to their present comfort with conforming to the regulation or that they feel they have no need to pursue such activities further.

Finally, there are firms that have not done anything and do not plan to – until they see stronger evidence of penalties being used in the enforcement process.

The common theme appears to be: if you are a mature organization, then you have most likely taken the time to build “privacy by design” into your risk structure. These organizations have generally found the right people, developed appropriate privacy processes, procedures and linkages, and are able to track all points of customer data internally and externally. Conversely, this causes headaches for many of these companies, as they are now afraid of sharing any customer data internally and/or externally, which impairs their ability to target potential market opportunities out of fear of potential fines and reputational damage from GDPR compliance missteps.

So, now that you are coming through your GDPR hangover, anyone up for a round of CCPA?

Now Available: 2019 Vendor Ris...

Gary Roboff 05-08-2019


“My dear, here we must run as fast as we can, just to stay in place. And if you wish to go anywhere you must run twice as fast as that.”

-Lewis Carroll, Alice in Wonderland

As they assess today’s complex risk and regulatory environments, third party risk management (TPRM) practitioners may feel as if they’ve tumbled through the looking glass. Given the constantly changing and sometimes strange world of third party risk, most organizations must work diligently just to sustain the current performance and sophistication of their TPRM programs.

That’s one of a number of key insights from the 2019 Vendor Risk Management Benchmark Study, which is based on survey research and analyses jointly conducted by Protiviti and The Shared Assessments Program. The report’s findings indicate that:

  • The correlation between high levels of board engagement and programs with fully mature TPRM practices is very high. That relationship has been demonstrated using a second set of metrics in this year’s report;
  • Most vendor risk management programs in all industries face difficulties keeping up with the pace of change in the external environment; and
  • Resource constraints in the face of higher risk management costs represent a pervasive challenge.

This marks the fifth year that the Shared Assessments Program and Protiviti have collaborated on this research, which is based on the Shared Assessments Program’s proprietary Vendor Risk Management Maturity Model (VRMMM). For 2019 the program updated the VRMMM with numerous enhancements, including the addition of 81 new detailed criteria. These additions made it possible for us to develop benchmarking capabilities in eleven new focus areas, including aspects of continuous monitoring, fourth party risk management, resource availability and optimization, privacy, virtual assessments, geolocation risks and more.


In addition to the three findings I mentioned above, our 2019 report also reveals that:

  • Cyberattack disruptions are increasing, and it is taking organizations longer to fix the issues that led to a successful strike. Approximately 67 percent more respondents to this year’s survey reported that their organizations experienced a significant disruption from a cyberattack or hacking incident, compared to respondents who reported similar disruptions in our previous survey. What’s more, the percentage of organizations that fixed the issues that led to a successful cyberattack within one month declined by 17 percent from last year’s findings to this year’s results. Last year, only 28 percent of respondents reported that these fixes took three months to one year to complete; this year, 37 percent of respondents reported that fixing the issues that led to a significant cyberattack required three months to one year.
  • More organizations are likely to move away from high-risk third-party relationships. Fifty-five percent of respondents report that their organizations are extremely likely or somewhat likely to move or exit risky vendor relationships, a 2 percent increase compared to last year’s survey. This tendency is likely driven by increasing TPRM resource constraints including the inability of some outsourcers to effectively utilize continuous monitoring capabilities to better gauge and control fourth party related risks in their programs.


The report, which is available at no cost, is packed with information and insights related to all areas of vendor risk management. Reading through the results will help TPRM leaders and their teams get a firmer grasp of how their program compares to others in the same industry. Together with the Vendor Risk Management Maturity Model on which the benchmark survey is based, the Benchmark Study is the perfect tool to determine and steer TPRM programs toward a custom maturity level that’s appropriate for every organization, irrespective of the industry in which it operates.

The Realities of Raising Fraud...

Shared Assessments 04-29-2019


Authored by: Emily Irving, VP Third Party Risk, BlackRock and Shared Assessments Steering Committee Vice Chair and Bob Jones, Senior Advisor, The Santa Fe Group

If you could print $200 million on your home printer each year, how would it affect the world economy? If all humans could avoid physical contact with each other for two weeks, would the common cold be eradicated? If every person on earth aimed a laser pointer at the moon, would the moon change color?

Author and former NASA roboticist Randall Munroe poses these and other peculiar questions in his best-selling book “What If?” for an extremely practical reason. By providing serious scientific answers to these hypotheticals, Munroe takes readers on a journey that inspires them to think more creatively about real-world challenges, expands their awareness of what’s possible, and sharpens their problem-solving skills.

Third party risk management (TPRM) leaders ought to embark on a similar journey. A valuable way to do so is by collaborating with an inherently skeptical group of professionals who have mastered the art of asking hypothetical questions: anti-fraud experts. Fraud examiners, fraud prevention specialists and other anti-fraud professionals routinely pose TPRM-relevant questions such as:

  • Why don’t wire transfers to our vendor contain a recipient’s name?
  • What if an employee’s home address appears as a vendor address in our accounts payable (A/P) database?
  • Why is our Phoenix office being repainted for the fifth time this year?
  • Why are vendors with high bids winning the competitive bidding processes?
  • Why are we approving so many change control requests from that vendor?
  • What if a third party executive has close ties with a former government official in a country known for corruption?

It turns out that fraud is a major source of third party risk; it also turns out that third parties are a major source of corporate fraud.

To date, 90 percent of Foreign Corrupt Practices Act (FCPA) enforcement actions since the law came into force in 1977 have involved third party intermediaries, according to ongoing research conducted by Stanford Law School and Sullivan and Cromwell LLP. The interrelated nature of fraud and third party risk management behooves TPRM teams and corporate fraud-prevention experts to work together and continually communicate. In many instances, however, collaboration between organization TPRM and fraud prevention ranges from subpar to non-existent.

Building and improving this relationship begins with recognition of the value that anti-fraud expertise can add throughout various TPRM phases. Equipped with that understanding, TPRM leaders and professionals can consider subsequent steps to launch and advance ongoing collaborations among anti-fraud teams and TPRM groups.


The Value of Skepticism

The decades-old concept of the fraud triangle remains relevant today because it has proven so effective in preventing, deterring, detecting and investigating corporate fraud. According to this framework, fraud occurs when three conditions exist:

  1. A non-sharable problem;
  2. An opportunity for trust violation; and
  3. A set of rationalizations used to justify the fraud.

The criminologist credited with originating the Fraud Triangle concept indicated that all three elements must be present for a fraud to occur, according to a Fraud Magazine article titled “Iconic Fraud Triangle Endures.” The author of that piece, W. Steve Albrecht, also emphasizes that “The triangle metaphor continues to be extremely useful in helping anyone better understand fraud.” Albrecht served as the first president of the Association of Certified Fraud Examiners (ACFE), the world’s largest anti-fraud organization and premier provider of anti-fraud training and education.

Fraud awareness adds value throughout the TPRM lifecycle, including the following phases:

  • Due diligence and onboarding: Spotting atypical behavior, sniffing out inconsistencies and continually asking “Does this make sense?” are primary responsibilities of anti-fraud professionals. These experts frequently access databases in a secure, compliant and discreet manner while conducting their detective work. For example, when a company is considering hiring a vendor, the anti-fraud team might check that vendor’s various addresses against organizational databases containing employee addresses. While a match would not automatically disqualify the prospective vendor or trigger disciplinary action against the employee, it would certainly result in a rigorous examination along with some pointed questions.
  • Monitoring: Anti-fraud professionals typically monitor whistleblower hotline claims and follow up on those issues. They also deploy link analysis to identify relationships among various types of fraud investigations. This link analysis can be harnessed to monitor data traffic for any related suspicious activity. Given that fraud examiners tend to be the first responders to fraud claims, the information they glean from these events can provide early or even advance warning of information security breaches.
  • Incident response: Some industry regulations mandate the anti-fraud team’s participation in incident response activities. In the financial services industry, for example, companies must report suspected crimes – those that may have been committed against them or those in which they may have been used as a conduit – to the U.S. Treasury’s Financial Crimes Enforcement Network within 30 days of detection. The investigations expertise and interviewing skills that anti-fraud professionals possess not only aid the incident response effort but also can produce valuable insights that TPRM teams can use to improve their processes.
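
The vendor-address check described in the due diligence bullet above is easy to get wrong if addresses are compared as raw strings: “123 Main St., Apt 4B” and “123 MAIN STREET” are the same building but never match verbatim. The following Python is an added example (it is not code from Shared Assessments or from the authors) showing one way to normalise addresses and screen a vendor list against employee home addresses. The abbreviation table, the record format and the sample employees and vendors are all constructed for this example.

```python
"""Vendor-address vs employee-address collision screening.

Added example, not from the Shared Assessments post: normalises street
addresses to a canonical key and reports any prospective vendor whose
address matches an employee home address. A hit is a review trigger,
not a verdict. Sample records below are constructed for this example.
"""
import re
from dataclasses import dataclass

# Street-suffix and direction abbreviations expanded so that
# "Main St." and "MAIN STREET" produce the same key. The table is a
# constructed minimum; a real deployment would use a fuller list
# (and note that "ST" can also mean "SAINT", a known limitation).
_ABBREVIATIONS = {
    "ST": "STREET", "AVE": "AVENUE", "RD": "ROAD", "BLVD": "BOULEVARD",
    "DR": "DRIVE", "LN": "LANE", "CT": "COURT",
    "N": "NORTH", "S": "SOUTH", "E": "EAST", "W": "WEST",
}
# Unit designators; the unit number that follows them is dropped so the
# comparison is made at the building level.
_UNIT_WORDS = {"APT", "SUITE", "STE", "UNIT", "#"}


def normalize_address(raw: str) -> str:
    """Return a canonical key: uppercase, punctuation stripped,
    abbreviations expanded, apartment/suite designator removed."""
    tokens = re.sub(r"[^\w#\s]", " ", raw.upper()).split()
    out = []
    skip_next = False
    for tok in tokens:
        if skip_next:
            skip_next = False
            continue
        if tok in _UNIT_WORDS or tok.startswith("#"):
            # "#4B" carries its number in the same token; "APT 4B" or
            # "# 4B" carries it in the next token, which is skipped.
            skip_next = (tok == "#") or not tok.startswith("#")
            continue
        out.append(_ABBREVIATIONS.get(tok, tok))
    return " ".join(out)


@dataclass(frozen=True)
class AddressRecord:
    owner: str      # employee id or vendor name (constructed values)
    address: str


def find_address_collisions(vendors, employees):
    """Return (vendor, employee_id, normalized_address) triples for every
    vendor address that matches an employee address after normalisation.
    Employees are indexed once, so the check is linear in list sizes."""
    index = {}
    for emp in employees:
        index.setdefault(normalize_address(emp.address), []).append(emp)
    hits = []
    for vendor in vendors:
        key = normalize_address(vendor.address)
        for emp in index.get(key, []):
            hits.append((vendor.owner, emp.owner, key))
    return hits


# Constructed sample data; no real people, employers or vendors.
EMPLOYEES = [
    AddressRecord("E1001", "123 Main St., Apt 4B, Phoenix, AZ 85001"),
    AddressRecord("E1002", "77 Oak Avenue, Tempe, AZ 85281"),
]
VENDORS = [
    AddressRecord("Acme Painting LLC", "123 MAIN STREET, Phoenix AZ 85001"),
    AddressRecord("Desert Supplies Inc", "900 Industrial Rd, Mesa, AZ 85201"),
]


def run_screening():
    """Screen the constructed vendor list against the employee list."""
    return find_address_collisions(VENDORS, EMPLOYEES)


if __name__ == "__main__":
    for vendor, employee, addr in run_screening():
        print(f"REVIEW: vendor {vendor!r} shares address {addr!r} "
              f"with employee {employee}")
```

The output is a review queue for the anti-fraud team, not a block list: as the post says, a match warrants examination and pointed questions rather than automatic disqualification. Because employee home addresses are sensitive personal data, the comparison should run where that data already lives, under the anti-fraud team’s existing access controls, rather than exporting the employee table to the TPRM tool.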


Getting Started

Anti-fraud experts bring a heavy dose of skepticism to all of their work. They also tend to be well-versed in running what-if scenarios as well as in the psychology and motivations that contribute to fraudulent behaviors. These competencies and exercises can help TPRM managers probe their existing processes and capabilities for weak points that they might otherwise overlook.

However, finding these experts requires some detective work in many mid-sized to large organizations. In some companies, the anti-fraud team resides in a larger corporate security group; in others, it may be part of the internal audit function, the enterprise risk management function, or the general counsel’s office. Large enterprises may favor a decentralized approach where a number of anti-fraud teams operate in a matrix structure. Additionally, these teams often operate under different names in different companies. Banks may house anti-fraud professionals in financial intelligence units while retailers refer to these groups as loss prevention. Insurance companies often have special investigations units.

Once TPRM leaders uncover where anti-fraud resources are located in their organization, they can get started on establishing and nurturing these collaborations. On that count, the following steps and considerations can help:

  • Recognize the unique value of the anti-fraud mindset: TPRM leaders and professionals should keep in mind that anti-fraud experts bring a unique perspective, training and set of techniques to the table. These capabilities can significantly enhance the efficacy of TPRM programs.
  • Adjust if anti-fraud resources are minimal: Some companies, including many small to mid-sized organizations, do not have a dedicated anti-fraud team. In some cases, individuals who possess this expertise – former members of local, state and federal law enforcement or the military, and/or professionals who have earned the ACFE designation – may work in other areas of the business (e.g., facilities management) and can be asked to collaborate with third party risk managers. The internal audit function as well as external anti-fraud experts can also be enlisted to provide anti-fraud support.
  • Look for opportunities to collaborate: Anti-fraud experts can start their partnership with TPRM colleagues simply by sharing anecdotes about fraudulent activity they’ve witnessed or learned about through professional channels. Keep in mind that this relationship can be mutually instructive. Many anti-fraud programs will benefit from learning how to adapt portions of TPRM frameworks and methodologies to their work. The due diligence and onboarding of vendors represents a good area to begin reevaluating together. As gatekeepers of these vendor relationships, TPRM managers can ask anti-fraud colleagues what types of screening approaches and questions they would put to prospective third parties.
  • Include other stakeholders: As TPRM programs begin to work with anti-fraud experts it is important to expand these collaborations to include other parts of the organization that are ripe for fraud and/or third-party risk, such as procurement, A/P, human resources, and information security.

Once TPRM and anti-fraud groups establish a relationship, they should look for ways to integrate anti-fraud considerations and activities into TPRM processes and programs in a permanent way. Doing so can help prevent disturbing and costly hypotheticals – no matter how absurd they may sound – from becoming reality.


Sources

What if: https://what-if.xkcd.com/

Stanford Study: http://fcpa.stanford.edu/chart-intermediary.html

Fraud Triangle: http://www.dkcpas.com/content/client/7fa6b31cca001f1ab32e5d2a03a5b153/uploads/iconic-fraud-triangl.pdf


And the Shared Assessments Awa...

Jenny Burke 04-25-2019


At this year’s Shared Assessments Summit Reception and Awards Ceremony, VIPs were recognized for their investment, time and effort in addressing and mitigating third party risk through the Shared Assessments Program.

“Shared Assessments would not be the organization it is today without our incredible membership and the leaders that provide their time and unyielding dedication,” said Catherine Allen, CEO and Chairman of The Santa Fe Group.

In just the past year, the program has grown significantly in scope and scale with almost 300 member companies across industries. Without the active participation and expertise of its members, Shared Assessments would not have the impact it now has on risk management, security, data breaches and the pivotal role of the CISO in the corporate boardroom.

The annual Lifetime Achievement Award is given to honor those who have made significant contributions and impact in the fields of information security, cybersecurity, risk management and third party risk. This year’s award went to Steve Katz, the first CISO in the financial services sector. Steve has been a pioneer in Information Security, but more importantly has focused on mentoring and developing others in the field.

The Founder’s Award, which is given to a member for providing their unparalleled dedication and leadership to the program, was presented to Ken Peterson, Founder and CEO at Churchill & Harriman. Ken has been with Shared Assessments since its inception. He has served on both the Steering Committee and Advisory Board and was instrumental in coordinating the Shared Assessments/Churchill & Harriman Healthcare Forum in 2015.

The Shared Assessments Evangelist Award recognizes deeply involved and enthusiastic members for their tireless efforts in promoting Shared Assessments to partners, prospects, associates and colleagues. This year that prestigious award went to Angela Dogan, Ron Bradley, John Bree and Nasser Fattah.

  • Angela Dogan, Director of Vendor Risk & Compliance Services at Lynx Technology Partners, has been a vocal proponent and evangelist of Shared Assessments even before she became a member. As Chair of the Standardized Control Assessment (SCA) Committee, Angela has successfully pushed assessment firms to adopt and use the procedures.
  • Ron Bradley’s long history with Shared Assessments reaches back to the beginning of the program and his keen insights on the first Standardized Information Gathering (SIG) questionnaire. A member of the Steering Committee with a strong background in banking, operational technology and consumer goods, Ron has steered the direction of the Consumer Goods Vertical Strategy Group and the SIG Committee.
  • John Bree, SVP and Partner of the Neo Group, leverages his global risk management experience to support and promote Shared Assessments across the board. As a member of the Steering Committee, he brings his financial industry expertise to the program through extensive committee work, presentations and research contributions.
  • Nasser Fattah, Managing Director at Bank of Tokyo-Mitsubishi UFJ, has been a longtime Shared Assessments and Steering Committee member. He has expanded his contribution this year by serving as Co-Chair of the Financial Institutions Vertical Strategy Group and volunteering as a guest speaker.

The Leadership in Education and Development (LEAD) Award recognizes a person making an ongoing commitment to third party risk training and development. The award went to Linnea Solem, CEO and Founder of the management consulting firm Solem Risk Partners. Linnea’s experience on the Advisory Board and Privacy Committee and depth of knowledge in governance, privacy, security and compliance has helped guide the policies of the Shared Assessments Education Program.

David O’Connor, Manager of Information Security at Iron Mountain, received the Innovator Award for his overall guidance and insight along with his vast experience responding to assessment requests. David has also provided critical input and feedback into the functionality of the SIG tool from the unique perspective of a service provider.

The Cornerstone Award recognizes lasting contributions to the Shared Assessments Program, and was given to Jonathan Dambrot, CEO, Co-Founder and Board Member of Prevalent. Jonathan has been a leader in third party risk for many years, lending his strategic vision to the program. He chaired the Steering Committee and has recently joined the Shared Assessments Advisory Board. Jonathan has also set up a scholarship program for cybersecurity.

This year’s MVP award was given to Bob Maley, CSO at NormShield and Co-Chair of the Continuous Monitoring Working Group. Bob is also a Steering Committee member and leads the Taxonomy Subcommittee which categorizes specific vulnerabilities and events that can be monitored by both solution providers and outsourcers.

Glen Sgambati, Customer & Industry Relations Executive of Early Warning, received the Steering Committee Chair Award after serving multiple terms. Glen has been an active member and participant of the Shared Assessments Program since its inception. Outside of his expertise in third party risk management, Glen is a leader in areas such as fraud, product management, crisis management, enterprise risk and relationship management and sales.

The following were recognized as Committee Chairs:

  • Brenda Ferraro, Senior Director of Networks, Prevalent, Inc.
  • Ron Bradley, Senior Manager, Information Security, Reynolds American, Inc.
  • John Bree, SVP & Partner, Neo Group, Inc.
  • Michelle Clement, Head ERM, Third Party Risk, BlackRock
  • Angela Dogan, Director of Vendor Risk & Compliance Services, Lynx Technology Partners
  • Nasser Fattah, Managing Director, Bank of Tokyo-Mitsubishi UFJ
  • Dannielle Goulet, Director, Information Security, The Hartford
  • Priyanka Gram, VP Operational Risk, Neuberger Berman
  • John Ingold, VP, Head of Third Party Risk, T. Rowe Price
  • Emily Irving, VP, Third Party Risk, BlackRock
  • Brad Keller, SVP, The Santa Fe Group
  • Bob Maley, Chief Security Officer, NormShield Cybersecurity
  • Tony Manly, Director of Vendor Management, MERSCORP Holdings, Inc.
  • Tony Mastrolembo, Credit Risk Management Expert
  • Derek Morford, Business Information Security Officer, Allstate
  • Paul Poh, Managing Partner, Radical Security
  • Randy Sabbagh, Solutions Architect, Charles Schwab
  • Glen Sgambati, Customer & Industry Relations Executive, Early Warning
  • Linnea Solem, CEO & Founder, Solem Risk Partners, LLC
  • Caree Wagner, Managing Director, Corporate Operational Risk Management, BNY Mellon

Shared Assessments recently created the new Operational Technology Risk Management Working Group to be chaired by Mike Riecica, Project Leader at Rockwell Automation and Octavio Flores, Corporate Cyber Strategy and Information Security Director at Procter & Gamble.

If you are interested in learning more about participating in Committees as a part of membership, visit our Committees and Groups page.

Congratulations to all of our 2019 Award winners.

A Shared (Assessments) Success...

Eileen Smith 04-23-2019


The 12th Annual Shared Assessments Third Party Risk Summit featured the latest thought leadership and best practices in cybersecurity, risk management, vendor management, privacy and assessments, with provocative topics and engaging keynotes and panelists. Attendees visited with exhibitors and sponsors while engaging in some serious networking with other security professionals, from coffee to cocktails.

Catherine Allen opened the conference by introducing the Founder of Security Risk Solutions Steve Katz, known as “the original CISO,” and recipient of the company’s Lifetime Achievement Award. Katz is a pioneer in Information Security practices.

“We’re all part of the same community,” Katz said in his keynote. “If we don’t help each other out, we’re all going to sink.”


The Game of Risk

The first keynote and panel centered on the role of CISOs and the challenges they face today and into the future. From security breaches to perceived—and often overlooked—risks, the CISO is both executive and technology expert, wielding real power in the boardroom even though the role within the corporation remains fluid and is widely regarded as the hot seat. In fact, according to panelist Devon Bryan, Executive Vice President and CISO for the National IT System at the Federal Reserve, there’s a new name for the information security officer: “Chief Information Sacrificial Officer.”

The CISO is charged with managing a far-ranging and complex portfolio of risk while somehow maintaining a sense of calm. Here’s how Circle K Global CISO Suzanne Hall put it on Wednesday: imagine a bumpy flight where passengers are gripping the armrests. In the midst of turbulence, the CISO is like a flight attendant “who’s still serving coffee.” So basically, remain calm and, well, serve the coffee.

There is a definite need to demonstrate how certain policies will reduce risk. “We have gold in the vault at the Fed but I don’t have an unlimited budget,” Bryan said.


CISOs should be diplomats, not politicians.

Steve Katz

First CISO and Owner | Security Risk Solutions, LLC


OT vs. IT

Today’s CISOs are also tasked with managing new areas of risk, primarily the convergence of OT (Operation Technology) and IT (Information Technology) and any complications that may, and frequently do, arise.

“Both IT and OT teams have to learn to interact together,” said panelist Gary Bruner, Director of IT at El Paso Electric. “I’ve become a guidance counselor, a priest, a rabbi… I’m a bridge builder.”


Once More Unto the Breach

Also known as: breaches happen. But how? According to a study by IBM and the Ponemon Institute, “Cost of a Data Breach,” the three top factors responsible for data breaches are human error, system glitches, and malicious or criminal attacks. Almost half of all breaches are the result of attacks that intentionally target certain businesses with malicious intent. The average cost of a data breach for organizations worldwide is a startling $3.8 million, and it continues to grow. Even more startling? An estimated 73 percent of businesses are not prepared to adequately respond to a cyberattack.

Assume that a security breach occurred in your company. There’s nothing more important than knowing how to rebuild your reputation after a crisis. “Take responsibility,” said panelist Davia Temin, CEO, Temin and Co. “Give a real apology, not a non-apology apology.” Jesse Bryan, CEO and Creative Director at Belief Agency, had a similar rationale. “Companies go down in hubris borne from success and people think they are clever,” Bryan said. “But flat-out lies and half-truths both damage credibility.”

“You have an opportunity after an incident to turn that around and enhance your reputation,” said Teri Robinson, Executive Editor of SC Magazine. “Show that you’re a good steward of data.”

From cybersecurity and data protection, to financial services and machine learning, the first day of the conference explored a wide range of issues—ones that will essentially revolutionize the world of third party risk as we know it.


Only 1.5 percent of security breaches are known.

Davia Temin

CEO | Temin & Co. Inc.


Which takes us to Day Two.


The Animal Kingdom

James Lam, keynote speaker and President of James Lam and Associates, took attendees on a wild ride as outlined in his February cover story for the National Association of Corporate Directors, “An Animal Kingdom of Disruptive Risks.” There are black swans, or the “unknown unknowns,” gray rhinos, or the “known unknowns,” and white elephants, the “known knowns.” Although each risk has unique characteristics, the impact on a company’s profitability, competitive position and reputation is the same.

As Lam states in his article, corporate directors must “expand their traditional risk oversight beyond well-defined strategic, operational, and financial risks. They must consider atypical risks that are hard to predict, easy to ignore, and difficult to address.”

These challenges make the CISO relationship to the corporate board even more important.

 

In Boards We Trust?

“Boards feel that it’s the ‘unknown’ that will get us,” said panelist Tammy Rambaldi, Director of Enterprise Risk at Johnson & Johnson. “It’s not always the unknown that gets you. The ‘known’ is most often what’s leading to breaches.”

According to panelist Chuck Yamarone, Chief Corporate Governance Officer at Houlihan Lokey, there’s nothing more critical than the tone that the CISO sets at the top. The overall priorities related to risk and security ultimately dictate the decision-making process of how potential obstacles and breaches will be handled.

“The risk group is not a group of auditors, at least I hope not,” said Annie Searle, a lecturer at the University of Washington. “Be nervous when everybody in the room agrees with you.”

  

Risky Business

In the final keynote of the summit, Shamla Naidoo, Managing Partner at IBM Global Security Services, discussed global challenges in risk management.

“Cyber risk, technology risk and business risk have all merged and function together in the world of Risk with a capital R,” said Naidoo. She also stressed the importance of diversity in the world of cybersecurity and the shortage of qualified candidates. By 2021 there will be an estimated 3.5 million unfilled cybersecurity positions, according to Cybersecurity Ventures.

“Talent is short in the cybersecurity area,” Naidoo said. “It’s a real crisis. There aren’t enough people to fill the jobs and what we’ve done in the past is not working.”

 

In the Long Run

The summit concluded with a review of the much-anticipated 2019 Vendor Risk Management Benchmark Study, “Running Hard to Stay in Place,” conducted by Shared Assessments and Protiviti. The survey polled 554 risk management practitioners and C-suite executives against the detailed criteria in the Shared Assessments Vendor Risk Management Maturity Model (VRMMM).

Key insights included:

  • A strong correlation between high levels of board engagement with VRM issues and capabilities
  • Vendor risk management programs barely able to keep up with the fast pace of change
  • A lag in Continuous Monitoring across all sectors
  • Resource constraints as one of the largest VRM challenges

 

More than half of security breaches originate from a third party, making the CISO’s management of the overall risk portfolio paramount to a company’s success (or its demise). Putting a plan in place now to recognize and respond to both known and unknown threats (remember the gray rhinos!) is a good first step in what will surely become an integral component of a corporation’s lifecycle.

If Left to Our Own Devices...

Eileen Smith 03-14-2019


These days everything’s connected through the Internet, that constantly growing and evolving massive communications network. More and more devices are being connected (75 billion or so by 2025), forming a complex interrelated platform or ecosystem commonly referred to as the Internet of Things (IoT). This platform offers consumers convenience, ease of use, comprehensive information management and, unfortunately, unknown security risks. Every consumer wireless device (every smart appliance, every wearable, every medical implant, every door lock and thermostat, every self-driving car, every surveillance camera, every seemingly eavesdropping personal assistant) transmits data, much of it very sensitive, in order to keep everything working. Some of the time.

Meanwhile businesses are leveraging IoT to foster greater efficiency and productivity, gain real-time information and improve the customer experience by providing innovative solutions and devices. These solutions collect vast amounts of data across the enterprise and across the third parties employed to support and deliver those services. A good deal of this information is generated by those third parties, such as contractors and partners. This leaves business cybersecurity teams markedly more exposed to cyberattacks and data breaches through a vast IoT landscape of potential entry points that have gone unnoticed or, worse, been ignored.

State lawmakers have begun to enact sweeping privacy and security legislation to address these issues in the absence of action at the federal level. In June 2018 California became the first state to pass a comprehensive consumer privacy law, the California Consumer Privacy Act (CCPA), which takes effect in January 2020. The CCPA broadens the definition of “personal information” and gives consumers significantly more control over how their information is used, including how businesses collect, share and sell it. It did not, however, address IoT security specifically.

California then doubled down with the Security of Connected Devices Act (SB-327), also effective January 1, 2020. This law imposes new obligations on makers of connected devices, increases oversight of IoT security, and covers the data (beyond personal data) that IoT devices collect, store and transmit, extending the consumer protections contained in the CCPA.

SB-327 requires manufacturers of connected devices to equip them with security features that are “reasonable” for the device’s nature and function and that protect the device as well as “any information it may contain from unauthorized access, destruction, use, modification, or disclosure.” For the password problem specifically, the law spells out what counts as reasonable: a device that can be authenticated to from outside the local network must either ship with a password unique to that unit or require the user to set a new credential before access is granted for the first time. Either path eliminates the shared factory default password. Overall, consumers of these devices should gain a greater sense of control over their personal information.

“The net of this bill is it basically requires people to understand IoT devices,” said Charlie Miller, Senior Advisor at The Santa Fe Group. “It’s all good stuff and essential to have in place but one of the challenges will be how companies are required to monitor and demonstrate compliance with the law. The problem is no longer just exposure of one’s personal information but reducing exposure to many things, including one’s personal safety.”

Consider the fact that as more employees telecommute—working from home, airports or anywhere they can access the internet—they are potentially compromising their security. Many companies have been focused more on managing and securing internal workplace IoT devices as opposed to those in use by external third parties.

This lack of regulation, oversight and governance has slowed risk management efforts over IoT. As Miller notes, “Our research shows that there continues to be limited assignment of accountability and limited success in maintaining inventories of IoT devices within their organizations and their third party suppliers, which is essential to ensure they know what functions the devices perform, what security features are present, what data is collected and how it is secured and transmitted.”

The current threat landscape is real and expanding rapidly, with countless avenues for attack: malware, ransomware, cryptojacking (hijacking a device’s processing power to mine cryptocurrency), phishing (mostly through email click-throughs), denial of service (DoS) attacks and botnets.

So, what can third party risk managers do to address these issues and mitigate risk? Start by establishing who in your organization is accountable for IoT. Then:

  • Develop a plan to inventory IoT devices, both internal and at third parties.
  • Understand the risks those devices pose to your organization.
  • Ensure your internal and third party controls are assessed and validated against those risks.
  • Report results to your risk committee.
  • Include IoT risk in education and awareness training delivered at all levels of the organization.
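The two ways SB-327 lets a manufacturer satisfy the password rule described above, and the kind of inventory check Miller calls for, in one added example. This is illustrative code written for this page, not from the article, the statute or any vendor: the factory key, serials and passwords are made-up constants, and deriving per-unit passwords with an HMAC over the serial is one common practice, not something the law prescribes.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
from typing import Optional

# Constructed demo values. A real factory key lives in an HSM on the production
# line and is never written into firmware; serials and passwords are made up.
FACTORY_KEY = b"demo-factory-key-not-for-production"
SHARED_DEFAULT = "admin"      # the one-password-for-every-unit default that SB-327 targets
MIN_PASSWORD_LEN = 8


def per_device_password(serial: str, factory_key: bytes = FACTORY_KEY) -> str:
    """Path 1: a preprogrammed password that is unique to each unit.

    An HMAC over the serial gives every unit an unrelated password even though the
    serial is printed on the label; only the holder of factory_key can derive one.
    """
    tag = hmac.new(factory_key, serial.encode(), hashlib.sha256).digest()
    return base64.b32encode(tag[:10]).decode()  # 16 characters, A-Z and 2-7


class Device:
    """Minimal first-access model of one connected device."""

    def __init__(self, serial: str, preprogrammed: Optional[str] = None,
                 force_change: bool = True) -> None:
        self.serial = serial
        self._password = preprogrammed if preprogrammed else SHARED_DEFAULT
        # Path 2: a unit shipped with the shared default must demand a new
        # credential before it grants access for the first time.
        self.must_set_new = preprogrammed is None and force_change

    def login(self, password: str) -> str:
        """Returns 'denied', 'change-required' or 'ok'."""
        if not hmac.compare_digest(self._password.encode(), password.encode()):
            return "denied"
        if self.must_set_new:
            return "change-required"
        return "ok"

    def set_password(self, current: str, new: str) -> bool:
        """Rotate the credential; rejects the shared default, reuse and short values."""
        if not hmac.compare_digest(self._password.encode(), current.encode()):
            return False
        if new in (SHARED_DEFAULT, current) or len(new) < MIN_PASSWORD_LEN:
            return False
        self._password = new
        self.must_set_new = False
        return True

    def ships_compliant(self) -> bool:
        """True if the unit, as shipped, satisfies either path."""
        return self.must_set_new or self._password != SHARED_DEFAULT


def audit_fleet(devices: list[Device]) -> list[str]:
    """Serials to flag in an inventory review.

    A unit fails if it meets neither path, or if its 'unique' preprogrammed
    password also appears on another unit (a repeated factory password is not
    unique, whatever the datasheet says).
    """
    seen: dict[str, int] = {}
    for d in devices:
        if not d.must_set_new:
            seen[d._password] = seen.get(d._password, 0) + 1
    flagged = []
    for d in devices:
        duplicated = not d.must_set_new and seen.get(d._password, 0) > 1
        if not d.ships_compliant() or duplicated:
            flagged.append(d.serial)
    return flagged


if __name__ == "__main__":
    fleet = [
        Device("SN-0001", preprogrammed=per_device_password("SN-0001")),
        Device("SN-0002", preprogrammed=per_device_password("SN-0002")),
        Device("SN-0003"),                              # shared default, change forced
        Device("SN-0004", force_change=False),          # shared default, never forced
        Device("SN-0005", preprogrammed="Welcome1"),    # same "unique" password twice
        Device("SN-0006", preprogrammed="Welcome1"),
    ]
    print("non-compliant units:", audit_fleet(fleet))
```

The audit deliberately flags units whose preprogrammed password is repeated across the fleet: a label that reads “unique password” is only evidence once the inventory confirms no two units share one, which is exactly the kind of verification an IoT inventory should record alongside what the device does and what data it transmits.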

Additionally, IoT device manufacturers that delay or fail to comply with the law’s consumer security and privacy requirements may face financial penalties and fall behind manufacturers that do comply.

At the very least, “This law will get people to pay attention to the risks posed by IoT devices, and given that this law is still somewhat open-ended, we should expect to see additional requirements,” Miller said.

Shared Assessments Takes Top I...

Jenny Burke 03-07-2019


Just when you thought awards season was over….

Shared Assessments was honored with two awards for SC Magazine’s celebration of 30 years in cybersecurity. The Shared Assessments Program was named one of the Most Important Industry Organizations of the Last 30 Years. Though we have only been around for half of that time, we are proud of the contributions that our Membership has made to make vendor management and the risk landscape in general more secure. In addition, Catherine Allen was named one of the Visionaries of the Last 30 Years. As the founder of Shared Assessments she has seen big changes in this space, but remains passionate about our mission.

 

Another honoree, Steve Katz (Information Security Executive of the Last 30 Years), will receive a Lifetime Achievement Award and deliver the opening keynote address at the Annual Shared Assessments Summit on April 10th in Arlington, VA. For more information on this award, visit SC Magazine.

Shared Assessments was also named winner of the prestigious 2019 Cyber Defense Magazine InfoSec Awards in both the Hot Risk Management Company and the Leader in Third Party Risk Management (TPRM) categories, and Chairman and CEO Catherine A. Allen was named an honoree in the Cutting-Edge Women in Cyber Security category.

“Nation state exploitation, Cybercrime, Hacktivism, Cyberespionage, Ransomware and malware exploits are all on the rise,” said Gary S. Miliefsky, Publisher, Cyber Defense Magazine. “Shared Assessments/SFG has won these awards after we reviewed nearly 3,000 infosec companies, because they are an innovator that might actually help you defeat the next generation of exploiters.” Read more about the Cyber Defense Awards.

Shared Assessments was also recently honored by the Cybersecurity Excellence Awards as a winner in Vendor Risk Management.

Thanks to our hardworking members who are out there making the economy more secure right along with us.

 

 

Predicting the Privacy Weather...

Linnea Solem 03-04-2019


Trying to predict the privacy weather report for third party risk?
The dialog on online privacy is heating up in Washington D.C. this week, with hearings and industry discussion on the merits of federal privacy legislation prompted by the passage of the California Consumer Privacy Act (CCPA). Record snowfall has been reported across the country, even in typically sunny California, making this a February for the record books. This month I had the chance to facilitate a teleconference on CCPA for the Shared Assessments Program Regulatory Awareness and Best Practices working groups. Predicting the timeline and implications of CCPA for third party risk is rather like predicting today’s weather in an era of unpredictability.

For members who may not have participated in the update, I’ll summarize the sunny and cloudy viewpoints on our discussion with a recap: Background on what CCPA is; CCPA Components and Timelines; CCPA Readiness Challenges, and Implications to Vendor Management.

Background on the California Consumer Privacy Act (CCPA)
Since 1972, privacy has been an inalienable right under the California Constitution. California has led in putting a spotlight on the sharing of data with third parties: as early as 2003, its “Shine the Light” law addressed the practice of sharing customers’ personal information for marketing purposes. While that law mainly triggered updates to online privacy policies, the CCPA goes further, putting more control over personal information in the hands of individuals.

A ballot initiative was launched in 2017 to address consumer privacy rights by gathering signatures to place a measure on the 2018 ballot. By spring 2018 the privacy weather forecast changed swiftly with disclosures about the sharing of customer data on social media sites. The initiative had received over 600K signatures, generating a storm of effort to draft a compromise bill that could be modified or amended through the legislative process rather than putting privacy regulation to the voters. So, faster than a 10-day forecast, CCPA was enacted by the June 30th, 2018 deadline. Amendments followed at the start of fall 2018 to address discrepancies, clarify exemptions and set a timeline for compliance.

CCPA Components and Timelines
Privacy professionals have focused on the extra-territorial nature of GDPR, and California’s CCPA is creating a similar privacy tidal wave in that the focus is on the collection, use, and retention of personal information of California residents.

Scope: CCPA targets for-profit organizations that do business in California and collect personal information directly from individuals or on behalf of another entity. CCPA defines trigger thresholds designed to exempt the bulk of small businesses from having to address compliance. CCPA applies if any one of these thresholds is met: annual gross revenue above $25 million; buying, receiving, selling or sharing the personal information of 50,000 or more consumers, households or devices for commercial purposes; or deriving 50% or more of annual revenue from selling consumers’ personal information, regardless of the size of the organization.

Given that the state of California is the 5th largest economy in the world and only 34 countries in the world have greater populations than California, CCPA will have global implications to digital marketing.

Key Requirements:
CCPA defines several rights as the primary objective of the legislation. These rights include:

  • To know what personal information is being collected about them
  • To know whether their personal information is sold, disclosed and to whom
  • The right to say no to the sale of personal information
  • The right to access their personal information
  • The right to deletion where there is no legitimate need to retain the data
  • The right to equal treatment and price if these rights are exercised.

CCPA defines civil penalties for violations within set parameters. The element driving much of the heated debate is its private right of action, which applies to data breaches that result from a failure to maintain reasonable security. The prospect of class action litigation seeking damages for such violations is triggering a broad discussion of the differences between self-regulatory standards for digital marketing and state-by-state requirements.

CCPA is written from a consumer advocacy point of view, and enforcement rests with the state attorney general. CCPA comes into effect on January 1st, 2020, with implementing regulations to be published no later than July 1st, 2020. The CA AG will not bring enforcement actions until six months after the final regulations are published, or July 1st, 2020, whichever comes first.

CCPA Readiness Challenges
At first glance, such timelines would put CCPA compliance on the Privacy Farmer’s Almanac for next winter. However, consumers’ rights regarding the treatment of their personal data carry a 12-month “look-back” period, so the processes that address CCPA will need to be assessed and built into a compliance roadmap covering data collected in 2019. GDPR provided a 24-month timeline for compliance; CCPA provides a much shorter one given the complexities of data usage in the digital landscape.

A readiness or preparation phase for CCPA will tend to focus on self-assessment and review of business processes for the collection and sharing of data. Implementing a full readiness plan will be challenging until final guidance is completed. A six-month timeframe for executing a compliance program may be too short unless preparation activities have already scoped and shaped the depth and breadth of CCPA compliance needs.

Organizations that had to build out business processes and infrastructure for GDPR will likely have a sunnier outlook for CCPA compliance, since they are extending existing capabilities to the new CCPA requirements.

Key themes for preparation activities:

  • Data Governance: Creating and maintaining adequate data inventories and data flows, including third parties for data with a “marketing/selling” point of view
  • Consumer Advocacy: Developing the business process enablement and automation of consumer rights to access and delete data typically in unstructured data stores.
  • Digital Marketing Disruption: Assessing the marketing, brand, and customer satisfaction risks of implementing limitations on the “selling” of customer data. Organizations may make business decisions in 2019 to change how, or whether, they share customer data.
  • Vendor Management: Identifying contract provisions with third party vendors and then defining sufficient due diligence based on the service they perform.
  • Reasonable Security: Conducting reviews or self-assessments for data security safeguards. With the expanded focus on information security controls for marketing data – beyond the traditional “PII” focus, security controls will focus on the digital landscape, mobile and device at a much greater level of detail.

Implications to Vendor Management Functions
The digital marketing landscape has layers of third-party relationships. CCPA will trigger the need to identify the applicable third parties that will require affirmation of their obligations to limit the use of personal data beyond the terms of the contract.

3 Things to Think About

  1. A “service provider” for the purposes of the CCPA is an entity that processes personal information “on behalf” of a business. The vendor or “service provider” must be bound by a written contract that prohibits the use of personal information for other purposes.
  2. CCPA requires that the contract with an in-scope service provider include a “certification” that the entity receiving the personal information understands the restrictions in the contract and will comply.
  3. These obligations will require updates to key third party risk governance processes to address the contract terms and limitations, and also to the corresponding third-party assessment process for due diligence and testing of controls.

CCPA Vendor Readiness Focus Areas
The final rulemaking for CCPA will be initiated by the CA Attorney General after a series of workshops, hearings, and outreach to the industry. While final interpretations and the potential for additional amendments make final scope and timeframes a bit cloudy, there are preparation and readiness steps organizations can do this year.

For businesses that use third parties, particularly in the online or digital marketing landscape, a starting point is to assess the current vendor inventory and contracts to create a baseline. For vendors who support their clients in the digital marketing landscape, they can begin to assess their role and what data they process and be prepared for additional scrutiny in the due diligence process.

The privacy landscape will continue to evolve, and CCPA dialog will likely continue thru spring and summer of this year. The bottom line is that CCPA is creating momentum for the U.S. to adopt a different approach to digital privacy practices, and that will impact the third-party providers that enable the digital ecosystem.

The Shared Assessments Program’s Privacy Committee will be monitoring CCPA developments to identify impacts to standardized questionnaires, privacy tools, checklists, and testing procedures for the next 24 months. If you or your organization would like to participate in the Privacy Committee or CCPA sub-committee, please click here to sign up to participate in the committee.

Linnea Solem is Founder and CEO, Solem Risk Partners, LLC, a management consulting and advisory services company focused on Third Party Risk Governance, Privacy Program Management, and Enterprise Risk Management. Linnea serves on the Shared Assessments Advisory Board.

What is the Impact of Ohio...

Jeremy Byellin 02-22-2019


Last August, Governor John Kasich signed the Ohio Data Protection Act into law.

The law creates a safe harbor that insulates “covered entities” from tort liability under Ohio state law if they “create, maintain, and comply with a written cybersecurity program” that “reasonably conforms” to one of the specified cybersecurity frameworks (including several NIST and ISO frameworks, as well as other laws that may apply such as HIPAA, GLBA, and FISMA).

Being the first of its kind, the law is, by definition, a precedent setter.  But how much of an impact will it have on its own?

In short, not much.  The scope of the law is limited to liability under Ohio law – and only tort law at that – in Ohio courts.  In other words, the law only creates a safe harbor against being sued for negligence or some other form of tort malfeasance in Ohio.

Despite all this naysaying, this law should be good news at least for covered companies already operating in Ohio, right?

Unfortunately, not as much as one may think.  In determining whether a company was negligent in a data breach, courts already look at that company’s compliance with industry standards. 

The new law doesn’t cut out any steps to asserting such compliance as a defense to negligence.  It still forces companies to go to court and litigate whether they were compliant with the named industry standards and thus eligible for the safe harbor – which is very likely what they would have done regardless of the new law.

Granted, the law does insure against Ohio courts increasing their expectations, such that compliance with industry standards is no longer enough, but the likelihood of that happening in the foreseeable future is dubious at best.

The law, then, doesn’t make a lot of immediate waves in the cybersecurity legal landscape.  That may change if other states – or more importantly, the federal government – enact similar laws, in which case, Ohio would be the trendsetter for a potential new nationwide standard.

Given that the law only took effect this past November, it remains to be seen how the law will actually play out, or whether it will have any impact whatsoever.

Exercising Good Privacy and Co...

Tom Garrubba 02-13-2019


Santa Fe Group Third Party Risk expert Tom Garrubba recently contributed to Corporate Compliance Insights with his take on the recently released Cisco Data Privacy Benchmark Study.

Read the full article.

Those of us in the privacy profession knew it was only a matter of time before privacy-minded organizations saw the benefits of their internal analysis and hard work. Their efforts to refine and/or create policies, procedures, standards and practices that better secure and guard privacy during the handling of their customers’ personally identifiable information are paying off.

Evidence of this came to light in the Cisco Data Privacy Benchmark Study published in late January 2019. The study indicates that both outsourcing organizations and service providers are modifying the way they do business. Organizations increasingly understand the importance of recent regulations such as the General Data Protection Regulation (GDPR), which mandates protection of the personal data of individuals throughout the EU. This understanding is gaining traction as organizations grapple with similar U.S. state privacy regulations and guidance, such as the California Consumer Privacy Act (CCPA). From a compliance perspective, this is a breath of fresh air, since organizations are required to provide evidence that they’ve documented (and thus have a handle on) their internal processes and all the hands through which their data passes.

In reviewing the study, I take heart that the respondents’ customers (i.e., outsourcers) are performing proper due diligence as they strive to get a better understanding of how the service providers are (or will be) handling the outsourcer’s customer’s prized data. It appears that these service providers have anticipated the requests from their outsourcers and have built the need for responses into their internal compliance; thus, cutting down on due diligence delays.

These changes lead me to believe that both outsourcers and service providers have gone beyond paraphrasing Alfred E. Neuman (“What, me worry?”) since they’ve begun to see the harsh realities of the often-heavy fines levied for non-compliance. In particular, they’ve taken the privacy (and the related security) mandates of compliance regulations very seriously and are increasingly embedding this type of compliance into their business model.

One part of the Cisco study did raise my brow however; in identifying the “Most significant challenges in getting ready for GDPR,” 42% of the nearly three-thousand respondents reported “Meeting data security requirements,” as the most important. Closer to the bottom of the priority list is Vendor Management. Given the global impacts of major third party breaches over the last three years, third party risk management (TPRM) must be much higher up on the priority list.

The fact is that the security and privacy posture at any organization’s third and “nth” parties who touch personally identifiable information should be as important to the organization as their own security defenses. Outsourcers placing blind faith in their third party partners are almost certainly destined at some point to realize that just because they’ve outsourced the process doesn’t mean they’ve outsourced the risk.

This study is beneficial to organizations and industries of all types in that it evidences the importance of privacy and security compliance within the organization. By taking these concerns seriously, organizations not only create a value add for their customers, they also cover themselves from a compliance perspective by showing that they are conforming to industry best practices and regulations.

A good place to begin to ensure compliance and TPRM goals are being met by all third parties with whom a company is sharing data is through the use of recognized, field-proven best practices and TPRM tools – and ideally, tap into a global “intelligence ecosystem” of risk management professionals whose insight and experience can prove invaluable. One such resource is the member consortium Shared Assessments which produces many free tools used by member and non-member organizations alike.

Sadly, some organizations will fail to embrace important compliance processes and document their understanding by “following the data.” At every phase, from planning a third party risk management program, to building and capturing assessments, to benchmarking and ongoing evaluation of a program, there are TPRM tools that are invaluable for managing risk.

The impacts of third party breaches and lapses have been the stuff of headlines over the last year, and every organization’s shareholders, customers, partners and other stakeholders are taking note.  Companies no longer have the luxury of acting like the proverbial ostrich with their head in the sand, oblivious to the compliance perils that third party partners pose.

Cybersecurity: 4 Board-Level T...

Jenny Burke 02-05-2019


Consulting magazine recently interviewed Santa Fe Group Chairman and CEO Catherine Allen for an article examining cybersecurity challenges and related consulting trends. During the discussion, Catherine shared her insights on current cybersecurity issues, related third party risk management challenges, and board dynamics concerning information security.

 

The article, which is slated to appear in the publication in March, will feature insights from Cathy along with leaders of cybersecurity practices in global consulting firms. Here are four high-level cybersecurity trends Catherine covered during her discussion with Consulting:

 

1. Resiliency is a primary focal point: Even companies with the most advanced cybersecurity practices are likely to get hacked. As a result, organizational information security programs are focusing more on resiliency and business continuity activities. “Prevention remains critical, and companies continue to strengthen policies, improve the technologies they have in place, invest in training, and adopt best practices,” Catherine said. “But we’re just not at a point where we can stay ahead of the bad guys. When a breach occurs, companies need to have a set of incident response, crisis management and business continuity protocols in place. Boards want to know how quickly the company can handle the breach and get back up and running.”

2. Continuous monitoring is crucial: More companies are investing in improvements to continuous monitoring processes and supporting technologies. These capabilities help bolster prevention and incident-response capabilities. “We’re seeing a strong drive toward continuous monitoring so that when a breach occurs, a company can quickly identify, isolate and address it,” Catherine pointed out.

3. OT-IT convergence requires more attention: The convergence of operational technology (OT) and information technology marks an important and rapidly emerging risk-management area (it’s also a topic that features prominently in the upcoming 2019 Shared Assessments Summit). “Boards and C-suites are increasingly looking at the convergence of physical, cyber and operational security,” Catherine told Consulting. This integrated view of risk management is necessary because more adversaries are breaking physical barriers to hack into organizational information systems. As OT-IT convergence attracts more attention, companies with mature third party risk management programs are applying more scrutiny to risk management practices within fourth and fifth parties (i.e., the technology and services providers that their vendors use).

4. Cyber attackers move beyond financial motives: While the hacking of financial data remains a top concern, bad actors and other adversaries also target other data (such as intellectual property) for financial gain, to inflict reputational damage, or to sow chaos. Think of a cyberattack by a nation-state that strikes an electric grid, hospital system or the elections process in a rival country. “Many companies primarily focus on protecting financial data,” Catherine added. “But you have to take a comprehensive view of the organizational data that could potentially be targeted and then understand how that fits into the third party risk management as well as the broader context of enterprise risk management.”

Data Privacy Day 2019 – A Ne...

Linnea Solem 01-24-2019

Each year on January 28th, the world celebrates Data Privacy Day (DPD), led by the National Cyber Security Alliance in North America. This international effort creates awareness about the importance of respecting privacy, safeguarding data, and enabling trust. The focus this year is on the value of information. Whether you look at data privacy from an individual point of view, or from the lens of the business that is collecting, using, and storing personal data, remember:

Personal Information is like money. Value it. Protect it.

Last year the focus on Data Privacy was on readiness for the EU General Data Protection Regulation and the implications that emerged following the social media testimony in Congress on data sharing. This year, the spotlight is on the new California Consumer Privacy Act. In each of these areas, there is an impact to vendor management that is driving a new era for third party risk governance.

If personal information is like money, then we need to treat that asset with the same level of value and protection whether it is stored in our own privacy piggy bank or in the locked vault of a vendor or service provider. Let’s put the numbers into perspective:

  • 66% of U.S. consumers want companies to earn their trust by being more open and transparent with how their information is being used
  • In a survey by Blue Fountain Media, the web users surveyed overwhelmingly objected to how their information is being shared with and used by third-party vendors. 90% of those polled were very concerned with internet privacy.
  • A PwC survey found that only 52% of U.S. companies that will need to comply with the CCPA expect to be compliant by January 2020.

The Shared Assessments Program Vendor Risk Management Maturity Model was updated for release in 2019 to include the heightened expectations driven by new privacy regulations, high profile data breaches and updated external audit standards. The 2018 Shared Assessments Program and Protiviti Vendor Risk Management Benchmark study used the expanded maturity model. Early highlights of the 2018 study were shared with Shared Assessments Program Members this past month. In the latest Shared Assessments Program and Protiviti Vendor Risk Management Benchmark study, 55% of organizations surveyed indicated they were likely to “de-risk” or move away from high risk third-party relationships in the next 12 months, up 2% from the previous year. Further, considering all six privacy related measures in the survey, fully 43% of those surveyed had either fully functional or advanced privacy practices in place, the second highest result of any focus area in the survey. 22% of respondents reported they had only ad-hoc privacy practices in place and 9% had no active privacy efforts.

Both GDPR and CCPA drive the need for enhanced data governance strategies, including data flows, data maps and data inventories. Whether the data is stored locally or at a third-party service provider, the data must be protected. International privacy regulations will continue to advance, triggering the need to continually assess the effectiveness of each third party risk governance program against new privacy requirements.

Key steps in building your third-party risk roadmap for privacy protection:

  • Update vendor classification, scoping, and inventories for third party relationships
  • Enhance contract provisions for the protection and usage of data
  • Maintain a data inventory to manage and process data access requests
  • Broaden due diligence processes for assessing and identifying corrective actions of third parties
  • Deploy effective ongoing monitoring of vendor relationships
  • Maintain documentation of processing of the personal data
  • Understand data transfers and authorizations at both third and fourth parties

While the numbers seem daunting, given the pace of technology and complexity of third-party relationships, there are action steps service provider organizations can take to mature their internal processes for third party risk governance.

3 Action Steps to take in 2019:

    1. Develop a Roadmap for maturing your third-party risk governance program: Benchmark your organization’s third-party risk governance program by downloading and using the 2019 version of the Shared Assessments Program Vendor Risk Management Maturity Model
    2. Expand data governance tracking tools to protect personal data: Download the Free privacy templates in the Shared Assessments GDPR tools. The Target Data Tracker template can enable your organization to document the tracking of target data by third and fourth parties to address the broader third party and data transfer obligations driven by privacy regulations.
    3. Enhance your Training and Awareness Program: Leverage the free resources for data privacy at https://staysafeonline.org/resources/

In today’s market landscape, all organizations utilize third party relationships to run and operate their business. Ensuring that the right privacy protections are in place in your third-party risk governance program demonstrates your commitment to treat your client’s privacy data as your own.

Protecting data in your Privacy Piggy Bank is important not just on Data Privacy Day, but every day!

Personal Information is like money. Value it. Protect it.

#PrivacyAware

Linnea Solem is Founder and CEO, Solem Risk Partners, LLC, a management consulting and advisory services company focused on Third Party Risk Governance, Privacy Program Management, and Enterprise Risk Management. Linnea serves on the Shared Assessments Advisory Board.

2019 Shared Assessments Third ...

Jenny Burke 01-07-2019

Shared Assessments has released its updated 2019 Third Party Risk Management Toolkit which serves organizations for vendor risk management, regardless of size and industry. The Toolkit elements help both outsourcers and providers to meet regulatory, consumer and business scrutiny within the constantly evolving landscape of cyber and other security threats and vulnerabilities.

Shared Assessments keeps a close eye on emerging regulations, guidelines and standards for a wide range of industries, such as: NIST 800-53r4, NIST CSF 1.1, FFIEC CAT Tool and PCI 3.2.1. That knowledge is used to update the new Toolkit, which embodies multiple Tools for a comprehensive “trust, but verify” approach to conducting third party risk management assessments, using a substantiation-based, standardized, efficient methodology.

The 2019 Third Party Risk Management Toolkit includes:

  • 2019 Standardized Information Gathering (SIG) Questionnaire Tools
  • 2019 Standardized Control Assessment (SCA) Procedure Tools
  • 2019 Vendor Risk Management Maturity Model (VRMMM) Benchmark Tools
  • 2019 General Data Protection Regulation (GDPR) Privacy Tools

Changes to the Toolkit were determined by the collective intelligence of our membership, bringing a diversity of views from:

  • Outsourcers, service providers, licensees, assessment firms and regulators.
  • Organizations from start-ups to large, global corporations.
  • Industries such as Financial, Insurance, Consumer Packaged Goods, Services, IT and Healthcare.
  • Subject experts in cybersecurity, privacy, supply chain risk, compliance, regulation, enterprise risk management and third party risk.

The updates for 2019 are a response not only to the changing regulatory and risk landscape, but to our hundreds of members and tool purchasers looking to perform vendor risk assessments that provide assurance but are also efficient and fast. The 2019 Toolkit was built to preserve that standardized excellence in content while also making assessments easier to create, customize and manage. The Toolkit elements are also built to work together, following the typical process a third party risk practitioner would use to implement their program.

2019 Standardized Information Gathering (SIG) Questionnaire Tools

The 2019 SIG has undergone a major functionality and content reorganization. The SIG now functions as a questionnaire management tool that allows you to build, customize, analyze and store questionnaires.

  • Architecture – Questionnaires are now created from within the SIG Management Tool. Along with streamlined code, this makes the 2019 SIG size smaller, enabling questionnaires to be created more quickly. You can now create a SIG with questions all on one tab, or with a tab for each risk domain.
  • Content Library – There is no longer a “Full” SIG, but rather a database of member-vetted questions called the Content Library. The Content Library includes the SIG Core and the SIG Lite questions, but also houses industry-specific questions. You can even add custom questions to be treated and scored as any other included question.
  • Custom Scoping – Custom Scoping allows you to create the questionnaires you need without losing the benefits of standardizations by drawing from the Content Library. You now have three ways to edit a questionnaire – by control domain, by external requirement or by control category and subcategory.
  • Saved Questionnaires – A SIG questionnaire can now be saved as a template to be modified later, making it easy to create questionnaires for new vendors.
  • SCA Integration and Scoping – the 2019 SIG is now integrated with the Standardized Control Assessment (SCA) Procedure Tools for onsite and virtual assessments. You can now take a completed SIG and automatically create a SCA.

Content updates to the 2019 SIG Tools include:

  • Privacy and Compliance Updates – Updated with relevant and current U.S. and international regulatory and privacy requirements including an update of GDPR-related content.
  • Industry-Specific Content – Content Library additions including FDA content for Consumer Packaged Goods (CPG) and Life Sciences, Insurance industry-specific content and IoT (Internet of Things) content.
  • Mapping – The following nine mappings to Authority Documents are now included within the body of the SIG and can be used for creating questionnaires.
    • FFIEC APPENDIX J – Federal Financial Institutions Examination Council (FFIEC) Information Technology Examination Handbook – Appendix J: Strengthening the Resilience of Outsourced Technology Services, February 2015
    • FFIEC CAT Tool – FFIEC Cybersecurity Assessment Tool (CAT), May 2017
    • FFIEC MANAGEMENT HANDBOOK – FFIEC IT, IS & Outsourcing Examination Management Handbooks, November 2015
    • GDPR – EU General Data Protection Regulation (GDPR), April 2016 (Effective May 2018)
    • HIPAA – U.S. Department of Health and Human Services. Health Insurance Portability and Accountability Act (HIPAA) Simplification, March 2013
    • ISO 2700X – International Standards Organization (ISO) 27001/27002, 2013
    • NIST 800-53r4 – NIST 800-53r4 Security & Privacy Controls for Federal Information Systems and Organizations, January 2015
    • NIST CSF 1.1 – National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), April 2018
    • PCI 3.2.1 – Payment Card Industry (PCI) PCI DSS V.3.2.1, February 2018

2019 Standardized Control Assessment (SCA) Procedure Tools

The SCA Tools are a standardized set of assessment procedures. When combined with the scoping features of the SIG, the 2019 SCA is a quick and efficient way to assess service providers during onsite or virtual assessments.

Enhancements to the 2019 SCA include:

  • Updated Guidance Documentation – The main SCA document includes new reference material that helps users complete assessments faster and with a better understanding of the controls being assessed.
  • SCA Report Template – SCA reporting template is now in spreadsheet format, making it easier to document findings while onsite, copy and paste data and use on a mobile device.
  • Executive Summary Template – A new Executive Summary Template is included that will assist in creating a lightweight summary report of the SCA findings for management without all the detail of the full report.
  • SIG Integration and Automatic SCA Scoping – Using the SIG with its embedded SCA content, automatic customization is available to make SCA assessment procedures match just the SCA questions that were scoped and answered by the Assessee in a SIG.
  • SCA Assessment Standards for Distributable Reports – Due to the requirements within the SCA Standards for distributable reports, the outsourcer can be assured that the procedures in an SCA will be performed consistently, regardless of which certified organization performs it.
  • Content Updates
    • Privacy and Compliance Updates – Updated with relevant and current U.S. and international regulatory and privacy requirements including an update of GDPR-related content.
    • SIG Alignment – The SCA has been thoroughly reviewed and updated to align more closely with the SIG, using matching terminology and making it simpler to follow the “trust, but verify” model of third party risk management.
    • GDPR Privacy Tools Alignment – The GDPR Toolkit aligns completely with the SCA, ensuring SCA-based assessments address the most current privacy considerations.

2019 Vendor Risk Management Maturity Model (VRMMM) Benchmark Tools

The VRMMM, available since 2013, is the longest running third party risk maturity model, and has been vetted and refined by hundreds of the most experienced third party risk management professionals.

2019 saw significant updates to the VRMMM content, including:

  • Privacy and Compliance Updates – Updated with relevant and current U.S. and international regulatory and privacy requirements including an update of GDPR-related content.
  • Inclusion of recent guidance regarding Third Party Risk Management from:
    • The American Institute of Certified Public Accountants (AICPA) which sets guidelines for public auditing principles.
    • The Office of the Comptroller of Currency (OCC) which audits the safety and soundness of U.S. banks.
    • New York Department of Financial Services Part 500 of Title 23 of the Official Compilation of Codes, Rules and Regulations of the state of New York (NYDFS 23 NYCRR 500), which is a cybersecurity regulation mandated for any financial services company doing business in the U.S. state of New York.
    • Privacy requirements including the European Union General Data Protection Regulation (GDPR).

The VRMMM is important to third party risk, and we made it free to members and non-members. It can be downloaded here.

2019 GDPR Privacy Tools

The GDPR Privacy Tools help meet the requirements imposed on how Controllers (i.e., outsourcers) must appoint and monitor Data Processors (i.e., third parties/vendors) as a part of GDPR.

Enhancements to the 2019 GDPR Privacy Tools include:

  • The GDPR Tool kit was originally released prior to the GDPR compliance deadline of May 25, 2018. The focus and narrative were on preparation for the upcoming deadline. Now that the deadline has passed, the leading practices incorporated in the tools have been updated based on the experiences of dozens of Shared Assessments member companies.
  • The template tools were enhanced to better allow tracking of issues over time.

Download this free tool.

To learn more about the Toolkit updates, and to learn how the tools work together for a Third Party Risk Management Program, you can:

Coming Soon: 2019 Shared Asse...

Jenny Burke 12-05-2018

The Santa Fe Group elves are working hard to make December great for our members. The Third Party Risk Management Toolkit is expected to drop in mid-December.

We are particularly proud of what the Toolkit will bring our members this year.

It’s all in the Name. Calling it a Toolkit reflects how it is used. The tools are designed to work together to follow the typical process a third party risk practitioner would use to implement a program. The Toolkit embodies a “trust, but verify” approach for conducting third party risk management assessments and uses a substantiation-based, standardized methodology.

Our Membership Roots. The Toolkit, like all our resources, was built by the collective intelligence of our diverse membership. The practitioners that came together to create the Toolkit come from different industries, perspectives and company sizes, but they all share a passion for creating resources that will improve third party assurance.

We Heard You. The major changes in the Toolkit are all about making the tools easier to use. Here are just a few of the new features we are most excited about:

  • SIG Content Library – there is no longer a “Full SIG” but rather a Content Library that SIGs are created from. To build a questionnaire, practitioners will select a SIG Core or SIG Lite from within the SIG Management Tool and will scope it from there by industry specific content, authority document, individual questions, control categories and risk tiers. This means that your SIG will be exactly the size you need it to be.
  • SIG|SCA Integration – SCA content is now contained within the SIG, so when you scope your SIG you are also scoping your SCA for the accompanying onsite or virtual assessment to go along with the questionnaire.
  • New SIG Architecture – Questionnaires are now created from within the SIG Management Tool. Along with streamlined code, this makes the 2019 SIG size smaller, enabling it to run more smoothly and questionnaires to be created more quickly. You now have a choice to create a SIG with all questions in one tab or with a tab for each risk domain.
  • Saved Questionnaires – Any SIG questionnaire can be saved as a template to be used or modified later, making it easy to fit existing questionnaires to new vendors.

All of our tools have also received a regulation refresh, taking into account recent national and international regulatory changes. One of the most requested new authority documents, the NIST 800-53r4 is mapped within the SIG.

Stay tuned for the tool release later this month. To make sure you are on our distribution list, or for any questions, please email us.

Fear, Uncertainty and Doubt Ma...

Tom Garrubba 11-15-2018

As cybersecurity programs become more integrated into enterprise risk management (ERM) programs, security professionals grapple with new issues. Rather than relying on fear, uncertainty and doubt (FUD) to fuel their business case for budget increases, cybersecurity leaders are striving to quantify the business impact and probability of cybersecurity events while evaluating new options, including cyber insurance policies, and looking for new ways to address growing challenges, such as third-party risk management.

That’s the theme of a comprehensive CSO Online article that features insights from leading security executives and other experts, including Santa Fe Group Senior Director Mike Jordan. Mike weighs in on the growth of the cyber insurance sector. He notes that companies selling these policies have developed “a fairly good idea of what they’re willing to insure and the security measures they require you have in place in order to get a policy.” Mike’s discussion also touches on the increasingly valuable role of vendors that measure a company’s cybersecurity risks and assessment firms that conduct cybersecurity audits.

Of course, many organizations still have a ways to go when it comes to quantifying cybersecurity risks and assimilating cybersecurity programs with ERM. The article, authored by CSO Contributing Writer Maria Korolov, pinpoints several obstacles limiting progress toward those two objectives and then highlights approaches that have proven effective in clearing these hurdles.

The challenges hampering the integration of cybersecurity into overarching risk management programs include:

  • Getting lost in translation: “There’s often a disconnect between the language of security and the language of risk, and that can make it harder for a CSO to play a meaningful role in the enterprise risk management discussion,” Korolov writes, noting that “many cybersecurity experts throw up their hands in frustration when asked about how they quantify the risk reduction associated with particular mitigation strategies…”
  • An overly tactical focus: Cybersecurity professionals – for sound reasons – tend to focus on “very tactical technical issues,” such as patching vulnerabilities as soon as possible. While this perspective is necessary, it can be helpful to also frame and communicate security priorities in broader business terms. If a patch is needed, for example, the information security group should also estimate and communicate the potential cost – in lost business, remediation and potential regulatory fines – of leaving the vulnerability exposed.
  • Quantifying risks is difficult: According to a patch management expert cited in the article, “there is no formula for calculating how much the implementation of each control lowers your risk.” While the art and science of quantifying cybersecurity risks is advancing, organizations should prioritize risks that elude quantification.
  • Boards misunderstand cyber risk: Deloitte Partner Dan Kinsella frequently speaks to corporate boards about cybersecurity oversight. He says that some boards have yet to grasp the fluid nature of cybersecurity risks. Once a specific cybersecurity issue has been addressed, some boards tend to consider the matter closed. “That’s not the case with cyber risk,” Kinsella stresses.

Korolov includes high-level snapshots of effective cybersecurity-ERM integrations. Several key enablers of this approach within Aetna provide a clear picture of what is needed to succeed, including:

  • Categorization: Cyber risks are treated as an operational risk within Aetna’s ERM framework.
  • Involvement: Aetna’s chief security officer (CSO) is a member of the risk committee that governs the ERM program.
  • Measurement: “Specific and quantitative” cyber risks are evaluated and managed according to the daily risk score they are assigned.
  • Mindset: Aetna’s CSO also stresses that his group’s risk-management activities and requirements significantly exceed what is required from a regulatory compliance standpoint.

Korolov’s reporting also emphasizes that third party risks further complicate the already difficult challenge of measuring the probability and potential bottom-line impact of breaches. Fortunately, progress is being made – as Mike asserts: “Measuring cyber security risk,” he tells CSO, is “becoming less art, and more science.”

European Invasion? Congression...

Tom Garrubba 11-13-2018

Might the U.S. take a page from the European Union’s (E.U.) data privacy playbook? Could the California Privacy Act spread to the rest of the country?

These possibilities were on the minds of participants in recent Congressional hearings concerning data privacy. The European Union’s (EU’s) General Data Protection Regulation (GDPR) and the California Consumer Privacy Act of 2018 (CCPA) have captured the attention of technology company executives and legislative leaders. Tech executives appear concerned that other states could follow California’s lead by enacting their own laws concerning consumer data privacy protections. Congressional leaders appear interested in understanding the impacts of GDPR and CCPA on U.S.-based companies — and in potentially applying these learnings to future legislative actions concerning data privacy and security. (Three such bills currently exist in Congress.)

In late September, U.S. Sen. John Thune (R-S.D.), who chairs the Senate Committee on Commerce, Science, and Transportation, held a hearing with executives of leading technology companies. Thune indicated that the hearing was designed to provide “leading technology companies and internet service providers an opportunity to explain their approaches to privacy, how they plan to address new requirements from the European Union and California, and what Congress can do to promote clear privacy expectations without hurting innovation.”

During the discussion, Amazon Vice President and Associate General Counsel Andrew DeVore urged Congress to consider “possible unintended consequences of the CCPA approach” while noting that the law’s speedy passage “left little opportunity for thoughtful review, resulting in some provisions that ultimately do not promote best practices in privacy.” DeVore pointed to the CCPA’s definition of “personal information” as an example, explaining that it “goes beyond information that actually identifies a person to include any information that ‘could be linked with a person,’ which arguably is all information.” The result, he concluded, “is a law that is not only confusing and difficult to comply with, but that may actually undermine important privacy protective practices like encouraging companies to handle data in a way that is not directly linked to a consumer’s identity.”

A few weeks later, Sen. Thune convened another hearing, this one attended by privacy advocates who also spoke about the types of consumer protections Congress should consider in future legislation.

In a carefully researched written testimony, the Center for Democracy & Technology President and CEO Nuala O’Connor argued for federal privacy legislation that “will shift the balance of power and autonomy back to individual consumers, while providing a more certain and stable regulatory landscape that can accelerate innovation in the future.” After pinpointing why “the existing patchwork of privacy laws in the United States has not served Americans well,” O’Connor described how a national data privacy law “should create an explicit and targeted baseline level of privacy protection for individuals” by addressing four areas:

  • Enshrining basic individual rights with respect to personal information;
  • Prohibiting unfair data processing;
  • Deterring discriminatory activity; and
  • Establishing meaningful enforcement mechanisms.

As businesses, consumer privacy advocates and legislators continue to discuss, and disagree on, data privacy rules, it appears that some common ground – in the form of a growing desire for federal legislation – has quietly been reached. In a speech at an EU privacy conference in October, Apple CEO Tim Cook asserted that the U.S. should follow the EU’s lead by enacting its own comprehensive federal data privacy law.

We’ll keep you posted as these discussions progress; until then, a large number of companies across multiple industries will be dreaming of Californication, or perhaps tossing and turning about the work they need to do to establish and sustain compliance with GDPR and the CCPA.

How To Win (More) Third Party ...

Jenny Burke 11-07-2018

Although he was referring to troop levels, George Washington demonstrated more than a little budgeting savvy when he wrote that “we must consult our means rather than our wishes.”

While third party risk management (TPRM) leaders would do well to heed that (founding) fatherly wisdom, they should also keep in mind that a number of emerging best practices have proven successful in boosting the means TPRM groups have at their disposal. Shared Assessments is currently analyzing research concerning how organizations are addressing heightened regulatory expectations related to TPRM requirements. The Vendor Risk Management Benchmark Study, in its fifth year, has just wrapped up, and the research report is expected to be released in February 2019. Coupled with this annual research is a special project now underway sponsored by the Best Practices Awareness Group and the Regulatory Compliance Audit Awareness Group. One component of this research, which is being spearheaded by subject matter experts in both groups, examines the successful approaches TPRM leaders have deployed to fortify their case for more resources during annual budgeting activities.

While the research remains in process, it has already identified the importance of tightly linking vendor risk management objectives with an organization’s strategic business goals. That coupling of appropriate risk management capability with an enhanced ability to achieve strategic business goals significantly increases the likelihood of successfully procuring additional TPRM resources.

In many companies, for example, the failure to meet regulatory requirements may result in reputational damage. In a company that considers its brand a strategic asset, third party risk management leaders should show how specific vendor risk management gaps would potentially limit the company’s ability to protect its brand. A business case that supports that business-centered point is more likely to result in a favorable budgeting decision compared to a business case that centers only on the risk of a regulatory compliance failure.

This is just one of a number of other approaches TPRM leaders are marshalling in the ongoing battle for more funding. I’ll keep you posted on when in early 2019 a paper highlighting this research is available.

Going Back 2 Cali: The Golden...

Tom Garrubba 10-26-2018

The California State Legislature recently completed a data privacy/data security two-step by passing two new laws with significant third party risk management implications for a broad collection of companies.

In late September, California enacted what some are referring to as the country’s first “Internet of Things (IoT) security law.” The new law requires makers of connected devices (those assigned an IP or Bluetooth address) to have in place “reasonable” security features. This vague qualifier is (somewhat) fleshed out in the law’s description of security features that are:

  • Appropriate to the nature and function of the device;
  • Appropriate to the information it may collect, contain, or transmit; and
  • Designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified.

The law states that its requirements are not enforceable by a private right of action, which would prevent class action lawsuits from arising following a major data breach of a connected device. However, the law is enforceable by the California Attorney General as well as government attorneys at the city, county and district level. “As a result, a manufacturer of a device that turns out to have an exploitable security issue may face legal jeopardy on many fronts….” according to a Davis Wright Tremaine LLP bulletin on the new law.

These requirements are currently scheduled to take effect Jan. 1, 2020 – the same day that the state begins enforcing the sweeping California Consumer Privacy Act of 2018 (CCPA). Approved – swiftly – in June, the CCPA is notable for a number of reasons including:

  • The law’s definition of “personal information” is broad: Personal information includes a consumer’s Internet browsing history, personal identifiers, geolocation data, psychometric data, biometric data and “inferences drawn” from any of that customer data, according to the bill.
  • The CCPA extends to a wide collection of companies: While the law applies to the world’s largest technology companies, any business that processes personal data of California residents will have to comply. This includes Internet service providers, data brokers, retailers and other companies that meet any of the following criteria: 1) gross annual revenue north of $25 million; 2) receiving or sharing personal information of more than 50,000 consumers (or households or devices); or 3) earning more than half of annual revenue from the sale of personal data.
  • The law affects third party risk management: The law requires companies to update service level agreements (SLAs) with third party data processors, among other crucial vendor risk management considerations.
  • The CCPA’s quick passage is noteworthy: The law materialized rapidly in June after the sponsors of a ballot initiative containing similar requirements agreed to withdraw their initiative on the condition that the California state legislature approve a replacement law (one that can be amended to address compliance problems prior to its enactment). California legislators did just that – introducing a comprehensive law that was signed into law by Governor Jerry Brown six days later. Although the conditions that drove the law’s prompt passage are unique, the public’s desire for data privacy regulations and the speed with which these laws can potentially be introduced shows that the early warning systems companies use to detect, shape and prepare for legal and regulatory changes may need updating.


It’s also notable that the law’s language allows for it to be amended. Any changes that do occur appear likely to be made to clarify compliance requirements. Given that a PwC survey finds that only 52 percent of U.S. companies that will need to comply with the CCPA expect to be compliant by Jan. 2020, organizations should immediately begin assessing and addressing their compliance needs.


The Clock is Ticking …It’s...

Linnea Solem 09-19-2018

Tick Tock. It’s that time of year again. Summer’s heat waves are retreating, school is in session, and budget planning is well underway for 2019 and beyond. Each year organizations typically take focused time during Q3/Q4 to evaluate their strategic plans; monitor the evolving risk environment; assess cyber-security threats; and identify programs to be enhanced in the coming fiscal year. Lines of business are focused on business cases for new products/services, while risk teams are working to mature governance to address new compliance obligations with limited resources.

✔ What regulatory landscape changes are shifting expectations?
✔ What third party risk focus areas are “hot topics?”
✔ Where does third party risk fit into those competing priorities?
✔ How can self-assessment tools be used for peer benchmarking?

And this season the 5th annual Third Party Risk Management Benchmark Survey, based on the expanded 2019 Shared Assessments Vendor Risk Management Maturity Model, is here to help put an early spotlight on additional areas of practice maturity emerging in response to a number of market changes.

Market Changes

  • New Regulations: Heightened expectations have been triggered for third party oversight and vendor management. GDPR is now enforceable, extending obligations to data processors and vendors. The OCC’s supplemental examination procedures to its “Third-Party Relationships: Risk Management Guidance” are raising expectations for risk management, due diligence and governance. Covered entities impacted by NY DFS 500 are facing the clock as the countdown to March 2019 is fast approaching. Yet the effectiveness of a third party risk program is difficult to measure and quantify, which makes certifying or providing assurance on it complex.
  • High-Profile Data Breaches: Recent events have placed a spotlight on the risk of cyber security breaches with vendors and subcontractors, expanding the need to have greater rigor in third party risk management and ongoing risk assessments.
  • Updated Standards: NIST standards are expanding to include risk management and privacy. External audit standards for SOC reports have been updated by the AICPA. The updated Trust Services Criteria will now contain 9 Vendor Risk Management common controls for 2019 engagements.

It’s all about taking “Trust, but Verify” to the next level with enhanced controls, validation, testing, and governance. While each new regulation or standard is focused on a particular jurisdiction or market vertical, the themes for third party risk management have more similarities than differences.

Hot Topics for Vendor Risk Management:
✔ Subcontractors/Nth Party Management
✔ Continuous Monitoring Program Activities
✔ Vendor Inventories
✔ Vendor Contract Modernization
✔ Risk Posture/Methodologies/Approvals

Adapting a vendor risk management program impacted by both internal and external drivers can feel daunting without a roadmap to help mature or expand the program components. Organizations of all sizes may need to develop business cases to get resources, either people or investments, to expand third party governance programs.

Vendor Risk Management Maturity Model
The Shared Assessments Program Vendor Risk Management Maturity Model (VRMMM) was developed by its members to provide a roadmap for structuring, operating, and measuring each component of an organization’s Vendor Risk Management Program. Combining best practices, thought leadership, and hands-on vendor risk management, the Program Tool provides a framework for each element of an effective vendor risk management program. The VRMMM self-assessment enables an organization to evaluate the maturity of their current third party risk program based on a ranking of core program attributes:

VRMMM Framework

    • 1.0 Program Governance
    • 2.0 Policies, Standards & Procedures
    • 3.0 Contract Development, Adherence & Management
    • 4.0 Vendor Risk Assessment Process
    • 5.0 Skills & Expertise
    • 6.0 Communications & Information Sharing
    • 7.0 Tools, Measurements & Analysis
    • 8.0 Monitoring & Review

VRMMM based self-assessments enable a critical focus on third party risk management process maturity, a key input to help prioritize resource allocations in any organization’s annual vendor risk management structuring, enhancement or expansion plans.

The 2019 version of the VRMMM has been expanded to incorporate recent regulatory changes and key topics such as vendor inventories, fourth party management, continuous monitoring, risk posture, and contract modernization. The current Benchmark Survey, open from September 20th until October 16th can give you a significant head start on that self-assessment.

The Power of the 2018 Benchmarking Survey
This year’s Benchmark Study is the first to be based on NEXT year’s Vendor Risk Management Maturity Model (VRMMM), not the current 2018 iteration. The study will release in early 2019 – shortly after the 2019 VRMMM Program Tool becomes available – allowing risk managers to immediately gauge their own practice maturity against industry peers by using survey results compared to the newly expanded 2019 Vendor Risk Management Maturity Model (VRMMM).

The survey results will provide critical data for practitioners to understand where their own program may lag, and to prioritize where additional resources might be utilized most effectively.
Catherine Allen, CEO of The Santa Fe Group and Shared Assessments program stated, “The Vendor Risk Management Benchmark Study is a remarkably powerful tool that risk managers routinely use to understand the relative strengths and weaknesses of their programs. This year’s survey update drills down into continuous monitoring, privacy, data management, and a broad range of additional practices to make the insights even more valuable to third party risk professionals.”

Paul Kooney, a Managing Director in the Security and Privacy practice at global consulting firm Protiviti, notes “Protiviti is excited to team with the Shared Assessments Program to provide one of the most comprehensive benchmark reports providing insights about the overall state of third party risk management practice maturity. Data from this year’s study will be considerably more useful, not just because of the survey’s significantly expanded scope, but because it will provide a current perspective on almost eighty new criteria added to the 2019 VRMMM.”

As always, it’s very important that your organization take the time to thoughtfully complete the Benchmark Survey. Your participation benefits the third party risk management community as a whole by enabling an accurate and updated understanding of the true state of vendor risk management practice maturity. Please join your peers and complete the 2018 questionnaire, open from September 20th through October 16th at: https://www.research.net/r/B7LCCTV?rnid=[rnid_value]&study=[study_value]

Third Parties, Contracts and B...

Tom Garrubba 09-18-2018

While walking outside on my way to an early meeting, between sips of coffee I was additionally jarred awake by a passing car with the music of Van Halen blaring through the speakers. As a fan of “early” Van Halen, I snickered to myself recalling the legend of the “Brown M&M’s” in their contract that was often joked about amongst musicians and DJs. Later that evening as I returned to my hotel room I did some research into the background of the “Brown M&M’s” story and quickly realized its importance with regard to contracts and dealing with third parties.


As many of you will surely know, Van Halen has been one of rock’s premier acts since the 1970s. However, they were also one of the first bands to take on the road such a massive stage show, consisting of, according to the band’s lead singer David Lee Roth, “Eight Hundred and fifty par lamp lights to illuminate the stage”. Due to the size of such a light set they struggled in the band’s early touring years to get the massive rig into many of the older arenas, as their loading dock doors were ill prepared to handle such a massive spectacle. Additionally, “there were many technical errors — whether it was the girders couldn’t support the weight, or the flooring would sink in, or the doors weren’t big enough to move the gear through”. On top of all that, set-up and tear-down times would “grossly exceed” the local union’s overtime limits, largely because of the time it took for the crew to set up and take down the production – all of which added to the cost of touring.


Roth noted that in most cases, the promoter wouldn’t fully read the contract and would therefore fail to take note of the various structural requirements and understand the issues (such as load-bearing stress, electrical amperage, etc.) that could cause serious injury to the band and the crew, and even to the audience.

According to Roth, to help ensure compliance with the contract, they stuck a clause in the technical section of the contract requiring a bowl of M&M’s to be placed backstage, but not containing any “brown M&M’s”. Now this would normally be characterized as a silly “rock star-like demand” being placed on the promoter and venue, but it was actually a rather clever test of whether or not the promoter and other notable parties had thoroughly reviewed and honored the contract in full, including the items in it addressing safety concerns. Roth added that if the bowl of M&M’s was missing backstage, or if brown ones were present, then he and other band or crew members could safely assume that other items in the contract were not reviewed, were glossed over or, worse, were completely ignored. The band members and crew would then be within their rights to have the venue inspect the work, ask that it be redone, and – per the terms inscribed in the contract – even force the promoter to forfeit the entire show at full pay. Their concern for safety was real: not only had equipment been damaged, but according to Roth, several members of their road crew were severely injured due to poor preparation and a lack of appropriate safety measures on the part of the venue.


A great example he provided to drive home this wisdom was when Van Halen played at a university in the Midwest (his autobiography places it in a gymnasium in Pueblo, Colorado, while an online interview with Roth places it in New Mexico). Roth noted “the university took the contract rather casually”, adding further “they had one of these new rubberized bouncy basketball floorings in their arena. They hadn’t read the contract, and weren’t sure, really, about the weight of this production; this thing weighed like the business end of a 747.” He added that they found some brown M&M’s in the candy jar and Roth “went into full Shakespearean ‘What is this before me?’… and promptly trashed the dressing room, dumped the buffet, kicked a hole in the door…” causing approximately twelve thousand dollars’ worth of damage. He stated that they “didn’t bother to look at the weight requirements or anything (in the contract) and this sank through their new flooring and did eighty thousand dollars’ worth of damage to the arena floor. The whole thing had to be replaced.” Clearly, this could have been avoided had the physical requirements for holding such a concert been reviewed effectively, or at all.


On top of the structural damage – that had to be replaced – the press blamed Van Halen for the incident. “…It came out in the press that I discovered brown M&M’s and did eighty-five thousand dollars’ worth of damage to the backstage area”.


Can similar events happen to you? You bet. You may not have to deal with moving massive light and sound fixtures from one town to the next, but how truly confident are you that your vendors really understand what is required of them? Have you built conditions, service-level benchmarks, touch-points, and penalties into the contracts? Are they understood and agreed to by all before the contract becomes fully executed? Part of employing sound principles of contract review is reviewing all documents with all affected parties (both vendor and business line) and making sure that they not only understand the terms laid out in the contract but that they can fulfil all stated obligations.

The final takeaway of this piece is to remind you of the importance of going over the details – you know, those small things which can lead to bigger problems. It’s a good idea to employ the advice from legendary UCLA basketball coach John Wooden who used to say “It’s the little details that are vital. Little things make big things happen.”


So, with that, do you prefer plain or peanut?

It’s Not You. It’s...

Jenny Burke

We’ve all experienced the end of a relationship. Sometimes the two parties involved are no longer compatible. Maybe one party realizes that it just isn’t working out. Or they’ve found someone better. Or perhaps there’s been an unforgivable breach of contract.

Naturally we’re talking about an organization’s partnership with a third-party provider and the importance of mitigating third-party risk. There’s a distinct lifecycle to every business relationship—new relationships, existing and evergreen relationships, renewals and terminations.

Managing third-party contracts can be a delicate matter throughout this lifecycle. When it comes to terminating these contracts, the need to have a well-defined strategy already in place is paramount. A contingency plan built upon established business standards and best practices can help avoid damages, alleviate any reputational risks, and help facilitate a smooth exit.

There are four basic types of termination:

  • Normal: The business relationship is no longer necessary or appropriate
  • Cause: There is irreparable violation of contract terms
  • Convenience: Either you or the vendor has a better arrangement/opportunity
  • Regulatory/supervisory: The vendor cannot live up to regulatory expectations

“Third Party Contract Development, Adherence & Management,” © 2018 The Santa Fe Group, Shared Assessments Program


It’s crucial to ensure that the predetermined terms of the contract are acceptably fulfilled in the final stages of the third-party vendor relationship. This includes any ongoing services with the departing vendor; recovery of work product and intellectual property; data recovery and security; and a seamless transition to the new provider, if applicable.

More specific best practices will need to be implemented if the contract was terminated for cause. For example, was the provider appropriately rated? Did internal controls or assessment methods fail? Was penetration (pen) testing conducted, and were the results evaluated, by credentialed testers? These questions can help safeguard third-party business relationships and guide future contract negotiation processes.

In business, as in one’s personal life, it always helps to have an exit strategy, based on open communication and shared expectations agreed upon from the very beginning.

And, you should probably get that in writing.


A brief chat with Tom Garrubba, Senior Director/CISO of Shared Assessments, The Santa Fe Group

In your experience, what are some of the core reasons that a third-party contract is terminated for cause (i.e. fraud or misrepresentation)? What are some examples?

In most cases [the third party] is just not able to achieve what fits into the agreement. Basic cause is when vendors overpromise and underdeliver. Or if they’re falling way behind and start grossly misrepresenting what they said they could do. We need to monitor the contracts. You should be getting something back from the vendor for not living up to contract expectations.

I was in a situation at my previous employer where we had a vendor that did something kind of crafty. A company can turn to a vendor and say, we don’t really have much of an increase in budget next year so we need you guys to hold on to your fees. So this vendor took its offshore support and shifted it from India to China because it’s much lower cost.

They did it on the backend. They’re still supporting your system but now the cost went from $100/hour to $60/hour and they never told the business unit. They didn’t break the contract per se but what they did was kind of unethical, doing something and not telling us about it. You can’t say at that point, I’m taking my ball and going home. But they were banned from all new projects and not allowed to bid on upcoming projects.


How can a business protect itself to mitigate the inherent risks of working with third-party providers?

Get everything in the contract. Organizations I’ve had conversations with are not very good at it – they’re working in a silo. Sometimes they don’t want to focus on risk because they want to get things up and running.

Expect the Unexpected: 5 Keys ...

Tom Garrubba 08-31-2018

As the European Union’s (EU’s) General Data Protection Regulation (GDPR) May 25 effective date approached this spring, its sweeping compliance requirements socked U.S. companies with major surprises. The regulation’s global jurisdictional reach, EU-specific definition of “sensitive data,” steep penalties, hefty compliance costs, and applicability to customers as well as employees startled more than a few privacy and compliance teams.

Now, as more organizations pivot from achieving compliance to strengthening and refining their GDPR programs, another unexpected – and critical – facet of the regulation must be addressed: the extent to which GDPR elevates third party risk.

Conforming to GDPR requires a methodical approach, and one that should be carefully integrated into a company’s existing third party risk management (TPRM) program. The success of this integration hinges on five crucial considerations. Before weighing those keys to success, it is important to understand how GDPR – and the regulation’s Article 28 requirements in particular – places new requirements on vendors and affects third-party relationships.

The Regulation and Third Party Risk

At its core, GDPR poses numerous new requirements regarding how companies, regardless of their industry or location, manage the personal information of European “data subjects” (i.e. customers and employees). While Google, Facebook and other U.S.-based technology giants must adhere to GDPR, so too must the small Denver-based restaurant chain that attracts European tourists, the fin-tech start-up with an office in Bruges and thousands of other companies.

Complying with GDPR requires organizations to make some fundamental process changes concerning breach notifications, a European citizen’s “right to be forgotten,” the anonymization of personal data and other practices affected by components of the new regulation.

GDPR replaces the EU’s Data Protection Directive, which had been the basis for EU laws that govern data privacy. It is important to note that an EU regulation is legally binding in each Member State, whereas an EU directive identifies results each Member State is required to achieve through national laws that each state can develop on its own. Many of the ways that GDPR differs from the previous directive ultimately require vendor risk management capabilities to be updated and enhanced. These changes include:

  • The extension of legal obligations to service providers (which the regulation refers to as “data processors”);
  • A broader definition, or “higher classification,” of personal data (“sensitive data”) that must be protected;
  • New operational requirements for data processing;
  • Severe consequences for violations, including a maximum fine amounting to the greater of €20 million or 4 percent of global revenue; and
  • A new set of requirements for third party data processors, as laid out in GDPR Article 28.

GDPR also introduces new terminology. Three of the most important phrases include:

  • Processing: Any operation or set of operations – automated or manual – performed on personal data, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure and more;
  • Data Controller: The entity (i.e. a company) that determines the purposes, conditions and means of the processing of personal data;
  • Data Processor: An entity (i.e. a vendor) that processes personal data on behalf of the controller.

This represents a brief summary of the regulation, which comprises 11 chapters and a total of 99 articles, or subtopics. Of course, managers responsible for GDPR compliance should read through the entire regulation. Article 28 requires closer scrutiny for companies and, even more so, for vendors that qualify as “processors” and must comply with new rules presented in that section (See “Getting a Read on Article 28”).

Integrating GDPR

Conforming to GDPR requires a comprehensive, multi-step process that works in conjunction with an organization’s existing vendor risk management program. (A tool to evaluate this type of program against best practices is available here: https://sharedassessments.org/vrmmm/.)

At a high level, organizations should begin with scoping to identify critical vendor relationships that are involved in GDPR compliance. Once these vendors have been identified, organizations should:

  • Understand which GDPR regulations apply to the vendor;
  • Assess the third party’s GDPR readiness;
  • Assess the third party’s overall security posture;
  • Track how the vendor retains, accesses and transfers sensitive data;
  • Address contract provisions to ensure they reflect GDPR requirements;
  • Define key compliance artifacts for due diligence response; and
  • Conduct testing of key privacy controls.

Follow the Data and other Drivers of Success

While a methodical approach to GDPR compliance is crucial, there are several other considerations and practices that have proven helpful in adapting third party risk management programs to meet GDPR requirements. Most of the following perspectives and activities also help strengthen third party risk management programs:

  1. Distinguish processes from procedures: One of the most frustrating – yet most valuable – aspects of vendor risk management involves the reconciliation of relevant business processes (i.e. how they are executed in practice) to procedures (i.e. documentation that identifies how processes should be performed). When I help an organization address GDPR or TPRM more broadly, my first question zeros in on how things work in practice: Walk me through your processes. My goal is to find out how processes are performed before I look at how that same process is documented in a formal procedure. There are often discrepancies for a number of reasons. For example, procedures frequently have not been updated to reflect process and technology changes. These gaps must be identified and eliminated. After all, procedures represent the record that enforcement teams use to hold your organization accountable.
  2. Follow the data – and the 80/20 rule: Given how data-driven most organizations have become, keeping a lid on GDPR compliance costs hinges on identifying which systems, applications and data pose the greatest risks. Once compliance teams have evaluated the technical and administrative controls supporting the (roughly) 20 percent of systems that contain 80 percent of GDPR risk, they can expand and refine their scrutiny.
  3. Consider the total cost of non-compliance: In some cases, organizations – especially small- to mid-sized companies contending with resource limitations—may elect to assume some third-party risks rather than spending heavily to protect certain data. This assumption of risk is typically based on the calculation that the cost of the risk materializing would be less than the cost of mitigating it. When this approach is being considered, risk and compliance teams should be sure to include the potential for reputational risk in their calculations. The reputation risks that arise following a major data breach vary by company; these risks are difficult to estimate, but they can be severe. One company’s shareholders and customers may shrug off a cyberattack. Another company, even one in the same industry, may see its share price plummet and its CEO marched before a Congressional hearing (before being sacked by the board) following a similar incident.
  4. Define third parties broadly: GDPR Article 28 makes it clear that an organization’s data-related risk management activities extend beyond its four walls to vendors that process sensitive data. Risk and compliance teams should keep in mind that the types of vendors that process sensitive data extend beyond technology companies. Law firms and consulting firms, for example, routinely have access to organizational data.
  5. Vendors continuously evolve — so should conforming to GDPR: Achieving GDPR compliance is not the same as sustaining GDPR compliance. The same external disruptions and internal changes creating gaps between your own business processes and written procedures are occurring within your data processors and other critical vendors. It’s perfectly fine to give the neighbor’s 12-year-old son your house key so he can feed your cat when you take a vacation. It may not be so prudent to continue to entrust that young man with access to your house after he’s arrested for burglary a few years later. The most effective GDPR programs, as well as the best TPRM programs, contain some form of ongoing monitoring of changing vendor processes and vulnerabilities.

A systematic approach to GDPR compliance and its careful integration into a formal TPRM program, combined with an awareness of effective compliance practices, can help companies sidestep the confusion and misperceptions that accompany sweeping regulatory changes. This holds true for GDPR, which despite how it has been reported in many news outlets, is actually not “new” at all. The regulation’s lengthy text has been available to read and assess for more than two years; May 25 marked the first day that the EU could begin enforcing it.

SOC it 2 Me … One More Time...

Linnea Solem 06-25-2018

It’s that assurance time of year again as organizations are kicking into the implementation of their 2018 external audit engagements. We are now under the six-month timeline for new SOC standards to be in place. This is the third year in a row I’ve written about changes in external audit reporting standards that impact service provider controls and executing external assurance engagements. Each year the changes drive maturity, transparency and stronger governance into the process, but also create confusion and need for knowledge. So, let’s dust off the boxing gloves and understand the new assessment protocols that will be in place once we jump back into the audit boxing ring.

Acronyms, Terminology & Methodology – Alphabet Soup
Heavyweight sports fans know terms like Knockout (KO), Clinch, Down & Out, Fall Through the Ropes, Sucker Punch and Throw in the Towel. Prizefighter auditors and assurance practitioners understand terms like AICPA, Attestation, SOC, SSAE18, TSC, CSOC, Carve-outs, Subservice organizations and Qualified Opinion. Information security and IT professionals rely on frameworks like COSO, NIST, and COBIT.

While the terms are quite different, the work effort to simply navigate audit standard changes easily invites emotional comparisons to a few of those boxing terms, especially for the non-accountant. Let’s level set on a few of the key concepts that are changing within SOC engagements, but from a more sports fan or business user point of view.

The American Institute of Certified Public Accountants (AICPA) is the national professional organization that sets ethical standards for the profession and U.S. auditing standards for audits of private companies, non-profits, and governments. They have updated their standards and protocols for audit engagements to align with the 2013 Committee of Sponsoring Organizations (COSO) framework which was designed to assess the design, implementation, and maintenance of internal controls and assess their effectiveness. COSO frameworks are traditionally part of the SOX compliance program for financial accounting of public companies.

The changes in SOC audit reporting will be effective for audit periods ending on or after December 15th, 2018. That means the changes will be effective for all engagements in 2019, triggering readiness, migration, and process changes in 2018. During this transition, for audit engagements executed in 2018, a company can choose to early adopt the new criteria structure or continue with the current Trust Services Principles.

Report Changes and Updated Naming Conventions
The methodology standards set out in the SSAE18 framework will now apply to all SOC2/SOC3 reports. Those changes include the requirements to clarify control ownership when there are subcontractors or sub-service organizations in scope for the system being assessed. With the remapping effort to the COSO framework, additional terminology changes for SOC audit reports have been defined:

  • SOC: Was Service & Organizational Control and is now System & Organizational Control.
  • SSAE: Statements on Standards for Attestation Engagements.
  • TSPC and TSC: Trust Services Principles & Criteria (TSPC) are being renamed Trust Services Criteria (TSC).
  • Principles & Categories: Principles will now be called categories, but they still focus on security, availability, processing integrity, confidentiality, and privacy of a system.
  • Risks/Controls: Within the report structure and protocol, the assessor will now use the terminology of “points of focus” for the specific control topic area being reviewed.

A SOC2 report must include the Security Category, with all the Common Criteria, and may include the additional categories. Each category has its own unique criteria to be met as part of the audit. These changes expanded the number of common control criteria and streamlined some of the additional criteria in the Trust Services Categories.

Changes to the Criteria for Audit Engagements

It is important for all organizations to prepare for the new requirements and to build out process maturity in conjunction with this year’s audit engagement. The requirements will apply to service providers who use a SOC report to provide assurance to their clients, but they will also trigger changes to the processes a service provider uses to get assurance from its fourth parties.

Implications for Service Providers
External assurance audit reports are a mechanism to provide independent assurance and testing of controls. Each service provider defines the type of audit engagement needed to meet its client contractual obligations based on the systems and services that are outsourced. With the growing focus on cyber security and enterprise risk management, many of the changes in common controls have broadened beyond traditional IT controls or public company financial controls. The shift to include risk management functions and programs, including operational risk management programs, will trigger the need for additional control owners, compliance documentation, and processes to be tested.

There are eight new common criteria related to the alignment with COSO principles:

  • Board oversight
  • Use of information to support internal control
  • Sufficiency and clarity of the entity’s objectives
  • Identification and assessment of changes
  • Controls deployed through formal policies and procedures
  • Procedures to identify new vulnerabilities
  • Business disruption risk mitigation
  • Vendor and business risk management

Third party risk management functions may be implicated in many of these criteria, but the focus on Vendor and Business Risk Management as a common control in scope for all engagements shows the growing attention to third party risk. The inclusion will provide a deeper dive into the third-party risk management program structure, implementation, governance and risk reporting. The third-party risk management program elements that will be assessed, audited, and tested include:

  • Requirements for Vendor and Business Partner Engagements.
  • Vendor and Business Partner Risks.
  • Responsibility and Accountability for Managing Vendors and Business Partners.
  • Communication Protocols for Vendors and Business Partners.
  • Exception Handling Procedures for Vendors and Business Partners.
  • Vendor and Business Partner Performance.
  • Procedures for Addressing Issues Identified During Vendor and Business Partner Assessments.
  • Procedures for Terminating Vendor and Business Partner Relationships.
  • Process to obtain Confidentiality Commitments from Vendors and Business Partners.
  • Assessment process for Compliance with Confidentiality Commitments of Vendors and Business Partners.
  • Process to obtain Privacy Commitments from Vendors and Business Partners.
  • Assessment process for Compliance with Privacy Commitments of Vendors and Business Partners.

Each of these operational processes is part of the implementation of a third-party risk management program structure. However, making the controls auditable and testable will require not only compliance documentation but also artifacts and testing of the controls, to provide auditors with evidence that the third-party governance program requirements have been implemented. Multiple regulatory drivers are triggering changes to mature the third-party risk governance process. Creating an external assurance maturity calendar requires taking a long view, embedding into readiness this year what will be tested next year.

Business Readiness
While it can be easy to feel like throwing in the towel, the reality is the SOC boxing matches will continue, and evolve as new scoring mechanisms are defined. Here are six readiness steps to tackle, one per month to avoid feeling on the ropes or down for the count while you prepare for an audit of your third-party risk governance program.

    1. Policies: Review and create a comparison of the Vendor and Risk Management criteria to your Third-Party Policies and Procedures. Plan for any additional compliance documentation and process maps needed.
    2. Employee Knowledge: Prepare employees who manage controls by sending out a self-assessment of their understanding of the roles, accountabilities and governance for third party risk. Update control owners, assess internal expertise and identify gaps.
    3. Technology: Conduct an assessment of your current GRC tools to prepare for any IT or configuration changes.
    4. Benchmark: Refresh the benchmarking of your Third-Party Program’s maturity against the Vendor Risk Management Maturity Model.
    5. Risk Reporting: Review existing scorecards, dashboards and management reporting on third party risk governance and identify changes to meet the new common criteria.
    6. Process Refinement: Embed security, confidentiality, and privacy commitment processes into a common third party continuous monitoring process.

Yes, audit standard changes can feel daunting and complex. However, just as there are weight classes in boxing to make the fights fair, assessing a third-party program is also risk based. Focus on the critical activities, critical services, critical controls, and critical third-party relationships. Most of these requirements are not dramatically new; they simply drive into the third-party risk governance program the same maturity that has been in place for financial controls.

Linnea Solem is a former Shared Assessments Program Steering Committee Chairperson and current Advisory Board Member. She is the President and Founder of Solem Risk Partners, LLC, a management consulting and advisory services company focused on Third Party Risk Governance, Privacy Program Management, and Enterprise Risk Management.

Cybersecurity and National Sec...

Sylvie Obledo 05-29-2018

The tone of resilience followed the 11th Annual Shared Assessments Summit to the Santa Fe, New Mexico home of Catherine A. Allen, Chairman and CEO of The Santa Fe Group. Recovering from an email hack, Cathy hosted sixty guests who enjoyed her signature Missouri ham, dined al fresco in the courtyard as the sun set, and listened to an esteemed panel of subject matter experts speak about Cyberwarfare and National Security: What Americans Need to Know.

Senator Jeff Bingaman, former US State Senator from New Mexico, reinforced the importance of cyber issues and the urgent need for Congress to understand this importance. He introduced the evening’s panelists including:

  • Catherine A. Allen, The Santa Fe Group
  • Mark Fidel, Co-Founder of RiskSense, Inc.
  • Damon Martinez, Former U.S. Attorney and Congressional Candidate
  • Valerie Plame, Former CIA Operative, Author and Cyber Expert

Damon Martinez, former U.S. Attorney and Congressional candidate, covered cyber threats to our democracy, the evolution of protection technologies, protecting voting machines and the undermining of the fundamental basics of our democracy. He spoke about the role of New Mexico’s National Labs, airspace and missiles, and, in his handout entitled “Emerging Threats: Russian Interference in U.S. Elections and the New Frontier of Cyber Security”, showed how Russia developed technology strikingly similar to ours after we had developed it first.

Mark Fidel, Co-Founder of RiskSense, Inc., focused on vulnerabilities, including threat and vulnerability management, election systems vulnerabilities, and the supply chain of digital information that serves the labs in and out of New Mexico. Citing the issues surrounding our election system, Mark described the various vendors involved with the management of the voting process and his commitment to shoring up our systems to protect our democracy and to ensure a fair, free, and accurate election process.

Valerie Plame, former CIA operative, author, and cyber expert shared her expertise in nuclear proliferation and experience with The New War: Cyberwarfare. Valerie described the relationship between international security and cyberwarfare, our adversaries, and why we should be concerned about Iran, North Korea, China and Russia. Speaking to the gray area between war and peace, she explained the financial benefits of war to a few versus the low profit margin of fighting cyberwarfare.

Catherine A. Allen, Chairman and CEO at The Santa Fe Group and corporate board director, explained the concerns around cyberwarfare and critical infrastructure as well as the impact of cyber tactics. Sitting on several boards including that of El Paso Electric Company, Cathy knows the corporate perspective on cyberwarfare. She described the impact of fake news with a visual graphic in hand and reinforced the importance of data integrity. In addition to the media-bias chart, The Santa Fe Group provided handouts and multiple relevant materials to guests, including Cathy’s “Cyberwarfare and Critical Infrastructures” and the Ponemon Institute’s “Second Annual Study on The Internet of Things (IoT): A New Era of Third-Party Risk”, sponsored by Shared Assessments, a program under The Santa Fe Group umbrella. Handouts quickly moved into guests’ hands as Cathy emphasized that protecting one’s personal and company assets is a must in today’s world of new warfare.

Stating that there are not enough people in public policy who are aware of cyber issues and their associated impact, the panelists recapped their concerns and suggestions as:

  • Heighten awareness of one’s own biases – go far and wide and beyond
  • Education is key
  • Think
  • Stay strong and informed
  • Voice your concerns about cyberwarfare and the threat to our democracy and safety to your Congressmen
  • Vote

The sun set. And as guests left, they left more aware of cyber threats than when they arrived, with a tone of resilience.


Sylvie Obledo is a Project Manager with The Santa Fe Group, Shared Assessments Program. As Project Manager, Sylvie facilitates thought leadership and collaboration of leadership teams and a variety of groups including the Continuous Monitoring Working Group and Vertical Strategy Groups in industry sectors including Asset Management, Consumer Product Goods, and Insurance. Her scope of work requires creative problem solving, planning, organization, and managing multiple timelines.

Summit Day Two: Recap...

Jenny Burke 05-21-2018

If you haven’t already seen our 11th Annual Shared Risk Assessments Summit Day One recap, read it now. Day two of the Summit was equally educational and our line-up of all-star speakers did not disappoint as we dove deeper into exploring the theme of resilience within the third party risk community and beyond.

Breakfast with Bitsight

Day Two of our 11th Annual Shared Risk Assessments Summit began with a breakfast case study presented by Bitsight. The case study posed the question “Is it possible to improve the security of existing vendors without contract changes or requirements?” This imperative question had us all thinking about how we should better communicate our initiatives to management, with the note that collaboration does not work with bad data.


Slow Down to Speed Up

After breakfast, we had the pleasure of hearing from Wafaa Mamilli, Executive Technology and Digital Leader, Eli Lilly, on Fostering Resiliency from Within Your Organization. One concept Wafaa stressed was the need to slow down in order to speed up. It’s crucial to our organizations and our teams to take the time to have development days, regardless of how busy things are at the office. In order to achieve operational excellence, we need to take a step back, examine our team of teams, and think about how we can best work together based on our strengths and weaknesses.


WWDSW

Next, we began our first panel discussion of the day on Privacy and GDPR. With the impending May 25th GDPR deadline, this panel could simply not be overlooked. Moderated by Linnea Solem, Founder and CEO, Solem Risk Partners, the panelists included: Lisa Berry-Tayman JD, Sr. Manager, Privacy and Information Governance, CyberScout; Nathan Johnson, Advisor – Global Privacy Office, Eli Lilly; and Andrew McDevitt, Senior Privacy Analyst – Global Privacy Office, Northrop Grumman. One key takeaway from this panel discussion was that you can outsource your work, but you can’t outsource the responsibility that comes with it. In times of doubt, Lisa Berry-Tayman JD suggested that we ask ourselves, “What Would Data Subjects Want?” Half-jokingly, she mused that we make bracelets with WWDSW imprinted on them, serving as a constant reminder to put the data subjects first—there should never be anything unexpected happening to their data.


Stopping Silos

Following this entertaining, yet informative panel, we moved on to our second panel discussion of the day: Trends in Risk Rating and Continuous Monitoring. Emily Irving, Assistant Vice President, Manager, Enterprise Third Party Risk Management, Wellington Management, moderated the panel, which included Jonathan Dambrot, CEO and Co-Founder, Prevalent, Inc.; James Gellert, Chairman and CEO, Rapid Ratings; and Atul Vashistha, Chairman and CEO, Neo Group & Supply Wisdom. The panel stressed that risk doesn’t just happen in one isolated part of a company. A company that is weakening in particular is going to be cutting corners and investing in other areas, which could expose it to more risks and negatively impact cyber security down the road. While there’s no way to catch everything, having the proper systems in place to monitor the company more closely is crucial—a community-driven effort is the only way to mitigate third party risk.


Program Update

Following a brief Exhibitor Networking Break, we heard from our own Robin Slade, Executive Vice President and Chief Operating Officer, who moderated panelists Shawn Malone, Shared Assessments Chair and Founder and CEO, Security Diligence, LLC, and Glen Sgambati, Shared Assessments Program Vice-Chair and Customer and Industry Relations Executive, Early Warning Services, on Shared Assessments program updates. One of our main questions to attendees was their preference on the format of our Certified Third Party Risk Professional (CTPRP) designation from the Shared Assessments program—in-person, or online? If you have a strong opinion on this matter, feel free to contact us and let us know… we’d love to hear from you!


SAI Global Case Study

After learning more about our Shared Assessments program, we were presented with a case study from SAI Global, which focused on traceability in the supply chain, citing examples from the pharmaceutical industry.

The Bottom Line

The Day Two lunch buffet was just as delicious as the first, and during the break, attendees had the opportunity to check out two different Solutions Showcase sessions, one presented by Opus, and the other by RiskRecon. After the break, we began a panel discussion entitled Third Party Risk Research Update, which was moderated by our own Gary Roboff, Senior Advisor, and included panelists Rocco Grillo, Executive Managing Director, Stroz Friedberg; Charlie Miller, Senior Vice President, The Santa Fe Group; Paul Kooney, Managing Director, Protiviti, Inc.; and Dr. Larry Ponemon, Chairman and Founder, Ponemon Institute. The panel focused on IoT and risk. When it comes to risk, it’s not just the regulatory data, it’s the disruption of business and availability. Nothing hits a company harder than the impact to its revenue. Whether you’re a Fortune 500, a midsize company, or a mom and pop, if your bottom line is getting hit, your company will receive negative attention.


The Three C’s

Following the final exhibitor networking break of the Summit, we heard from an all-star female panel consisting of Wafaa Mamilli, Executive Technology and Digital Leader, Eli Lilly; Anne Lim O’Brien, Global CEO & Board Practice and Global Consumer Practice, Heidrick & Struggles; Ceree Eberly, Former Senior Vice President and Chief People Officer, Coca-Cola Company; and Elena Steinke, Director, Women’s Society of Cyberjutsu, which was moderated by Joyce Brocaglia, CEO, Alta Associates. One of the key takeaways from this panel discussion on Talent Management was how soft skills play a key role in team dynamics. Additionally, in order to be a part of the boardroom, employees need to exhibit the “three C’s”:

  • Curiosity
  • Courage
  • Collegiality

It is with these three “C” characteristics that employees can become agile learners who thrive in the workplace.

Will Machines Replace Us?

After this lively discussion, we moved on to the last panel discussion of the Summit on data science/analytics, AI, and ML with panelists Vicki O’Meara, President and CEO, Analytics Pros, and Stephen Boyer, Co-Founder and CTO, Bitsight Technologies.

While consumers enjoy the personalization of their shopping and living options thanks to marketing data, what’s the appropriate use of this data, who owns it, and how do we put a governance process in place? In addition to these questions, the panel had our attendees deep in AI speculation, asking the following questions:

  • How will the essence of what we’re creating be helpful, not hurtful?
  • How will human ethics be encoded into self-driving vehicles?
  • Will machines replace us?

Concluding the 2018 Summit

The final panel definitely gave us a lot to think about as we concluded the day. The event ended just as it had begun, with remarks from our CEO, Catherine Allen. From there celebratory drinks, hors d’oeuvres, and even karaoke were enjoyed at the closing reception.

Save the date for April 10-11, 2019 for the 12th Annual Shared Assessments Summit.

#SAProgram19

Shared Assessments Releases Ne...

Charlie Miller 05-15-2018

Shared Assessments has released new Standards for Performing a Standardized Control Assessment (SCA). The Standards were developed during the past year by a task force comprised of Steering Committee members and staff, and were repeatedly vetted with senior practitioners to ensure they were both reasonable and accomplished the primary goal of improving the consistency of the SCA assessment process.

These new standards are intended for use by any third party risk assessor that utilizes the 2018 (and subsequent) Shared Assessments Standardized Control Assessment (SCA) procedures – formerly the Agreed Upon Procedures (AUP). The SCA is a carefully honed and objective set of testing procedures designed to validate the effectiveness of third party controls through onsite testing. SCA test procedures have been reviewed and updated annually since 2005 and align with the Shared Assessments Standardized Information Gathering (SIG) questionnaire.

The SCA Standards will be used by members of the Shared Assessments Program, tool purchasers and assessment firms (including Certified Public Accounting firms) who hold license to the SCA procedures. They cover: the purpose; objectives; participants; scope of work; assessor qualifications; limitations; assessment process; reporting; sharing of reports; and quality assurance practices to be followed when performing SCA procedures.

Highlights of the new standards include:

  • Participants: The Assessee and/or the Outsourcer must hold a license to use the SCA, and the Assessment Firm (Assessor) must be a member of the Shared Assessments Program and hold a license to the SCA.
  • Assessor Qualifications: The Lead Assessor for an SCA Engagement must hold a Shared Assessments Certified Third Party Risk Assessor (CTPRA) Certification and a Certified Third Party Risk Professional (CTPRP) Certification.
  • Reporting: The Assessor will utilize the SCA Report Template to document the results of the SCA Engagement.
  • Sharing of Reports: Participants will agree upon any restrictions, limitations or requirements for sharing the SCA Report as part of the contract process.
  • Quality Assurance: The Outsourcer or Assessee will ensure that the Assessment Firm has performed the engagement in accordance with its own internal quality assurance practices and verified that the Assessment Firm is a current member of the Shared Assessments Program.

The compliance date for adherence to SCA Standards is December 31, 2019.

Summit 2018 Day One: Recap...

Jenny Burke 05-08-2018

Our 11th Annual Shared Risk Assessments Summit took place on April 11-12 at the Ritz Carlton in Pentagon City, VA and brought together thought leaders throughout the risk industry. The theme of this year’s Summit was resilience, and our 300+ attendees were able to hear from subject matter experts across an array of different industries on how to stay resilient amongst an abundance of new concerns.

Opening Remarks

The day started with opening remarks from our CEO, Catherine Allen, who discussed these new concerns, namely, cyber warfare, fake news, supply chain disruptions, AI, and IoT, and how to focus on detection strategies—we live in an era of when, not if. Following her opening remarks, she introduced our keynote speaker, and first ever recipient of our new Lifetime Achievement Award, Richard Clarke.

The Importance of Cassandras in Risk

Clarke, CEO of Good Harbor LLC, explained the importance of “Cassandras” in assessing risk. AI, genetic engineering, and the IoT are all current fields where experts have data that proves we are going to have significant problems, but nothing is being done about it.

When it comes to risk management at the national and corporate level, these outlier experts are being ignored. Clarke stressed the importance of systematically looking for Cassandras and being willing to listen to them, despite the risk seeming outlandish, or even laughable.

While we don’t necessarily need to believe the Cassandra, we do need to give them enough credibility to show the data. Companies may need to adjust so that when they start to see what the Cassandra is predicting, they’ll already have contingency plans in place. As risk professionals, we need to take heed of the Cassandras, start making decisions, and reallocating resources in order to do things differently and mitigate the effects of catastrophic events.

New Vulnerabilities

Following Clarke’s eye-opening keynote, we began our first panel discussion entitled, “The Future is Now: Emerging Technologies and the Impact on Controls.” The panel, moderated by Joe Prochaska, Synovus Financial Corp, included Holly Dockery, Sandia National Laboratories; Catherine Lotrionte, Georgetown University; and Jeff DeCoux, Hangar Technology. The panel focused on Artificial Intelligence (AI) and Internet of Things (IoT)—one of the main takeaways was the vulnerability that these new devices open us up to, and how manufacturers need to step up and involve the entire management team when evaluating the risks and exposures of their devices. Everyone should have visibility into what their technology can do and what the risks could entail.

Frameworks to Make the Dream Work

After a brief networking break, we began our second panel discussion on “Third Party Risk Frameworks.” The panel, moderated by Roger Parsley, Deutsche Bank, included Mark Holladay, Synovus Financial Corporation; Lin Lu, Freddie Mac; and Renee Forney, Capital One; and focused on how third party risk management fits into different organizations. The panel agreed that we are in a new era of risk management, so it’s crucial to increase our skills and expertise in order to fulfill our responsibilities, no matter what the size of our organization. While risk classifications have changed over time, tiering is still important and mission critical vendors are integral to our risk framework, whether we’re at a small company, financial institution, or enterprise corporation. Lin Lu, Freddie Mac, said it best when she stated, “…third party risk is no different than any other risk.” Additionally, the panel touched on how emerging technologies are impacting how we handle third party risk and the importance of scalability. Organizations need to ask themselves:

  • What risks do we have?
  • What risks are we willing to take?
  • What risks are we not willing to take?
  • How does that impact the strategic goals of our business?

Believe in Your Mission

Following the frameworks panel, we enjoyed a case study presented by Prevalent. Brenda Ferraro, Senior Director, led the discussion with customer Bob Maley, Senior Strategist at PayPal. Maley stressed the importance of understanding your company’s mission—if you’re building a program that’s driving your mission, when the regulators and examiners come in, it’s going to be easy. He also introduced the concepts of Chen, the things that everybody knows you do, and Chi, the unexpected, and explained how they relate to risk—if we do the same things over and over, the chen and chi flip. We have to figure out unique ways of staying ahead and understanding the risk of our vendors.


Making a Vendor Naughty List

After a delicious lunch buffet, and Solutions Showcases presented by Prevalent and Security Scorecard, we returned to hear insights on third party risk and resiliency from industry thought-leader Jim Routh. Routh gave us the frightening example of “Tina and Tony,” the office manager and broker who did not go through the proper authentication processes when using Amazon Web Services. Since “Tony” did not like passwords, there was no encryption or logging, which led to a security researcher finding and publishing the data, ultimately leaving him without a business. The main takeaway from Routh’s presentation was the need to educate our third party vendors on their configuration of cloud controls. Finally, if you don’t have a vendor naughty list, you should—vendors need to be held accountable to the same high internal standards.


Will China Overtake Us?

Perhaps even more frightening than Routh’s “Tina and Tony” example were John M. B. O’Connor’s thoughts on supply chain risk. O’Connor, Chief Executive Officer, J.H. Whitney Investment Management, LLC, highlighted the fact that we’re stepping into an unknown domain of technological complexity and the need to pivot hard and fast to global geo-politics, or risk being overtaken by China. O’Connor even cited how Henry Kissinger spent the majority of his career making sure the US was always more important to China than Russia. We need to widen our aperture and observe more broadly in order to put ourselves at the strategic level and fight at the strategic level.


People are the Problem… And the Solution

After this frighteningly eye-opening presentation, O’Connor joined our next panel discussion, which included Jim Routh, Chief Security Officer, Aetna, and Rocco Grillo, Executive Managing Director, Stroz Friedberg, for a discussion on resiliency. They highlighted how people are our biggest strength, but also our biggest vulnerability. We have to use the innovation in technology to shrink the threat of risk and acknowledge that behaviors at every level are subject to continuous monitoring. Redundancy is expensive and useless—we need to define resilience, create a sense of community that can endure stress, and have faith in the resilience of these community members to be strong enough to let go of the superficial senses of privacy.

Maintaining Personal Resilience

Following a brief networking break where attendees were able to mingle with our exhibitors, we returned for a heart-warming discussion on personal resiliency with Ambassador (ret.) Mary Ann Peters, Chief Executive Officer, Carter Center. According to Peters, who has had a long and rewarding career where she had to quickly adapt to different cultures, the top 5 keys to personal resilience are:

1) Be flexible and adapt to change
2) Embrace ambiguity
3) Get tough, but stay charming
4) Learn from mistakes and failures
5) Focus on helping others


Get Your Regulatory Geek On

Day one concluded with a panel discussion on the regulatory landscape, moderated by Ken Mortensen, Data Protection Officer, InterSystems Corporation, with panelists Valerie Abend, Managing Director, Accenture Security; Kevin Greenfield, Director for Bank Information Technology, Office of the Comptroller of the Currency; and Adam Greene, Partner, Davis Wright Tremaine LLP. As we watched Abend get her “regulatory geek” on, we were asked to contemplate our responsibilities in terms of the broader environments. As third party risk analysts, we need to push the needle a bit more, ask ourselves where we are going to start to fix some of the problems, and ensure that we’re operating at the level we need to operate with the level of assurance that every one of our parties is going to be confident in.

Celebrating Day One

We ended the first day of the conference with a reception, sponsored by SecurityScorecard—appetizers, refreshments, and networking with other risk professionals were the perfect conclusion to day one of our 11th Annual Shared Assessments Summit.

Stay tuned for our summary of day two!

What Would Data Subjects Want?...

Linnea Solem 04-19-2018

Last week at the Shared Assessments Annual Summit on third party risk, I had the chance to co-facilitate a half-day workshop on The Pivot to Codification of Best Practices of Third Party Risk Management Best Practices, plus moderate a discussion panel on the current privacy landscape. Not surprisingly, GDPR was top of mind for many of the over 300 third party risk professional attendees, but so was digital privacy, a topic not often deeply discussed when addressing the tenets of third party oversight. But, as risk professionals know, timing is everything. Having a third-party risk summit in Washington D.C. during testimony by Facebook Inc. CEO Mark Zuckerberg made for lively and thought-provoking dialog by participants.

While the starting point of the dialog was the state of GDPR readiness, the overarching themes started to emerge in a broader context. So, let’s get the GDPR discussion out of the way first, and then turn to the tipping point we experienced in our workshop and panel.

Five things on GDPR

  1. GDPR enforcement is close – the grace period is ending
  2. GDPR is complex due to unintended consequences
  3. There are no simple guarantees to determine if your vendors are GDPR compliant
  4. Following the data daisy chain is daunting to determine GDPR scope
  5. It’s a cloudy legal environment – GDPR guidelines require context and interpretation

Data maps, data protection impact assessments, data transfers, breach notification, and subcontractors are familiar concepts to most Information Technology, Security, and Risk Professionals. Whether requirements are coming from GDPR, OCC, NY DFS Section 500 or SEC Cybersecurity Disclosure Guidance, the expectations for third party risk oversight are maturing along common themes.

The hype on GDPR has been the fear in the C-Suite of the potential for 4% fines and the burden it will place on many organizations to address new obligations. However, the GDPR constructs of “Data Controller” and “Data Processor” roles are becoming a more accepted framework internationally when looked at from the data subject point of view. Implementing data portability and the right to be forgotten are absolutely requirements focused on the rights of the data subject. At its core, GDPR is all about privacy rights, which goes beyond a compliance checklist and speaks to the culture and ethics of organizations. Focusing only on meeting the “legal” obligation vs. doing what is “right” can be short sighted.

Many organizations may be missing the chance to treat GDPR readiness as an opportunity to affirm customer trust. Transparency and disclosure of consumer privacy rights should not be looked at simply as a compliance burden, but as an opportunity to send a positive message to customers. Don’t let the customer or data subject become the last area of focus in your readiness and GDPR program management plan.

The consumer theme became even more apparent due to the serendipity of having risk management sessions amid congressional Facebook, Inc. testimony. The questioning on data sharing and usage disclosures requires looking at this not only from an organizational but also from a consumer’s rights point of view. While the audience makeup was more technology savvy than at other conferences I have attended, it was sadly amusing to see how little some of our D.C. legislators knew about how social media works. Data sharing platforms are designed to deliver customized content. The purpose of the platform is collecting and using data to sell content and provide a consumer application. Customization can’t occur without collecting and using elements of data. I think the concept of consent, and how it is obtained, will be the broader implication for reconciling U.S. Privacy Law and EU based models.

We are living in a mobile world that is becoming even more digitally connected, with layers of third party relationships involved in the internet ecosystem. That genie is out of the bottle to use a tired expression, but now that genie is in the cloud, and there is not any going back to the days of analog.

Five things on Digital Privacy

  1. Make sure that social media/web marketing providers have contracts that outline not only their obligations but the limitations they must adhere to.
  2. For marketers, educate within your organization on the differences between explicit and implicit consent. Likely your own C-Suite may not understand those differences and the limitations on data utilization.
  3. Remember that customers have a short attention span and memory of what they agreed to when they signed up for a service. Don’t just inform when a change has occurred but put reminders into ongoing campaigns.
  4. Privacy is personal. Just like there are different risk appetites, there are different privacy appetites. Recognize that you must think about customers from both ends of the privacy risk continuum.
  5. Don’t just hide the terms in the click agreement – enable privacy preferences with easy to use options. Put the consumer or data subject first.

Our closing privacy take-away for the attendees was to get yourself a rubber bracelet, of the kind commonly used to promote causes, but this time your cause is the consumer or data subject. That privacy bracelet, “What Would Data Subjects Want,” is your litmus test for assessing requirements, changes, or interpretations in those gray areas of privacy compliance. So, wear your privacy bracelet with pride as a constant reminder as you navigate the upcoming year of change in privacy and data protection! #WWDSW

Privacy Panel: (Moderator) Linnea Solem, President, Solem Risk Partners, LLC and Advisory Board Member and Chairperson of the Shared Assessments Program Privacy Working Group; Andrew McDevitt, Sr. Privacy Analyst, Northrop Grumman; Nathan Johnson, Sr. Privacy Manager, Eli Lilly and Company; and Lisa Berry-Tayman, Sr. Manager, Cyberscout Solutions.

The Fraud Implications of Weak...

Bob Jones 03-19-2018


By Bob Jones, Senior Advisor, The Santa Fe Group


There are three different aspects of fraud that are relevant to third parties. The first is defalcations by the third party’s employees exploiting inadequate internal controls. The second is fraud perpetrated by the principals of the third party. The third, and most common, is data breaches perpetrated by both insiders and outsiders.


As a Certified Fraud Examiner, I subscribe to the Fraud Triangle, defined by noted criminologist Donald Cressey, that describes the three causative elements of occupational white-collar crime. The elements are: pressure (usually an unsharable financial need); perceived opportunity; and the ability to rationalize the act.


Typical rationalizations include: “I’m just borrowing it and will pay it back”; “They’ll never miss it”; “Everybody does it”; “They owe it to me”. The greater the person’s need, the less opportunity he requires to act. Conversely, the greater the perceived opportunity, the less need required to act.


Understanding the fraud triangle illustrates the white-collar crime truism that only a trusted employee will steal. I am occasionally engaged by banks to provide independent expert testimony in litigation involving fraud claims. In the last few years most of the lawsuits I have been involved in have been brought against banks by small to mid-sized businesses alleging that their business’ losses arose from their employees’ embezzlements that were facilitated by the bank’s failure to detect those actions. Quite frequently, however, my bank clients are able to show that the embezzlements resulted from the business customer’s employees’ exploiting the lack of effective internal controls at the customer’s level.


Another point of opportunity arises during the confusion and uncertainty endemic in the integration phase of mergers/acquisitions, which offers particularly fertile ground for embezzlement. Employees worried about their future can be tempted to set up their own “severance packages”. Research to resolve imbalances in financial accounts can be delayed because of the assumption that they are the result of errors or carelessness, instead of defalcations. In fact, these periods demand greater scrutiny.


The second aspect is fraud perpetrated by the principals of the third party. A recent example is the February 27, 2018 guilty plea by a senior executive of a large soft drink corporation in a federal prosecution resulting from his incorporating a marketing & promotions firm in his wife’s name. He hired her firm to provide goods and services to his employer, and, over a 10-year period, submitted more than 200 false invoices totaling more than $1.7 million. He is scheduled to be sentenced in June for wire fraud and for failing to report his fraudulent income on his tax returns.


The third, and most common, aspect of fraud is data breaches perpetrated by both insiders and outsiders. While typically considered information security issues, the intent behind acquiring Personally Identifiable Information and/or Protected Health Information through a breach is most often to commit fraud.


What these three aspects have in common is that their impact can be reduced by a sound Third Party Risk Management (TPRM) program that incorporates a vendor selection process that includes elements such as:

  • An assessment of a prospective third party’s internal control regime to ensure it contains basic controls, such as segregation of duties and physical and virtual access control. More rigorous attention needs to be applied in merger/acquisition situations.
  • An assessment of the candidate vendor’s financial viability. With publicly traded firms, that assessment includes audit reports and SEC filings; and with small, privately held firms, a review of tax returns and principals’ backgrounds (education, professional, criminal). This assessment would apply to any prospective third party relationship.
  • Similarly, the outsourcer will want to inquire into the third party’s reputation. Dun & Bradstreet, other business rating companies, client references and social media can provide insight.
  • Vendor responses to Requests for Information (RFI) from an outsourcer can provide valuable information about a prospective vendor’s general suitability by making sure that RFIs include questions dealing with:
    • Licenses and certifications.
    • Ongoing/pending litigation.
    • Operational/fraud loss experience.
    • Insurance coverage, e.g., Errors and Omissions, cyber, etc.
    • Resiliency.
  • Task/service-specific assessments using responses to Requests For Proposal (RFP). RFPs should:
    • Specify outsourced functionality.
    • Specify desired service levels.
    • Specify security hygiene expectations in detail (level should always meet the outsourcer’s internal security expectations).
    • Seek arm’s length security evaluations if recent and relevant.
    • Specify resiliency expectations: disaster recovery, etc.
    • Obtain information for input into an Anti-money laundering, Bribery and Corruption (ABC) check.
    • Specify desired audit rights and commitment to closing open risk related issues within a specified time period.
    • Obtain references.
    • Solicit information about the third party’s third parties who would be deployed to provide the service/function.


Ultimately, preventing fraud from all three of the causative elements relies on robust TPRM program hygiene, which requires that the program ensures the security and other controls at the vendor level always meet the outsourcer’s internal security expectations.


Santa Fe Group Senior Advisor, Bob Jones, has led financial institution fraud risk management programs for nearly 50 years. A well-known thought leader in the financial services industry and a sought-after expert in risk management strategy, Bob has devoted his career to innovative financial services fraud reduction and risk management. Today, Bob is a consultant, educator and expert witness, and serves as the principal of RW Jones Associates LLC.


Expert Interview: Tom Garrubba...

Kelly Wagner 02-21-2018


Tom Garrubba, Senior Director, The Santa Fe Group, Shared Assessments Program, recently sat down with one of our partners, Aravo Solutions, as part of their expert series on third party risk management. Read what Tom has to say about the ways that collaboration can enhance your TPRM program.

Collaboration is a term that makes people either cheer or wince. However, today collaboration is essential to be a successful third party risk manager – the discipline has moved well beyond administrative box-ticking. Now, a strong culture of collaboration can help create the right environment to foster TPRM program excellence, and drive real value for organizations.

If that sounds difficult to achieve, third party risk executives need to become aware that they are not “flying this plane alone,” says Tom Garrubba, Senior Director at Shared Assessments, a member-driven consortium that creates standards around outsourcing, including assessment questionnaires. “Remember, you have a pilot, a co-pilot, a navigator, flight attendants, baggage handlers and others.” All of these stakeholders need to be involved to make TPRM work – and to make it work better.

Below are Garrubba’s six key ways that collaboration can put the right wind into the sails of a TPRM program:

  • Become involved in standardization programs. Standardization is on the rise, and will become best practice for firms over the next two or three years, says Garrubba. Programs such as Shared Assessments enable organizations to benefit from a substantial body of knowledge and understanding that has been built up over more than a decade. “When creating a third party risk assessment, there is no need to reinvent the wheel,” says Garrubba. “It is very likely that other organizations have run into similar challenges, or have comparable information needs about the vendors they work with.” Working with a well-known group means that an organization can trust the information and suggestions it is receiving. “Google,” Garrubba says, “is a less reliable source of ideas about what a third party assessment should be asking about.” Being part of a group can help when it comes to new requirements, too. Garrubba worked with the Shared Assessments’ Privacy Committee to develop the Shared Assessments GDPR Data Processor Privacy Toolkit, launched in December 2017. This Tool Kit provides guidance to help organizations conform to the European Union’s (EU) General Data Protection Regulation (GDPR) Article 28. The Tool Kit outlines what companies need to do to comply with this privacy-focused element of the regulation.
  • Reach out to your regulators. Around the globe, regulators are beginning to put out more guidance and rules around third party risk. “The US regulators’ Federal Financial Institutions Examination Council (FFIEC) IT Examination Handbook Appendix J and Office of the Comptroller (OCC) 2013-29 provide a very user-friendly foundation for what third party risk best practice looks like,” says Garrubba. “You don’t have to have a lawyer sitting next to you to understand it. It’s really good guidance on what organizations should be doing.” These regulatory frameworks can provide an excellent starting point for third party risk programs, he says. The EU’s GDPR is also a good framework to understand what a company should be doing around data privacy. Organizations should make sure that, first of all, their programs are complying with all of the necessary rules that may impact them from around the globe, before moving on to enhance their program further. Secondly, what a third party program manager can do to enhance the organization’s regulatory relationships is to “document, document, document!” says Garrubba. This gives the regulator the ability to see – quickly and easily – just how well the third party risk program is doing, and to take all of the organization’s efforts into consideration. “You are never going to hit 100% compliance; however, you can hit conformity,” says Garrubba. “Compliance is very black and white, either you have it or you don’t, there is not a lot of grey. There are some regulators who might throw in a touch of grey – that’s more in the lines of conformity, rather than compliance.”
  • Bond with your board of directors. Third party risk programs need to have board support. “Otherwise,” says Garrubba, “they can become a paper tiger. If you do not have senior-level support, you are not going to have a successful program.” All policies and processes should be agreed, at least in principle, by senior management and the board – and should be actively promoted by them. As well, senior management and the board are sometimes needed to ensure business units comply with third party programs and the changes they may require. Says Garrubba, “You want to make sure that what you are doing is something that will go across the entire enterprise.” In return, the third party risk program should be sure it is supplying the board of directors and senior management with the information it wants and needs to think constructively about third party risk.
  • Have coffee with internal audit, legal, compliance… When creating an assessment questionnaire, it’s important to work with all of the key stakeholders. Says Garrubba, “It’s important that they are on board with what you are doing and that they are helping you shape your questions.” Having several pairs of eyes vet a list of questions can help make sure that the language is clear and that it will achieve the answers needed. A close relationship with internal audit can be particularly fruitful, he says – often internal auditors can provide expertise on not only drafting questions but also analysing the answers.
  • Friend your vendors. “Why do organizations contract with a third party,” asks Garrubba. “Either because it is cheaper or because they don’t have the talent and the technology to do the process themselves.” This implies that a third party has wisdom it can bring to the relationship between the two organizations. “Organizations really should be treating third parties as a component within their organization – they are a partner, treat them like a partner,” he says. “Don’t treat them like a step brother or sister you cannot really stand.” The reality is that the third party may be able to share information that can help the organization, and they in turn may be running their own third party programs that you can learn from. Says Garrubba, “I’ve spoken with companies that have said their third parties made their own company stronger. They looked at what a third party was doing and said, ‘We should be doing this too.'” He also says he’s seen organizations give third parties extra business, to grow the relationship, as a result of benefitting from this kind of collaboration.
  • Know your business. Having a good working relationship with the business units is essential, says Garrubba. He says that when he was in previous roles, he used to have coffees, lunches, and dinners with a wide range of internal stakeholders to find out what their upcoming projects were, and better understand the company’s overall business strategy and ability to execute. For example, these conversations often helped ensure that new business opportunities were analysed correctly, keeping in mind the company’s own operations and outsourcing needs for fulfilment. Sometimes, best practices from one business unit could be shared with others. Or a casual conversation can help both the business unit and third party risk feel comfortable that things are just “on track.” Having less formal give-and-take can make it easier to resolve challenges, when they occur, too.
  • In short, third party risk managers need to be sure they are actively collaborating across the business – and outside the business – to be successful today. Many firms are choosing to support this with a software solution, which can make collaboration easier – by providing a “single source of truth” for data, and a platform through which some key conversations, particularly around specific processes, can take place. Creating the right third party risk environment will enable the correct culture to take root and flourish.

Shared Assessments Senior Director, Tom Garrubba, is an experienced professional in IT risk and information controls, most recently in developing, maintaining, and consulting on third party risk (TPR) programs for Fortune 100 companies. He is an internationally recognized subject matter expert and top-rated speaker on third party risk.

Announcing the 2018 Shared Ass...

Kelly Wagner 01-30-2018


Tools That Empower Vendor Risk Management Confidence

Shared Assessments is excited to announce the release of the updated 2018 Shared Assessments Program Tools, which serve organizations for risk management, regardless of size and industry. The Tools help both outsourcers and providers to meet regulatory, consumer and business scrutiny within the constantly evolving landscape of cyber and other security threats and vulnerabilities.

The Program Tools are an important component of the Shared Assessments Third Party Risk Management Framework, which helps organizations manage the full lifecycle of a third party relationship, from planning for third party engagement, to due diligence and vendor selection, contract negotiations, ongoing and continuous monitoring and termination. The Tools embody a “Trust, but Verify” approach for conducting third party risk management assessments and use a substantiation-based, standardized, efficient methodology.

The Shared Assessments Program Tools are:

  • 2018 Standardized Information Gathering (SIG) questionnaire for remote assessment;
  • 2018 Shared Assessment Standardized Control Assessment (SCA) procedures for performing onsite assessments;
  • 2018 Vendor Risk Management Maturity Model (VRMMM) for evaluating programs against a comprehensive set of best practices; and
  • The new EU General Data Protection Regulation (GDPR) Tool Kit

Creating Sustainable Standardization in Today’s High Risk, Cyber-Based Environment
Continuous quality improvement evaluation of the Program Tools and our other third party risk management resources is conducted to ensure that:

  • Content updates are in line with modifications in domestic and international regulations, changes in industry standards and guidelines, and the emergence of new risks.
  • Program Tools remain relevant in response to the growing and shifting nature of cyber security threats and vulnerabilities.
  • A standardized process and tools are available that employ a clear, consistent methodology for third party service provider management strategy and risk control verification assessments to reduce duplication of effort for outsourcers and providers.

Updated 2018 Program Tools
These updated Tools respond to the many cybersecurity and other third party risk management issues that are at the forefront of everyone’s concerns.

The 2018 Standardized Information Gathering (SIG) Questionnaire

  • The SIG employs a holistic set of industry best practices for gathering and assessing information technology, cybersecurity, privacy and data security risks and their corresponding controls. It serves as the “trust” component for outsourcers who wish to obtain succinct, scoped initial assessment information regarding a service provider’s controls. The SIG can also be used proactively by providers, to reduce initial assessment duplication and assessment fatigue.

Enhancements to the 2018 SIG include:

  • SIG Scoping: In response to user feedback, the most significant change you will notice is the addition of a new Scoping Tab, which allows for multiple ways to customize the SIG questions for a company’s individual needs. This tab will be the first stop in starting a new SIG. From this tab, the LITE, CORE, or FULL SIG will be available. The CORE SIG is a new designation and will be used for assessing service providers that run business critical functions, data, and systems. It is meant to meet the needs of most assessments.
  • Industry References: Updates for 2018 that reflect industry and regulatory standards include:
    • New York State, Department of Financial Services (NYSDFS) 23 NYCRR 500.
    • European Union (EU) General Data Protection Regulation (GDPR) 2016/679.
  • Content Organization and Updates:
    • Tab K. Business Resiliency was updated for current threat environment and recovery planning best practices.
    • Tab P. Privacy was updated to reflect current privacy rules, GDPR & domestic rule updates.
    • Tab U. System Hardening Standards was updated to reflect new industry best practices.
    • Tab V. Cloud Hosting was created to organize cloud security questions into its own separate tab and updated to reflect new industry standards and best practices.
    • The total number of questions has been decreased by removing duplication and redundancy.

The 2018 Shared Assessments Standardized Control Assessment (SCA) Procedures – Formerly the Agreed Upon Procedures (AUP)

To better communicate the function of the tool and its alignment with the SIG questionnaire, the Agreed Upon Procedures (AUP) has been renamed the Standardized Control Assessment (SCA) procedures. This name change will also help eliminate any confusion with the formal definition of AUP within the AICPA practice standards, allowing for expansion of general attestation engagements to their client base using the SCA Tool and SCA Report Template.

Enhancements to the 2018 SCA include:

Content Re-Organization and Updates:

  • The SCA, and its companion SCA Report Template, have been re-organized to align more closely with the SIG. The updated tool can be utilized for onsite or virtual assessments. All changes to content, including reorganization of section information, contain language that is in alignment with AICPA AT § 201.03: Agreed-Upon Procedures Engagements standards. ((AT § 201.03: Agreed-Upon Procedures Engagements. American Institute of Certified Public Accountants (AICPA). June 1, 2001. Statement on Standards for Attestation Agreements (SSAE) No. 10. SSAE No. 11. AICPA. 2015; and as adopted by the Public Company Accounting Oversight Board (PCAOB), April 2003.))
  • Section A. Risk Assessment and Treatment procedures have been added for brevity and clarity.
  • Section I. Application Security subsections were added to more closely align with the SIG.
  • Section K. Business Resiliency was updated for current threat environment and recovery planning best practices.
  • Section P. Privacy was updated for current privacy rules, GDPR & domestic regulatory updates.
  • Section U. System Hardening Standards were updated to reflect new industry best practices.
  • Section V. Cloud Hosting has been added to align with the new SIG tab and to reflect the changing landscape of hosting options and vulnerabilities.
  • SIG Alignment: The SCA has been thoroughly reviewed and updated to align more closely with the SIG, using matching terminology and making it simpler to follow the “trust, but verify” model of third party risk management.

Industry References: Updates reflect industry and regulatory standards, including:

  • New York State, Department of Financial Services (NYSDFS) 23 NYCRR 500.
  • European Union (EU) General Data Protection Regulation (GDPR) 2016/679.
  • Open Web Application Security Project (OWASP) Top Ten 2017 Vulnerabilities RC2 Project.

The 2018 Vendor Risk Management Maturity Model (VRMMM)

  • Greater adoption of the VRMMM will improve third party risk management overall by assisting industry members in assessing and benchmarking the maturity of their own third party risk management programs. The VRMMM also allows for better benchmarking within and across industries in the annual benchmarking study.
  • Access to this benchmarking tool is especially important to organizations new to third party risk and is aligned to the goal of Shared Assessments to advance the art of third party risk management.
  • To download the Shared Assessments’ Free VRMMM, go to: www.sharedassessments.org/vrmmm.

GDPR Data Processor Privacy Tool Kit:
This new tool provides guidance for Data Processors who fall under the European Union’s (“EU”) General Data Protection Regulation (“GDPR”) 2016/679, whose stringent new requirements go into effect on May 25, 2018. To meet this deadline, organizations are being challenged with the very sizeable task of not only “re-papering” or modifying their vendor arrangements, but also of applying increased vigor in IT and privacy risk assessments to ensure that customer data is being processed according to the controller/processor contractual arrangements, in keeping with the regulation. Direct compliance liability for data protection provisions will now extend to the data processors or vendors.

The Tool Kit is Free: The bundle provides a narrative introduction and a series of mini-tools to help determine how to meet the new requirements that will be imposed on how Controllers (i.e., outsourcers) may appoint and monitor Data Processors (i.e., third party vendors).

Some of the insights provided by this Tool Kit – for both Controllers and Processors:

  • Questions to ask your vendors regarding the secure and private handling of your affected customer data.
  • Test steps to ensure controls are in effect and are operating as intended.
  • A scoping checklist designed to help manage or structure the contract provision tool set needed for compliance.
  • Identifying artifacts to support customer data controls and other privacy program efforts.

Members of the Shared Assessments Program can access the tools in the Member section of the website. If you are interested in purchasing the Program Tools please contact info@sharedassessments.org.

About the Shared Assessments Program
The Shared Assessments Program is the trusted leader in third party risk management, with resources to effectively manage the critical components of the third party risk management lifecycle. These resources are creating efficiencies and lowering costs for all participants; are kept current with regulations, industry standards and guidelines and the current threat environment; and are adopted globally across a broad range of industries, both by service providers and their customers. Shared Assessments membership and use of Shared Assessments third party risk management resources, including Program Tools, offers companies and their service providers a standardized, more efficient and less costly means of conducting rigorous assessments of controls for cybersecurity, IT, privacy, data security and business resiliency. The Shared Assessments Program (https://sharedassessments.org) is managed by The Santa Fe Group (www.santa-fe-group.com), a strategic advisory company based in Santa Fe, New Mexico.

The State of Data Protection R...

Kelly Wagner 01-22-2018


By Linnea Solem, Chair, Shared Assessments Privacy Committee

On January 28th, organizations worldwide celebrate Data Privacy Day. The goal is to create awareness about the importance of respecting privacy, safeguarding data and enabling trust. Each year organizations take this opportunity to spotlight key risk topics for privacy in the coming year. In reviewing 2017 and the potential challenges for data protection in 2018, a common thread in the media landscape is the risk that third parties bring to the table for organizations who need to protect customer data. The web site for Data Privacy Day, www.staysafeonline.org, provides a suite of infographics and tools on why privacy is important for consumers, businesses, organizations, schools, and non-profits. 75 percent of Americans feel it is “extremely” or “very” important that companies have “easy-to-understand, accessible information about what personal data is collected about them, how it is used and with whom it is shared.”

Personally Identifiable Information (PII) Remains Top Information Risk
The International Association of Privacy Professionals (IAPP) conducted its second annual study of the disclosure statements of 150 publicly traded companies, which shows that 100% of these companies identified cyber attacks in their most recent 10-K reports as current and ongoing risks, up from 86% the prior year. The loss of customer or employee PII remains at the top of the disclosed information-related risks at 87%, with reputation harm the greatest potential consequence at 95%. After the risk of a cyber-attack, the #2 risk concern at 69% for surveyed companies was information loss or misuse by business partners or other third parties. That was a jump of 22% over the first report, which emphasizes the criticality of third party oversight and third party risk management. While most organizations indicated that changes in privacy laws and legal standards are a risk, only 10% specifically mentioned the upcoming enforcement of the EU General Data Protection Regulation (GDPR).

Third Party Risk Management a Key Priority in 2018
Changes in data protection regulations and legal standards are top of mind for many organizations in 2018 with the upcoming enforcement milestones of everything from New York State’s Cyber Security regulation to GDPR. In a recent study, the True Cost of Compliance with Data Protection Regulations, by the Ponemon Institute and Globalscape, 90% of respondents viewed GDPR compliance as the most difficult to achieve, surpassing even PCI DSS standards. The impact of GDPR is not simply that the regulation extends liability directly to the service providers; it also has an enforcement mechanism of fines up to $23.6 million or 4% of the total worldwide annual turnover of the company, whichever is higher. It is not surprising then that 92% of US multinationals surveyed by PwC named GDPR as a top priority, and 77% plan to spend $1 million or more on compliance.

GDPR compliance readiness is challenging to measure since many organizations may not be fully aware that they have triggered heightened compliance obligations. GDPR compliance can be triggered for any organization that stores or processes personal information about European Union citizens, regardless of the organization’s location or geographic boundaries. Compliance requirements are specific for data controllers and data processors. Access to personal data is considered a transfer of data from a GDPR viewpoint, triggering the need for a strong understanding of data flows, data inventories, and cross border interactions. The concept of knowing where your data is becomes an even more crucial part of compliance when looking at the third-party ecosystem. Being ready to conform to GDPR will require organizations to implement or expand third party vendor management programs to include third party assurance approaches that require additional due diligence to meet these new requirements.

To help meet this need, the Shared Assessments Program’s Privacy Committee, a leading group of third party risk management privacy professionals across a variety of industries, has designed a GDPR Data Processor Privacy Tool Kit to provide preliminary guidance to effectively evaluate and manage third party risk for “Data Processors” under the GDPR. This GDPR Data Processor Privacy Tool Kit contains tools, checklists and templates that highlight a broad range of privacy-relevant requirements for third party relationships, and identify potential artifacts for review as evidence of conformance with GDPR requirements. The GDPR Data Processor Privacy Tool Kit is designed as a flexible set of tools and templates that any organization can incorporate into their third party risk management structures and processes.

So on this Data Privacy Day, access tools to Be Safe Online, and start to plan for GDPR readiness!

#PrivacyAware and #SAGDPRToolkit

2018 – Three New Year’s Pr...

Kelly Wagner 01-16-2018

By Tom Garrubba, Senior Director, The Santa Fe Group, Shared Assessments Program

I’m often asked during the holiday season to reflect on the year’s setting sun of cyber threats and make predictions on the upcoming year’s threat horizon. I’m certainly not Carnac the Magnificent (one of the late Johnny Carson’s most memorable Tonight Show skits), but kindly allow me to put on my big purple turban, hold an envelope to my head and mutter my three predictions…

“Going Mobile…Big Money…Third and Four.”

(Now let’s open the envelope, blow into it, and extract the answer…)
“Going Mobile” – No, this has nothing to do with the classic up-tempo song from The Who. It is a reference to data breaches through mobile devices. Through encounters with numerous cybersecurity professionals over the past year, I see that there appears to be quite a consensus that a breach stemming from mobile devices lies on the horizon. This is understandable, as many organizations (particularly small and mid-sized organizations) continue to grapple with the challenges of securing not only the various mobile operating systems that they’re supporting, but also of identifying the applications on these devices that may pose a threat of unauthorized data exposure. As “bring your own device” (BYOD) is increasingly adopted by organizations, it’s prudent to revisit your policies, procedures, practices, and standards to ensure that controls are present that are capable of tackling current, known threats, and to investigate ways to deal with mobile threats on the horizon.

“Big Money” – I’m predicting big payouts this year, from companies to regulatory agencies, from companies to other companies, and/or from companies to customers (via class-action lawsuits). US regulators, and even the New York Department of Financial Services (NYDFS), have made it clear that organizations must employ – and provide evidence of – a sound security and privacy posture at their organization. Additionally, as the European General Data Protection Regulation (GDPR) goes into full effect this coming May, there’s much chatter in the privacy profession that companies out of compliance with GDPR will be hit hard financially (up to 4% of total turnover) as European data protection authorities (DPAs) make efforts to show that any organization in possession of European customer data must take this regulation very seriously. The GDPR is no paper tiger – it certainly does have teeth – BIG teeth. Lastly, lawsuits between companies and even class-action lawsuits will result in hefty legal expenses and payouts to affected parties due to poor security or privacy posture. It’s additionally important to note that cybersecurity insurance normally does not cover a legal action brought against your organization.

“Third and Four” – Since we’re heading into NFL post season play, this may sound like “third down with four yards to go;” but since we’re talking cybersecurity, I am referencing third and fourth parties. Hackers are cognizant that most organizations outsource sensitive functions and data. Hackers will identify their targets and begin to scope the companies they’ve most likely contracted to (those that perform or handle certain key functions) and will then position those vendors for attack. Hackers will hunt for “back doors” and exploit any vulnerabilities to access their target’s network, so they can locate, browse, steal, poison (destroy or deploy malware), or hijack (via ransomware) the data on which they’ve set their sights. To prevent this, organizations need to be diligent in performing risk control assessments on their third parties and, where possible, their fourth parties as well. (Note that this effort may require assistance from the third party to examine fourth parties.) It’s also extremely wise (and if you’re in a regulated environment, this part is practically mandatory) to participate in cyber and business resilience activities with your “critical” third and fourth parties.

So, now that I’ve made these predictions, I’m curious to see how long I’ll have to wait to see these come true. While I certainly hope none of these predictions come to fruition, given the current state of the world we live in, I’m simply being a realist.

Have a safe and secure new year!

Shared Assessments Senior Director Tom Garrubba is an experienced professional in IT risk and information controls, most recently in developing, maintaining, and consulting on third party risk (TPR) programs for Fortune 100 companies. He is a nationally recognized subject matter expert and top-rated speaker on third party risk. Connect with Tom on LinkedIn

Are Your Vendors Ready for GDP...

Kelly Wagner 01-13-2018

By Brad Keller, Senior Director of Third-Party Strategy, Prevalent, Inc.
Chair, Shared Assessments VRMMM Committee

Great, yet another blog talking about the need to get ready for the European Union’s General Data Protection Regulation (GDPR). Wouldn’t it be nice if just once someone really helped me deal with GDPR instead of reminding me of all the work I must do? Well folks, I’m here to do just that.

Determining vendor compliance with GDPR requires a fairly rigorous process. It starts with determining what data you provide to or share with your vendors, whether it is data that is covered by GDPR and, if so, what requirements are associated with that type of data. Vendor contracts must be modified to include new language to define the vendor’s role. Since most vendors will fall under the definition of a Data Processor, their responsibilities will be defined by Article 28 of GDPR (however, it is possible to be both a Data Processor and a Data Controller). I could continue with a litany of issues you’ll be faced with, but that would just add to your problems, not help you solve them.

The Shared Assessments Privacy Working Group has developed a Tool Kit to help guide you through the process. Their GDPR Data Processor Privacy Tool Kit has everything you need: the processes you need to have in place to identify and map customer data; samples of model contract provisions to get your vendor contracts in compliance; lists of documentation you’ll need to obtain; an updated privacy survey to obtain the information you need to assess your vendor’s GDPR privacy readiness; and many other useful resource documents. The best part about the Tool Kit is that it’s free and can be downloaded on their web site https://sharedassessments.org/gdpr-tool-kit/.

The Shared Assessments Standard Information Gathering Questionnaire (SIG) already contains the information you need to determine if your vendors have adequate IT security controls in place. Now with the help of the GDPR Processor Privacy Tool Kit addressing data privacy concerns, you’ll have what you need to make sure your vendors are ready for GDPR.

Preview: 2018 Shared Assessmen...

Jenny Burke 12-13-2017

We are looking forward to the release of the 2018 Program Tools coming soon. The Tools follow a “Trust, but Verify” approach for conducting third party risk management assessments and are an important component of the Shared Assessments Framework that help set standards, and through those standards, efficiency, in third party risk management. The Shared Assessments Program Tools are developed using the collective intelligence of member organizations. Our members bring their expertise in cybersecurity, risk management and privacy as well as their knowledge of the regulatory landscape and specific vertical industry needs to the development of the Tools, which are updated to keep the tools current and effective.

The 2018 Program Tools will include:

  • 2018 Standardized Information Gathering (SIG) Questionnaire;
  • 2018 Shared Assessments Standardized Control Assessment (SCA) procedures (Formerly the Agreed Upon Procedures (AUP));
  • 2018 Vendor Risk Management Maturity Model (VRMMM); and
  • The new General Data Protection Regulation (GDPR) Tool Kit

SIG Enhancements:

We are excited about a new capability in the 2018 SIG – a Scoping Tab that will allow multiple ways to customize the SIG for a company’s individual needs. The Scoping Tab will allow for a SIG LITE, FULL SIG, and a new CORE SIG designed for assessing service providers that run business critical functions, data and systems. It was created to meet the needs of most assessments. In addition, content changes were made to reflect the current regulatory and threat environment, including the European Union (EU) GDPR Privacy rules, and the total number of questions was decreased by removing duplication and redundancy.

Standardized Control Assessment (SCA):

To better communicate the function of the “Verify” portion of our “Trust, but Verify” approach, the formerly titled Agreed-Upon Procedures (AUP) used for performing onsite assessments, was renamed the Standardized Control Assessment (SCA) procedures and was thoroughly reviewed and re-organized to align more closely with the SIG.

VRMMM:

The VRMMM will continue to allow companies to benchmark the maturity of their third party risk programs. It is also the basis of the recently released annual Vendor Risk Management Benchmark Study, which allows Shared Assessments and Protiviti to analyze third party risk program maturity across verticals and over time.

We will continue to offer the VRMMM free as a tool to assist the industry.

GDPR:  Data Processor Privacy Tool Kit

This new and important tool set provides guidance for Data Processors who fall under compliance to the European Union (EU) General Data Protection Regulation (GDPR) 2016/679, new requirements which will begin to be enforced on May 25, 2018. The Tool Kit contains tools, checklists and templates to help organizations evaluate their readiness and maturity of controls against GDPR privacy requirements. These tools are free and can be used as a standalone privacy assessment or incorporated into a comprehensive Vendor Risk Management program. Download the GDPR: Data Processor Privacy Tool Kit.

Availability

Release of the 2018 Program Tools is slated for late January 2018. The Tools are free to Shared Assessments Program members, or you can purchase the Complete Bundle (all tools above) for $9,000. You may also purchase the standalone version of the SIG for $7,000 or the SCA for $6,000. If there are any questions about the tool or membership, please contact us.

5 Steps to Take Now to Protect...

08-03-2017

Shared Assessments’ just-published Ponemon research report, The Internet of Things (IoT): A New Era of Third Party Risk, provides a great snapshot of current IoT risk management both within an organization’s four walls and with the third parties that so often support mission critical activities.

Many of the report’s findings are troublesome: the lack of Board understanding about IoT in the context of both in-house and third party risk management; the lack of an integrated approach to IoT risk management; even the lack of some of the most basic elements required to build an effective IoT risk management program, such as having a complete inventory of IoT devices (only 16% of respondents said they had such an inventory). Those findings come despite the recognition that security incidents related to IoT devices or applications could be catastrophic (94% of survey respondents said they thought such a result could emerge within two years).

What are the consequences of such a large gap between recognized IoT risks and an ability to effectively mitigate them? What are the key steps required to close that gap?

Last October’s headline-making IoT-based DDoS attack was a small sample of what the future may hold. That attack disrupted a number of websites including Twitter, Netflix, PayPal, Verizon and Comcast, and was orchestrated by the Mirai botnet. That botnet employed “tens of millions” of malware-infected devices connected to the internet (Bloomberg, October 21, 2016).

The Internet of Things report’s key findings provide important insight on how the state of IoT security will play into the evolving threat landscape as the number of IoT devices expands over the next few years.

The Internet of Things results are strongly indicative of a low level of IoT risk management maturity: only 30% of respondents reported that managing third party IoT risks is an organizational priority; only 27% of respondents said their organization allocates sufficient resources to manage third party IoT risks; and only 25% reported that their governing board required assurances that third party IoT risk was being assessed, managed and monitored appropriately. Only 31% of organizations regularly report to the CEO and board on the effectiveness of their third party risk management program. Why?

More than half of respondents said the effectiveness of their organization’s third party risk management program was not a priority for the board and CEO. Perhaps even more disturbing is the perception (by 56% of respondents) that it is not possible to determine whether third party safeguards and IoT security policies are sufficient to prevent a data breach. This last finding suggests that many respondents don’t understand what a mature IoT risk management environment would comprise.

The sheer magnitude in the expected growth of IoT devices suggests that a high degree of automation is vital to effective IoT risk management. Industrial firms have had a focus on Operational Technology (OT) for years because of its essential nature in the production process. What is OT? Gartner defines operational technology as “hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes and events in the enterprise.”

For those outside of organizations where industrial device control has been a longstanding requirement, the importance of operational technology security may not be second nature. That will change as IoT security concerns emerge, and we’ll rapidly see a security environment where information security, IT security, OT security and physical security require close coordination to achieve effective risk mitigation. One key question is how quickly that convergence will occur, and there is ample evidence to suggest that here too we’re early on in that maturity process.

Source: Gartner, 2015

No matter how the IoT security ecosystem evolves, there are steps organizations can take now to protect against emerging IoT threats. The most important are these:

  1. Ensure that third-party and IoT risk management processes are defined and operational at all governance levels, up to and including the board.
  2. Update asset management processes and inventory systems to include IoT devices, and understand the security characteristics of all inventoried devices. When devices are found to have inadequate security controls, replace them.
  3. Enhance third party contracts and policies to include IoT specific requirements.
  4. Expand third party assessment techniques and processes to ensure the presence and effectiveness of controls specific to IoT devices.
  5. Develop specific sourcing and procurement requirements to ensure that only IoT devices designed with appropriate security functions included and enabled are considered for product selection and acquisition.

For more than four decades, Gary Roboff, Senior Advisor, The Santa Fe Group, contributed his outstanding talents to financial services planning and management, including 25 years at JP Morgan Chase where he retired as Senior Vice President of Electronic Commerce. Gary has worked extensively in electronic payments, payments fraud, third party risk management, privacy and information utilization, as well as business frameworks and standards for electronic commerce applications.

Best Practices in Third Party ...

07-07-2017

Part 3 in a series with Kenneth Peterson, Chairman and CEO, Churchill & Harriman

Q. What does the annual Shared Assessments Summit deliver to its audience to further propel education and awareness in healthcare security?

R. “The Shared Assessments Summit brings together senior risk executives to share best practices and latest insights on managing third party risk across the security, healthcare, financial services, transportation and government markets. This annual gathering and the conversations we have among peers throughout the year are tremendously important in helping us stay vigilant and focused on continuously improving the safety and security of our client’s most critical information. We’re excited to serve and collaborate with those we met at the 2017 Summit and help them with their risk management and third party vendor programs.”

Q. Tell me about some of the things you’re working on?

R. We continue to be very privileged to serve a wide array of very discerning clients and to collaborate with an incredible group of people. The depth and breadth of the issues we grapple with each and every day continue to become more and more complex. Therefore, it is incumbent on C&H to constantly hone the techniques we apply for our clients. These techniques have a measurable bearing on our client’s inward facing and outward facing cybersecurity risk management program. We’re able to then replicate those techniques as is appropriate for other clients.

Q. Where does Churchill & Harriman fit into the healthcare security market?

R. “Churchill & Harriman (C&H) is a leading provider of cybersecurity risk management and third party risk assessment services to the healthcare industry as well as the financial services, transportation and ecommerce markets. Certain results that C&H contributes to are formally recognized by the U.S. Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), the U.S. Department of Health and Human Services (HHS), the National Health ISAC (NH-ISAC), and the National Directorate of ISACs (NCI Directorate). We’re privileged in that our tools, talents and techniques are being leveraged across industry. Working closely with our partners at Prevalent, Churchill & Harriman is further serving the collective good, providing third party risk management services that benefit the entire health care community.”

Q. Help me finish this sentence…if a healthcare organization could only focus on 1-2 critical items for safeguarding their data and operations moving forward they should…

R. “Focus on the implementation and maintenance of a Threat and Vulnerability Management program that enables the organization to acquire and retain a thorough understanding of the threats to their information and operations, the vulnerabilities that those threats can exploit, and the probability of occurrence so that resources can be appropriately managed. Over time threats change, vulnerabilities can change quickly, and probabilities are never static. Therefore, the program must have the ability to take advantage of real time sources of accurate intelligence and information as well as continuous monitoring of their environment so that changes to policy, processes and technology do not fall behind and expose the organization to adverse results.”

Ken Peterson is a recognized leader in developing and implementing cybersecurity risk management strategies and solutions. Under Peterson’s stewardship, C&H has optimized enterprise risk governance programs, executing thousands of third-party risk assessments globally since 1997. C&H risk management work has been formally recognized by the U.S. Department of Homeland Security, the Federal Bureau of Investigation, the U.S. Department of Health and Human Services, the National Health ISAC, and the National Directorate of ISACs. In partnership with Prevalent, Inc., C&H has been formally selected by the NH-ISAC to perform certain third-party risk management services on behalf of their Members.

C&H is an Assessment Firm Member of the Shared Assessments (SA) Program, actively contributing to the Shared Assessments Agreed Upon Procedures (AUP), the Standardized Information Gathering (SIG) questionnaire, the Technical Development Committee and public outreach programs. Peterson is privileged to serve on the Shared Assessment Program’s Steering Committee and governing Advisory Board. Peterson additionally serves as the formal liaison between these two bodies.

To Learn more about C&H, please email info@chus.com.

Internet of Things (IoT) and T...

In our digital age, everything is connected. Cars can drive themselves, planes can fly themselves, and your refrigerator can use the internet to tell you if you are out of milk and eggs when you are at the grocery store. The era of connectivity and immediacy of data has created a new worldwide web out of normal everyday devices. The concept of the “Internet of Things,” or IoT, has created functionality and convenience, but can also introduce new risks to our ecosystem.

Common definitions of IoT include (from Wikipedia) “the interconnection via the Internet of computing devices embedded in everyday objects, enabling them to send and receive data” and (from OWASP), “the proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data”. IoT is a game changer to consumerism, but also a game changer to the hacktivist. It changes our thinking about risk in typically non-risky areas of our lives, or of our workplace.

Identifying risks in the IoT ecosystem and managing or mitigating them can be daunting for the risk professional. The norms of criticality, materiality, and critical infrastructure don’t equate when the risk is in a benign system or device. Dealing with these risks not only impacts the organizations who leverage the technology, but also requires them to adapt their viewpoints on third party risk.

This past month a joint research project by the Ponemon Institute and the Shared Assessments Program was released, focused on the Internet of Things: A New Era of Third-Party Risk. The report highlights are shown in this infographic. The sheer volume of connected devices is expected to double in two years, creating more challenges in how to monitor and contain risk. Key themes that emerged from the survey show the concerns risk professionals face:

  • 78% believe loss or theft of data could be caused by IoT
  • 76% think a cyber-attack could be executed through IoT
  • 69% of risk managers don’t regularly report to the C-Suite and Board the effectiveness or maturity of third-party risk oversight programs.

Enabling security for IoT requires a multi-layered approach. Not all organizations consider IoT devices to be endpoints, so those devices may not be monitored, inventoried, or tracked the way other assets are. Technology will evolve, as will controls. Key areas of focus to assist with maturing risk management for IoT include:

  • Integrate IoT into third party risk management reporting
  • Enhance asset management processes and inventory systems
  • Assess contracts and policies
  • Expand third party controls to identify risks/controls unique to IoT devices
  • Broaden security and awareness training to include IoT themes

Web site standards have long been developed by industry groups and through collaboration to enhance the world-wide web. The OWASP Top 10 threats have been table stakes in securing traditional web applications and eCommerce sites. When I first started in web development and eCommerce, the threats we faced were mild in comparison and complexity to our vastly connected world today. The OWASP group has expanded its tool sets and risk focus as IoT has evolved, and it has created the OWASP Internet of Things Project to provide free tools to industry members on how to assess and address the risks of IoT.

We need to continue to embrace technology – the advances make up for the risks, it simply requires industry collaboration and the evolution of our risk viewpoints and perspectives, to ensure we look at risk and third party risk from a multi-dimensional point of view.

The full survey report can be downloaded from www.sharedassessments.org.

OWASP tools can be seen at https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project.

Linnea Solem, Chief Privacy Officer, Vice President Risk and Compliance for Deluxe Corporation, is a former Chair of the Shared Assessments Program. Linnea is a management professional with 20+ years of financial services experience in areas including eCommerce, technology, business development, marketing, information practices and risk management. She is a Certified Information Privacy Professional and led Deluxe’s compliance initiatives for Y2K, GLB, Check 21, and Red Flags Legislation. You can connect with Linnea on LinkedIn.

Reposted with permission from Deluxe Blogs

Applying a Risk Management App...

jaengen 07-05-2017

Niall Browne is the SVP Trust & Security and CISO, at Domo, a data management platform company. Niall is also the Chair of the “Evaluating Cloud Risk for the Enterprise” white paper produced by the Shared Assessments members.

In the past five years, we have seen tremendous changes in technology, personnel and business practices. Cloud has now become the de-facto industry model for providing computing services. Mobile has become the most common model for accessing data. Cloud platforms are managing billions of Internet of Things (IoT) devices daily, and new exciting developments are evolving, such as microservices, to enable previously unimaginable scalability and efficiencies.

However, with the introduction of enterprise cloud, new audit controls are required to address the use of these new technologies, new service models, and new nuances in how existing audit controls apply to cloud.

The Evaluating Cloud Risk for the Enterprise whitepaper is a Shared Assessments guide that provides step-by-step guidance for enterprise organizations moving their services to the cloud. It assists enterprise organizations in creating a cloud strategy that will scale across hundreds of their cloud providers, both locally and internationally. I had the privilege of being the chair of this enterprise cloud whitepaper. My role as CISO at Domo, the largest analytics platform in the Cloud and with more than 25% of the Global Fortune 50 companies as customers, enabled me to incorporate some key industry best practices and lessons learned into this whitepaper.

Best Practices for Enterprise Cloud Computing Management

The whitepaper introduces the concept of Common Cloud Controls. These are mature control areas associated with traditional IT services environments, also equally applicable to cloud-based services. These audit mechanisms are considered mature (e.g., anti-virus, background checks, etc.), and there are hundreds of these mature controls that apply to cloud. Organizations can simply use their existing audit vehicles to assess these controls, such as SOC II, ISO 27001, Shared Assessments AUP, etc.

This process should allow an organization to quickly and efficiently evaluate greater than 80% of a cloud provider’s controls, using current audit programs.

This then leaves those control areas that are not typically covered in ISO 27001 or SOC 2 (e.g., multi-tenancy, containerization, etc.). The whitepaper refers to these as Delta Cloud Controls and provides dozens of practical examples of how to effectively incorporate these control areas into an organization’s cloud strategy and audit program.

The Evaluating Cloud Risk for the Enterprise white paper includes the full list of practical recommendations, questions to discuss with cloud providers and lessons learned for cloud-related control domains, but we have summarized the Cloud Control evaluation steps into some key themes to consider:

Data Management:

What are the controls at each of the four main layers? Because all tenants of a public cloud service run in the same environment, they share the same underlying infrastructure.

Look at the data segmentation and separation controls at each of the four main layers: network, physical, system and application. Evaluate the separation controls layer by layer. Cloud data separation controls are typically weaker or non-existent at the physical layer, since there is often no physical separation between customers, so the controls on the other three layers must be far stronger to compensate. Pay particular attention to the application controls, since this is the layer where the majority of critical cloud controls will reside.

Organizations should also understand their role and responsibility as the “data controller” and that of the cloud provider as the “data processor.” Misunderstanding who is responsible for what is one of the leading causes of security and privacy incidents.

Determine whether each customer is provided with a unique encryption key or whether encryption keys are shared across customers. Unique per-customer keys are a strong control: even where customer records are co-mingled in the same database, a record encrypted under one customer’s key remains unreadable to another customer.

Ascertain whether customer data will be encrypted at rest and in transit, across both external and internal networks, i.e., within the cloud provider and within its underlying infrastructure (e.g., AWS, Azure). Encryption on internal networks and on datacenter-to-datacenter links is increasingly important, as private or internal networks are also susceptible to unauthorized network sniffing.

Location Management:

Where is my data? This is particularly important for cloud providers that may have datacenters and support teams in multiple legal jurisdictions.

It is important to ask your cloud providers to list all the locations in which they store, process, transmit or access customer data, and to check whether these are explicitly defined in the contract. Ensuring that the cloud contract documents all the countries or legal jurisdictions where company data will be stored, processed or accessed from helps organizations meet their internal data privacy requirements. Note that simple web access by a support team in another country is oftentimes treated the same as “data storage” in that country, so the full set of security and privacy requirements for data storage can apply.

The evaluation process should include a thorough investigation of any potential conflict between countries’ data privacy and legal requirements. One example: a conflict could arise if the customer and cloud provider are both located in the US, and the provider has multiple US datacenters but also a datacenter in Germany for disaster recovery and resilience. A US data privacy requirement could mandate that certain data be deleted, while German law may require that the same data be retained (as evidence in a subsequent legal case). In this scenario, the conflict of laws between jurisdictions may place the integrity of the customer data at risk.

 

User Management:

How is user authentication, authorization and accounting managed? A unified user management model is an essential component of cloud, from a business, usability and security perspective.

Businesses using cloud may be presented with the challenge of integrating their existing identity and log management solutions with those of the cloud provider. Ensure that the cloud provider supports identity federation standards such as SAML 2.0 or OpenID Connect, so as to avoid costly, one-off integrations per provider.

Once the user is authenticated, the next step is authorization. It is important that the cloud provider can support a granular set of user permissions, so that a customer’s least privilege and separation of duties requirements can be followed within that cloud provider’s environment.

Also, ensure that all end user actions, whether write or view, are logged in the cloud and that an API is available to integrate the log data directly into the customer’s security monitoring tools. This matters because the customer must be able to monitor its numerous cloud providers from its own Security Operations Center (SOC).
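The authorization and logging requirements above, as an added Python example that is not code from the whitepaper or from any provider. It models a provider-side authorization check with a granular role-to-permission map, a separation-of-duties rule (the author of a report may not approve it, even when a role would otherwise permit approval), and an audit trail in which every attempt, views included and denials included, becomes one JSON line of the kind a customer SOC would pull through the provider’s log API. The roles, actions, user names and tenant identifier are constructed for the example.

```python
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Assumed role-to-permission map (not from the whitepaper): granular enough that a
# customer can map its own least-privilege model onto the provider's actions.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "viewer":   {"report:view"},
    "author":   {"report:view", "report:write"},
    "approver": {"report:view", "report:approve"},
    "admin":    {"report:view", "report:write", "report:approve", "user:manage"},
}


@dataclass
class AuditLog:
    """Append-only audit trail; each entry is one JSON line a customer SOC could ingest."""
    entries: List[str] = field(default_factory=list)

    def record(self, **fields) -> None:
        self.entries.append(json.dumps(fields, sort_keys=True))

    def parsed(self) -> List[dict]:
        return [json.loads(e) for e in self.entries]


class TenantAuthorizer:
    """Authorization decision point scoped to one customer (tenant)."""

    def __init__(self, tenant_id: str, log: AuditLog):
        self.tenant_id = tenant_id
        self.log = log

    def authorize(self, actor: str, roles: Set[str], action: str,
                  resource: str, resource_owner: Optional[str] = None) -> bool:
        granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles))
        if action not in granted:
            decision, reason = "deny", "no-permission"
        elif action == "report:approve" and resource_owner == actor:
            # Separation of duties: whoever wrote the report may not approve it,
            # regardless of what their roles would otherwise allow.
            decision, reason = "deny", "sod-self-approval"
        else:
            decision, reason = "allow", "role-grant"
        # Every attempt is recorded: views as well as writes, denials as well as allows.
        self.log.record(tenant=self.tenant_id, actor=actor, action=action,
                        resource=resource, decision=decision, reason=reason)
        return decision == "allow"


def run_scenario() -> List[dict]:
    """Constructed sequence of requests against one tenant; returns the parsed audit trail."""
    log = AuditLog()
    authz = TenantAuthorizer("acme", log)
    authz.authorize("alice", {"author"}, "report:write", "rpt-42")
    authz.authorize("alice", {"author"}, "report:approve", "rpt-42", resource_owner="alice")
    authz.authorize("bob", {"approver"}, "report:view", "rpt-42", resource_owner="alice")
    authz.authorize("bob", {"approver"}, "report:approve", "rpt-42", resource_owner="alice")
    authz.authorize("carol", {"admin"}, "report:approve", "rpt-42", resource_owner="carol")
    authz.authorize("mallory", set(), "report:view", "rpt-42")
    return log.parsed()


if __name__ == "__main__":
    for row in run_scenario():
        print(json.dumps(row, sort_keys=True))
```

Two things to look for when assessing a provider against this model: the denied entries (the SoD rejection for carol and the unauthenticated-role attempt by mallory) must appear in the exported log, not only the successful actions, and the `tenant` field must be present on every line so that a SOC correlating logs from many providers can attribute each event to its own environment.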

 

Vendor Management:

How do I assess my cloud vendor? As with any vendor model, an organization can outsource the responsibility for the service, but not the associated risk or accountability.

One of the foundations of cloud is its agile nature, which is inherent in its roots in innovation and rapid change. As such, the classic model of assessing your vendor once per annum does not scale for cloud. Instead, companies must build an on-demand vendor monitoring and management program that keeps pace with the continuous level of change in cloud. Where possible, the contract should require the cloud vendor to provide a set of notification triggers, including notification upon substantive security control changes, upon a change of the cloud provider’s own relevant vendors (e.g., a move from AWS to Azure), or upon certain defined control deficiencies (e.g., an externally exposed high-severity vulnerability that remains open beyond an agreed period).

One challenge is to ensure that the benefit of deploying a cloud solution is not outweighed by the complexity of doing business in the cloud. The cloud provider should provide a single point of contact, a single contract and a single point of accountability to manage the solution end-to-end, regardless of which underlying services it uses itself.

It’s important to guard against an “out of sight, out of mind” mentality: it’s still your data and your service even if it is hosted or directly managed by the cloud provider.

The above are just some of the best practices that can be found in the recently-published Shared Assessments Evaluating Cloud Risk for the Enterprise white paper.

I hope that you find value in the Evaluating Cloud Risk guide and that it becomes an integral component of your cloud vendor management toolkit. The complete whitepaper can be downloaded from here.

Third Party IoT Security: Inte...

06-15-2017


Shared Assessment’s just published Ponemon research report The Internet of Things (IoT): A new Era of Third Party Risk provides a great snapshot of current IoT Risk management both within an organization’s four walls and with the third parties that so often support mission critical activities.

Many of the report’s findings are troublesome: the lack of Board understanding about IoT in the context of both in-house and third party risk management; the lack of an integrated approach to IoT risk management; even the lack of some of the most basic elements required to build an effective IoT risk management program, such as having a complete inventory of IoT devices (only 16% of respondents said they had such an inventory). Those findings come despite the recognition that security incidents related to IoT devices or applications could be catastrophic (94% of survey respondents said they thought such a result could emerge within two years).

What are the consequences of such a large gap between recognized IoT risks and an ability to effectively mitigate them? What are the key steps required to close that gap?

Last October’s headline-making IoT-based DDoS attack was a small sample of what the future may hold. That attack disrupted a number of websites including Twitter, Netflix, PayPal, Verizon and Comcast, and was orchestrated by the Mirai botnet. That botnet employed “tens of millions” of malware-infected devices connected to the internet (Bloomberg, October 21, 2016).

The Internet of Things report’s key findings provide important insight on how the state of IoT security will play into the evolving threat landscape as the number of IoT devices expands over the next few years.

The Internet of Things results are strongly indicative of a low level of IoT risk management maturity: only 30% of respondents reported that managing third party IoT risks is an organizational priority; only 27% of respondents said their organization allocates sufficient resources to manage third party IoT risks; and only 25% reported that their governing board required assurances that third party IoT risk was being assessed, managed and monitored appropriately. Only 31% of organizations regularly report to the CEO and board on the effectiveness of their third party risk management program. Why?

More than half of respondents said the effectiveness of their organization’s third party risk management program was not a priority for the board and CEO. Perhaps even more disturbing is the perception (by 56% of respondents) that it is not possible to determine whether third party safeguards and IoT security policies are sufficient to prevent a data breach. This last finding suggests that many respondents don’t understand what a mature IoT risk management environment would comprise.

The sheer magnitude in the expected growth of IoT devices suggests that a high degree of automation is vital to effective IoT risk management. Industrial firms have had a focus on Operational Technology (OT) for years because of its essential nature in the production process. What is OT? Gartner defines operational technology as “hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes and events in the enterprise.”

For those outside of organizations where industrial device control has been a longstanding requirement, the importance of operational technology security may not be second nature. That will change as IoT security concerns emerge, and we’ll rapidly see a security environment where information security, IT security, OT security and physical security require close coordination to achieve effective risk mitigation. One key question is how quickly that convergence will occur, and there is ample evidence to suggest that here too we’re early on in that maturity process.

Source: Gartner, 2015

No matter how the IoT security ecosystem evolves, there are steps organizations can take now to protect against emerging IoT threats. The most important are these:

  1. Ensure that third-party and IoT risk management processes are defined and operational at all governance levels, up to and including the board.
  2. Update asset management processes and inventory systems to include IoT devices, and understand the security characteristics of all inventoried devices. When devices are found to have inadequate security controls, replace them.
  3. Enhance third party contracts and policies to include IoT-specific requirements.
  4. Expand third party assessment techniques and processes to ensure the presence and effectiveness of controls specific to IoT devices.
  5. Develop specific sourcing and procurement requirements to ensure that only IoT devices designed with appropriate security functions included and enabled are considered for product selection and acquisition.

 

For more than four decades, Gary Roboff, Senior Advisor, The Santa Fe Group, contributed his outstanding talents to financial services planning and management, including 25 years at JP Morgan Chase where he retired as Senior Vice President of Electronic Commerce. Gary has worked extensively in electronic payments, payments fraud, third party risk management, privacy and information utilization, as well as business frameworks and standards for electronic commerce applications.

 

Tips, Tools and Recommendation...

06-09-2017


In this series, Shared Assessments Steering Committee member Ken Peterson talks about managing cyber risk in the healthcare space.

Q&A Series – Part 2

For the healthcare industry, let’s talk about third party risk management: who are the third parties here, and what types of risk are they inserting into the healthcare data security landscape?

“Third parties are any organization that your company may bring in to deliver specific services for your company and your customer network. Third party firms come in all shapes and sizes, different levels of business maturity and varying levels of demonstrated risk management. It is incumbent on your company to ensure your third party vendor network is pre-qualified and vetted to ensure you’re not exposing your business and your customers to the risk of outside attacks. A risk management plan is critical.”

What are the risks for healthcare organizations associated with not engaging in a risk management plan?

“As we’ve seen in multiple cases in the last several years, a cyberattack can have a far-reaching and highly damaging impact on an organization. A company’s brand, business equity and ‘earned public trust’ are often in jeopardy with a breach. In addition, customer and investor exposure are also at direct risk with a breach. And the time it takes to remediate a breach, earn back the trust and confidence of customers and shore up the safety and security of a business operation can take months if not years if the proper risk management plans are not in place.”

What are some of the initial steps that a company should take in protecting its intellectual assets?

“There are a number of key steps that an organization should take toward safeguarding its assets: 1) kick off a formally empowered POC related to securing your third party network; 2) do an inventory of your vendor network to establish in what capacity each vendor is being utilized and what types of data they have access to within your organization; 3) define your vendors’ risk criteria to your business, vetting most critical to least critical; and 4) define specific remediation efforts to help harden the security of your vendors.”

What industry organizations and tools do you recommend for healthcare organizations that are trying to improve the security of their operations?

“The healthcare industry is not an amorphous mass. As an example, clinical research organizations have concerns not always shared by medical device manufacturers. It is a diverse environment. With that said, there are organizations that provide to their members trusted intelligence and techniques that meet those broad areas of common interest that all healthcare organizations share when it comes to information security. The most prominent right now is NH-ISAC, as it is directly focused on healthcare information security and compliance needs. Most major industries have their own ISAC at this point. The Shared Assessments Organization focuses on tools and techniques to assess vendor risk that are common across verticals. The focus on tools should be on those that enable organizations to conduct initial vendor due diligence, monitor in real time the vulnerabilities that can compromise their information, provide continuous monitoring of critical networks, and assist the organization with making sense of large masses of data in time to be of value.”

 

Kenneth J. Peterson, CTPRP
Founder and CEO
Churchill & Harriman

Ken Peterson is a recognized leader in developing and implementing cybersecurity risk management strategies and solutions. Under Peterson’s stewardship, C&H has optimized enterprise risk governance programs, executing thousands of third-party risk assessments globally since 1997. C&H risk management work has been formally recognized by the U.S. Department of Homeland Security, the Federal Bureau of Investigation, the U.S. Department of Health and Human Services, the National Health ISAC, and the National Directorate of ISACs. In partnership with Prevalent, Inc., C&H has been formally selected by the NH-ISAC to perform certain third-party risk management services on behalf of their Members.

C&H is an Assessment Firm Member of the Shared Assessments (SA) Program, actively contributing to the Shared Assessments Agreed Upon Procedures (AUP), the Standardized Information Gathering (SIG) questionnaire, the Technical Development Committee and public outreach programs. Peterson is privileged to serve on the Shared Assessment Program’s Steering Committee and governing Advisory Board. Peterson additionally serves as the formal liaison between these two bodies.

To learn more about C&H, please email info@chus.com.

The Evolving Threat Landscape ...

06-07-2017


 

In this series, Shared Assessments Advisory Board Committee member Ken Peterson talks about managing cyber risk in the Healthcare space. We look forward to hearing more on this topic from Ken and the NH-ISAC at the 10th Annual Shared Assessments Summit.

Q&A Series – Part 1
As a seasoned veteran in risk management and threat detection in the global cybersecurity market, how would you describe the cybersecurity environment we’re operating in today? Where are the biggest risks and the areas we need to be mindful of moving forward?

“We’re operating in a highly dynamic and continually evolving threat landscape for potential cyberattacks. We’ve learned that more extensive information sharing and reporting about incidents has given us a clearer picture of the dimension of the threats organizations face. The biggest risk for any organization is not understanding the unique threats and vulnerabilities for a potential attack. It is important to engage with communities of interest who can provide intelligence and techniques that can assist the organization in meeting its information security requirements.”

The healthcare industry has recently made a big push to move from paper to electronic health records, putting an enormous amount of personal data in motion. How does the shift to electronic health records make your business more challenging?

“We’re balancing two paradigms here – consumer demands for easier access to their personal health information and the need to protect sensitive data that is increasingly more in motion. Our goal is always to ensure the right safeguards, and procedures are in place to better protect sensitive information – for the benefit of consumers, the healthcare market and organizations engaging with the healthcare industry.”

As the healthcare industry embraces an increased exchange of electronic data, what are 2-3 things an organization needs to be mindful of as it relates to mitigating their risk for cyberattacks?

“The first thing to understand is where and how your organization might be vulnerable to attack. For example, companies don’t often have a firm grasp of their vendor population and the intended or unintended risks that vendors may bring to your business operations. Are these vendors introducing a potential virus or malicious code via their electronic communications with your company, or are they not taking proper measures to safeguard physical information that may put your business at risk? Also, does an organization have a proper vendor or third party risk governance process in place for routinely reviewing and updating vendors that are engaging with your organization? Lastly, does an organization have a proper vetting process for onboarding new vendors to ensure they meet proper security requirements? All are important steps in mitigating risk for cyberattacks.”

Kenneth J. Peterson, CTPRP
Founder and CEO
Churchill & Harriman

Ken Peterson is a recognized leader in developing and implementing cybersecurity risk management strategies and solutions. Under Peterson’s stewardship, C&H has optimized enterprise risk governance programs, executing thousands of third-party risk assessments globally since 1997. C&H risk management work has been formally recognized by the U.S. Department of Homeland Security, the Federal Bureau of Investigation, the U.S. Department of Health and Human Services, the National Health ISAC, and the National Directorate of ISACs. In partnership with Prevalent, Inc., C&H has been formally selected by the NH-ISAC to perform certain third-party risk management services on behalf of their Members.

C&H is an Assessment Firm Member of the Shared Assessments (SA) Program, actively contributing to the Shared Assessments Agreed Upon Procedures (AUP), the Standardized Information Gathering (SIG) questionnaire, the Technical Development Committee and public outreach programs. Peterson is privileged to serve on the Shared Assessment Program’s Steering Committee and governing Advisory Board. Peterson additionally serves as the formal liaison between these two bodies.

To learn more about C&H, please email info@chus.com.

Failed Risk Controls – T...

04-17-2017


By: Bob Jones, Senior Advisor, The Santa Fe Group, Shared Assessments Program and Gary Roboff, Senior Advisor, The Santa Fe Group, Shared Assessments Program.

The Sales Practices Report released by the Board of Wells Fargo on April 10th provides an extraordinary behind the scenes look at the breakdown of risk control processes at one of the nation’s largest banks. We think this board-initiated report is an important pedagogic tool and should be required reading for risk control professionals in banking and elsewhere.

In a previous posting, Tone at the Top: Culture Counts – the Wells Fargo Saga, we discussed extensively the evolution of the sales culture at Wells Fargo. This new and remarkably candid report places that sales culture in the context of an extremely decentralized risk control structure. Within this decentralized structure, senior business leaders ran their operations in hermetically sealed environments where risk-related data could be (and was) shielded from both the board of directors and the relatively ineffective central risk functions that existed at Wells until recently.

Although the report demonstrates how risk control mechanics at Wells failed over a period of years, it also provides details about opportunities the bank had – but did not take – to corral an aberrant culture that the bank accurately pinpointed earlier than the outside world might have expected, given the timelines management has presented in sworn testimony, press interviews and other communications from the company.

As early as 2004 Wells initiated a task force to report on gaming the sales incentive program, already perceived as an issue in the community bank. The report said:

“It is the conclusion by Corporate Security Internal Investigations” that “whether real or perceived, team members on the current Corporate Sales Incentive Plan feel they cannot make sales goals without gaming the system. The incentive to cheat is based on the fear of losing their jobs for not meeting performance expectations…. [i]f customers believe that Wells Fargo team members are not conducting business in an appropriate and ethical manner, it will result in loss of business and can lead to diminished reputation in the community.” (( Independent Directors of the Board of Wells Fargo & Company, Sales Practices Investigation Report. April 10, 2017. page 88.))

The report went on to state that Wells Fargo had been losing unemployment insurance cases involving sales integrity terminations, and said that in some of those cases judges had “made disparaging comments” about the Wells sales incentive system. The report recommended that Wells reduce or eliminate sales incentive programs and remove the threat of termination if goals were not met. Those recommendations and findings were never advanced to the company’s executive management or to the board of directors.

As the sales culture hardened at Wells, critical risk control processes broke down completely. For example, beginning in 2013 there were regular audits of the risk control culture in the community bank. In both 2013 and 2014, Audit rated the risk control culture “strong” based upon the stature of risk management in the community bank and the presence of “strong and effective controls” which demonstrated an appropriate focus on risk management. As late as March 2016, Audit rated the Community Bank risk control culture “satisfactory,” citing actions underway “to strengthen sales practices by fostering a culture where ‘only needs-based and value-add product and service solutions [would be] delivered to customers.” ((Independent Directors of the Board of Wells Fargo & Company, Sales Practices Investigation Report, April 10, 2017, pages 94-95. This “satisfactory” rating came despite a May 2015 lawsuit filed by the city of Los Angeles against Wells Fargo alleging ongoing widespread unfair, unlawful and deceptive sales practices.))

In 2004, Wells Fargo risk functions were still able to accurately document material risk culture weaknesses even if they were never vetted at appropriate levels of executive management. Ten years later that self-diagnostic ability was long gone, and with it any hope of steering clear of what became one of the largest ethical lapses and process breakdowns ever seen in retail banking.

Santa Fe Group Senior Advisor, Bob Jones, has led financial institution fraud risk management programs for more than 40 years. A well-known thought leader in the financial services industry and a sought-after expert in risk management strategy, Bob has devoted his career to innovative financial services fraud reduction and risk management. Today, Bob is a consultant, educator and expert witness, and serves as the principal of RW Jones Associates LLC.

For more than four decades, Gary Roboff, Senior Advisor, The Santa Fe Group, contributed his outstanding talents to financial services planning and management, including 25 years at JP Morgan Chase where he retired as Senior Vice President of Electronic Commerce. Gary has worked extensively in electronic payments, payments fraud, third party risk management, privacy and information utilization, as well as business frameworks and standards for electronic commerce applications.

Setting a New Benchmark –...


For financial services companies that fall under the New York State Department of Financial Services (DFS) cybersecurity requirements rule, the timeline for implementing 23 NYCRR500 has begun. The new rule became effective March 1st. Each section of the rule has a timeline relating to the development of cybersecurity programs for all “Covered Entities.”

The regulation applies to the array of organizations that operate under a license, charter or other authorization under New York’s Banking, Financial Services or Insurance Laws, which places those organizations under DFS regulation. Limited exemptions exist (Section 500.19) for organizations with fewer than 10 employees (including independent contractors), or with less than $5 million in gross annual revenue in each of the last three fiscal years, or with less than $10 million in year-end total assets. An exempt organization must file a Notice of Exemption (Appendix B form) within 30 days of determining that it qualifies.

The rules are prefaced with the statement that, “The financial services industry is a significant target of cybersecurity threats. DFS appreciates that many firms have proactively increased their cybersecurity programs with great success. Given the seriousness of the issue and the risk to all regulated entities, certain regulatory minimum standards are warranted, while not being overly prescriptive so that cybersecurity programs can match the relevant risks and keep pace with technological advances. Accordingly, this regulation is designed to promote the protection of customer information as well as the information technology systems of regulated entities. This regulation requires each company to assess its specific risk profile and design a program that addresses its risks in a robust fashion. Senior management must take this issue seriously and be responsible for the organization’s cybersecurity program and file an annual certification confirming compliance with these regulations.” ((Cybersecurity Requirements for Financial Services Companies. 23NYCRR500. New York State Department of Financial Services. Effective March 1, 2017. New York State Register.))

Cybersecurity programs are required under Section 500.02 to: be “designed to protect the confidentiality, integrity and availability of the Covered Entity’s Information Systems” and must “be based on the Covered Entity’s Risk Assessment” and designed to perform “core cybersecurity functions including identification and assessment of internal and external cybersecurity risks, use defensive infrastructure and written policies and procedures.” Mitigation and program improvements to meet compliance are included in that statement, as are appropriate supporting documentation. The regulation requires that Covered Entities have a cybersecurity program that addresses 14 areas within their third party risk management program, including:

  • Encryption of non-public information (Section 500.15).
  • Multi-factor authentication that is appropriate to the risk assessment (Section 500.12).
  • Third party agreement due diligence that includes actionable contract requirements that allow the outsourcer to mirror its own risk requirements at down chain levels (third party and on) within its supply chain (Section 500.11).
  • Periodic risk assessments of information systems, business operations, technology developments and emerging threats are required (Section 500.09).

The Covered Entity may meet the requirements through adopting an affiliates program – affiliates do not include third party providers, as defined by the regulation. The rule requires all Covered Entities to have a third party risk management program. Written policies and procedures that are approved at the senior and/or board levels, ongoing training, audit trails and specific risk controls are all mandated, along with incident response planning, monitoring and testing and designation of a formal Chief Information Security Officer (CISO). The CISO must be “qualified” and would be responsible for cybersecurity program design, implementation, oversight, program updates and enforcement and be responsible under Section 500.04(b) for reporting at the board level of the Covered Entity.

This last point, appointment of a CISO, has been contentious, in part because it is viewed as burdensome for smaller organizations. The DFS allows the CISO to be an outsourced position, an accommodation designed to alleviate the cost burden for smaller firms. However, outsourcing the CISO position may have unintended consequences, since for smaller firms the most logical third party to handle that role might well be an individual from the company that provides technology infrastructure to the outsourcer. Conflicts of interest may reasonably occur. For example, part of the CISO’s responsibility is validating compensating controls when an outsourcer cannot comply with new DFS security requirements, such as encryption of at-rest non-public data or multi-factor authentication. Will a CISO paid by the third party be able to make an independent assessment of control adequacy when that person’s primary employer may have a vested interest in an outcome that differs from its client’s?

This regulation mandates that it is the CISO’s role to identify, sign off on and report to the board on the effectiveness of the program, materiality of risks and the compensating controls for all areas of the cybersecurity program. Is it feasible for the outsourced CISO, who may be tied to application development or other IT functions as defined in Section 500.10 Cybersecurity Personnel and Intelligence, to remain independent? These questions only scratch the surface on the potential pitfalls this situation poses in relation to robust third party risk management.

Rule provisions that took effect immediately and involve reporting to the DFS Superintendent of Financial Services include Section 500.17(a), notice within 72 hours of a cybersecurity event, and Section 500.17(b), a written statement of compliance with the rule (Appendix A form), which is due February 15th each year. ((The Regulation defines a cybersecurity event as “any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse [of] an Information System or information stored on such Information System.”)) Defined transitional period milestones for complying with the remaining requirements of the regulation are noted in Section 500.22. A full list of transition requirements is available in the regulation document.

The Shared Assessments Program member vertical groups and development committees will continue to examine and discuss the regulation and take 23NYCRR500 into account during best practices resources development and Program Tool updates.

Marya Roddis is Vice President of Communications for The Santa Fe Group, Shared Assessments Program. She acts as lead writer for staff and member subject matter experts, providing research and other support in developing blog content and documenting committee projects in white papers and briefings, as well as press communications and other outreach documentation. She has 40 years of experience in administration, compliance monitoring and communications and has served as a Resource Development Consultant since 2003 for primarily non-profit organizations in the fields of arts, education, social services and regional economic and business development.

The Shared Assessments Program...

04-11-2017

The Shared Assessments Program is the only organization that has uniquely positioned and developed standardized resources for managing the complete third party relationship lifecycle. Such standardization is critical to the advancement of effective, secure third party controls and risk management in an otherwise fractured market. As part of our 2017 initiative, we’re formalizing the Shared Assessments Third Party Risk Management Framework. This agnostic and holistic framework will be freely available and will further raise the bar for all organizations that want to achieve rigorous third party controls.

Third party risk now extends beyond regulated industries to all outsourcers and verticals:

The Challenge: Risk management has reached a critical inflection point. Third and fourth party risk management, as well as risks posed by new, transformative technologies (IoT, Fintech, etc.), are increasingly on the agenda at the Board and C-Suite levels. Outsourcing and emerging technology open up strategic, financial, quality and business resiliency risks; each with the potential to affect the outsourcer’s compliance posture, services integrity and, ultimately, the organization’s reputation and market position.

Increased training and improved third party risk control discipline respond directly to this growing need. However, the proliferation of unstandardized questionnaires and processes complicates advancement of vigorous third party controls and risk management. Success within this evolving third party landscape means establishing and consistently employing best practices in the field.

Solution Building: Shared Assessments is a mature organization that has worked with industry members for over a decade to bring the efficiencies in vendor management to the market that make robust third party risk management affordable. Shared Assessments is founded on an unequalled, cross industry knowledge base and has become a standard for more efficient and less costly means of conducting rigorous assessments of controls for cybersecurity, IT, privacy, data security and business resiliency.

Shared Assessments resources are developed by members and powered by the experienced thought leaders at The Santa Fe Group, who work collaboratively:

  • Raising awareness about third party risk issues;
  • Bringing best practices to light for our members and for the larger community;
  • Providing resources with the efficiencies that only standardization of third party risk tools and processes can achieve; and
  • Providing training and skills certification that holistically address the key elements of a solid third party risk management program.

The Shared Assessments Program’s 2017 Strategic Risk Management Initiative: This initiative addresses the needs of the business community through:

  • Third Party Risk Management Framework: Shared Assessments was the first to articulate a framework that embodies a ‘trust, but verify’ approach. We are taking this to a new level in our end-to-end process framework unique to the third and fourth party risk management landscape. The Framework will be available to all and is relevant to both beginner and advanced practitioners.
  • Research and Publications: Expansion of member committees to capture and disseminate best practices and expand the learnings of the marketplace in the form of publicly available white papers, case studies and independent research studies.
  • Awareness Groups: Building off the tried and true Best Practices and Regulatory Compliance Awareness Groups, 2017 sees the creation of vertical strategy groups that hone in on the unique third party risk needs of currently underserved industries.
  • Certification and Leadership Group Training: Expansion of the tool agnostic Certified Third Party Risk Professional (CTPRP) program, with online training and testing availability to extend our capability to educate assessors, information security and other third party risk professionals. A new Certified Third Party Risk Assessor (CTPRA) training is being developed that will explore the deeper level of understanding of risk controls required for an assessor. In 2017, we will be adding specialized add-on training specific to the use of the Shared Assessments Program Tools.
  • Up-to-Date Third Party Risk Management Program Tools: Our member-led development committees ensure that our tools help create efficiencies and lower costs; are kept current and aligned with regulations, industry standards and guidelines for cybersecurity, IT, privacy, data security and business resiliency and the current threat environment; and have been adopted globally across a broad range of industries both by service providers and their customers. The Vendor Risk Management Maturity Model (VRMMM) is now provided FREE to the third party risk community. This tool allows organizations to evaluate their program against a comprehensive set of best practices. The Standardized Information Gathering (SIG) questionnaire provides the most comprehensive and only standardized third party risk questionnaire in the industry. As outsourcer needs and third party relationships differ, not every relationship requires every question be answered. That is why Shared Assessments is creating enhanced, automated SIG scoping capabilities to fit specific risk needs. The Standardized Control Assessment (SCA) procedures (formerly the Agreed Upon Procedures – AUP) are being renamed to better reflect the Tool’s purpose and role as a validation methodology for verifying questionnaire answers. Standards are being developed to guide assessors in the use of the SCA, in order to ensure that assessors using the Tool meet appropriate qualifications and that quality assurance checks are performed.
  • Increased International Third Party Risk Involvement: Shared Assessments is responding to the increased request for guidance from businesses globally, including the UK and APAC (Asia-Pacific) markets, which includes many US organizations that operate globally. These efforts take the form of convening roundtables, summit participation and publications, and inclusion of more international players to increase the knowledge base in this area, as more organizations understand the growing need to address global marketplace and regulatory concerns.

Catherine Allen is the Chairman and CEO of The Santa Fe Group, a strategic advisory company providing thought leadership expertise and management support for strategic industry and institutional projects across the supply chain, providing expertise to all industry verticals and critical infrastructure organizations, in the areas of cybersecurity, emerging technologies, and other areas surrounding third party risk management. The Shared Assessments Program is managed by The Santa Fe Group. Catherine currently serves as a board member of Synovus Financial Corporation, El Paso Electric Company, and Analytics Pros, and is a member of the Risk, Energy and Natural Resources, External Affairs and Nominating and Governance Committees. She chairs the Security Committee for El Paso Electric.

Setting Expectations for Your ...

03-14-2017

Risk Rating During On-Boarding

Including third party risk rating as a strategic part of a robust risk management program provides the opportunity for early identification of the wide range of issues that ripple through both regulated and unregulated industries wherever outsourcing is present. Scoring third parties consistently was ranked as the most challenging issue in the 2017 “Development of Third Party Risk Management Practices Report.” ((“The Development of Third Party Risk Management Practices” MyComplianceOffice (MCO) and Center for Financial Professionals (CFP). 2017.))

Outsourcing brings more players to the table, inherently expanding the potential of risk for an enterprise. Outsourcing can expose the enterprise to country, strategic, financial, quality and business resiliency risks, each of which has the potential to deeply impact the outsourcer’s compliance posture, integrity, availability of information or services and, ultimately, the organization’s reputation and market position. Globally, the need for effective third party risk management extends to all verticals and is increasing rapidly as a major concern for risk managers as the business environment is perceived to be noticeably riskier in 2017. ((Executive Perspectives on Top Risks for 2017. North Carolina State University ERM Initiative and Protiviti. 2017.))

Establishing a well-designed risk rating system offers a clearer and more realistic view into third party relationships than can be achieved through piecemeal evaluations. The 2016 Shared Assessments Vendor Risk Management Benchmark Survey found that maturity levels increased significantly in 2016 for organizations focused on ensuring inclusion of a defined third party provider risk classification/rating system that includes established criteria as part of the contract review cycle. ((2016 Vendor Risk Management Benchmark Study. The Santa Fe Group, Shared Assessments Program and Protiviti, Inc. 2016.)) Risk rating during due diligence provides the added benefit of setting expectations before entering into a relationship, or in the case of renewing a third party contract, re-setting expectations.

A robust risk rating system:

  • Is tailored to suit the complexity and risk appetite of the organization.
  • Takes into consideration the risks associated with each type of product or service and third party relationship.

To be effective, criteria for risk rating should be based on documented program parameters that are appropriate to the risk appetite the board has set for the contracting organization. ((Commonly examined key impact areas include: process criticality, concentration of services, compliance, reputation, financial, strategic, logical and physical security, business resiliency, recovery time objectives and vulnerability to risk based on product/service type.)) A risk rating system can contain as few as three rankings (e.g., low/medium/high), or may have a more refined scale. Either way, a formal risk rating will include a process that sets assessment cycles, depth and remediation expectations. Existing management systems may be leveraged to facilitate implementation.

A rigorous risk management system takes into account:

  • A system for inventorying and assessment tracking for all third parties.
  • Key data, systems and applications that are accessed by a third or fourth party.
  • Vetting indicators of third party financial and operational stability and resiliency.
  • Pre-contract requirements that are tied to a given risk rating (by service type and provider, or both).

Once instituted, risk rating should be part of the on-boarding process throughout the enterprise and be performed consistently on every potential third party. This approach allows for well-informed and timely allocation of appropriate resources toward third party oversight, reassessment need and timing and the frequency/quantity of other ongoing management activity. It also provides a measure of assurance that processes are being applied uniformly and that outsourced functions are being managed and monitored more consistently, as well as more efficiently.

By establishing a well-considered rating process, outsourcers can make better-informed decisions that support critical risk program functions. This process can also reveal significant gaps in due diligence, provide the opportunity to make processes more efficient and provide a defensible, repeatable third party assessment process. Within the Shared Assessments Program Tools, the Standardized Information Gathering (SIG) questionnaire provides a standard for risk rating third party service providers. This common-scale objectivity gives the outsourcer an enhanced capacity for maintaining regulatory compliance and a risk profile across its supply chain that mirrors its own macroeconomic, operational and strategic risk profile.

Santa Fe Group Senior Advisor, Bob Jones, has led financial institution fraud risk management programs for more than 40 years. A well-known thought leader in the financial services industry and a sought-after expert in risk management strategy, Bob has devoted his career to innovative financial services fraud reduction and risk management. Today, Bob is a consultant, educator and expert witness, and serves as the principal of RW Jones Associates LLC.

Building Your TPRM Program –...

Robert Wilkinson 03-06-2017

This is part two of a two-part series created in response to an increasing number of member requests for foundational concepts that support Boards and executive managers as they work to define, design and implement evidence-based Third Party Risk Management (TPRM) programs. This second part provides starting-point approaches and essential focus areas for an organization just beginning to implement a TPRM program from scratch.

At the TPRM program level, the key activities required for robust program development within an organization are:

  1. Build a Core Team: Establish a core TPRM team that will be responsible for driving all of the key initiative steps listed below, to document an organizational third party risk management policy, build an initial organization structure and architect a third party solution adapted to the organization’s operational structure (i.e., centralized versus de-centralized). Which additional functionality is required, and whether it will reside within the core team or be implemented through staff augmentation, can be determined as the team’s plans evolve. Note that management’s support of the program through hiring of qualified individuals at the core team level demonstrates key senior level commitment to the program’s success.
  2. Complete a Full Inventory: Seek detailed information to build a complete inventory of all third and fourth parties from, at minimum, Procurement, Accounting, International Operations and the Legal departments. While on the surface this appears to be a straightforward exercise, it often takes an extended period of time, and new vendors may be discovered well into the program implementation phase. Fourth parties (subcontractors of third parties) can be captured as part of the inventory building process or at a later stage; however, they must be recognized as a critical component of the overall program. Key fourth party focus areas include those firms that have access to confidential outsourcer information through third parties or connectivity directly into third party networks where outsourcer confidential information may reside. Implementing a process to capture new third parties as contracts are signed is an important element for keeping the inventory up to date.
  3. Define a Repository for Contracts Administration: This database is usually held under the supervision of the Procurement function and may already exist. However, it may not include all contracts, and it therefore takes time to research and compile a complete repository database.
  4. Define a Standard Contract Template: This template must include, among other clauses, a ‘right to audit’ clause that ensures the outsourcer’s ability to perform a security assessment of its third parties. The Shared Assessments white paper “Building Best Practices in Third Party Risk Management: Involving Procurement” discusses sample contract clauses in more detail.
  5. Define a Security Requirements Appendix: This will be a mandatory attachment for the standard contract template that will address specific company security requirements that third party service providers must meet.
  6. Identify a Business Unit Vendor Relationship Manager (VRM) for each Third Party: This individual will be responsible for acting as the third party interface for all communications and ensuring third party performance commitments are met, as well as for maintaining the overall health of the relationship. This role includes managing issues through remediation and any new requirements, as well as project oversight and third party performance.
  7. Identify a TPRM Risk Management Software Platform: Options include leveraging a common system with Procurement for contracts and third party inventory management or using a separate Governance, Risk and Compliance (GRC) platform. Key components include automated capture of assessment questionnaire responses from third parties and leveraging (as available) automated tools to be used in the review of submitted questionnaires.
  8. Develop TPRM Training Materials: These should be tailored for each of the key stakeholders in the company and used and updated on an ongoing basis. These materials and associated trainings raise awareness and ensure proficiency in program execution.
  9. Develop a Third Party Risk Categorization Process: This is required in order to define, identify and document the risk associated with each of the organization’s third parties, as not all represent the same risk to the company, and to ensure that those third parties that represent the highest risk are focused on first and in the greatest depth. It is used to determine the frequency of risk assessments being performed and the type of continuous monitoring that should be implemented.
  10. Develop or Leverage an Existing Issue Management System: This will serve as the repository of all identified third party issues, including the tracking of remediation plan status, as well as documentation of any risk acceptances signed off by the business where remediation will not occur.
  11. Implement the TPRM Program in Phases: Initially, focusing on program implementation for new third parties being onboarded can allow the organization to ease into the implementation process and limit the growth of non-compliant, high risk third parties within an organization. After this has been accomplished, establish a periodic assessment process for all existing third parties to bring them in line with TPRM program requirements.

The recommendations in these two articles can be used as a foundational outline for building a TPRM program work plan for your organization. As you implement and track the impact of your program, you can respond to changes in your organization’s risk tolerance and strategies, as well as respond with greater agility to changes in the regulatory and industry environment as it evolves.
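The risk categorization process in step 9 above and the rating system described in “Setting Expectations for Your ...” (impact areas, a low/medium/high scale, and assessment cycle, depth and remediation expectations tied to each rank) describe the same mechanism. The following is an added example of how a program could implement that mechanism deterministically; it is written for this page and is not code from Shared Assessments or from the SIG, SCA or VRMMM tools. The impact areas come from that post’s footnote; the weights, thresholds, per-tier obligations, override rules and the three sample vendors are assumptions for illustration only.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Impact areas named in the "Setting Expectations" footnote, each scored 1 (low) to 3 (high).
# The weights are an assumed program parameter standing in for a board-approved risk
# appetite; they are not values from the posts or from any Shared Assessments tool.
AREAS = ["process_criticality", "concentration_of_services", "compliance", "reputation",
         "financial", "strategic", "logical_physical_security", "business_resiliency"]
WEIGHTS = dict(zip(AREAS, [3, 2, 2, 2, 1, 1, 3, 2]))
MIN_SCORE, MAX_SCORE = 1, 3

# Assumed per-tier obligations: the assessment cycle, depth, remediation expectation
# and monitoring mode that a formal rating process attaches to each tier.
TIER_REQUIREMENTS = {
    "HIGH":   dict(cycle_months=12, depth="full questionnaire plus onsite control validation",
                   remediation_days=30, monitoring="continuous"),
    "MEDIUM": dict(cycle_months=24, depth="full questionnaire",
                   remediation_days=90, monitoring="quarterly review"),
    "LOW":    dict(cycle_months=36, depth="self-attestation questionnaire",
                   remediation_days=180, monitoring="annual review"),
}

@dataclass
class ThirdParty:
    name: str
    scores: Dict[str, int]                  # impact area -> 1..3, as scored by the assessor
    accesses_confidential_data: bool        # key data/systems reachable by the provider
    rto_hours: Optional[int] = None         # recovery time objective committed in the contract
    fourth_parties_with_access: List[str] = field(default_factory=list)

@dataclass
class Rating:
    tier: str
    weighted_score: float
    override_reasons: List[str]
    requirements: dict
    findings: List[str]

def rate(tp: ThirdParty, high_at: float = 2.4, medium_at: float = 1.7) -> Rating:
    """Derive a tier and its program obligations deterministically from the profile."""
    findings, overrides, total = [], [], 0.0
    for area, weight in WEIGHTS.items():
        score = tp.scores.get(area)
        if score is None:
            # Unscored criteria are assumed high and flagged: an incomplete profile
            # must never come out lower-risk than a complete one.
            findings.append(f"{area}: not scored, assumed {MAX_SCORE}")
            score = MAX_SCORE
        elif not MIN_SCORE <= score <= MAX_SCORE:
            raise ValueError(f"{tp.name}: {area} score {score} outside {MIN_SCORE}..{MAX_SCORE}")
        total += score * weight
    weighted = total / sum(WEIGHTS.values())
    tier = "HIGH" if weighted >= high_at else "MEDIUM" if weighted >= medium_at else "LOW"

    # Single-factor overrides: some exposures make the relationship high risk no matter
    # how benign the weighted average looks, which keeps ratings consistent across assessors.
    if tp.accesses_confidential_data and tp.scores.get("logical_physical_security", MAX_SCORE) >= 2:
        overrides.append("confidential data access with elevated security impact")
    if tp.rto_hours is None and tp.scores.get("process_criticality", MAX_SCORE) >= MAX_SCORE:
        overrides.append("critical process with no contracted recovery time objective")
    if overrides:
        tier = "HIGH"
    if tp.fourth_parties_with_access:
        findings.append(f"fourth parties with data access to add to the inventory: "
                        f"{len(tp.fourth_parties_with_access)}")
    return Rating(tier, weighted, overrides, TIER_REQUIREMENTS[tier], findings)

def next_assessment_due(last_assessed_iso: str, rating: Rating) -> str:
    """Roll the tier's assessment cycle forward from an ISO date; the day is clamped to 28 so the result is valid in any month."""
    last = date.fromisoformat(last_assessed_iso)
    years, month_index = divmod(last.month - 1 + rating.requirements["cycle_months"], 12)
    return date(last.year + years, month_index + 1, min(last.day, 28)).isoformat()

def scored(*values: int) -> Dict[str, int]:
    """Map assessor scores onto AREAS in order; fewer values than areas leaves the rest unscored."""
    return dict(zip(AREAS, values))

# Constructed sample portfolio (not real vendors).
PORTFOLIO = [
    ThirdParty("payroll processor", scored(3, 3, 3, 3, 2, 2, 3, 3), accesses_confidential_data=True,
               rto_hours=4, fourth_parties_with_access=["cloud hosting provider"]),
    ThirdParty("grounds maintenance", scored(1, 1, 1, 1, 1, 1, 1),   # business_resiliency unscored
               accesses_confidential_data=False),
    ThirdParty("marketing analytics", scored(1, 1, 2, 2, 1, 1, 2, 1), accesses_confidential_data=True,
               rto_hours=48),
]

def rate_portfolio(portfolio=PORTFOLIO) -> Dict[str, Rating]:
    return {tp.name: rate(tp) for tp in portfolio}

if __name__ == "__main__":
    for name, r in rate_portfolio().items():
        print(f"{name:20} {r.tier:6} avg={r.weighted_score:.2f} "
              f"cycle={r.requirements['cycle_months']}mo overrides={r.override_reasons} {r.findings}")
```

Two design choices carry the weight here. Unscored criteria are treated as the highest impact and surfaced as findings, so a thin profile cannot quietly earn a lighter assessment cycle, and the single-factor overrides mean that a provider with confidential data access is rated HIGH even when its weighted average is LOW, as the “marketing analytics” vendor shows. Both make the output depend on the documented parameters rather than on which assessor happened to score the vendor.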

Robert Wilkinson, Chief Strategy Officer at The Santa Fe Group and the Shared Assessments Program, has provided support to these organizations for more than 15 years, including as an Advisory Board member and Advisory Board Chair with a deep understanding of results-oriented risk management. He has more than 30 years of extensive global experience developing and implementing enterprise operational risk management solutions focusing on Operations and Technology, having worked in 45 countries and various locations throughout the United States. He has extensive experience interacting with government regulators and addressing regulatory findings.

Employing Lines of Defense –...

02-23-2017

Robust risk governance principles are espoused in guidelines worldwide for Enterprise Risk Management (ERM) from organizations that vary from oversight agencies to industry support groups. Just for example, the International Association of Privacy Professionals (IAPP), Financial Stability Board (FSB), Committee of Sponsoring Organizations of the Treadway Commission (COSO), the Basel Committee on Banking Supervision, Organisation for Economic Co-operation and Development (OECD) and Asia-Pacific Economic Cooperation (APEC) all have conducted projects to revise corporate governance principle guidelines to include more robust risk governance. Lines of defense within governance structures offer safeguards in the event that risk management breakdowns occur, and help to mitigate the damage that such breakdowns can cause to enterprise value.

Lines of Defense

Corporate governance has evolved to include a commonly-used three lines of defense model. The lines are prescribed within organizations in order to strengthen the risk and compliance function throughout the enterprise and into the supply chain, including at the third party provider level. ((Corporate governance models include lines of defense that are typically divided into three lines (such as ISACA, International Institute of Auditors, and others), though there are models with four or five lines of defense defined.)) The lines of defense concept, which is rooted in military theory, has been widely applied within the financial services and insurance industries since the 2008 economic upheaval that resulted in regulatory requirements for active and effective risk mitigation. Once an organization’s board of directors has completed the critical function of establishing a defined, documented risk appetite ((“A risk appetite statement documents the types and amounts of risk an organization is willing to accept in order to achieve its business objectives. An organization’s strategic goals should be the driver of its risk philosophy, which is defined through a disciplined process that involves setting risk preferences, articulating specific risk tolerances (e.g., high, medium and low), then establishing risk guidelines, rules, policies and controls.” Toole, J. and Stahl, M. Developing a Robust Risk Appetite Statement. Risk Management. January 2016. Redistribution of Carrier Management Magazine release April 21, 2015.)) for the organization, a framework for staying within established risk limit criteria has to be implemented. This framework must include specific roles and responsibilities for tracking related data and reporting that data in meaningful ways. This is similar to financial modeling and stress testing requirements.

The framework structure and process identify and manage risk throughout the enterprise and its supply chain. The framework defines key roles and assigns specific responsibilities, policies and procedures and depends throughout on the Tone at the Top set by the board and executive management, as that is the most salient factor impacting an organization’s risk culture. The lines of defense framework is generally depicted as follows:

  • First Line of Defense: Business operations unit teams that assume ownership and responsibility for the design and application of risk assessment, control and mitigation. These components are embedded into the unit’s decision making and operations at all levels. Third party risk management first line also resides here. Business units should work in concert with other functions, such as procurement and an assigned vendor relationship manager, to ensure that management appropriate to the organization is taking place throughout the vendor lifecycle.
  • Second Line of Defense: Compliance oversight team, which may employ aspects of other control functions for support. Third party risk management second line of defense resides here.
  • Third Line of Defense: Internal audit team, a function which must remain independent and therefore cannot provide direct support to the other lines of defense in the chain. This function may be outsourced, which can add a level of complexity to third party risk management.

The following graphic shows the relationship of the lines of defense and the role of Tone at the Top in establishing accountability throughout the organization. Each line has accountability to the others, even if that is indirectly coordinated between tiers.

Source: International Finance Corporation (IFC) World Bank Group. May 2014.

In overview, the cycle of risk management begins with documented risk review and setting of risk governance limits by the board of directors. Senior management then designs the organization’s formal risk management program in line with that board-defined risk appetite. The cycle continues with business unit implementation of the program, with ongoing adjustments being directed by senior management in response to the organization’s unique needs within the larger dynamic risk environment. Oversight is conducted on an ongoing basis by the compliance team, with independent assurance of risk controls through the audit function. And finally, at pre-determined intervals or at incident escalation trigger points, senior management, compliance and audit each report back to the board, completing the cycle.

Best Practices

To function properly, meet the overarching goal of rigorous cybersecurity and other control standards, and at the same time cope with the increasing risk-related workload while remaining efficient, teams throughout the lines of defense framework must:

  • Work within a board defined risk appetite that is supported both top-down and bottom-up. This demonstrates the board’s commitment to robust risk management. Risk management is a key governance issue and how risks are identified and how the risk appetite is set are critically important to all organizations, regardless of industry vertical.
  • Determine how often risk data is compared to targets that are board approved, who reports this information and how often and in what manner this is reported to the board.
  • Have clear, documented definitions of roles and responsibilities for each team and line. This includes establishing at both board and C-levels who is responsible for development and overall risk management implementation and oversight.
  • Work within an overall framework of lines of defense that is designed and appropriate for the organization and its industry.
  • Ensure appropriate resource allocation (human and technical resources). Train and communicate with staff enterprise-wide to teach breach resistance and to ensure that the individuals responsible for compliance and risk mitigation functions are fully qualified to perform the tasks that fall under their scope of work within the lines of defense.
  • Employ a dynamic approach – review defense framework components at pre-defined periods, or as required by events.
  • Where an incentive system is applied to reinforce robust risk management practices, ensure that the framework avoids conflicts of interest, as marketing targets and risk management targets for business lines can blur the roles and responsibilities of team members.

Lines of Defense and Incident Management

Holistic risk management involves a range of domains, covering security for organizational assets that include data, intellectual property (IP) and other crown jewels; physical and environmental security, privacy, compliance, business resiliency, access control and operations management. Special focus has fallen on cybersecurity in both regulated and non-regulated sectors. An examination ((Original concepts for the link between security incident management and lines of defense are adapted from text provided by Sunil Bakshi, CISA, CRISC, CISM, CGEIT, ABCI, AMIIB, BS 25999 LI, CEH, CISSP, ISO 27001 LA, MCA, PMP. Adjunct Professor. National Institute of Bank Management. Pune, India. February 2017.)) of how the three lines approach can be utilized to bolster security incident management provides the following overview:

  • First Line: With business units as the primary information systems managers, these team members sit in the “cat bird seat” with the closest access for detecting abnormal or otherwise suspicious activities. Business unit managers set objectives and metrics for reporting, as well as train personnel on risk detection and response strategies. Technical security controls implemented by IT operations teams, including cybersecurity analysts from the security operations center, can provide ongoing and continuous monitoring of the overall ecosystem, troubleshoot, and provide application support for administrators, unit teams, and help desk/service desk staff. The threat intelligence team can communicate advance information on emerging threats.
  • Second Line: Compliance team oversight design that includes key monitoring and reporting on risk-related practices and information is a semi-independent function that involves monitoring of various risk management support functions; including risk control, finance, compliance and back office functions. The compliance team validates models that are used by the operations functions within business units.
  • Third Line: This line includes audit functions, incident response and forensic teams, as well as application scanning and testing, alongside traditional financial, safety, quality assurance, legal and operations audits, and provides reports on a regular basis to management and the board. These teams also step in at pre-specified trigger points to escalate remediation and forensic activities in the case of an incident. This line of defense ensures that the other two lines act in alignment with the board defined framework and the C-level design for the structure of the overall risk management program.

Real Return on Investment in Risk Management
The lines of defense framework for design and implementation of internal control systems has garnered much research since the global financial crisis in 2008. The three-line form has been applied since that time to financial services and insurance services organizations as a matter of regulatory compliance. While other industry verticals may not currently apply such a framework, all organizations would benefit from this best practice lines of defense approach. The pressure for integrity and protection of market value and brand reputation from investors, consumers and the global market as a whole will continue to increase. Stakeholder expectations dictate protection of the organization’s business model and reputation, and organizations should set clearly defined ‘compliance’ criteria, even where regulatory or industry standard guidelines are absent.

Benefits of employing a line of defense system, in which managing risk becomes everyone’s responsibility, span strategic, operational, ethical and reporting objectives. Benefits for all industries, even those not mandated at the regulatory level to have a lines of defense structure, include:

  • Eliminates redundant processes and information gathering, and promotes information sharing.
  • Provides independent verification and validation of risk management reporting and processes.
  • Ensures a holistic and timely response to potential threats and incidents.

The three-lines approach should be dynamically applied to allow for ongoing adaptation to changes in the evolving risk landscape and to changes in the unique needs and capacity of the individual organization. When all three lines of defense work in concert with functional reporting lines that are accountable directly to the board, governance risk gaps can be identified and closed, objectivity enhanced and the application of the framework can be expected to yield improved risk-related outcomes throughout the supply chain.

Marya Roddis is Vice President of Communications for The Santa Fe Group, Shared Assessments Program. She acts as lead writer for staff and member subject matter experts, providing support in developing blog content and documenting committee projects in white papers and briefings, as well as press communications and other marketing documentation projects. She has 40 years of experience in administration, compliance monitoring and communications and has served as a Resource Development Consultant since 2003 for primarily non-profit organizations in the fields of arts, education, social services and regional economic and business development.

Building Your TPRM Program –...

Robert Wilkinson 02-03-2017

This two-part article responds to an increasing number of requests to outline foundational concepts to support Boards and executive managers as they work to define, design and implement best practice-based Third Party Risk Management (TPRM) programs. In particular, this article provides starting point approaches and essential areas of focus for an organization attempting to implement a TPRM program from scratch. The second part will cover the key program activities that need definition and implementation at the third party risk management program level within an organization.

Four foundational elements for achieving a successful TPRM program are:

  1. Early High-Level Buy-In: Obtaining Board and senior management buy-in is essential, along with the need to set early expectations for ongoing, defined reporting periods and effective metrics for managing and mitigating third party risk. In most cases, this will require a Board and senior management education initiative.
  2. Defined Metrics: In parallel with program implementation, a set of program metrics must be developed that includes Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs). Depending on organization maturity and approach, this can be implemented along with an independent Operational Risk Management (ORM) function implementation and defined program reporting requirements that meet Board and senior management expectations defined from step 1 above.
  3. Defined Roles: Clear definition of stakeholder roles and responsibilities at each phase of the framework is needed, as defined in the table below.
  4. Address the Effect of Silos on Implementation: This element has to be addressed prior to implementation if the program is to achieve a functional level of effectiveness and maturity. Recommendations and other input from all relevant stakeholders should be sought to provide insight into the true structure and nature of key roles and responsibilities and the perceived effect that silos have on program implementation. Continuous quality improvement (CQI) is an essential element of understanding how silos and other organizational structure elements impact the program as it develops and becomes mature.

The following table will assist in understanding which stakeholders can effectively interact together throughout these four foundational steps.

TPRM chart

This concise, considered approach to TPRM program development and execution will assist your organization in reaping the return on investment in risk management programs and help you achieve a program level that responds directly to evolving regulatory, industry and other guidelines and standards and emerging risks. The second part of this article will provide guidance regarding essential activities for implementing a robust TPRM program.

Robert Wilkinson, Chief Strategy Officer at The Santa Fe Group and the Shared Assessments Program has provided support to these organizations for more than 15 years, including as an Advisory Board member and Advisory Board Chair with a deep understanding of results-oriented risk management. He has more than 30 years of extensive global experience developing and implementing enterprise operational risk management solutions focusing on Operations and Technology, having worked in 45 countries and various locations throughout the United States. He has extensive experience interacting with government regulators and addressing regulatory findings.

Building Your TPRM Program...

01-25-2017

PwC’s report highlighting monitoring of vendor networks by means of supply chain risk analytics focuses on the fact that the volume and transactions of outsourcing amplify risk. “The increasing severity of consequences for regulatory violations by vendors in complex global supply chains is matched only by the corresponding damage to reputation when vendor network violations get exposed.” Risks presented by the supply chain now mean that organizations have to defend against threats throughout the chain, including service providers, shippers and a host of other parties that can affect the outsourcer’s very business resiliency, in addition to reputation, compliance stance and overall risk profile.

This requires management to balance cost advantages gained through outsourcing with a risk posture appropriate to the unique risks posed by each product/service line and each third party relationship. The PwC report, Needle in the haystack: Monitoring vendor networks through supply chain analytics, can help organizations understand the vulnerabilities they face across their supply chain, the leadership for a robust framework and process development, ongoing and continuous monitoring needs, stakeholder awareness training needs and the return on investment from such efforts.

Marya Roddis is Vice President of Communications for The Santa Fe Group, Shared Assessments Program. She develops blog content and assists staff and members to document committee projects in white papers and briefings, as well as working on blog editing, press releases and other marketing documentation projects. She has worked as a Resource Development Consultant since 2003 for primarily non-profit organizations in the fields of arts, education, social services and regional economic and business development.

Shared Assessments 2016 – St...

01-17-2017

Shared Assessments finished the 2016 year with 85 new members, a 25% increase over 2015. We closed out the year with a total of 226 members, showing continuing year-over-year growth in the commitment of organizations to improving third party risk management and advancing best practices worldwide.

We’ve come a long way together since Shared Assessments was founded in 2006, when we set out to ease the burden on both outsourcers and third parties by streamlining the cumbersome evaluation process and creating a proven industry standard. Today the Shared Assessments Program’s membership is industry agnostic as companies from across the globe in a variety of industries have adopted the Shared Assessments standards.

The year’s highlights include:

  • The Ninth Annual Shared Assessments Summit boasted record attendance by 262 registrants and 39 world class panelists and presenters who gathered to address this year’s theme, The Changing Dynamic of Third Party Risk Assessment.
  • We provided roundtables, workshops, training and other educational resources for risk professionals throughout the year.
  • We continued our increased international focus, working with organizations with an international presence, as well as those headquartered overseas.
  • Release in November of the 2017 Shared Assessments Program Tools, updated to reflect emergent risks, as well as emerging regulations, guidelines and standards for the wide range of industries that our members represent.

2016 Shared Assessments Summit
The Ninth Annual Shared Assessments Summit was held May 18-19, 2016 in Baltimore, MD. The pre-Summit workshops drew more than 100 attendees. And, in keeping with our efforts to recognize the industry champions who are joining together to minimize risk and make our world a safer place to do business, we celebrated several of our members who have accomplished so much in our shared quest to continue reducing risk and growing the Shared Assessments Program. You can read more about the Summit here.

International Expansion
In 2016, Shared Assessments expanded its international footprint by working with leaders in the heavily regulated Singapore market to involve them in building best practices for third party risk. Additional roundtables, conference participation and sponsorships were developed in 2016 and will be expanded throughout the UK and Singapore in 2017.

Industry Roundtables
This past year, Shared Assessments convened our members and other thought leaders, providing a venue for:

  • Privacy and Shared Assessments Program Tools Development Committees.
  • Committees for regulatory compliance awareness and best practices third party risk management and assurance awareness.
  • Industry and regional groups in the UK and in the areas of legal and healthcare/pharma.

Shared Assessments convened and/or participated in the following industry roundtables:

  • Financial Institution Roundtable – January 2016.
  • International Singapore APAC – March 2016.
  • Asset Management Roundtable – March 2016.
  • 2016 Shared Assessments Summit – May 2016.

2016 Studies and Papers
Member participation in various Committees and Awareness Groups increased drastically in 2016. For instance, the Best Practices Awareness Group grew to over 70 committee members, an increase of 84%. Each of the papers listed below was released in 2016 by Shared Assessments member volunteers and partner member organizations, who also participated in the monthly Member Forum webinars on each of these topics:

  • Regulatory Compliance Awareness Group White Paper and Initiatives:
    • The It Takes In-Tune Tone at the Top to Shape an Effective Risk Management Culture white paper addresses the growing consensus that an effective risk culture cannot be developed without a “Tone at the Top” that demonstrates, beyond doubt, that the Board and C-Suite are active in building and maintaining an effective enterprise risk management culture and program, inclusive of third party risk issues.
    • EU General Data Protection Regulation (GDPR) and Brexit have been examined in articles and Member Forum calls.
    • A subject matter expert article was prepared upon invitation by the ISACA Journal, The Tone at the Top – Assessing the Board’s Effectiveness, and accepted for publication and released in November 2016.
    • The Committee prepared a response in May 2016 to a Request for Comments from the Office of the Comptroller of the Currency (OCC) on its Supporting Responsible Innovation in the Federal Banking System white paper, and conducted ongoing Committee discussions on the issues involved and on the June OCC Forum held in response to comments.

Shared Assessments Certified Third Party Risk Professional Certification
In 2016, 10 CTPRP in-person workshops were offered. Our Certified Third Party Risk Professional (CTPRP) certification has now trained more than 500 CTPRP certification holders. A new Associate CTPRP designation is now available, announced in September 2016, which is awarded to individuals who have successfully completed the full CTPRP training, yet lack the requisite five-year work experience for the full CTPRP certification. In 2017, we will announce the ability to participate in online CTPRP training opportunities and are expanding CTPRP in-person workshops internationally.

Updated 2017 Program Tools
Shared Assessments Program Tools help organizations create sustainable, organization-wide efficiencies in today’s high risk environment. The tools, which are foundational elements for risk management program assessment and evaluation of third party service provider cybersecurity, IT, privacy, data security and business resiliency controls, are: Standardized Information Gathering (SIG) questionnaire; Agreed Upon Procedures (AUP), a tool for standardized onsite assessments; and the Vendor Risk Management Maturity Model (VRMMM).

The Shared Assessments Program maintains its status as the trusted source for industry standard third party risk assurance leadership, in part through regular identification of modifications in domestic and international regulations, industry standards and guidelines, and the emergence of new risks. Pertinent changes are evaluated against tool content on an ongoing basis and the Program Tools are updated accordingly. It is the partnership between Shared Assessments and member organizations that creates the essential industry leadership that helps our members meet the surge in regulatory, consumer and business scrutiny within the constant landscape of cyber and other security threats and vulnerabilities.

These updated tools respond to the many cybersecurity and other third party risk management issues that are at the forefront of everyone’s concerns. Changes to the 2017 Program Tools reflect US and International regulatory changes and guidelines, as well as industry specific standards and best practices for gathering and assessing cybersecurity, IT, privacy, data security and business resiliency in an information technology environment to provide a complete picture of service provider controls, with scoring capability for response analysis and reporting.

On the Horizon for 2017
Shared Assessments will continue to provide a professional platform for examining and resolving critical issues as they emerge in the evolving third party risk landscape, including managing for risk rather than compliance, optimizing third party risk mitigation and leveraging resilience to ensure positive outcomes. Members can sign up to participate in our 2017 initiatives by completing our “request to participate.” For more information about each activity, and to sign up, you can go here.

Deliverables from the working groups and supporting staff from The Santa Fe Group include publications, research studies, speaking opportunities, webinars and podcasts, events and meetings, social media input, and consulting and advisory services. The CTPRP Program will seek to expand its offerings by providing online training opportunities, SIG and AUP master-level course additions and a Certified Third Party Risk Assessor (CTPRA) certification.

2017 committee initiatives include:

  • The Best Practices Awareness Group has already released its first white paper of 2017, Continuous Monitoring of Third Party Vendors: Building Best Practices, which discusses moving the needle on longitudinal tracking for more effective processes and decision-making, and achieving discernible gains in risk management.
  • Other 2017 Best Practices Awareness Group initiatives and white papers include: Vendor Risk Rating for Third Party Management; Assessment of Public Cloud Computing Vendors; and Fourth Party Risk Management.
  • The 2017 Regulatory Compliance Awareness Group is working on: Phase II of the Tone at the Top and Third Party Risk project; building a Compliance Maturity Model for Third Party Risk; and examination, and where appropriate response to, both domestic and international regulatory changes in this dynamic area, including GDPR.
  • The 2017 Vendor Risk Management Benchmark study, sponsored by our member partner, Protiviti, Inc.
  • The 2017 Ponemon-Shared Assessments Study is being developed, with a focus on third party risk management.
  • Additional Member Awareness Group committees are being developed for individual sectors, benchmarking, continuous monitoring, cybersecurity, and environmental trend groups. Invitations to participate are being fielded to all members.
  • Additional Member Resources are under development, such as a Third Party Risk Management library, which would include the Collaborative Onsite Assessments (COA) Addendum.

Jenny Burke is a Senior Vice President for Marketing and Communications with The Santa Fe Group, with key responsibilities that include advancing strategy to increase awareness of the Shared Assessments program, grow memberships, improve tool adoption and communicate all the combined efforts of our staff and members. Prior to joining The Santa Fe Group, she worked both as an independent marketing consultant and in private industry in branding, digital strategy, website redesign, content management and social media for a variety of software, consumer and website clients. Connect with Jenny on LinkedIn.

Shared Assessments Program Add...

01-13-2017

The Threat Horizon
The December 29th joint analysis report (JAR) GRIZZLY STEPPE – Russian Malicious Cyber Activity contains specific indicators of cyberattacks and steps organizations can take to mitigate “the tools and infrastructure used by the Russian civilian and military intelligence Services (RIS) to compromise and exploit networks and endpoints associated with the U.S. election, as well as a range of U.S. Government, political, and private sector entities.” ((GRIZZLY STEPPE – Russian Malicious Cyber Activity. US Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) and the US Federal Bureau of Investigation (FBI). Reference Number: JAR-16-20296, December 29, 2016, Page 1.)) The Grizzly Steppe report was motivated by the hacking attacks outlined in the subsequent unclassified report Background to “Assessing Russian Activities and Intentions in Recent US Elections”: The Analytic Process and Cyber Incident Attribution, released January 6th. ((Background to “Assessing Russian Activities and Intentions in Recent US Elections”: The Analytic Process and Cyber Incident Attribution. US Office of the Director of National Intelligence and the National Intelligence Council. Reference Number: ICA 2017-01D. January 6, 2017.))

These attacks have highlighted the extent of our cyber vulnerability globally and should result in step function increases in our motivation to close seemingly wide gaps in overall online security. Damaging and/or disruptive attacks have been made on critical infrastructure networks globally. Cases where third party identities have been used to mask hacking have been documented. Once access is gained, the hackers analyze information garnered for its intelligence value.

Technical Indicators and Recommended Mitigations
Shared Assessments Program Tools address the breadth of the attack indicators that the Grizzly Steppe report identified as critical known factors surrounding a pattern of ongoing cyber-enabled hacking operations. This includes notable and ongoing Advanced Persistent Threats (APTs) that have been used since at least 2015 to target “government organizations, critical infrastructure entities, think tanks, universities, political organizations, and corporations leading to the theft of information.” ((GRIZZLY STEPPE – Russian Malicious Cyber Activity. US Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) and the US Federal Bureau of Investigation (FBI). Reference Number: JAR-16-20296, December 29, 2016, Page 1.)) A variety of methods are used to interfere with systems, such as injection flaws, cross-site scripting (XSS) vulnerabilities and server vulnerabilities. Spear phishing was specifically identified as a common technical means of system compromise in the joint NCCIC/FBI report.

Mitigation Resources
Each of the security needs identified by the report is addressed by the Shared Assessments Program’s member-driven resources. The Program Tools provide a holistic picture across verticals for risk assessments and for evaluating the maturity of third party risk programs, including cybersecurity, IT, privacy, data security and business resiliency controls, including:

  • Risk analysis,
  • Staff training,
  • Application whitelisting,
  • Vulnerability scanning and patching, and
  • Other business resiliency indicators.

Shared Assessments Program Tools are specifically designed using objective, rigorous best practice standards and regulatory guidelines to ensure that the very indicators identified by the reports are accounted for in risk management programs. Using these “trust, but verify” structured, evidence-based resources can inform enterprise-wide progress toward closing dangerous gaps in overall online security, so that robust incident planning and response programs are implemented before an incident occurs, as well as to minimize the impact of security events when they do occur. The Tools are mapped to both US and international standards and regulations, including National Institute of Standards and Technology (NIST) Cybersecurity Framework, FFIEC Cybersecurity Assessment Tool (CAT), International Standards Organization (ISO) 27001/27002 guidelines, Payment Card Industry (PCI) DSS v.3.2, as well as anticipated EU General Data Protection Regulation (GDPR) rules and Cloud Security Alliance Controls.

To aggressively improve your third party risk management program by building a better understanding of what it takes to create a more risk sensitive environment in your organization you can access best practices white papers and other relevant resources, at: https://sharedassessments.org/.

Shane Deay is a Senior Project Manager with The Santa Fe Group, Shared Assessments Program. Shane works alongside staff and members to manage the Shared Assessments Program Tools alignment to national and international standards, regulations and guidelines. Connect with Shane on LinkedIn.

Smart Cities Incorporate Solid...

01-03-2017

Local government liability exposure is far-flung, and both large and small municipalities are vulnerable. As the landscape of risk has evolved, risk management no longer involves only facilities and service delivery. In-house and third party management is now essential for risk areas that include cybersecurity, IT, privacy, data security and business resiliency controls. The most recent victim, hit in November, was San Francisco’s Municipal Transportation Agency, which was effectively shut off from its fare revenue for several days, reportedly through the use of ransomware. ((Weekend Muni hack shows that cybersecurity affects us all. The San Francisco Chronicle. November 28, 2016. http://www.sfchronicle.com/opinion/editorials/article/Weekend-Muni-hack-shows-that-cybersecurity-10641036.php))

Since the loss of municipal immunity in the late 1970s, large city and small town managers and mayors have been responsible for an ever expanding range of risks, which now include social media exposure and such elements as body camera and drone use. Such exposure places municipalities at crossroads where difficult choices abound. For instance, new technology can reduce costs but may require the use of third parties to carry out critical functions, which in turn increases exposure to risk through third party systems.

Municipal sector best practice responses to these pressures dictate that risk managers adopt an enterprise-wide approach, where they take control of local risk management practices through strategic planning that addresses ongoing risk evaluation and monitoring where managers anticipate third party risk issues and apply proactive solutions. Shared Assessments members include municipalities that have turned to our member-driven knowledge base and Program Tools, which can be tailored to meet local needs, to help them build stronger, more resilient programs for managing and mitigating risk.

Long-term benefits of strong prevention and management include:

  • Risk management aligned to the community’s unique defined risk profile;
  • More engaged leaders;
  • Improved workplace culture;
  • Safer communities; and
  • Reduced taxpayer burden.

With local government affecting all aspects of community life, risk evaluation and proactive planning are critical to reducing, preventing and mitigating losses; cutting insurance costs; allowing for effective budgeting for risk management program needs; and building a culture of accountability that includes third party and other risk management, so that municipalities can serve their main purposes of providing services and maintaining local infrastructure while remaining economically viable.

Marya Roddis is Vice President of Communications for The Santa Fe Group, Shared Assessments Program. She develops blog content and assists staff and members to document committee projects in white papers and briefings, as well as working on blog editing, press releases and other marketing documentation projects. She has worked as a Resource Development Consultant since 2003 for primarily non-profit organizations in the fields of arts, education, social services and regional economic and business development.

Press Release: 2016 Shared Ass...

12-20-2016

MEDIA CONTACT:
Marya Roddis, Vice President of Communications
O: 505-466-6434
C: 575-235-8228
marya@santa-fe-group.com

2016 Shared Assessments-Protiviti Benchmark Study
Demonstrating the Increased Maturity of Third Party Risk Management Programs
Santa Fe, NM – December 20, 2016 – The member-driven Shared Assessments Program and Protiviti, Inc., a Shared Assessments member organization, are pleased to announce the release of the 2016 Vendor Risk Management Benchmark Study, the third annual study in this series. This year’s study shows, for the first time, positive trends in third party risk management maturity. Data from the 2014 and 2015 studies showed maturity levels remaining largely unchanged, a surprise given the increase in both cybersecurity threats and regulatory scrutiny.

Vendor Risk program maturity levels have jumped in all eight risk management categories, with training levels in particular showing notably improved progress. This year’s study also examined the relationship between tone at the top and more than 140 elements of risk management process maturity.

Key Findings include:

  • A clear correlation between boards with high engagement in and understanding of emerging risks and organizations with higher levels of reported process maturity, with a 1.6-point gap (on a 5.0-point scale) between organizations with high and low board engagement.
  • While many boards (39%) have a high level of engagement in and understanding of cyber risks within their own organization, significantly fewer (26%) understand and are engaged in reducing cyber risks in vendors that directly support their organizations. Even at the board of directors’ level third party risk management awareness levels are still lagging.
  • Despite higher maturity levels in all of the eight vendor risk components, the Benchmark Study shows there is still a long way to go until organizations routinely have fully operational third party risk programs with all compliance measures in place.
  • A narrowing of the maturity gap between financial services and all other verticals, most likely a function of increased regulatory pressure in sectors that include insurance and health care.
  • Financial services firms with between $50 billion and $250 billion in assets under management outperformed all other asset management categories and verticals, regardless of industry. Financial services firms of this size may represent an optimum organization size where there are both: (1) adequate resources to bring robust expertise and tools to programs; and (2) a scale that is still easily managed from a risk control perspective.

The 2016 study includes responses from nearly 400 C-Level, VP/Director Level and Manager Level respondents. The study basis in maturity levels is derived from the Shared Assessments Program’s Vendor Risk Management Maturity Model (VRMMM) – a holistic tool for evaluating maturity of third party risk programs including cybersecurity, IT, privacy, data security and business resiliency controls in the following areas:

  • Program Governance
  • Policies, Standards and Procedures
  • Contracts
  • Vendor Risk Identification and Analysis
  • Skills and Expertise
  • Communication and Information Sharing
  • Tools, Measurement and Analysis
  • Monitoring and Review

You can request the full 2016 Vendor Risk Management Benchmark Study here.

###

Strengthening Third Party Risk...

12-14-2016

Third party mishaps resulting in breaches and other newsworthy events continue to drive home the need for improved risk management program capabilities in all verticals. From planning for engagement, through due diligence and vendor selection, contract negotiations, ongoing and continuous monitoring, and through termination, the Program Tools help organizations effectively manage the critical components of third party relationships.

The Shared Assessments Program released its updated 2017 Program Tools on November 29th. These Tools provide users with the means for evaluating cybersecurity, IT, privacy, data security and business resiliency controls throughout the third party engagement lifecycle, using a proven “trust, but verify” approach to third party risk management assessments and a substantiation-based, standardized, efficient methodology.

The Tools, as well as the expert knowledge base and mentoring provided to Shared Assessments Members, serve organizations, regardless of size and industry. The Shared Assessments Program Tools are:

Each Tool has been updated, mapping in detail against the current landscape of regulatory guidance, best practices and industry guidance. The Tools provide a holistic means for evaluating third party risk programs including in the following areas: Program Governance; Policies, Standards and Procedures; Contracts; Vendor Risk Identification and Analysis; Skills and Expertise; Communication and Information Sharing; Tools, Measurement and Analysis; and Monitoring and Review. For example, the VRMMM Contracts tab items allow assessment of those items that allow an organization to “protect” and “control,” two of the NIST’s functional categories.

Use of the tools gives the user the confidence that all controls and activities (both internal to the outsourcer and external to third and fourth parties) are as strong and effective or better as the outsourcer’s risk appetite demands. Key factors that differentiate the Shared Assessments Program and its Program Tools are the solid focus on third party risk, incorporation of operational risk perspectives that go well beyond IT security, and regular updating by the industry’s most accomplished practitioners, who represent stakeholders across the spectrum of outsourcing, vendor and assessor operations and risk management.

While each Tool may be used independently, the combined value of the Tools provides maximum protection from third party risks, allowing risk management professionals to respond to the relentless pace and shifting nature of cybersecurity threats and vulnerabilities associated with rapidly changing outsourcing, Cloud, mobile and fourth party security issues. You can check out the Program by visiting https://sharedassessments.org and the tools by visiting https://sharedassessments.org/store/.

Marya Roddis is Vice President of Communications for The Santa Fe Group. She develops blog content and assists staff and members to document committee projects in white papers and briefings, as well as working on blog editing, press releases and other marketing documentation projects. She has worked as a Resource Development Consultant since 2003 for primarily non-profit organizations in the fields of arts, education, social services and regional economic and business development.

What is Your Voice Privacy Deb...

12-01-2016

By, Martin Geddes Co-Founder and Executive Director Hypervoice Consortium Co-Written By, Kelly Fitzsimmons Co-Founder and Managing Director Hypervoice Consortium Today, we can talk to a computer ju[...]

By, Martin Geddes
Co-Founder and Executive Director Hypervoice Consortium

Co-Written By, Kelly Fitzsimmons
Co-Founder and Managing Director Hypervoice Consortium

Today, we can talk to a computer just as easily as can type at one. The use of Personal Voice Assistants (PVAs) — such as Siri, Alexa, Cortana — is skyrocketing. According to Google, 20% of mobile searches are voice-activated.

As it gets easier and more of us use PVAs, a new concern arises: When is it not appropriate for me to talk to a PVA?

To answer this, context is king. With PVAs being used in all sorts of new and interesting ways, different concerns quickly arise in different contexts. If you work in a regulated industry, such as healthcare, finance and law, it is critical to stop and think this new context all the way through.

Voice isn’t just a new interface, it’s a whole new way of performing computing. The rise of intelligent personal voice assistants is a fundamental change in how we relate to computers. The advance is comparable to the invention of the PC desktop. A voice interface brings with it a welcome humanization of technology, one that democratizes access to a wide range of valuable capabilities.

It is increasingly common to use smartphone PVAs as dictation engines for taking notes. Enterprise CRM systems also now often come with voice transcription functionality. In the context of most enterprises the use of these capabilities is an innocuous choice.

However, for regulated industries (most notably finance, law and healthcare) this is not the case, especially when sharing confidential information. The inherent nature of PVAs sets up a trap for the unwary or unthinking user.

The voice interface is designed to mimic a helpful human. Yet what sits behind the façade is merely a machine-learning algorithm, one that has little concept of contextual ethics, so potentially shares our corporate secrets inappropriately. When we mention confidential client information while dictating, that data becomes a digital privacy biohazard with a long-term waste disposal problem.

As such, services like Siri bring a new class of ‘digital health’ problems with serious ‘enterprise wellbeing’ consequences, just as the desktop brought email viruses and pop-up malware. So why would anyone do this? There are three reasons: you’ve not considered the risks; you wrongly feel they are always small; or you think the costs don’t matter (and you’ll not get caught!).

Why we get seduced by Siri
We fail to consider the risks of PVAs because our brains are hardwired for the hazards of a primeval world. The pains we anticipate are biased accordingly. You might feel giddy when you stand at the edge of a precipice, because you naturally fear the consequences of a fall. Yet few of us feel similar terror when we drive a car, since moving at 70mph along a freeway wasn’t a feature of our distant ancestors’ jungle or savannah environment.

Our bodies are physical and our minds are forgetful. This means our human voice conversations are by default tied to one place and are ephemeral. When we talk to Siri, we are presented with a human-like interface, and naively make assumptions that the interaction remains local and time-bound.

Yet we are interacting with a machine that exists to persist and replicate information. Siri is the frontend to an AI engine that is designed to learn things over time, and those learnings may be collated across users. An innocuous mention of a corporate takeover or a patient procedure may suddenly become part of the learning database of Apple. If not today, then it could happen tomorrow, without you ever noticing the change of functionality and terms.

We also have little visibility and no control over where that voice-as-data gets stored and used. It may seem that everything Siri is doing happens locally on the machine, but the reality is that your information is being passed into a complex set of back-office cloud systems. We have little or no visibility or control over where that information resides, or who might have access to it later.
With humans there are also some very specific expectations from conversations, ones that the machine simulation breaks. A human has social understanding of what is appropriate to his or her context. If your doctor asked an anonymous passer-by to come into their surgery and act as a scribe during consultations, that person might balk at the prospect as being inappropriate.

With PVAs we have artificial intelligence systems which lack artificial ethics. Siri will never let you know “you really shouldn’t tell me this”! Whilst Siri might refer to itself as “I”, but there’s nobody there. What you hear is merely the machine rearrangement of the sound of a human voice actor.

Because Siri and her friends have no concept of appropriate context, that means the user has to take on that burden. It’s obvious personal email is inappropriate for some work contexts, and with a website there is a distinct URL and visibly different site layout to show you that you have strayed away from an approved enterprise application. With a PVA making that context transgression is far less obvious.

A ‘bring your own’ approach to PVAs is in some ways the ultimate socially-engineered attack on the privacy of customer data. We could have secure IT systems with air-gapped isolation from the outside world. When we invite a smartphone voice engine in with a human feeding it, we bypass all that enterprise protection. It is a Trojan of a third party brought into the heart of the enterprise. The unintentional and socially accepted nature of the attack is what makes it all the more subversive.

The risks are bigger than you think
With IT systems, we face novel risks for which we are not well adapted, and for which our systems of behavioral feedback are weak. It is rather like how we fail to relate our choices over sugary processed food to the serious consequences of heart disease and diabetes. The hyper- abundance of calories or computation bring unfamiliar problems to deal with.

Furthermore, with IT the effects of our personal choices are often not internalized: the impact of the risk falls upon colleagues and customers, possibly many years later. In the context of the corporation, an individual’s failure to ‘wash their digital hands’ can lead to reputational ruin risks to the whole enterprise.

So what might go wrong? The nature of information security risks is that they are often of a ‘black swan’ nature. The hazards may be infrequent, but the consequences and costs very severe.

For example, the boundaries could change at any moment with a single update to the technology or device user policies. We’ve seen this happen recently with WhatsApp and Facebook. What was a strong privacy pledge for WhatsApp users has turned into a security risk for anyone using it for work, as messaging contacts are used to personalize ads. The allowable use of information is neither fixed nor bounded.

When there are no signed terms of service, the conditions under which data is stored and shared can change at the whim of a third party. Companies come and go, get taken over by local and foreign competitors, divest divisions, and constantly redesign products. Even if you read the original terms of service for Siri, they can keep changing whenever Apple chooses. Are you going to re-read them every time? Will you ask Apple what their policy is on personally identifiable information in Siri? (We did, and they don’t have one.)

When you use a service like Siri for dictation of private and confidential customer data, you are arming a whole series of subtle security hazards. There is no firm commitment on record retention, so you cannot prove (potentially in court) what was (or was not) shared. You have no right to audit the supplier, so you are in a very weak position to evaluate your compliance with industry regulations. For instance, the data might be held for too short a time, or too long. This disregard for the rules will appear recklessly negligent should there be any ‘data spill’ downstream.

In summary, you have no power to audit Apple’s or Amazon’s suppliers for compliance with your IT security policies, and there is nothing stopping them from using the data they capture in ways that would harm your reputation. A single incident in any regulated industry, or by any major supplier, could at any time attract attention to this issue. This would arm a latent risk of ruin, which is the cumulative liability built up over time from years of non-compliant use.

The risk isn’t just about you and your enterprise, but is also systemic. There are bad actors in the world who constantly strive to break into these systems for gain. Once the epidemic of privacy breaches reaches critical levels, things can fall apart, like how a cholera epidemic spreads in an overcrowded and unsanitary slum.

We lack a feedback system to account for our behavior
There are many routine daily activities for which PVAs like Siri are wholly appropriate, even in an enterprise context. Sharing private customer data is not one of them. Just because something is easy and convenient doesn’t mean it is the right thing to do.

If you work in a regulated industry, such as finance or healthcare, then you as a professional know you are responsible for the privacy of confidential customer data.
However, personal morals are not enough. We also need systems of feedback to create the right behaviors, and make systemic and architectural choices to support them.

We need to have a way to quantify the cost and benefit of different solutions to our productivity issues. And here’s the catch. When any data is captured by an information system, then it has some asset value to the enterprise. It also comes with it a liability, which includes the need identify private information, pay to secure and manage it, and ultimately delete it to expunge the liability.

At present our systems for accounting for the liability are generally weak. There is no ‘double- entry data-keeping’ to track where the information has been shared and sum up the total liability. Yet just because the liability is hard to measure does not mean it ceases to exist.

So there is an implicit cost on the enterprise of all non-compliant use of PVAs for private data. The liability is being self-insured, and sits as an invisible item on the CIOs or CFOs books. Each and every single non-compliant use of a PVA is an invisible debt on that account.

The conversation that regulated enterprises need to have is to begin to size that debt. What are the frequency of those breaches? What are the resulting hazards that you face? What is the impact of those hazards? What is the total implicit cost of self-insurance for the hidden ‘voice privacy debt’?

At the end of the day, it may be far cheaper and safer to avoid the non-compliant use in the first place, and select a tool that is fit-for-purpose for regulated industry use.

AboutHypervoice Consortium
The Hypervoice Consortium’s mission is to bring awareness to the importance of the emerging communications ecosystem and serve as the official forum for standards, capabilities and applications. Our purpose is to research the future of communication and advocate passionately for humankind’s best interests. Learn more at http://www.hypervoice.org/ or follow the conversation on Twitter with #Hypervoice. Hypervoice(TM) is registered trademark of the Hypervoice Consortium LLC.

Updated for 2017: Tools Specif...

11-29-2016

PRESS RELEASE Contact: Marya Roddis Vice President of Communications marya@santa-fe-group.com  505-466-6434 Updated for 2017: Tools Specifically Designed to Manage Third Party Risk Shared Assess[...]

PRESS RELEASE

Contact:
Marya Roddis
Vice President of Communications
marya@santa-fe-group.com 
505-466-6434

Updated for 2017: Tools Specifically Designed to Manage Third Party Risk

Shared Assessments Program Tools Empower Risk Management Confidence

Santa Fe, NM — November 29, 2016The Shared Assessments Program, the member-driven trusted source in third party risk assurance, announces the release of our updated 2017 Program Tools. The Tools serve organizations, regardless of size and industry, helping them meet the surge in regulatory, consumer and business scrutiny within the constantly evolving landscape of cyber and other security threats and vulnerabilities posed by the use of third party service providers. This concern is very real. A study of global data breach investigations showed that 63% of breaches were linked to a third party component (Trustware, 2013). And the likelihood of a material data breach involving 10,000 lost or stolen records in the next two years is 26% (Ponemon, 2016).

The Program Tools are an important component of the Shared Assessments Third Party Risk Management Framework, which helps organizations manage the full lifecycle of a third party relationship, from planning for third party engagement, to due diligence and vendor selection, contract negotiations, ongoing and continuous monitoring and through termination. The Tools embody a “trust, but verify” approach for conducting third party risk management assessments and use a substantiation-based, standardized, efficient methodology.

The Shared Assessments Program Tools are:

  • Standardized Information Gathering (SIG) questionnaire remote assessment;
  • Agreed Upon Procedures (AUP) for performing onsite assessments; and
  • Vendor Risk Management Maturity Model (VRMMM) for evaluating programs against a comprehensive set of best practices.

Creating Sustainable Efficiencies in Today’s High Risk, Cyber-Based Environment
While each Tool may be used independently, the combined value of the Tools provides maximum protection from third party risks, allowing risk management professionals to respond to the relentless pace and shifting nature of cybersecurity threats and vulnerabilities associated with rapidly changing outsourcing, Cloud, mobile and fourth party security issues.

Martin Freeman, Information Security Manager at Dealogic LTD and a Shared Assessments Steering Committee Member, comments that “because of its alignment with such a wide range of industry and regulatory standards, Dealogic has been able to use the Shared Assessments toolkit not only to provide our customer-base with a comprehensive portrait of our security programs but also to thoroughly assess our global portfolio of third-party service providers.  It has also enabled us to perform a gap analysis against our established information security baseline when assessing potential business initiatives or implementing new products and services.”

The Tools are designed to be tailored to an organization’s unique application of regulations, divisional needs and risk appetites. Shared Assessments keeps a close eye on emergent risks, as well as emerging regulations, guidelines and standards for the wide range of industries that our members represent, such as: the proposed changes to the U.S. Cyber Consequences Unit (CCU) Free Cybersecurity Matrix Tool; New York State’s proposed requirements for banks, insurance companies, and other financial services institutions; and the OCC’s request for comments on its proposed Enhanced Cyber Risk Management Standards and its request for comments on Responsible Innovation in Banking.

Accordingly, the Shared Assessments Program Tools are designed in alignment with a wide body of the most updated domestic and international regulatory guidance and industry standards, including:

U.S. Domestic Industry Standards, Regulations and Guidance:

  • American Institute of Certified Public Accountants (AICPA) – Incident Response Procedures, 2004
  • FFIEC Information Technology Examination Handbook – Appendix J: Strengthening the Resilience of Outsourced Technology Services, February 2015
  • FFIEC Cybersecurity Assessment Tool (CAT), June 2015
  • FFIEC Examination Handbook Management Booklet, November 2015
  • Health Insurance Portability and Accountability Act (HIPAA) Final Rule Modifications, March 2013
  • NIST Cybersecurity Framework (CSF), February 2014
  • NIST Special Publication 800-53 Revision 4 – Security and Privacy Controls for Federal Information Systems and Organizations, April 2013
  • NIST Special Publication 800-61 Revision 2 – Computer Security Incident Handling Guide, August 2012
  • U.S. Computer Emergency Readiness Team (CERT) – Federal Incident Notification Guidelines, October 2014
  • U.S. Cyber Consequences Unit (CCU) Free Cybersecurity Matrix Tool, 2009
  • U.S. Food and Drug Administration (FDA) Title 21 of the Code of Federal Regulations (CFR) Part 11 (Electronic Records) Section 11.1(a), April 2016
  • U.S. Department of Treasury, Office of the Comptroller (OCC) Bulletin 2013-29 – Third-Party Relationships, October 2013

International Industry Standards, Regulations and Guidance:

  • Asia-Pacific Economic Cooperation (APEC), February 2014
  • Association of Banks in Singapore Outsourced Service Provider (OSP) Standardized Guidelines, June 2015
  • Australian Prudential Regulatory Authority (APRA), May 2013
  • Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) v3.0.1, 2014
  • EU General Data Protection Directive (GDPR), April 2016
  • Hong Kong Monetary Authority (HKMA), December 2001
  • International Standards Organization (ISO) 27001/27002, 2013
  • Monitory Authority of Singapore (MAS), March 2013
  • Payment Card Industry (PCI) PCI DSS v.3.2, April 2016
  • UK regulation – SYSC 8.1 Outsourcing, May 2016
  • UK Guidance – CPNI SICS Managing Third Party Risk, May 2015
  • UK Cyber Essentials Scheme, January 2015

Updated 2017 Program Tools
These updated tools respond to the many cybersecurity and other third party risk management issues that are at the forefront of everyone’s concerns.

The Standardized Information Gathering (SIG) questionnaire and SIG Lite:

    • Uses industry best practices to gather and assess cybersecurity, IT, privacy, data security and business resiliency in an information technology environment to provide a complete picture of service provider controls, with scoring capability for response analysis and reporting.
    • Enhancements to the 2017 SIG include:
      • Addition of a Cybersecurity Guidance overview to provide users with instruction on which questionnaire tabs they complete to have a view of their cybersecurity preparedness, in keeping with FFIEC’s Cybersecurity Assessment Tool (CAT) and the NIST’s Cybersecurity Framework (CSF).
      • Reduction in tool size and enhanced scoring capabilities based on user feedback and findings from Shared Assessment’s briefing paper, Building Best Practices for Effective Monitoring of a Third Party’s Incident Event Management Program.
      • Changes related to industry and regulations guidance that reflect: HIPAA final rules modifications; NIST’s Cybersecurity Framework (CSF) and companion roadmap; FFIEC IT Handbook reference updates; and PCI DSS version 3.2 standards revisions.

    The Shared Assessments Agreed Upon Procedures (AUP):

      • Uses a substantiation-based, standardized, efficient methodology for onsite assessments by companies to evaluate their own controls, as well as those their service providers have in place for cybersecurity, IT, privacy, data security and business resiliency, in alignment with the content of the SIG.
      • The 2017 AUP:
        • Allows for execution of a Collaborative Onsite Assessments (COA), a unique and pilot-tested capability, with benefits that include consistency, rigor and efficiency.
        • All sections of the AUP have been amended with language that is in alignment with AICPA AT § 201.03: Agreed-Upon Procedures Engagements standards.
        • Industry updates, including: HIPAA final ruling modifications; PCI DSS version 3.2 updates; FFIEC Cybersecurity Assessment Tool (CAT); and the NIST Cybersecurity Framework.

    The Vendor Risk Management Maturity Model (VRMMM):

      • Provides third party risk managers with a tool they can use to evaluate their program against a comprehensive set of best practices to identify specific areas for improvement and help manage provider-related risks efficiently and effectively.
      • Enhancements to the 2017 VRMMM include:
        • Modifications to Maturity Level definitions and improved guidance that simplify and clarify Maturity ranking.
        • Addition of an Accountability Tab to assist organizations in assigning responsibility for completion of the VRMMM, allowing users to identify the resources responsible by risk area category.

      About the Shared Assessments Program
      The Shared Assessments Program is the trusted source in third party risk management, with more than a decade of developing program resources. Shared Assessments helps organizations effectively manage the critical components of the vendor risk management lifecycle that are: creating efficiencies and lowering costs for all participants; kept current with regulations, industry standards and guidelines and the current threat environment; and adopted globally across a broad range of industries both by service providers and their customers. Shared Assessments membership and use of the Shared Assessments member-driven Program Tools offers companies and their service providers a standardized, more efficient and less costly means of conducting rigorous assessments of controls for IT and data security, privacy and business resiliency. The Shared Assessments Program is managed by The Santa Fe Group (http://www.santa-fe-group.com), a strategic advisory company providing unparalleled expertise to leading financial institutions, healthcare payers and providers, law firms, educational institutions, retailers, utilities and other critical infrastructure organizations. The core of The Santa Fe Group’s belief system is that, despite how complicated the world of commerce might be, business can—and should—be a good citizen. Corporations should be built on a foundation to provide greater good to society. For more information on Shared Assessments, please visit: https://sharedassessments.org.

      ###

Demonstrating the Increased Ma...

Adam Greene

The Shared Assessments Program and Protiviti, Inc., a Shared Assessments member organization, have completed the 2016 Vendor Risk Management Benchmark Study, the third annual study in this series. Thi[...]

The Shared Assessments Program and Protiviti, Inc., a Shared Assessments member organization, have completed the 2016 Vendor Risk Management Benchmark Study, the third annual study in this series. This year’s study shows, for the first time, that companies appear to have reached a positive turning point with regard to managing third party risks. Data from the 2014 and 2015 studies showed program Maturity Levels remaining largely unchanged, a surprise given the increase in both also cybersecurity threats and regulatory scrutiny. This year, maturity levels have jumped in all eight vendor risk management categories, with training levels in particular showing notably improved progress. This year’s study also examined the relationship between tone at the top and more than 140 components of risk management process maturity.

The 2016 study includes responses from nearly 400 C-Level, VP/Director Level and Manager Level respondents. The study basis in maturity levels is derived from the Shared Assessments Program’s Vendor Risk Management Maturity Model (VRMMM) – – a holistic tool for evaluating maturity of third party risk programs including cybersecurity, IT, privacy, data security and business resiliency controls in the following areas: Program Governance; Policies, Standards and Procedures; Contracts; Vendor Risk Identification and Analysis; Skills and Expertise; Communication and Information Sharing; Tools, Measurement and Analysis; and Monitoring and Review.

“This year’s survey shows improvement in incident reporting and focus on policy and standards related to communications. That said, on balance, the Communications and Information Sharing category lags others at a time when internal two-way internal communications (top-down and bottom-up) and external information sharing are more important than ever,” noted Linnea Solem, Chief Privacy Officer, Vice President Risk and Compliance, Deluxe Corporation – a Shared Assessments Member organization.

The study will soon be available. Here are a few of the Key Findings:

  • Third party risk management is gaining more attention and program maturity levels are rising, showing significant improvements in vendor risk management capabilities that demonstrates a shrinking gap between financial services, which has shown higher levels in prior years, and organizations in other verticals.
  • This year’s study shows, for the first time, positive trends in third party risk management maturity. Data from the 2014 and 2015 studies showed maturity levels remaining largely unchanged, a surprise given the increase in both also cybersecurity threats and regulatory scrutiny.
  • Boards are showing a higher level of engagement with cybersecurity risks in their own organizations (39%), but fall far lower in risk management engagement for third parties (26%).
    The study showed a clear correlation between boards with high engagement in and understanding of emerging risks and organizations with higher levels of reported process maturity, with a 1.6-point gap (on a 5.0-point scale) between organizations with high and low board engagement.
  • Vendor risk program maturity levels have jumped in all eight risk management categories, with training levels in particular showing notably improved progress. Maturity levels have jumped on a number of components that relate to vendor assessments and performance metrics.
  • Despite higher maturity levels in all of the eight vendor risk components, the Benchmark Study shows there is still a long way to go for organizations to routinely have fully operational third party risk programs with all compliance measures in place.

The narrowing of the maturity gap between financial services and all other verticals is most likely a function of increased regulatory pressure in sectors that include insurance and health care. Interestingly, financial services firms with between $50 and $250 B in assets under management outperformed all other asset management categories and verticals, regardless of industry. Financial services firms of this size may represent an optimum organization size where there are both: (1) adequate resources to bring robust expertise and tools to programs; and (2) a scale that is still easily managed from a risk control perspective.

Regulators have increasingly stressed the role of the board in establishing, funding and evaluating vendor risk program effectiveness, with good reason. Board engagement is a key differentiator for program maturity. Cathy Allen, CEO of The Santa Fe Group, the managing company for the Shared Assessments Program, stated that “Risk managers at all levels, including the C-Suite and Board of Directors, understand that the maturity of our risk management programs has a profound effect on our organizations. This study documents in detail what many have believed to be true – that for organizations in which boards have high engagement in and knowledge of critical issues, vendor risk management and maturity levels are noticeably higher.”

For more than four decades, Gary Roboff, Senior Advisor, The Santa Fe Group,, contributed his outstanding talents to the in financial services planning and management, including 25 years at JP Morgan Chase where he retired as Senior Vice President of Electronic Commerce. Gary has worked extensively in electronic payments, payments fraud, third part risk management, privacy and information utilization, as well as business frameworks and standards for electronic commerce applications.

Shared Assessments Updated 201...

11-01-2016

Tools That Empower Vendor Management ConfidenceShared Assessments responds directly to the dynamic landscape of third party risk management with the annual update of its Program Tools. The Tools serve[...]

Tools That Empower Vendor Management Confidence
Shared Assessments responds directly to the dynamic landscape of third party risk management with the annual update of its Program Tools. The Tools serve organizations, regardless of size and industry, helping them navigate the constantly evolving landscape of cyber and other security threats at both the national and international level and also to meet the recent surge in regulatory, consumer and business scrutiny. We are pleased to announce that the 2017 Program Tools will be released mid-November.

The Program Tools are an important component of the Shared Assessments third party risk management framework, which helps organizations manage the full lifecycle of a third party relationship – from planning for a third party engagement, due diligence and vendor selection, contract negotiations, ongoing and continuous monitoring to termination. These Tools embody a “trust, but verify” approach for conducting third party risk management assessments and use a substantiation-based, standardized, efficient methodology.

Shared Assessments Program Tools are:

  • Standardized Information Gathering (SIG) questionnaire remote assessment;
  • Agreed Upon Procedures (AUP) for performing onsite assessments; and
  • Vendor Risk Management Maturity Model (VRMMM) for evaluating programs against a comprehensive set of best practices.

While each Program Tool may be used independently, the combined value of the Tools provides maximum protection from third party risks, allowing risk management professionals to respond to the relentless pace and shifting nature of cyber security threats and vulnerabilities associated with rapidly changing outsourcing, Cloud, mobile and fourth party security issues.

The Tools are designed to be tailored to an organization’s unique application of regulations, divisional needs and risk appetites. Shared Assessments keeps a close eye on emergent risks, as well as emerging regulations, guidelines and standards for the wide range of industries that our members represent, such as: the proposed changes to the U.S. Cyber Consequences Unit (CCU) Free Cybersecurity Matrix Tool; New York State’s proposed requirements for banks, insurance companies, and other financial services institutions; and the OCC’s request for comments on its proposed Enhanced Cyber Risk Management Standards and its request for comments on Responsible Innovation in Banking.

All of the updated Program Tools will be available to all Shared Assessments Members and are included in the annual membership fee. Membership provides opportunities to deepen vendor risk management expertise through members-only meetings, events, teleconferences and regular cross-industry working groups that discuss best practices, new standards and guidelines and the regulatory climate. Non-members are able to purchase the Shared Assessments Tools, either as a bundle or separately, by visiting https://sharedassessments.org/store/.

Halloween Happenings – W...

10-31-2016


Hacking and data breaches have continued to dominate media headlines, putting a stronger emphasis on Cyber Security. However, there are other emerging terms that are creating goosebumps, scary dreams, and keeping compliance professionals up at night. This past week, over 400 attendees gathered at the 14th annual Executive Women’s Forum conference, with a theme focused on Transforming Cyber Security, Risk, and Privacy Beyond the Enterprise.

Here’s my version of a Halloween Happenings Top 10 list of words and concepts that have earned a fear factor ranking in today’s risk landscape and that we will be talking about heading into 2017…

10. DATA REMANENCE

In the olden days, the focus on data remanence was on wiping or degaussing data from machines so the technical asset could be redeployed securely. Today, residual data can live on a device, in a cookie trail of searches on the web, or in data retrieved and cached by search engines. The right to be forgotten is taking this concept to a higher level, requiring a different viewpoint for managing data risk.

9. CLOUD CENTRIC CYBER SECURITY

All clouds are not alike – be they the ones in the sky that are fluffy white or those that are scary and ominous and can create devastation with howling winds. Each type of cloud and type of business process may require a different configuration. Most organizations are somewhere between cloud chaos and leveraging cloud technology for competitive advantage. Taking the fear factor out of the cloud requires risk-based decision making founded on data analytics.

8. ADVANCED AUTHENTICATION

Credentials and access control have been pillars of privacy and security controls. When regulators triggered multi-factor authentication for high-risk transactions, organizations deployed many strategies to achieve layered security controls. The growth in mobile devices and applications is changing the game on what constitutes acceptable authentication. When credentials and identities are compromised, new authentication parameters are needed in the digital ecosystem.

7. VOICE PRIVACY

From a coffeemaker that is Wi-Fi enabled to order new water filters, to devices like TVs and phones you can talk to and that answer back, voice privacy is becoming a new area of focus. Many devices require a “wake word” that triggers the device to start paying attention. Simple requests are processed directly on the device, while more complex needs are routed via wireless to the cloud to translate the text into action. The security of the data, data retention, and access all become nuanced in looking at the device to cloud pathways.

Instead of the old fear of “Big Brother” watching you, voice privacy is more about who is listening and recording.

6. CSA – CELLPHONE SEPARATION ANXIETY

While internet outages create havoc for customer service, retail, and business process flow, we have become a nation addicted to our phones. Cell phones, smartphones and tablets are so prevalent that the question is who does not use or have access to such a device. Cellphone separation anxiety will be the next buzzword for a malady that is affecting people of all demographics.

5. PSEUDONYMIZATION

Gone are the days when a focus on simple data sanitization was a key element in a data safeguards program… Today we have terms like anonymization and pseudonymization. The simple Wikipedia definition describes “Pseudonymization is a procedure by which the most identifying fields within a data record are replaced by one or more artificial identifiers or pseudonyms.”

The goal is to render the data record less identifying so that data can be used for analytics and processing. However, that pseudonym may still enable the tracking of the source data back to its origin, as compared to making the data totally anonymous so that any metadata to allow backtracking is purged. Compliance with the European Union General Data Protection Regulation (GDPR) will put the definitions of personal data, anonymous data, and pseudonymous data under the mad scientist’s microscope.
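To make the distinction concrete, here is an added example in Python (not part of the original post). It pseudonymizes constructed customer records with a keyed hash, shows that whoever holds the key or the re-identification table can link the rows back to a person, and contrasts that with an anonymized version that drops direct identifiers and coarsens the remaining quasi-identifiers with no mapping retained. The record contents, field names and the key are all made up for the illustration.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

# Constructed sample records (fictional people): the kind of customer data an
# analytics team wants to process without seeing direct identifiers.
SAMPLE_RECORDS: List[Dict] = [
    {"name": "Alice Example", "email": "alice@example.com", "zip": "87501", "age": 34, "spend": 120.0},
    {"name": "Bob Example",   "email": "bob@example.com",   "zip": "87505", "age": 51, "spend": 75.5},
    {"name": "Alice Example", "email": "alice@example.com", "zip": "87501", "age": 34, "spend": 42.0},
]

# Fields that identify a person on their own; these get replaced by pseudonyms.
DIRECT_IDENTIFIERS = ("name", "email")


def make_pseudonym(key: bytes, value: str) -> str:
    """Keyed pseudonym (HMAC-SHA256, truncated to 16 hex chars).

    Deterministic for a given key, so the same person gets the same token in
    every record (which is what makes the data still useful for analytics, and
    also what keeps it linkable). Without the key, the token cannot be
    recomputed from a guessed name or e-mail, unlike a plain unkeyed hash.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymize(records: List[Dict], key: bytes) -> Tuple[List[Dict], Dict[str, str]]:
    """Replace direct identifiers with pseudonyms.

    Returns the transformed records and the re-identification table
    (pseudonym -> original value). The table and the key are the secrets the
    data controller must protect: anyone holding either can reverse the process,
    which is exactly why pseudonymous data is still personal data under GDPR.
    """
    out: List[Dict] = []
    reident: Dict[str, str] = {}
    for rec in records:
        new = dict(rec)
        for field in DIRECT_IDENTIFIERS:
            token = make_pseudonym(key, rec[field])
            reident[token] = rec[field]
            new[field] = token
        out.append(new)
    return out, reident


def reidentify(pseudo_records: List[Dict], reident: Dict[str, str]) -> List[Dict]:
    """Reverse pseudonymization using the protected lookup table."""
    out: List[Dict] = []
    for rec in pseudo_records:
        new = dict(rec)
        for field in DIRECT_IDENTIFIERS:
            new[field] = reident[rec[field]]
        out.append(new)
    return out


def anonymize(records: List[Dict]) -> List[Dict]:
    """Drop direct identifiers outright and coarsen the quasi-identifiers.

    ZIP is cut to its first three digits and age to a ten-year band, and no
    mapping of any kind is kept, so nothing in the output links a row back to a
    person. The price is that two rows for the same customer can no longer be
    joined, which is the analytics capability pseudonymization preserves.
    """
    out: List[Dict] = []
    for rec in records:
        out.append({
            "zip3": rec["zip"][:3],
            "age_band": f"{(rec['age'] // 10) * 10}s",
            "spend": rec["spend"],
        })
    return out


if __name__ == "__main__":
    # Assumed key for the demonstration only; in practice generate it with
    # secrets.token_bytes(32) and keep it out of the analytics environment.
    demo_key = b"demo-key-do-not-use-in-production"
    pseudo, table = pseudonymize(SAMPLE_RECORDS, demo_key)
    for row in pseudo:
        print("pseudonymized:", row)
    print("recovered name:", reidentify(pseudo, table)[1]["name"])
    for row in anonymize(SAMPLE_RECORDS):
        print("anonymized:", row)
```

The thing to notice when running it is that the two Alice rows carry the same token in the pseudonymized output, so they can still be joined, and that `reidentify` brings the names back as long as the table survives; the anonymized output has neither property, which is the trade-off the GDPR definitions turn on.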

4. RANSOMWARE

2016 may become known as the year of Ransomware. A report issued by TrendMicro showed that the number of new ransomware families detected in the first half of 2016 exceeded all of 2015 by 172%, and put estimated monetary losses from ransomware at $209 million.

3. WHALING ATTACKS

Social engineering schemes are evolving, even past the routine scenarios covered in traditional training and awareness programs. A whaling scheme is written as a legal subpoena, a customer complaint, or an escalated inquiry that masquerades as a critical business need. While phishing attacks are commonplace for end consumers, whaling attacks target the C-Suite.

In fact, the FBI has reported that such scams have cost companies more than $2.3 billion in losses since 2013. This is not just a US issue but has been seen in over 79 countries. Reports show a 270% increase in identified victims and exposed losses due to CEO scams since the start of last year.

2. SMART DIGITIZATION

In the recent botnet attack, an estimated 100,000 IoT devices were used to flood the servers of a DNS provider in a distributed denial-of-service attack. The resulting loss of access to major websites revealed the risks of managing cybersecurity in an era of pervasive internet connectivity. Smart digitization is the concept of applying risk-based analytics to where and how we connect devices. It makes me wonder how to configure devices – from the interconnected refrigerator in my home, to a car, to yet another device… we are all connected.

1. DIGITAL VORTEX

Looking to the future, things talk to people; things will talk to things; and machines will talk to people. Adding it all up can feel like a perfect storm, but as technology gets smarter, our controls need to get smarter. Halloween week may be the week we celebrate our fears, but I say we need to embrace the top scary words and find new definitions and solutions to rest easy.

So as your teams start to prep for next year, remember this Halloween post and keep your eyes peeled for these emerging threats! Sleep tight and don’t let the bedbugs bite.

Linnea Solem, Chief Privacy Officer, Vice President Risk and Compliance for Deluxe Corporation, is a former Chair of the Shared Assessments Program. Linnea is a management professional with 20+ years of financial services experience in areas including eCommerce, technology, business development, marketing, information practices and risk management. She is a Certified Information Privacy Professional and led Deluxe’s compliance initiatives for Y2K, GLB, Check 21, and Red Flags Legislation. You can connect with Linnea on LinkedIn.

Reposted with permission from Deluxe Blogs

Tone At The Top: Culture Count...


“Tone at the Top” has become an often-quoted mantra in business circles, but it appears to have shed a rather dim light when evidenced by the continuing saga at Wells Fargo. In a nutshell – in case you haven’t followed the recent news reports – the San Francisco-based bank recently fired over five thousand employees (roughly one percent of its workforce) for signing up customers for credit cards and checking accounts without their permission. In all, authorities estimate that as far back as 2011, two million bogus accounts were opened – complete with forged signatures, phony email addresses, and fake PINs. Pressure from bank supervisors pushed employees to create these bogus accounts in order to meet daily (and sometimes hourly) account quotas. This led to an estimated $1.5 million in fees charged to customers for these bogus accounts.

Gary Roboff and Bob Jones, senior advisors with The Santa Fe Group, an executive risk management consulting firm based in Santa Fe, New Mexico, who each have decades of financial and banking experience in payments fraud and operational risk, recently analyzed and blogged about the situation at Wells Fargo and provided some very thought-provoking analysis.

They noted four key points that we haven’t seen in previous analysis into Wells Fargo:

  • The sales culture at Wells Fargo was more than two decades in the making, and as early as 1995 it was already achieving cross-sell ratios twice the industry average;
  • The specific targets used in Wells’ incentives were wrong;
  • Under the right circumstances and done correctly, branch sales incentives can be useful tools in banking; and
  • Communication channels from the Board of Directors on down (and back up again) were lacking.

Wells Fargo’s predecessor, Minneapolis-based Norwest Bank, was renowned in the banking industry for its “unusual success” in cross-selling retail banking products. The organization was already measuring cross-sell performance daily at the branch and salesperson level and was already achieving industry-leading cross-sell performance. Roboff and Jones believe that cross-sell, in and of itself, is not an unethical practice; a good cross-sell typically results from understanding customer needs and suggesting other products the company offers to meet those needs. However, they note that “when the incentives to cross-sell go astray and inconsistent messages about corporate priorities come from a board and C-Suite, sales cultures may go off the tracks”.

Additional analysis shows that cross-sell ratios at Wells Fargo climbed to astronomical levels over the years, and the bank’s profitability climbed with them. “By 2006 cross-sell ratios at Wells were well over four accounts per household, reached five accounts per household in 2007, and six per household in 2012. Cross-sell ratios have exceeded six in every year since 2012,” they noted. For 2012, the American Bankers Association (ABA) reported that the industry average was 2.3 accounts per household.

In a different internal culture, the steps Wells took might have been enough to quickly halt unethical business practices. “Their internal sales culture had evolved to such an extreme that perhaps the only way to straighten it was by blowing it up, which – in effect – has happened as a result of the extreme legal, regulatory and legislative push-back we’ve seen in the last few weeks” noted Roboff and Jones.

What happens at the board and C-suite and within the retail bank will be apparent in the months ahead. Per Roboff and Jones, “consistent, focused, and regularly reinforced behavioral expectation messages from the board and C-suite are essential to developing appropriate risk cultures.” Additionally, they noted that retail employees sadly received two contrasting messages from executives; one set appropriate behavioral and policy expectations, while the other “directly encouraged a sales culture of ‘the sky’s the limit’”.

Roboff and Jones have identified a key concern, though: that the regulatory community and the financial services industry might draw the wrong conclusions from the recent events at Wells Fargo. “Stigmatizing the practice of cross-selling and completely eliminating branch-based sales goals does not strike at the real source of the problem,” they write, adding that “(there) was an imbalance between management’s often expressed desire to reach ever improving levels of cross-sell performance and a textbook set of risk culture and ethical values that were clearly on the books at Wells Fargo but were under-communicated and under-enforced within the retail bank.”

Shared Assessments Senior Director Tom Garrubba is an experienced professional in IT risk and information controls, most recently in developing, maintaining, and consulting on third party risk (TPR) programs for Fortune 100 companies. He is a nationally recognized subject matter expert and top-rated speaker on third party risk. Connect with Tom on LinkedIn.

Originally posted on Huffington Post.

Comments Invited on Federal Ba...

10-19-2016


The three federal banking regulatory agencies, the Federal Reserve Board, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency, announced an advance notice of proposed rulemaking (ANPR) regarding enhanced cyber risk management standards for large and interconnected entities under their supervision, as well as those entities’ service providers. The standards would be tiered, with an additional set of higher standards for systems that provide key functionality to the financial sector. For such sector-critical systems, the agencies are considering requiring firms to substantially mitigate the risk of a disruption or failure due to a cyber event.

As technology dependence in the financial sector continues to grow, so do opportunities for high-impact technology failures and cyber-attacks. Due to the interconnectedness of the U.S. financial system, a cyber incident or failure at one interconnected entity may not only impact the safety and soundness of the entity, but also other financial entities with potentially systemic consequences.

Comments are invited on:

  • The set of potential enhanced cybersecurity risk-management and resilience standards; and
  • Potential methodologies that could be used to quantify cyber risk and to compare cyber risk at entities across the financial sector.

The enhanced standards being considered are being established to increase the operational resilience of the supervised and interconnected entities and reduce the impact on the financial system in case of a cyber event. Five categories of cyber standards are being addressed:

  • Cyber risk governance;
  • Cyber risk management;
  • Internal dependency management;
  • External dependency management; and
  • Incident response, cyber resilience and situational awareness.

These tiered standards are a response to the interconnectedness of the U.S. financial system due to the increasing technology dependence and use of third parties in the financial sector, which increases the opportunities for high-impact technology failures and cyber-attacks that can impact the safety and soundness of the entities involved, as well as other financial entities with potentially systemic consequences.

The standards would impose more stringent requirements on those systems of the affected entities that are critical to the functioning of the financial sector. As the ANPR puts it, “The enhanced standards would be integrated into the existing supervisory framework by establishing enhanced supervisory expectations for the entities and services that potentially pose heightened cyber risk to the safety and soundness of the financial sector.”

Comments must be submitted to the Federal Reserve by Tuesday, January 17, 2017. Submission instructions are provided beginning on page two of the ANPR.

Click here to view the announcement OCC 2016-131.

You Can’t Build a Robust Ris...

10-16-2016


The intricate third party risk management (TPRM) lifecycle requires coordinated and well-integrated knowledge from the Board and C-Suite through management and general staff, and extends throughout the relationship with third and fourth parties. The complex elements of a robust TPRM program involve effective design, control and monitoring of policies and processes, third party and system inventories, contracts, risk tiering and assessment techniques, ongoing oversight, tools and technology, and awareness of the threat, regulatory and industry landscapes. Yet, across organizations’ third party risk management programs, skills and expertise remain consistently the least mature component (Shared Assessments and Protiviti, 2015). A stunning 55% of risk professionals recently reported having no regular access to IT security experts, either internal or third party. Of those who reported having IT professionals, 67% said those professionals hold no security certifications (Spiceworks, 2016).

The 2015 (ISC)2 Global Information Security Workforce Study projects a 1.5 million shortfall in the global information security workforce by 2019 (Frost & Sullivan, 2015). This shortfall stems from an existing gap that is deepening year over year.

While there are several professional training programs and certifications, such as ISACA’s Certified in Risk and Information Systems Control (CRISC), that focus on components of third party risk, only the Shared Assessments Certified Third Party Risk Professional (CTPRP) and Associate CTPRP holistically address the key elements of a solid TPRM program. In 2016, more than 80% of Shared Assessments members reported that they do not mandate any of the following certifications for their third party risk management team members: Certified Information Security Manager (CISM), Certified in Risk and Information Systems Control (CRISC), Certified Information Privacy Professional (CIPP), Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Certified Third Party Risk Professional (CTPRP) (Shared Assessments Member Survey, 2016). Of those members who do mandate certifications, CTPRP, at 12%, was the leading certification that organizations required, followed by CISA and CISSP at 10% each.

In short, in response to the growing regulatory and industry need to adapt quickly to the changing threat landscape, organizations need to carefully review their staffing and management expertise to ensure that their staff and management are supported in their risk management efforts with:

  1. Crisp, functional, nimble technology and tools.
  2. Clearly defined, qualified certified skill holders with disciplined expertise.
  3. Ongoing education that provides employees, procurement and third parties with clear, consistent information and messaging to increase awareness of risk management goals and policies.

Marya Roddis is Vice President of Communications for The Santa Fe Group. She develops blog content and assists staff and members to document committee projects in white papers and briefings, as well as working on blog editing, press releases and other marketing documentation projects. She has worked as a Resource Development Consultant since 2003 for primarily non-profit organizations in the fields of arts, education, social services and regional economic and business development.

G-7 Financial Sector Fundament...

10-14-2016


This week the U.S. Department of the Treasury and the Board of Governors of the Federal Reserve System announced the publication of the G-7 Fundamental Elements of Cybersecurity for the Financial Sector. The document, released by central bank governors and finance ministers of the G-7 nations, delineates eight fundamental elements around cybersecurity for the financial sector.

This release reflects risks to organizational stability that are associated with cyber threats. “Cyber threats present a set of pressing operational, reputational and financial stability risks facing the international financial system. Sovereign borders do not contain these threats, and accordingly, nations must work together to address them,” said Treasury Deputy Secretary Sarah Bloom Raskin, co-chair of the G-7 Cyber Expert Group.

The eight elements provide guidance on establishing cybersecurity strategies and operating frameworks tailored to an entity’s specific cyber risks, and on assigning roles and responsibilities for personnel implementing, managing, and overseeing those strategies and frameworks. The elements also call on entities to identify activities that present cyber risks and implement controls to protect against and manage those risks. In addition to covering how entities should respond to, recover from and share information on cyber incidents, the elements reinforce the need for a dynamic process of continuous learning, through which entities systematically re-evaluate their cybersecurity strategies and frameworks based on lessons learned as their operational and threat environments evolve.

While the elements explain the application to financial services, it is the view of the Department of the Treasury that the elements transcend sectors and can serve as a guide to all types of industries and organizations affected by cyberattacks.
 
For more information, you can read the full G-7 Fundamental Elements of Cybersecurity for the Financial Sector.

Jenny Burke is a Senior Vice President for Marketing and Communications with The Santa Fe Group, with key responsibilities that include advancing strategy to increase awareness of the Shared Assessments program, grow memberships, improve tool adoption and communicate all the combined efforts of our staff and members. Prior to joining The Santa Fe Group, she worked both as an independent marketing consultant and in private industry in branding, digital strategy, website redesign, content management and social media for a variety of software, consumer and website clients.

Education Increasingly Importa...

10-07-2016


Who does your organization trust to assess key service providers with access to your confidential and proprietary data? Specialized skills and expertise are required to manage risk in a rapidly evolving outsourced economy. Certifications are an important way to demonstrate competency in a complicated field to employers, colleagues, and customers.

According to the 2015 Shared Assessments and Protiviti Benchmarking study, which examined the maturity levels of organizations’ third party risk management programs, skills and expertise is the least mature component across the board. Relatively few organizations offer training on third party risk management policies and procedures, or measure employee understanding of third party risk management accountabilities.

This gap between the importance of education and a critical need at many organizations for third party risk professionals led to the creation of the Shared Assessments Certified Third Party Risk Professional (CTPRP) program. The CTPRP certification provides formal training in third party risk management policies and practices, and prepares individuals in managing the vendor lifecycle, vendor risk identification and rating, and fundamental knowledge of vendor risk assessment, monitoring and management. The CTPRP certification offers the right knowledge to build, shape and modify a third party risk program and ensure alignment with management’s expectations, government regulations and industry standards.

In a recent survey of the Shared Assessments membership, the majority of respondents reported holding one or more industry certifications, with the Certified Information Systems Security Professional (CISSP) and CTPRP certifications ranking the highest.

[Chart 1: What certifications do members of your third party risk management team hold? (multiple answers allowed)]

The Shared Assessments member survey also identified a growing mandate within organizations to require certification for their third party risk professionals. The need for specialized skills and training is evident as a comprehensive third party management program will include various components such as vendor risk identification and rating, contracts, tools, measurement and analysis, and monitoring and review. There are several professional certifications that focus on components of third party risk, but the Shared Assessments CTPRP is the only certification that covers these topics holistically, and is increasingly a mandatory training for employees at our member organizations who perform third party risk tasks and analysis.

[Chart 2: Are any of these certifications mandatory for your third party risk management team members? (multiple answers allowed)]

In addition to more organizations requiring specialized training for their third party risk practitioners, it is wise for professionals to seek certification as a way to highlight and verify experience in a professional development portfolio. Increased organizational focus and management attention on third party risk, coupled with a market demand for a specialized skill set indicates that third party risk certification will continue to be adopted by organizations and individuals.

To learn more about how to gain a CTPRP certification for yourself or to hold a training at your organization, please visit: https://sharedassessments.org/certified-third-party-risk-professional-ctprp/ or contact Katherine Kneeland at katherine@santa-fe-group.com.

Shared Assessments Senior Director Tom Garrubba is an experienced professional in IT risk and information controls, most recently in developing, maintaining, and consulting on third party risk (TPR) programs for Fortune 100 companies. He is a nationally recognized subject matter expert and top-rated speaker on third party risk. Connect with Tom on LinkedIn.

Press Release – White Pa...

10-04-2016


MEDIA CONTACT:
Marya Roddis, Vice President of Communications
O: 505-466-6434
C: 575-235-8228
marya@santa-fe-group.com

Involving Procurement to facilitate a centralized process
can be leveraged to achieve more than just cost savings

Santa Fe, NM – October 4, 2016 – The Shared Assessments Program is pleased to announce the release of its newest white paper: Building Best Practices in Third Party Risk Management: Involving Procurement. The paper outlines an integrated approach to risk management that consolidates third party onboarding processes by including all stakeholders before a third party is brought onboard.

With the right tools and framework, the Procurement function can work closely, efficiently and effectively with all areas of an organization to help provide partners and regulators with a level of assurance that third parties are appropriately vetted and monitored throughout the life of the relationship. Procurement can also help facilitate a centralized process that is designed to mitigate many of the risks associated with these relationships and should therefore be seen as a critical function that organizations can leverage for more than just achieving cost savings.

Not only does Procurement bring a body of knowledge to the table that can be leveraged; adding Procurement to the process from the outset allows stakeholders enterprise-wide to collectively establish a standardized internal program for handling third parties that meets the organization’s unique risk appetite needs. This paper provides guidance on building such a program. Recommendations include:

  • Partnering business units with Procurement to achieve economies of scale and risk mitigation.
  • Adopting methodologies that align with industry best practices, as well as regulatory requirements, which allows for the most effective risk ranking of a given third party’s controls.
  • Ensuring the process is practical, sustainable and defensible, by applying four guiding principles to the development of a holistic set of internal standards for vetting and onboarding third parties: consistency, objectivity, balance and management oversight.

Such an integrated approach consolidates third party onboarding processes, naturally resulting in better risk management controls, as risk ranking and negotiations take place in a consistent manner that aims to achieve common goals. This allows every department to remain advised of goals and objectives, so that they can each contribute the necessary elements to ensure that request for proposals (RFPs) and contract negotiations include elements of good risk management hygiene throughout the process.

About the Shared Assessments Program
This work is sponsored by the Shared Assessments Program, the trusted source in third party risk management, with more than a decade of developing program resources. Shared Assessments resources help organizations effectively manage the critical components of the vendor risk management lifecycle. They create efficiencies and lower costs for all participants; are kept current with regulations, industry standards and guidelines and the current threat environment; and are adopted globally across a broad range of industries, both by service providers and their customers. Shared Assessments membership and use of the Shared Assessments Program Tools – the Agreed Upon Procedures (AUP), Standardized Information Gathering (SIG) questionnaire and Vendor Risk Management Maturity Model (VRMMM) – offers companies and their service providers a standardized, more efficient and less costly means of conducting rigorous assessments of controls for IT and data security, privacy and business resiliency. For more information on Shared Assessments, please visit https://sharedassessments.org.

The Shared Assessments Program is managed by The Santa Fe Group (www.santa-fe-group.com), a strategic advisory company providing unparalleled expertise to leading financial institutions, healthcare payers and providers, law firms, educational institutions, retailers, utilities and other critical infrastructure organizations. The core of The Santa Fe Group’s belief system is that, despite how complicated the world of commerce might be, business can—and should—be a good citizen. Corporations should be built on a foundation to provide greater good to society. We help organizations determine core values, make meaningful connections, facilitate collaboration and affect change.

Building A Robust Third Party ...

Adam Greene 09-16-2016

Strong third party risk management is a growing requirement in the face of globalization and the increasing dependence on third parties that support core products and functions. Third party risk management (TPRM) spans the whole relationship lifecycle. That lifecycle requires an integrated approach: robust governance, efficient processes, and business models that respond to the economic pressures created by the need for outside expertise and speed-to-market innovation.

Figure 1: The Third Party Relationship Lifecycle
The complexity of the third party space is evident, in part, from the stories of third party breaches that dominate the news. Among 450 global breach investigations, 63% were linked to a third party component, where a third party responsible for system support, development and/or maintenance introduced the security deficiencies exploited by attackers (Trustwave Global Security Report, 2013). The complexity and pace of the risk landscape are clearly outpacing industry responses.

Key elements for a solid third party risk management program involve effective design, communication, control and monitoring of policies and processes, third party and system inventories, contracts, risk tiering and assessment techniques, ongoing oversight, tools and technology and awareness of the threat, regulatory and industry landscapes.

Policies should be guided by C-Suite and Board level input and written for the individual enterprise landscape. Policies must address the complexity of the business relationships and identify key controls. Setting third party foundational requirements that are aligned with relevant organizational goals, as well as relevant regulatory guidance and industry best practices will help define your organization’s risk appetite. Consistent processes and messaging are imperative for good functioning of your governance model and for longitudinal evaluation of the effectiveness of your program. Good planning at this level will also lead to higher compliance levels, due to an increased understanding of the requirements and goals that all stakeholders need to meet.

Procurement, purchasing and sourcing are all critical players in both development and ongoing program success. Involvement of these departments/teams from the start of planning and vendor sourcing will allow your organization to:

  • Become increasingly nimble and therefore support innovation and speed to market; and
  • Be more consistent by applying predetermined risk criteria to all third party relationships throughout the third party relationship lifecycle.

For inventories, reach out to all your business units and corporate functions that have knowledge of or access to third parties dealing with your organization. This may include, but should not be limited to, key business units, procurement, vendor management and finance. Often finance will have the most complete list, as they may capture third parties who fly under the purchasing/procurement radar.

Completeness is the key to a good inventory and the inventory must be maintained to ensure that regular, accurate updates and reporting are available to stakeholders within the organization. While shrinking your supplier inventory can be efficient and result in cost savings, it can also expose an organization to potential concentration risk.

Pre-selection due diligence activities should include a process to rank potential third party suppliers based on consistent risk criteria. Those criteria are generally based on the risk posed to the outsourcing organization relative to the type of services and exposure of data unique to a given third party’s role with your organization. High ranked (Tier 1) third parties would receive a higher level of initial and ongoing control assessments than lower ranked (Tier 2 through Tier 4) third parties.

Identifying key technologies and classifying the data involved is at the heart of a strong tiering system. For instance, Personally Identifiable Information (PII), Protected Health Information (PHI), Card Holder Data (CHD) and Confidential, Intellectual Property and Sensitive (CIPS) data that are touched by your third parties would trigger high risk tiering and therefore a deeper level of assessment. The scope and frequency of assessments must be thoroughly addressed and should be driven by the third party's risk tier, within your organization’s standard corporate requirements.

Risk tiering should weigh both risks that are unique to the third party itself and risks inherent in the product or service it provides.

Unique Third Party Risks

  • Financial – difficulties and/or failures.
  • Strategic – not aligned with business objectives.
  • Reputation – impact to brand and your reputation.
  • Country – located in a sanctioned country.
  • Credit – inability to make obligated payments.
  • Quality – inability to deliver product/service in line with specs.

Product/Service Inherent Risks

  • Cyber – confidentiality, integrity and availability of information/technology assets.
  • Compliance/legal/intellectual property – actions inconsistent with, or not aligned to, applicable standards and frameworks.
  • Contractual – failure to meet contractual obligations.
  • Operational – failures resulting in impacts to operations.
  • Resiliency – inability to continue providing the product/service.
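The tiering rules described above (data classification as the primary trigger, unique third party risks such as country risk, inherent product/service risks, and a tier that drives the type and frequency of assessment) can be written down as a small, repeatable rubric so that every vendor is ranked the same way. The following Python is an added example, not code from this article or from the Shared Assessments Program. Its scoring weights, tier thresholds, "floor" rules, the mapping from tier to SIG/AUP instrument and cadence, the reassessment trigger events and the sample vendors are all assumptions chosen for illustration; a real program documents its own in policy.

```python
"""Risk tiering and assessment scoping for a third party inventory.

Added example, not code from the article or the Shared Assessments Program;
weights, thresholds, floors, tier-to-instrument mapping, cadences and the
sample vendors are assumptions.
"""
from dataclasses import dataclass
from datetime import date

# Data classifications the article names as triggers for a higher tier.
HIGH_RISK_DATA = frozenset({"PII", "PHI", "CHD", "CIPS"})
# Contractual notification events treated as out-of-cycle reassessment triggers.
REASSESSMENT_TRIGGERS = frozenset(
    {"security_incident", "fourth_party_change", "material_service_change"})
# Tier -> (instruments, cadence in months, onsite review); assumed mapping.
ASSESSMENT_PLAN = {
    1: (("SIG", "AUP"), 12, True),
    2: (("SIG", "AUP"), 24, False),
    3: (("SIG",), 24, False),
    4: (("SIG",), None, False),  # onboarding questionnaire only
}

@dataclass(frozen=True)
class ThirdParty:
    name: str
    data_classes: frozenset   # classifications the third party touches
    records: int              # approximate number of records exposed
    critical_service: bool    # supports a core product or function
    sanctioned_country: bool  # country risk
    fourth_parties: int       # subcontractors that also handle the data
    network_access: bool      # connectivity into our environment

def inherent_risk_score(tp: ThirdParty) -> int:
    """Additive inherent-risk score in the range 0-12 (weights assumed)."""
    score = 2 * min(len(tp.data_classes & HIGH_RISK_DATA), 2)  # up to 4
    if tp.records >= 100_000:
        score += 3
    elif tp.records >= 1_000:
        score += 1
    score += 2 if tp.critical_service else 0
    score += 2 if tp.network_access else 0
    score += 1 if tp.fourth_parties else 0
    return score

def assign_tier(tp: ThirdParty) -> int:
    """Tier 1 is highest risk: score thresholds first, then policy floors."""
    score = inherent_risk_score(tp)
    tier = 1 if score >= 9 else 2 if score >= 6 else 3 if score >= 3 else 4
    # Floors override the score however small the engagement (assumed policy).
    if tp.sanctioned_country:
        tier = 1
    if tp.data_classes & {"PHI", "CHD"}:
        tier = min(tier, 2)
    return tier

def assessment_plan(tp: ThirdParty) -> dict:
    """Tier plus the instruments, cadence and onsite decision it implies."""
    tier = assign_tier(tp)
    instruments, cadence, onsite = ASSESSMENT_PLAN[tier]
    return {"name": tp.name, "tier": tier, "instruments": instruments,
            "cadence_months": cadence, "onsite": onsite}

def _add_months(d: date, n: int) -> date:
    years, month0 = divmod(d.month - 1 + n, 12)
    return date(d.year + years, month0 + 1, min(d.day, 28))  # 28: always valid

def reassessment_due(plan: dict, last_assessed: date, today: date,
                     events: frozenset = frozenset()) -> bool:
    """Due when a trigger event fired or the tier's cadence has lapsed."""
    if events & REASSESSMENT_TRIGGERS:
        return True
    if plan["cadence_months"] is None:
        return False
    return today >= _add_months(last_assessed, plan["cadence_months"])

# Constructed sample inventory (not real vendors).
INVENTORY = [
    ThirdParty("Claims processor", frozenset({"PHI", "PII"}), 2_000_000, True, False, 3, True),
    ThirdParty("Payment gateway", frozenset({"CHD"}), 50_000, True, False, 0, False),
    ThirdParty("Office caterer", frozenset(), 0, False, False, 0, False),
    ThirdParty("Offshore dev shop", frozenset({"CIPS"}), 500, False, True, 1, True),
]

def tier_inventory(inventory=INVENTORY) -> dict:
    return {p["name"]: p["tier"] for p in map(assessment_plan, inventory)}

def reassessment_demo() -> tuple:
    """Scheduling outcomes on the sample inventory with constructed dates."""
    plans = {p["name"]: p for p in map(assessment_plan, INVENTORY)}
    last, today = date(2016, 1, 15), date(2017, 1, 15)
    return (
        reassessment_due(plans["Claims processor"], last, today),  # 12 months lapsed
        reassessment_due(plans["Payment gateway"], last, today),   # 24 months, not yet
        reassessment_due(plans["Payment gateway"], last, today,
                         frozenset({"fourth_party_change"})),      # contractual trigger
        reassessment_due(plans["Office caterer"], last, today),    # onboarding only
    )
```

Calling `tier_inventory()` on the sample data places the claims processor (PHI, millions of records, network access, fourth parties) in Tier 1, while the payment gateway scores only a 5 and would land in Tier 3 on score alone; the CHD floor lifts it to Tier 2, which is the point of separating non-negotiable floors from the additive score. The sanctioned-country vendor is forced to Tier 1 regardless of the small engagement. `reassessment_demo()` shows the two ways an assessment becomes due: the tier's cadence lapsing, or one of the contractually notified events (a fourth party change here) arriving out of cycle.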

Contract terms and conditions typically include standard clauses covering, but not limited to: price, escrow and payment schedules; confidentiality and intellectual property; service level agreements (SLAs); information security; incident response and notification; audit rights; disaster recovery; notification and approval for fourth party change and/or use; cyber insurance; termination/exit strategy; maintenance and assessment types and schedules; complaint handling; cross-border transfers and privacy. Ensure that remediation of any identified gaps is tracked, resolved within agreed upon time periods and well documented. Schedule onsite reviews as appropriate to the global setting and regulatory climate.

A clear determination should be made during negotiations, in writing, as to the period over which assessments are to be made and what types of events are considered assessment triggers. The type of assessment should also be agreed upon, such as the Shared Assessments Standardized Information Gathering (SIG) Questionnaire and the Shared Assessments Agreed Upon Procedures (AUP).

Figure 2: Suggested Application of Assessments for Third Parties Based on Risk Rating Rank

As part of due diligence, risk rating and contract development must take into account the eligibility of that third party and assessment of the controls relative to the product or service that will be provided.

Ongoing oversight is part of a holistic program; historically, point in time assessments have been the most common form. There is a fast growing trend toward continuous monitoring, which is advancing along with the technology required for ongoing, transparent scoring of key indicators for third parties. Using a third party risk software solution to evaluate and score third party risk, both for initial due diligence and for ongoing monitoring, and incorporating those results into your Enterprise Risk Management (ERM) solutions is a way to leverage technology to achieve a more robust and effective TPRM program.

TOP 10 TPRM CONSIDERATIONS:

  1. Sponsorship and governance that has full Board and C-Level support.
  2. Scope that is clearly defined in breadth and depth.
  3. Complete, regularly updated inventory of third parties, contracts, systems, data, control assessments, etc.
  4. Policy that includes specified risk criteria and alignment of control policies with all parties – business units, information security, physical security, business resiliency/disaster recovery, human resources, privacy, compliance, third party and operational risk management.
  5. Process for pre-selection, contract, ongoing oversight, termination and embedded risk metrics.
  6. Technology and tools that are crisp, functional, and designed for quick adaptation to a changing threat landscape.
  7. Reporting that provides tracking, risk monitoring, scorecards, etc.
  8. Skills and expertise that are clearly defined, qualified, certified and disciplined.
  9. Education that provides employees, procurement and third parties with clear, consistent information and messaging.
  10. A high level of awareness of regulatory requirements and industry best practice standards, including Shared Assessments, AICPA, Cloud Security Alliance and Payment Card Industry (PCI).

In summary, leverage technology solutions, support end-to-end processes and documentation, identify critical records and integrate your solutions with business unit goals. Work to ensure that your staff and assessors are trained at appropriate levels and have defined roles and responsibilities. Work to develop, capture and report key metrics. And train third parties in policy awareness and regulatory requirements that are specific to your relationship.

By involving business and sourcing units enterprise-wide in your program design and implementation, you can achieve a more adaptive and easy-to-use program that will serve both your employees and your providers. Stakeholders span the organization, from the Board of Directors and C-Level executives, to business units, purchasing, human resources, control groups and technology.

Charlie Miller is a Senior Vice President with The Santa Fe Group, Shared Assessments Program, with key responsibilities that include managing and expanding the Collaborative Onsite Assessments Program and facilitating regulatory, partner and association relationships. Charlie was previously the Director of Vendor and Business Partner Risk Management at AIG, where he managed regulatory and governance activities for the organization’s enterprise vendor risk management program.

A New Pathway for Risk Manager...

Adam Greene 09-15-2016

Special expertise and training is required to manage risk in this outsourced economy. Studies consistently demonstrate a disconnect between regulatory and industry standards for third party risk management (TPRM) and a lack of holistic, proactive program design and implementation. This gap is placing organizations at acute risk.

Therefore, Shared Assessments developed the Certified Third Party Risk Professional (CTPRP) program in 2014 to meet the need for this expertise both in house and at the third party level. The Shared Assessments CTPRP Program is growing at a rapid pace, having awarded more than 500 CTPRP certifications since the program launch, and increased opportunities for training and recertification will continue each year.

In order to earn the CTPRP certification, individuals must hold a minimum of five (5) years of risk management professional experience. CTPRP trainers are witnessing an increase in the number of individuals with varying professional backgrounds now involved with TPRM who are hesitant to participate in critical CTPRP training due to a lack of relevant professional experience. The Associate CTPRP designation now offers a solution for those individuals who are building their skill sets, but may not have qualifying experience at the time of the CTPRP workshop. The Associate CTPRP designation also provides a good opportunity for university graduates without much real-world experience to obtain industry training while they search for a job in a related field and earn the professional experience.

The Associate CTPRP designation provides an opportunity for individuals newer to third party risk management to leverage the course and exam for training purposes, earn the Associate CTPRP designation and apply for the CTPRP certification once the requisite experience is earned. The Associate CTPRP designation does not contain an expiration date which allows holders to apply for the CTPRP certification at any time once the professional experience requirement is met.

Data is getting harder to protect, and third and fourth party service providers are being seen by hackers as a way to gain access to outsourcing organization data. The Associate CTPRP designation provides a workplace advantage, showing professional credibility and TPRM expertise and demonstrating that risk professionals holding it are trained in TPRM concepts and principles and their practical application. Associate CTPRP holders can go on to gain real-world experience while managing vendor risk better, introducing more rigorous standards into their third party risk management program assessments, and gaining professional credibility, recognition and marketability.

For more information, please contact ctprp@santa-fe-group.com

At the Heart of the Cyber Secu...

09-07-2016

Three recent studies demonstrate that organizational and IT department leadership are not addressing several important challenges to improving IT-related risk postures:

  • Indications that organizations do not plan to increase the level of on-hand security expertise;
  • A well-documented and looming shortage of cybersecurity and IT professionals; and
  • Just 18% of employers reported willingness to invest in IT training to help protect against cyber attacks this year. ((The annual report on IT budgets and tech trends. Spiceworks. 2016; Occupational Outlook Handbook, 2016-17 Edition: Information Security Analysts. Bureau of Labor Statistics, U.S. Department of Labor. 2016; U.S. Federal Cybersecurity Market Forecast 2017-2022, Tabular Analysis. Market Research Media, Ltd. June 2016.))

ISACA and RSA Conference conducted a study that looked at mid-to-large sized organizations across North America, Europe, the Middle East and Africa (EMEA), Asia, Latin America and Oceania in a wide range of industry verticals. They report:

  • 74% of respondents expect to experience a cyber attack in 2016;
  • 30% of organizations that experienced phishing attacks (60% of the total respondent base) report such attacks happen on a daily basis;
  • For organizations with high staff turnover, IT-related security issues are particularly troublesome;
  • Nearly 65% of all entry-level cybersecurity applicants lacked the requisite skills for that position; and
  • On-the-job training was the most widely applied means of addressing this issue (65% of organizations). ((State of Cybersecurity: Implications for 2016. ISACA and RSA Conference Survey. 2016.))

IT market research of IT professionals at small-to-mid sized companies in international venues (EMEA 41% and US 59%) examined security practices and included inquiry into whether organizations have a cybersecurity expert, either in-house or on call from a third party. The results demonstrate that organization leaders are not effectively prioritizing information security:

  • 80% of respondents reported at least one security incident last year;
  • Just 29% of respondents reported having a cybersecurity expert in their IT department;
  • A mere 7% have a cybersecurity expert on their executive team;
  • A stunning 55% reported having no regular access to any IT security experts, either internal or third party; and
  • Of those that reported having IT professionals, 67% of those professionals say they have no security certifications. ((Cybersecurity skills gap? Most organizations lack IT security experts. Spiceworks. June 29, 2016.))

And finally, a 2016 Cisco report uniquely notes that executive managers’ confidence levels fell (from 64% in 2014 to 59% in 2015) when describing how up-to-date their security infrastructure was. And, while 97% of companies stated they deliver security training at least once a year, 43% of respondents waited until after a public breach to step up their security training. ((Mitigating the Cybersecurity Skills Shortage. Cisco Security Advisory Services. 2015.))

The disconnect that these studies indicate, wherein third party risk management (TPRM) programs are not executed in a holistic, proactive manner, creates a lack of cohesion and puts organizations at acute risk. “As the rate of incidents continues to escalate, the magnitude of related brand, reputation, and fiscal impact is driving organizations to address cybersecurity risk.” ((State of Cybersecurity: Implications for 2016. ISACA and RSA Conference Survey. 2016)) These trends indicate that strong leadership will be required to address these issues. Without such commitment from leaders across the Board of Directors, through the C-Suite and into executive management, businesses will face serious repercussions at all levels, including reputation and revenue.

Marya Roddis is Vice President of Communications for The Santa Fe Group. She develops blog content and assists staff and members to document committee projects in white papers and briefings, as well as working on blog editing, press releases and other marketing documentation projects. She has worked as a Resource Development Consultant since 2003 for primarily non-profit organizations in the fields of arts, education, social services, and regional economic and business development.

EU’s GDPR – Privacy as...

08-31-2016

While the expanded regulations and new accountabilities of European Union (EU) Regulation 2016/679, better known as the General Data Protection Regulation (GDPR), are daunting in scope, they also provide significant opportunities. ((Official Journal of the European Union. L 119. 4 May 2016. http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:L:2016:119:TOC)) For instance, while demonstrating privacy by design will be an ongoing organizational obligation, complying with the new regulations and then using that compliance as a marketing strength, increasing consumer trust through a privacy certification, represents a budding advantage in the marketplace. ((In the US, privacy is a consumer rights and trust issue that is legislated at the sector level by both states and the federal government. Since the Second World War, in the EU, privacy has been considered a human rights issue in which privacy is an inalienable right of all EU citizens. To learn more about the fundamental differences on the concept of privacy between the EU and the US, see Shared Assessments blog: EU’s GDPR and the EU-US Privacy Shield: Where Are We and Why Are We There?)) Privacy certifications are offered by private companies, currently for the EU-US Privacy Shield program that went into effect August 1, 2016 as the successor to the EU-US Safe Harbor program.

Consumers are realizing and better understanding the extent of the privacy they have relinquished in their online lives and the value of their individual data. As consumers have become more concerned about their online footprint, the likelihood is growing that they may begin differentiating products and services on the basis of privacy. There has been increased activism, and EU courts have been ruling more often on the side of individual privacy, as in the ‘right to be forgotten’ cases. ((Factsheet on the “Right to be Forgotten” ruling (C-131/12). European Commission. ec.europa.eu/justice/data-protection/files/factsheets/factsheet_data_protection_en.pdf. 2016.))

GDPR applies to any entity that processes the personal data of EU data subjects, even if that entity did not collect the data itself; fundamentally, this is an extraterritorial regulation, meaning that it applies equally across international boundaries. Organizations that want to enter or remain in a market where they touch the data of EU data subjects, including data processors, will be obliged to follow these rules.

The new regulations provide organizations with the opportunity to:

  • Manage from the viewpoint that privacy is not only law in the EU, but can be applied as best practice standard.
  • Work within a consistent set of principles.
  • Use the requirement for proof of privacy by design for consumer engagement.
  • Be proactive toward meeting and managing processes related to information management.

The GDPR sets up consistent mechanisms within the following hierarchy:

  • The European Data Protection Board (EDPB) has legal status backed by the Court of Justice of the European Union (CJEU) and the national courts.
  • The EDPB coordinates the nationally appointed data protection authorities, each of which supervises the ‘data controller’ – the organization that determines why and how the personal data of EU data subjects is processed.
  • The data controller has duties to protect the rights of the individual data subjects, as well as to ensure that its third party data processors are also GDPR-compliant.
  • The data controller’s responsibilities also extend to other interested third parties, including Member state authorities, private sector stakeholders, and privacy, data protection and consumer’s organizations.

Organizations can begin moving toward GDPR compliance through a process of open minded self-assessment, planning and design, and implementation, applied not only to their own organization but also, through outreach, to every party with which they do business, before the May 25, 2018 effective date of the regulation.

  • Self-assessment should include data mapping (know where your data is and what is being done with it), legal advice, examination of IT technical processes, training for front line staff, understanding of data subject access issues such as automated decision making and data portability, vendor security, and budgeting for addressing risks and any identified gaps both internally and with third parties.
  • Planning needs to include evaluating and designing for managing vendor risk, training, data classification by use type and risk rating of vendors, proper data access and auditing processes, as well as consensus building around planning and implementation both internally and externally among partners and other stakeholders.
  • Implementation must include:
    1. Pre-implementation Privacy Impact Assessments (PIAs; the regulation itself terms these Data Protection Impact Assessments), as well as PIAs on an ongoing basis for high risk activities;
    2. Appropriate vendor vetting due diligence;
    3. New processes and capabilities surrounding the ‘right to be forgotten,’ ‘data portability rights’ and breach response notifications;
    4. Formal GDPR assessments to ensure gaps both internally and with third parties are closed and remain closed; and
    5. Record keeping that is GDPR-compliant.

GDPR can be viewed from two perspectives: as a stringent compliance exercise or as good business practice. From a third party risk management perspective, it will be utterly essential that organizations carefully contract for and monitor the GDPR readiness of their partners and vendors, to demonstrate that the requirements have been met throughout the supply chain. Those organizations that proactively manage for GDPR compliance through improved data protection and accountability may enjoy greater consumer acceptance and be more resilient going forward. It is likely that we will see additional support from industry based codes of conduct, seals and certifications of compliance that indicate organizations are meeting the increased requirements for their vertical’s product and service delivery. Binding corporate rules, rules that apply globally to all parts of an organization, will continue to be one of the mechanisms specified under GDPR by which organizations demonstrate good practices. Privacy Shield certification for firms that may touch subject data would also be among the practices that help organizations assure consumers and regulators about how they handle cross-border transfers of that data. ((This article is based, with permission, on the Shared Assessments Member Forum presentation: The EU – GDPR Paths to Compliance made July 5, 2016 by Ralph T. O’Brien, CIPP/E, CIPM, CiISMP, MBCS, Senior Consultant for the EMEA region at TRUSTe.))

Marya Roddis is Vice President of Communications for The Santa Fe Group. She develops blog content and assists staff and members to document committee projects in white papers and briefings, as well as working on blog editing, press releases and other marketing documentation projects. She has worked as a Resource Development Consultant since 2003 for primarily non-profit organizations in the fields of arts, education, social services, and regional economic and business development.

The World is Looking to the US...

08-30-2016

As more organizations here in North America and overseas increasingly utilize third party vendors with a global presence to perform critical functions, process key transactions and provide exposure to sensitive proprietary information, those organizations with mature third party risk (TPR) programs are receiving a loud call to provide assistance to those new to the TPR field.

This issue is also not a US-centric challenge; organizations globally are struggling with standardization as well. In my recent travels speaking to various industry groups regarding the importance of performing due diligence on third party vendors within the US, the United Kingdom and Canada, I began to witness first-hand how this topic is increasingly on the minds of all those at the C-suite and board levels, regardless of industry. I have conversed with dozens of senior executive professionals who have made one thing abundantly clear: if you are in a regulated industry, the regulators are very serious when they say they are coming to check on your organization’s cyber and business resilience strategies, including your strategies that involve vendors.

Speaking in June at a Centre for Financial Professionals (CEFPRO) conference in London, Robin Jones, of the UK’s Financial Conduct Authority (FCA), Prudential Regulation Authority (PRA) discussed the fact that innovation in technology is receiving the strongest emphasis in the prudential specialists’ unit and that the unit is focused on those issues that surround events that involve an organization’s third parties. ((The Prudential Regulation Authority (PRA) is responsible for the prudential supervision and regulation of banks, building societies, credit unions, insurers and investment firms.)) He further added that his unit is paying renewed focus on technology resiliency and outsourcing (termed “TRO”) and that the FCA’s Cyber Risk Team is monitoring these elements for soundness and risk.

Jones further indicated the risk spotlight for his group includes:

  • Technology and association risks.
  • Cyber risks.
  • Monitoring the growth of Fintech product innovation and new ways to deliver services, which is defined by the FCA as a “new bank unit” that brings both benefits and risks along with innovation, including risks associated with use of the Cloud.
  • Ensuring financial organizations are aware of UK guidance, such as the FCA’s SYSC 4.1: Business Continuity and SYSC 8: General Outsourcing, which includes transition to new suppliers and concentration risk.

Jones additionally noted that the FCA will continue to review financial organizations to “ensure appropriate risks are identified and managed” at both the organization and third party processors levels.

So serious and important is this matter that one head of procurement from a large British bank pointedly said to me after my presentation, “We are looking to you (i.e., the US) for guidance on this topic.” A moment of clarity set in indicating the United States is leading the way in third party risk tools, techniques and strategies, and has been for quite some time. The call from our cousins across the pond – as well as other internationals – must be heard and we, for the good of all industry, must be willing to assist in sharing ideas and collaborating on strategies to address this important type of risk.

I received a similar reception speaking at various engagements in Canada, which included the International Association of Privacy Professionals (IAPP) Privacy Conference in Toronto and the Payments Canada conference in Calgary. Organizations from a variety of industries at both conferences additionally evidenced that they were either unaware of third party risk completely or, for those who understood it, were challenged as to how their roles can assist in mitigating this risk. Various participants at the CEFPRO conference shared that they produced their own internally customized solutions of approaching third party risk, but no evidence of standardization could be detected. And, while guidance is sought from regulators by industry members, it was interesting to note that an onsite poll taken at the CEFPRO conference indicated that attendees prefer government to publish principles instead of rules, by an enormous margin of 70% to 30%.

For the good of both industry and consumers worldwide, it is our duty to assist organizations new to third party risk by adopting and promoting standardized strategies, tactics and tools that are of benefit to all of us, to ensure that third party exposed processes and data are truly handled with care.

Shared Assessments Senior Director Tom Garrubba is an experienced professional in IT risk and information controls, most recently in developing, maintaining and consulting on third party risk (TPR) programs for Fortune 100 companies. He is a nationally recognized subject matter expert and top-rated speaker on third party risk.

Originally posted on the Huffington Post blog.

Casting the Net for Third Part...

07-26-2016

The summer of 2016 has been one of media challenges, and breaking records for heat waves across many states. Slow moving boats, relaxing fishing in normal idyllic mid-summer breaks have been swept aside by a flurry of activity within the sea of third party risk. This past week in Boston, the Shared Assessments Program Steering Committee met to review and plan out the remaining 2016 activities for release of tools, white papers, and working group activities. Boston ship yards were in full view from our planning meeting room as the team focused on the continued advancement of maturity for third party risk management across multiple industries.

The spotlight on third party risk management has expanded considerably since the release of the OCC framework, with a heightened focus on corporate governance and regulatory compliance. Resource challenges have been seen in implementing oversight for third parties by casting the net too wide and treating all third parties in the pool of vendors alike. Just as in fishing, size matters: effective resource allocation concentrates oversight where the risk is greatest.

At the Shared Assessments Program meeting, Ernst & Young shared insights from their recently released Third Party Risk Management Survey from June 2016 that highlighted key trends from the prior report:

  • 71% of financial services respondents conduct Regulatory Compliance reviews, pre-contract – up from 47% in 2014
  • 43% of the financial services companies surveyed report the status of critical third parties to their Board of Directors, up from 26%
  • 39% reported that third parties face some type of risk assessment, up from 19% in 2014
  • 85% stated that less than 25% of their vendor population posed consumer protection risk

The resulting shift in pre-contract compliance reviews has triggered the need for enhanced compliance documentation, typically not just regarding traditional IT controls, but a greater review of feature functionality in terms of triggering specific regulatory compliance obligations. Similarly, assessing the governance model of a third party service provider’s overall “approach” to managing regulatory compliance risk is just as critical a methodology as reading the statutes themselves. The increase in the depth and breadth of the types of controls being assessed requires an approach to risk management that can scale.

LEVERAGING INDUSTRY COLLABORATION

The Shared Assessments Program was based on the foundation that efficiencies can be found with robust tools that not only provide a comprehensive set of standardized questions for vendors, but an objective set of test procedures to test key controls in an on-site assessment. The scope of questions is based on mapping activities back to the source regulatory drivers, providing a tool set that can be adapted based on the type of services being provided to a regulated entity.

Acceptance of industry tools has grown, as 28% of EY respondents adopted Shared Assessments tools, up from 24% in 2014. In fact, as the scope of external audit engagements has shifted with the SOC 1, SOC 2, and SOC 3 standards, the expanded control set and testing is a benefit for both the financial institution receiving a report and the service provider distributing a report. 71% of the survey participants stated that a SOC 2 is useful in reducing or removing third party reviews, up from 52% in 2014.

The Shared Assessments Program also manages an on-site assessment test procedure, called the Shared Assessments Agreed Upon Procedures (AUP) that creates independent testing of the key controls from ISO standard domains.

One of the hotter topics in the Wicked Tuna rocky landscape for third party risk is fourth party management. 90% of organizations surveyed said they identify or maintain an inventory of fourth parties and place reliance on controls of the third party to oversee their own vendors/service providers, which increased from 36% to 75%. The downstream usage of technology outsourcing and business process outsourcing requires a different data mapping technique to prioritize risk assessment efforts to the Big Fish.

ADAPTING OUR OWN CLIENT DUE DILIGENCE PROGRAM

As our Deluxe product suite has expanded beyond traditional check printing services and into Marketing And Other Services (MOS), our approach to responding to client due diligence requests has matured. Deluxe has created a comprehensive compliance packet based on the compliance artifact recommendations provided by Shared Assessments, FFIEC expectations, and regulatory guidance. In fact, our client acceptance rate of our comprehensive compliance “packet” is at 89% vs. completing ad-hoc requests.

To assist our clients with ongoing monitoring and streamlining the process, my team has enabled automation so that requests can be fulfilled using a secure online portal for compliance documentation. Customer feedback has been positive due to the elimination of zipped files, emails, and managing the size of attachments. External audit reports have been enhanced this year to deliver both a SOC 2 report and a Shared Assessments AUP report. Both show independent testing of specific controls – the combined scope helps clients place reliance on these audits, and the demand for custom audit engagements has been reduced – freeing up resources to focus on other risk management functions.

Linnea Solem, Chief Privacy Officer, Vice President Risk and Compliance for Deluxe Corporation, is a former Chair of the Shared Assessments Program. Linnea is a management professional with 20+ years of financial services experience in areas including eCommerce, technology, business development, marketing, information practices and risk management. She is a Certified Information Privacy Professional and led Deluxe’s compliance initiatives for Y2K, GLB, Check 21, and Red Flags Legislation. You can connect with Linnea on LinkedIn.

Reposted with permission from Deluxe Blogs

What the UK Brexit Vote Could ...

07-21-2016


It has been a month since the UK voted to leave the EU and there is still plenty of uncertainty along the road ahead. However, when it comes to privacy law, there are some certainties. Ralph O’Brien, Principal Consultant EU at TRUSTe reviews the options.

In the short term the UK Data Protection Act 1998 is still the law of the land, a law that implements the older EU privacy directive EC/46/95 into UK national law. The UK ICO will continue to advise and enforce privacy upon global organisations, and individuals still have the privacy rights afforded by the 1998 Act. Whilst the UK Data Protection Act 1998 and Directive EC/46/95 contain themes and principles that are common to the new privacy paradigm of the General Data Protection Regulation, the GDPR introduces new rights and obligations that are not reflected in current UK law.

In the medium term, the GDPR has been approved by Europe and will be enforceable by May 2018. Even if the UK invokes Article 50 and starts the two year leave count down today, that date will take the UK past that deadline and the GDPR becomes directly enforceable into national law.

In the longer term the UK will need to work out an exit strategy of some kind, including what parts of the EU legacy will continue to apply post leaving the EU, and on what terms it will continue to trade with Europe.

Option 1 – European Free Trade Association Membership and bilateral agreements

The UK could retain membership of the European Free Trade Association (EFTA), but drop its membership of the European Economic Area and EU member state status. The UK would then negotiate a set of agreements bilaterally for specific market segments with the EU to retain access to the EU Single Market (such as Switzerland today). The UK would not be bound by EU legislation as a result, but may be obliged to have certain laws by these agreements. The UK pays no EU fees, but pays fees to the EFTA. In terms of privacy law the UK would continue to be bound by the Data Protection Act 1998, but may be required by the bilateral agreements to pass a revised Data Protection law to bring it into line with EU law (such as the GDPR requirements), or indeed agree to be directly bound by the GDPR itself in order to allow data transfers between the EU and the UK.

Option 2 – European Economic Area Membership (including EFTA)
The UK could leave the EU, but retain membership of the EFTA and European Economic Area (EEA). This is how Norway, Iceland and Liechtenstein currently deal with the EU. As a member of the EEA, the UK would have to pay membership fees and be compliant with EU laws, but have no voting rights within the EU. In terms of Privacy law, the GDPR would continue to have direct effect and applicability as if it were an EU member state; however, the UK would have no voting rights on future amendments.

Option 3 – Entering into a Customs Union
The UK could follow the Turkish model and form a customs union which allows it to co-operate with the EU in certain trade categories. It would not be required to follow EU trade policy. It would not pay membership fees, or have any right to help shape EU laws. This would be a single agreement, but means for privacy laws the same as the bilateral agreement above.

Option 4 – Free Trade agreement
By taking this option, the UK drops out of the EU single market. It would not pay any membership fees, or have any right to help shape EU laws. It instead negotiates a single free trade agreement with the EU. This is a single agreement, but means for privacy laws the same as the bilateral agreement above.

Option 5 – World Trade Agreement
The UK is already part of the World Trade Agreement, and could rely on this as a basis of trade, with no further ties to the EU. That means it would not be required to adopt EU laws, would not contribute to the EU budget, and would not have any voting rights.
In terms of Privacy law, the GDPR would have no effect, and the UK would continue with its own legislation such as the Data Protection Act 1998. As the Act would be “inadequate” against the GDPR, the UK would have to seek additional assurances should it continue to process data on EU citizens (or market services to them); as such it would have to adopt an agreement similar to the EU-U.S. Privacy Shield or have its laws amended to be regarded as “essentially equivalent” to the GDPR.

Conclusion
In options 1 to 5 above, the UK either remains bound by the GDPR or has to pass laws or agreements that ensure similar levels of protection to it. If the UK itself does not have laws or arrangements that ensure its “adequacy” to EU privacy law, then in order to continue to trade it would still need to prove adequacy on a business by business basis. Businesses would then have to individually adopt an international transfer mechanism once the UK pulls away from the EU that ensures adequacy with EU laws, such as Model Contract Clauses, Binding Corporate Rules, Explicit Consent, or enact a type of international certification standard such as the EU-U.S. Privacy Shield.

Whichever way the UK turns now, and whatever the future holds for the country, it will continue to trade in a global economy, which will have to include processing data and marketing services to EU countries and citizens. Whichever option the UK chooses from this point on, it remains clear that global businesses will have to either comply with, or prove themselves adequate or equivalent to, the new requirements of the GDPR. If the UK chooses not to do this, the barrier to trade will be untenable to global business and further investment in the country.

The advice to businesses is to proceed on that basis, and continue their GDPR preparedness, as part of their global privacy framework.

Ralph T O’Brien, CIPP/E, CIPM, CiISMP, MBCS, is Senior Consultant for the EMEA region at TRUSTe. Ralph has spent nearly two decades working at the intersection of privacy, security and risk management. He is currently writing and blogging on global privacy and security issues, serves on the Management Committee of the UK’s Data Protection Forum, and sits on the committee to revise the British Standard for Personal Information management, BS 10012.

Originally posted on TRUSTe Privacy blog. Reposted with permission.

OCC Statement Release...

07-15-2016


The Office of the Comptroller of the Currency’s Office of Enterprise Risk Management released its statement this week on its National Risk Committee’s Semiannual Risk Perspective for Spring 2016. The report examines risks facing national banks and federal savings associations and highlights the fact that strategic, credit, operational, and compliance risks remain top concerns.

The report covers risks facing national banks and federal savings associations based on data through December 31, 2015. It presents data in four main areas: the operating environment, bank performance, key risk issues, and regulatory actions. It focuses on issues that pose threats to the safety and soundness of those financial institutions regulated by the OCC and is intended as a resource to the industry, examiners, and the public. It includes discussion of low energy prices, the potential for rising interest rates and risks associated with banks partnering with marketplace lending firms, which are of concern and being monitored, as they may develop into broader system-wide issues.

Click here to view OCC 2016-79

Release of the 2016 Vendor Ris...


The Shared Assessments Program, in collaboration with Protiviti, is conducting our third annual benchmarking study on the components of a comprehensive vendor risk management program. We invite you to take part in this survey.

The survey should take only 5-10 minutes for you to complete. You do not have to be a member or user of the Shared Assessments Program Tools to participate in the survey.

Participants will be provided with a detailed report of the survey results, which can then be used to assess and refine your own third party risk management program.

The survey closes Friday, July 29th. If you have any questions, please contact Gary Roboff at gary@santa-fe-group.com or 914-478-9360.

Begin the Survey
About Shared Assessments and Protiviti
The Shared Assessments Program is the leading authority for third party risk management program development, assessment practices and professional certification. To learn more visit www.sharedassessments.org.

Protiviti is a global consulting firm that assists companies worldwide in addressing critical challenges, including protecting and enhancing the value of the business with technology.

Record Shared Assessments Summ...

06-27-2016


The Ninth Annual Shared Assessments Summit boasted record attendance with 262 registrants and 39 world class panelists and presenters who gathered to address this year’s theme, The Changing Dynamic of Third Party Risk Assessment.

The swift evolution of third party risk threats presents challenges that outsourcing organizations have to meet. This year’s Summit provided two action-packed days of presentations and panels that addressed these issues. We also conducted six pre-Summit workshops with more than 100 attendees: SIG 101 and SIG 201; AUP 101 and AUP 201; Business Resiliency: What Your Third Parties Should Be Doing; Moving to the Next Level: Enhancing the Performance of Established Risk Programs. In addition, we held an informative Luncheon Case Study session each day. And, 77 individuals participated in a Summit-week Certified Third Party Risk Professional (CTPRP) workshop and exam.

Panels and presentations topics included: Global Big Data: Privacy and Information Security Challenges; Building Risk-Resilience in Today’s Changing Threat Environment; The Tension Between Security and Privacy in a Healthy Democracy; Panel Discussion with Regulators; and Global Challenges for Third Party Risk Management, to name just a few. Here’s what we learned during our discussions:

The Need for Ongoing Education:
The serious nature of the fragility of world economies, attacks on wholesale networks, ransomware and other infrastructure attacks, and block chain impact disruptions all demand that professional training and certification take center stage to ensure a competent and available base of qualified experts to meet the growing third party risk management challenges that organizations are facing at all levels. Such education must be structured in a way that is responsive to the intergenerational nature of the workforce and its varying management demands.

Importance of Tone at the Top to Building the Right Risk Culture:
The newly released 2016 study report, Tone at the Top and Third Party Risk, was commissioned by The Santa Fe Group, the managing agent of the Shared Assessments Program, and conducted by the Ponemon Institute. The study report examined the state of third party risk management from the perspective of C-level and senior executives, managers and consultants with executive roles within risk management processes. The study showed, and discussion at the Summit confirmed, the strong relationship between a positive leadership and ethical culture (Tone at the Top) and an effective enterprise risk management culture and optimized program, inclusive of third party risk issues. To enable the organization’s long term well-being, the C-Suite and Board should assume prominent roles both in resolving open issues and in communicating the fundamental importance of improving risk performance to improve their risk management environment and meet increasing demands (both marketplace and regulatory) for effective risk management structures and processes.

Managing for Best Risk Hygiene, Not Just for Compliance:
Establishing a direct information security line to the board is a critical element of best risk hygiene that can help raise awareness throughout the organization for building a risk management program that reaches beyond a check-the-box compliance approach and hits the mark for an informed risk perspective. Such efforts must include cyber hygiene, as evidenced by the top threats being data breaches, compromised credentials and insecure APIs.

Concern over the Human Element in IT Security:
The human element reverberates throughout risk management. The human element can catastrophically disrupt business for organizations both regionally and globally in the form of terrorism, political upheaval and hacking activities. And simple human resource problems can lead to major complications. For instance, overworked employees or undertrained staff can result in increases in errors and disruptive actions by disgruntled workers. Undertrained staff can also increase risk for cyber threats.

Cloud Security and the Change from the Internet of Things to the Internet of Everything:
The expansion into a world of Internet of Everything requires today’s board members, who often do not have a strong enough background in technology risk issues, to develop an ecosystem approach that includes not only third party risk management, but also involves managing a workforce that can adapt quickly to the rapid adoption of disruptive technology and apply big data solutions to cybersecurity and risk management. With cybercrime being more organized than ever and the points of data collection proliferating, protecting data in this space becomes ever more difficult and complex. In addition, many organizations do not know who their Cloud providers are. Currently, 14 billion devices are now connected, with projections for 40 billion by 2018. Outside of banking, some companies are considering establishing a board committee on technology. The US leads other countries, and the message to boards worldwide is to get ahead of threats; understand your vendors’ roles; and increase the flow of relevant information to your organization’s board.

Leveraging Resilience to Ensure Positive Outcomes:
Empowering governance, ensuring a direct line of responsibility within organizations and their vendors, automation for analysis for cyber resiliency in the areas of prevention, detection and response, as well as strong oversight processes can all help strengthen an organization’s defenses. By assessing what is happening in your organization and identifying and achieving the right balance of agility and security/privacy, your organization can improve its resiliency against risks that include human acts, natural disasters, malfunctions, and loss of services or equipment. One of the payoffs from improved resiliency is enhanced consumer trust, which makes trust a value enhancer instead of a value detractor.

More Rigorous Regulatory Scrutiny over Third and Fourth Party Risk Management:
The increased outsourcing of critical services produces a conundrum surrounding the multiple layers of vendors for many organizations. Fintech is especially on the horizon of recent regulator scrutiny. While the US leads in many best practices, including those led by both regulatory and industry guidelines, it lags behind the rest of the world in terms of data protection practices. The Shared Assessments Program members (led by the Regulatory Compliance and Audit Awareness Group) contributed to a response to the OCC’s March 2016 white paper on Responsible Innovation in Banking that directly concerns Fintech issues. The Program’s Regulatory Compliance Awareness Committee will continue to be an active voice in the discussions surrounding regulation and best practices development in this area.

More from the Ninth Annual Shared Assessments Summit…

Special Thanks to our Knowledgeable Speakers
This year’s Summit brought together third party risk management thought leaders from across the nation. We extend our gratitude to all of these talented, dedicated speakers for their contributions to our workshops, panels and discussions:

  • Catherine A. Allen, Chairman and CEO, The Santa Fe Group, Shared Assessments Program
  • Jerry L. Archer, Senior Vice President and Chief Security Officer, Sallie Mae; CSA Founding Board Member
  • Seth Bailey, Director, Information Security, Iron Mountain
  • Gloria C. Banks, Chief Compliance Officer, Synovus Financial
  • John Beattie, Principal Consultant, Sungard Availability Services
  • John Bree, Managing Director, Deutsche Bank
  • Gary Bruner, Director, Information Technology and Information Security, El Paso Electric Company
  • French Caldwell, Chief Evangelist, MetricStream
  • Nicole Clement, Critical Infrastructure Officer, Office of the Comptroller of the Currency (OCC)
  • Linda Tuck Chapman, President, ONTALA Performance Solutions
  • Jonathan Dambrot, CEO and Co-Founder, Prevalent, Inc.
  • Susan Ann Davis, Chairman, Susan Davis Communications International
  • Vicki Dean, Senior Vice President Member Relations, The Santa Fe Group, Shared Assessments Program
  • Dan Desko, Senior Manager, IT Audit and Risk Advisory, Schneider Downs
  • Kathleen Delessio, Risk Governance Analyst, Deluxe Corporation
  • Angela Dogan, Senior Project Manager, The Santa Fe Group, Shared Assessments Program
  • Brenda Ferraro, Global Information Security Director, Aetna, Inc.
  • E. Kelly Fitzsimmons, Co-Founder, Hypervoice Consortium; Managing Director, Custom Reality Services
  • Martin Freeman, Information Security Manager, Dealogic
  • Tom Garrubba, Senior Director, The Santa Fe Group, Shared Assessments Program
  • Rocco Grillo, Executive Managing Director, Stroz Friedberg, LLC
  • Greg Hamilton, Senior Vice President and US Head of Vendor Risk, Santander Bank
  • Suzanne Hartin, Vice President, Operational Risk, Third Party Risk Management, Resiliency, Crisis Response, Capital One
  • Darin Hartman, Governance Analyst, Deluxe Corporation
  • Andy Hout, 3rd Party Risk & Compliance, Prevalent, Inc.
  • Shane Hasert, AVP, Business Compliance
  • Susan Kaufman, Principal Security Program Manager, Veracode
  • Susan Keating, President and CEO, National Foundation of Credit Counseling (NFCC)
  • Lin Lu, Managing Director, Regional Chief Information Security Officer Americas, Deutsche Bank
  • Chris McDonald, IT Advisory Director, KPMG
  • Bob Maley, Global Inspections Manager, Paypal, Inc.
  • Tony Manley, Director, Vendor Management, MERSCORP Holdings, Inc.
  • Shawn Malone, Vice President, Business Compliance, Radian Group, Inc.
  • Charlie Miller, Senior Vice President, The Santa Fe Group, Shared Assessments Program
  • Matt Moog, Senior Manager, Advisory Services, E&Y
  • Bennett Morrison, Vice President Product Management, SecurityScorecard
  • Jake Olcott, Vice President Business Development, BitSight Technologies
  • Kenneth Peterson, Founder and CEO, Churchill & Harriman
  • Dr. Larry Ponemon, Chairman and Founder, Ponemon Institute
  • Gary Roboff, Senior Advisor, The Santa Fe Group, Shared Assessments Program
  • Donald Saxinger, Senior Examination Specialist Technology Supervision Branch, FDIC
  • Wes Shattler, Risk Director, FIS Global
  • Linnea Solem, Chief Privacy Officer, Vice President Risk and Compliance, Deluxe Corporation
  • Anita Statman, Retired Homeland Security Executive
  • Rod Turk, Director Office of Cyber Security and Chief Information Security Officer, US Department of Commerce
  • Caleb Whitmore, Founder, Chairman and Principal Consultant, Analytics Pros
  • Don Williams, Manager Operations, Churchill & Harriman
  • Bob Wilkinson, CEO and Founder, Cyber Marathon Solutions
  • Valerie Plame Wilson, Former United States CIA Operations Officer and Author

We are Surrounded by Industry Champions – VIP Reception Award Winners
The Shared Assessments Program has grown to accommodate more than 200 members, 14 software licensors and over 350 tool purchasers – all collaborating to use Shared Assessments Program content to manage third party risk and service provider oversight.

In keeping with our efforts to recognize the industry champions who are joining together to minimize risk and make our world a safer place to do business, we celebrate several of our members who have accomplished so much in our shared quest to continue reducing risk and growing the Shared Assessments Program. Special congratulations to the following individuals on a job well done:

  • Linnea Solem, Chief Privacy Officer, Vice President Risk and Compliance, Deluxe Corporation received the Shared Assessments Founders Award in appreciation for her years of dedicated service to the Shared Assessments Program, her involvement in the development committees and awareness groups, as well as her continuous contributions to key initiatives of the Program.
  • Seth Bailey, Director of Information Security, Iron Mountain received the Steering Committee Chair Award in recognition of his ongoing dedication in leading the Shared Assessments Steering Committee.
  • Lin Lu, Chief Risk Officer-IT, Freddie Mac received the Innovator Award in recognition of her outstanding contributions to the Shared Assessments Program, including her leadership in the international expansion initiative.
  • Brenda Ferraro, Global Security Director, Aetna, Inc.; Rocco Grillo, Executive Managing Director, Stroz Friedberg; and Kenneth Peterson, Founder and CEO, Churchill & Harriman received the Evangelist Awards. These awards were presented to these three exceptionally involved members of the Shared Assessments Steering Committee, who are always looking for innovative ways to grow the Program and continuously bring key partners into the Shared Assessments community.
  • Allstate received the Rookie of the Year Award in recognition of excellence in implementing Shared Assessments into an organization’s third party risk program. Allstate did a tremendous job of completely revamping their third party risk management program this year, and the Shared Assessments core staff was proud to be a part of the transformation.

Our Sponsors are the Best
Thank you to all of the industry leading sponsors and exhibitors who made this year’s Shared Assessments Summit!

PLATINUM SPONSORS

  • Prevalent

GOLD SPONSORS

  • SecurityScorecard

SILVER SPONSORS

  • Lockpath

BRONZE SPONSORS

  • Copytalk

EXHIBITORS

  • BitSight
  • Brinqa
  • Castlehill
  • CSA
  • Hiperos
  • MCO
  • ProcessUnity
  • RiskRecon
  • RiskVision

2017 Summit Opportunities
Interested in being a sponsor or exhibitor at next year’s 10th Anniversary Summit? Contact Christopher Campbell at
christopher@santa-fe-group.com or 505-466-6434 to learn more.

Responsible Innovation The Key...

06-09-2016


The Office of Comptroller of the Currency (OCC) initiated a working group in 2015 to begin to assess the evolution of technology and innovation in financial services, resulting in publication of a white paper at the end of Q1 and a request for industry comments on strategic questions. The dialog will continue later this month, at an OCC sponsored Forum on Responsible Innovation in the Federal Banking System.

Now, to those of us in long term industry roles, the reputation of traditional banking evokes images of a conservative, risk-averse, operationally focused business. New technologies, mobile, and emerging payments tend to focus media headlines on new entrants to banking and the risk that these disrupters will displace traditional banks in capturing the financial needs of customers.

The technology evolution has shifted to new types of service providers instead of the traditional “core processor” business model: cloud technology and smart phone apps have changed how banks view third party relationships.

This new Finance + Technology space, or Fintech is growing rapidly. A recent industry report indicated that investment in financial technology has grown from roughly $1.8 billion in 2010, to $24 billion in 2015. The total number of Fintech companies has surpassed 4,000 between the U.S. and U.K., creating new niches for providing services to financial services companies.

Part of the concern is that new entrants may not understand the fiduciary obligations traditional banks have in our U.S. Payment System, and could create risks or unintended harm to consumers. However, the pace of technology will always be ahead of regulatory guidance, so different approaches need to be taken. Similar to how change was adopted in the “DOT COM” era of the 1990’s we are facing a new “Bubble” in the evolution of payments, cloud technology and customer experiences.

“Without change there is no innovation, creativity, or incentive for improvement. Those who initiate change will have a better opportunity to manage the change that is inevitable.”

William Pollard, a Quaker writer often quoted on change and innovation
I think that concept is astute in that there are tipping points where change takes us to the next level; and should not be resisted. Creating barriers to change will actually help disenfranchise traditional players in financial services. Pollard considered this theme by stating that

“Learning and innovation go hand in hand. The arrogance of success is to think that what you did yesterday will be sufficient for tomorrow.”

RESPONSIBLE GROWTH: COMPARING DEFINITIONS

Like most writers and bloggers, we like words and how words work together to create messages or themes. In breaking down this concept of responsible innovation, let’s look at each word separately. Instead of taking a Black’s Law Dictionary approach, I started with www.dictionary.com for the leading definition of each word:

Definition of Responsible: Answerable or accountable, as for something within one’s power, control, or management (often followed by to or for)

Definition of Innovation: Something new or different introduced
I like the synergy that responsible conveys a message about accountability, but balances that oversight message with what a person or organization can actually manage or achieve.

Innovation is not just about ‘big ideas’ that create the next patent, but can be simple concepts that introduce new functionality, new ideas, or something different. Technology alone is changing our perception of innovation with gadgets, devices and internet connectivity. The “internet of everything” is changing our expectations for innovation as consumers and as banking customers. Risk and Reward tend to go hand in hand, but risk needs to be balanced with understanding the implications and potential for negative outcomes. The OCC defined Responsible Innovation in a way that balances these outcomes, with a focus on ensuring alignment to the business strategy of the bank or service organization.

OCC Definition of Responsible Innovation:

“The use of new or improved financial products, services, and processes to meet the evolving needs of consumers, businesses, and communities in a manner that is consistent with sound risk management and is aligned with the bank’s overall business strategy.”

THE OCC FRAMEWORK FOR RESPONSIBLE INNOVATION

The OCC Framework included these concepts or guiding principles:

  • Support responsible innovation
  • Foster an internal culture receptive to responsible innovation
  • Leverage agency experience and expertise
  • Encourage responsible innovation that provides fair access to financial services and fair treatment of consumers
  • Further safe and sound operations through effective risk management
  • Encourage banks of all sizes to integrate responsible innovation into their strategic planning
  • Promote ongoing dialog through formal outreach
  • Collaborate with other regulators

Key tenets in the starting dialog on Responsible Innovation focus on the messages that risk should not impede progress; technology can promote inclusion for underserved consumers; demographics are changing customer needs; and banks and Fintech companies can collaborate rather than compete. To demonstrate that outreach, the OCC started a strategic dialog on responsible innovation by asking for industry collaboration and feedback on key questions:

    1. What challenges do community banks face with regard to emerging technology and financial innovation?
    2. How can the OCC facilitate responsible innovation by institutions of all sizes?
    3. How can the OCC enhance its process for monitoring and assessing innovation within the federal banking system?
    4. How would establishing a centralized office of innovation within the OCC facilitate more open, timely and ongoing dialog regarding opportunities for responsible innovation?
    5. How could the OCC provide guidance to non-bank innovators regarding its expectations for banks’ interactions and partnerships with such companies?
    6. What additional tools and resources would help community bankers incorporate innovation into their strategic planning processes?
    7. What additional guidance could support responsible innovation? How could the OCC revise existing guidance to promote responsible innovation?
    8. What forms of outreach and information sharing venues are the most effective?
    9. What should the OCC consider with respect to innovation?

WEIGHING THE RISKS & OPPORTUNITIES FOR BANKERS

In thinking about these questions, I think it is important to weigh the risks and opportunities, and the differences between national banks and community banks. A study published at the 2015 Community Banking in the 21st Century Research & Policy Conference estimated that compliance costs community banks $4.5 billion annually. Measured against profitability, those costs represented 22 percent of community bank net income in 2014.

That’s disproportionate, and the regulatory burden is more difficult for community banks to manage while they work to grow and adapt to technology and payments innovation.

In fact, a recent ABA Survey of Bank Compliance Officers found that the regulatory burden has limited the expansion of bank products and services. The survey found that the increased cost of compliance has led nearly 50% of banks to reduce their offerings, which creates opportunities for non-financial disrupters to emerge.

The dialog will continue over the next quarter as the conversation expands through the public forum, which brings banks, consumer agencies, regulators and financial technology companies together to expand the options and concepts for oversight in Fintech without creating barriers to innovation. In the meantime, here are some thoughts to consider from a service provider point of view:

  • Size Matters – Balance the needs and resource differences between national banks and community banks, and also between start-ups and mature service organizations. Risk needs to be balanced against the type of service being provided in order to “right size” compliance obligations.
  • Know Your Customer – Banking organizations and service organizations need to ensure they have mechanisms to monitor and assess changing customer needs. Consumers have become more demanding about what they expect, and that requires processes that can be adapted to pilot innovation and later operationalize the requirements into existing compliance management systems.
  • Leverage Industry Associations – Self-regulatory models have been successful in bridging the gaps between technology evolution and new regulations. Digital marketing is successful because of collaboration on ad networks, just as Direct Marketing Association principles enable innovation in channel marketing.
  • Continue the dialog – Achieving responsible innovation will be an ongoing discussion between service organizations, banks and regulators. That discussion can demonstrate how the framework promotes dialog without creating an “examination mindset” that discourages traditional banking organizations from embracing innovation.

Linnea Solem, Chief Privacy Officer, Vice President Risk and Compliance for Deluxe Corporation, is a former Chair of the Shared Assessments Program. Linnea is a management professional with 20+ years of financial services experience in areas including eCommerce, technology, business development, marketing, information practices and risk management. She is a Certified Information Privacy Professional and led Deluxe’s compliance initiatives for Y2K, GLB, Check 21, and Red Flags Legislation. You can connect with Linnea on LinkedIn.

Reposted with permission from Deluxe Blogs

EU’s GDPR and the EU-US Priv...

05-31-2016

The past month has seen two major developments on the privacy front that will have worldwide consequences for entities that handle personal data. Except for the final implementation date, we knew what to expect from the latest iteration of EU data protection language. However, no preview was forthcoming regarding the contents of the eagerly awaited formal evaluation by the European Union’s data protection regulators of the EU-US Privacy Shield, which was announced earlier this year.

The May 4th publication ((Official Journal of the European Union. L 119. 4 May 2016. http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:L:2016:119:TOC)) of the long anticipated EU Regulation 2016/679, better known as the General Data Protection Regulation (GDPR), set the clock for full implementation of the new standard by May 25, 2018. Among other things, the new Data Protection Regulation:

  • Expands the scope of data protection significantly;
  • Establishes new accountabilities (such as a 72-hour notification requirement in the event of a breach); and
  • Expands the rights of individuals (for example, it introduces the right to be forgotten and the right to not be subject to profiling in certain situations).

The GDPR covers any entity that touches data on EU residents, even if that entity did not collect the data itself. In our interconnected online world that expanded coverage scope has tremendous implications for most entities that collect, hold or process data.

Equally noteworthy – and with no advance preview – was the April 13, 2016 publication ((Statement of the Article 29 Working Party on the Opinion on the EU-U.S. Privacy Shield. Brussels. 13 April 2016. http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/2016/press_release_shield_en.pdf)) of the EU’s Article 29 Working Party opinion on the new EU-US Privacy Shield, an agreement that was announced with great fanfare after difficult negotiations on February 2 ((Statement of the Article 29 Working Party on the Opinion on the EU-U.S. Privacy Shield. Brussels. 13 April 2016. http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/2016/press_release_shield_en.pdf)). The Shield’s negotiators on both sides felt comfortable that the language adequately provided for:

  • Strengthened obligations and improved enforcement in the commercial sector;
  • Clear limitations and safeguards on the access to personal data by the U.S. Government;
  • Improved redress and a mandatory arbitration mechanism to ensure enforceable actions; and
  • Annual reviews conducted by the EU Commission and US Department of Commerce ((EU-U.S. Privacy Shield. European Commission. February 2016. http://ec.europa.eu/justice/data-protection/files/factsheets/factsheet_eu-us_privacy_shield_en.pdf)).

Despite a number of improvements, including what the US and EU both said is a first time limitation of the US government’s access to EU residents’ data, the Article 29 Working Party expressed a number of what it called “strong concerns” ((Statement of the Article 29 Working Party on the Opinion on The EU-U.S. Privacy Shield. Article 29 Working Party. Brussels. 13 April 2016. http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/2016/press_release_shield_en.pdf)) about the Privacy Shield agreement. These concerns involved both commercial entities and access by public authorities to data transferred under the Shield, especially in areas related to national security. Among the biggest concerns were:

  • The Working Party believes that massive and indiscriminate collection of personal data originating from the EU is still possible, despite claims to the contrary by the US Office of the Director of National Intelligence (ODNI).
  • The Working Party believes that some key data protection principles, as outlined in European law, are not reflected or have been inadequately substituted by alternative notions. These principles include:
    1. The purpose limitation to data processing, the definition of which the Working Party says is unclear in the agreement.
    2. The data retention principle, which the Working Party Opinion says cannot be construed from the agreement’s current wording.
    3. Protections that should be afforded against automated individual decisions based solely on automated processing are not acknowledged.
  • The Working Party believes that the proposed Ombudsman role is not sufficiently independent and does not have the power to effectively exercise its duty. Also, according to the Working Party, the language of the agreement is not adequate to guarantee a satisfactory remedy in case of disagreement. ((Opinion 01/2016 on the EU-U.S. Privacy Shield draft adequacy decision. Article 29 Working Party. Brussels. Adopted 13 April 2016. http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2016/wp238_en.pdf))

If the EU and the US don’t address the issues raised by the Working Party, observers suggest that the likelihood of legal challenges to the agreement will increase significantly, creating uncertainty for firms who wish to take advantage of the Privacy Shield.

What is the Article 29 Working Party?
Most US residents are not familiar with the inner workings of EU governance, so a little background in this situation may be helpful. The European Union Parliament established the Article 29 Working Party through the 1995 Data Protection Directive ((Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data http://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1442330397711&uri=CELEX:31995L0046)) and gave it a broad advisory charter to:

  (a) examine any question covering the application of the national [data protection] measures adopted under this Directive in order to contribute to the uniform application of such measures;
  (b) give the Commission an opinion on the level of protection in the Community and in third countries;
  (c) advise the Commission on any proposed amendment of this Directive, on any additional or specific measures to safeguard the rights and freedoms of natural persons with regard to the processing of personal data and on any other proposed Community measures affecting such rights and freedoms; and
  (d) give an opinion on codes of conduct drawn up at Community level.

It’s important to note that, under the new GDPR, the Article 29 Working Party will transition to become the European Data Protection Board, with more independence and more power. Its primary task will be ensuring the consistent application of the new regulation ((EU General Data Protection Regulation (GDPR). Chapter 7: Cooperation & Consistency, Section 3: European Data Protection Board, Article 68: Procedure. 14 April 2016. http://www.eugdpr.org/00)). Also, among many other tasks, the new European Data Protection Board will advise the Commission on any issue related to the protection of personal data in the EU, as well as any proposed amendment of the GDPR. Some observers have described the Article 29 Working Party’s output as “soft law;” ((http://www.linklaters.com/Insights/Publication1403Newsletter/TMT-newsletter-September-2011/Pages/Article29-working-party.aspx)) that is, the group’s opinions are persuasive but not binding on the European Commission, national regulators or European or national courts.

That said, in the last 24 months the Article 29 Working Party has issued a number of opinions on a wide range of issues – everything from the Internet of Things (IoT), Cloud computing and the surveillance of electronic communications for intelligence and national security purposes, to privacy and data issues relating to the use of drones ((Opinion 01/2016 on the EU-U.S. Privacy Shield draft adequacy decision. Article 29 Working Party. Brussels. Adopted 13 April 2016. http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/index_en.htm)).

Part of the Working Party’s influence stems from its composition, which includes representatives of the data protection authorities from each member country, the European Data Protection Supervisor (currently, Giovanni Buttarelli) and the European Commission. That structure will carry over to the Data Protection Board. The Working Party’s current Chair is Isabelle Falque-Pierrotin, who is also Chair of the French Data Protection Authority.

Differences in Privacy as a Concept: US versus EU
In a recent interview with The Economist ((Data sovereignty: An interview with Giovanni Buttarelli. The Economist. April 7, 2016. http://www.eiuperspectives.economist.com/technology-innovation/companies-digital-transformation-and-information-privacy-next-steps-0/video/data-sovereignty-interview-giovanni-buttarelli)), Giovanni Buttarelli described one of the fundamental differences between the way we think about privacy in the United States and the way Europeans understand the concept. He noted that in the US we think in terms of users, consumers and subscribers. In the EU, individuals and persons are at the center of any notion of privacy.

In the EU, individuals are guaranteed protection of personal data through the Charter of Fundamental Rights, adopted in 2000, but only acquiring the full force of law in 2009 through the Treaty of Lisbon. That language ((Charter of Fundamental Rights of the European Union. Official Journal of the European Communities. 2000/C 364/01. 18 December 2000. http://www.europarl.europa.eu/charter/pdf/text_en.pdf)) reads:

Article 8

Protection of personal data

1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
3. Compliance with these rules shall be subject to control by an independent authority.

This strong, explicit data protection basis in EU law does not have a clear equivalent in the United States, and that gap has been at the center of the data protection and privacy related friction between these two economic blocs for years. Seen in this context, it’s likely that discussions about the adequacy of the EU-US Privacy Shield are not complete. That, of course, adds to the challenge for US companies who want to operate under the terms of the Shield Agreement.

What Should We Do to Prepare?
What should companies do to prepare for the GDPR’s May 25, 2018 effective date, and what should companies wishing to operate under the Privacy Shield do if the terms of the Shield may change or be challenged in the courts?

One of the most important points to remember about the GDPR is its expanded scope. Even if your organization is based and processes information outside of the EU, if it holds data relating to the offering of goods or services to EU data subjects or monitors their behavior, your organization will now be directly subject to the new regulation.

There are two years before the GDPR becomes fully effective, but planning should begin now. From a contextual perspective, one good place to start is by reading the Article 29 Working Party’s Opinion on the EU Privacy Shield Draft Adequacy Decision. No matter how the Privacy Shield issues are resolved, the opinion provides great insight into how EU privacy regulators think about topics and where they perceive gaps between what should be required under EU statute and what the US and EU negotiators have agreed to so far. That insight should provide real benefit to entities concerned about managing data privacy going forward, whether the existing Shield language is modified or not.

And firms with operations within the EU should fully understand what’s changed in the GDPR’s language, and that’s a lot. Even basic concepts, such as the definition of the word “consent,” have changed. “Consent” now means “a freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. ((EU General Data Protection Regulation (GDPR) Chapter 1: General Provisions, Article 4: Definitions (11). 14 April 2016. http://www.eugdpr.org/))” This definition creates a significantly higher standard for establishing permission than the prior directive.

The GDPR has a number of newly defined terms, which will be embedded in EU law. In some cases, these definitions take common concepts and redefine them in ways that incorporate new requirements into working definitions for terms in common use today, but not defined in law (see Table 2).

Table 2: GDPR newly defined terms (table not reproduced)

The single most important piece of advice should be evident – don’t wait to start your GDPR implementation planning process. The magnitude of change, depending upon your specific set of circumstances, may be so great that 24 months will slip by in a blink.

For more than 35 years, Gary Roboff, Senior Advisor, The Santa Fe Group, contributed his outstanding talents to the financial services industry, and in particular to financial services payments systems. Gary has focused on such issues as privacy and information utilization, business frameworks, changes in the payments and settlement systems and standards for emerging e-commerce applications. He has chaired the Electronic Funds Transfer Association (EFTA) board of directors and was a founder of the International Security Trust and Privacy Alliance (ISTPA), serving as Vice Chair of its board.

Wrestling with Vendor & I...

05-18-2016

I’m sitting in the bleachers watching my sophomore son wrestle in an all-day varsity tournament. As the bodies tangle, each wrestler is looking to expose and act on their opponent’s vulnerability.

As I thought about strategy I realized this process is similar to managing vendor risk. This week, the Shared Assessments Program is hosting its annual third party risk management Summit, with the theme The Changing Dynamic of Third Party Risk Management showcasing trends and threats of vendor risk.

Being a successful wrestler requires the consistent execution of multiple techniques while managing energy over time. Third Party Risk Management also requires that a business customize its vendor management program across business units, vendor types, and new acquisitions. Like wrestling, this all has to be done on a timeline and managed as efficiently as possible. Building a consistent and repeatable process is crucial for wrestlers and vendor risk managers to be successful.

Recently, I was fortunate to attend a panel discussion provided by Shared Assessments titled “Building Best Practices for Monitoring Third Party Incident Event Management Programs.” During this presentation I learned that “Just 43% of incident management professionals report their organization has a formalized incident management plan and only 9% deem their program to be ‘very effective.’” This is a frightening statistic and, in wrestling terms, it will get you pinned fast at the Varsity level!

Fortunately, for the 57% that do not have a program in place, the Shared Assessments Panel provided some steps to build an effective Vendor Incident Management program. Those steps include determining and validating at both the internal and vendor level:

  • The need for an incident response team.
  • The types of expertise that team carries.
  • The documentation of each team member’s roles and responsibilities.

Organizations should set the goal of validating three interrelated segments of incident event management:

  • Pre-incident preparation (planning and testing).
  • Incident response that executes the plan and holds to its integrity.
  • An active response to lessons learned and retention.

The Shared Assessments Program partnered with the Ponemon Institute on a “Tone at the Top” look at third party risk, with survey results being released this week. In that survey 78% felt that cyber security threats would significantly increase third party risk and 59% either are not effective, or have not assessed third party controls to reduce risk.

To effectively execute proper wrestling technique, a repeatable process is required. This is also a requirement for an effective vendor incident response plan. The following graphic provided by the Shared Assessments panel is an example of an incident process lifecycle that includes process repeatability.

[Graphic: incident process lifecycle (image not reproduced)]

At any level in wrestling, your reputation is at stake. The most trained wrestlers are always defending their reputation against the smallest error, program gap, and strong competition. It’s a constant protection effort. Losses are part of the game, but it is how a wrestler recovers and moves forward that either builds or tarnishes their reputation. The same holds true for a business. While the process above will help a business build a mature vendor incident response plan, what are the steps a wrestler or business should take when a loss or breach has happened?

Each needs to begin with the eradication and recovery process. This includes identifying the cause and its severity. The wrestler needs to be prepared for scrutiny from his peers, much as the business must be prepared for litigation and potential regulatory review. It’s also essential for both to resume operations once these steps are complete.

Remediation management is the next critical step. Policies and Procedures must be reviewed and this might include updates to contract language, education of consumers and staff, ensuring continued dialogue with the vendor, and ensuring the correct support personnel are involved.

Once the dust settles and remediation management is complete, it’s time to focus on the post incident contract response phase. This will include determining root cause, rebuilding trust with the vendor or contract termination, and potentially winding down and off boarding. The wrestler looks to see if he underestimated his opponent, similar to the business determining if it improperly scoped the vendor. For example, root cause may uncover that an unknown fourth party was the cause of the incident. It’s the responsibility of the business to thoroughly validate its vendors and their supporting vendors.

It’s clear that vendor risk management has a direct impact on a business’ reputation and ultimately its profitability.

Like a wrestler, businesses are constantly tangling with new opponents and challenges. The need for a repeatable vendor incident management process is key to having a mature vendor risk management program. The changing regulatory landscape requires a solid vendor risk management program. It doesn’t matter if the third party relationship is young or mature; businesses are now competing at the varsity level of vendor management.

Darin Hartman is a Risk Governance Analyst on Deluxe Corporation’s Business Risk and Compliance Team. Darin is located in Kansas City where he focuses on managing the risk, audit, and due diligence processes for Deluxe’s external client relationships. Darin has been with Deluxe for 27 years, most recently holding positions in Reporting & Analytics and Business Risk & Compliance.

Reposted with permission from Deluxe Blogs

A Wonky April: A Collection of...

05-04-2016

Last month heralded many milestones and events for those of us who tend toward the geekier side of watching the political and regulatory landscape. I started and ended the month of April in Washington D.C. – the District that heralded early cherry blossoms and later snowstorms, a hint of a blustery month to come.

I kicked off the month at the Global Data Privacy Summit and ended it by attending IBAT’s 24th annual Congressional Visit in conjunction with the Independent Community Bankers Association’s Washington Policy Summit. In between those bookends of policy-focused networking, including “TechProm,” the annual Center For Democracy & Technology (CDT) dinner, substantive dialog on real regulatory topics started to happen, believe it or not. The General Data Protection Regulation (GDPR) was finally approved; HR 699, the Email Privacy Act, was amended and passed unopposed by the House to promote email privacy rights; and multiple proposals focused on reducing the regulatory burden for community banks.

This year’s wacky election cycle has created a media circus of epic proportions, and it got me wondering how, in this Digital Age, we achieve practical solutions to real problems.

While the privacy and banking conferences focused on different problems, I saw common themes in the implications of big data and the emergence of new definitions of privacy from these seemingly disparate vantage points. The pace of technology change makes creating meaningful regulations difficult to achieve. The sheer volume and complexity of complying with the vast array of requirements creates a cost burden that cannot be balanced between Wall Street, the Big Banks, and the community banks of Rural America.

I admit it – I’m a doodler or random note-taker when I attend conferences, or take classes. Sometimes, I jot down a long list of to-do’s or takeaways, but this past month, I tended to focus more on questions that got me to wondering how we navigate the barrage of changes driven by privacy and regulation.

  • Who are you may sound like a question used in authentication, but the burden to community banks for data collection, call reports, and lending, makes me wonder what regulators do with all of the information collected?
  • What is your personal definition of Personally Identifiable Information?
  • How private is your mobile device, when the Electronic Communications Privacy Act of 1986 allows access by law enforcement to data without a search warrant?
  • Why do new oversight rules in telemarketing still rely on the definition of a rotary phone as the only carve out from auto-dialer marketing compliance?
  • When you use your mobile devices, do you know where your data is and how many third parties access, process, or transfer your information to give you a personalized digital experience?

Alec Ross’s book Industries of the Future compared how our economy has evolved with a focus on understanding our nation’s assets. Raw materials and things we value have evolved along with technology transformation. Land was the primary resource during the Agricultural Age; Iron was the key element in the Industrial Age, while Data is the asset of the Information Age.

By the Numbers – Wacky Factoids

Privacy in the Information Age

  • 1021 is the ratio of how rapidly data is growing. Take all the data the world collected from the Cave Man age to 2003; we now create the same amount of data every 2 days. It’s expected that within 4 years the world will go from 16 billion to 40 billion internet connected devices. Digital data collection will expand that ratio even faster!
  • Cybersecurity and breach fatigue have hit consumers. Last year data breaches created a combined theft of over 1 billion records of personally identifiable information. Ponemon’s annual data breach survey showed that the average total cost of a data breach increased 23 percent over the past two years to $3.79 million. The average cost per record containing sensitive and confidential information increased 6 percent, jumping from $145 in 2014 to $154 in 2015.
  • Roughly 40% of American households no longer have a landline phone. Enforcement in the telemarketing space is growing, with 3,710 TCPA lawsuits filed in 2015, an increase of 45% over 2014. That is the 8th year in a row in which the number of TCPA suits increased from the preceding year.
  • About 26% of online U.S. adults use an ad-blocker service to block content. Players like Google and Facebook are considering testing models with pay for service that reduces the ad content on “free” services.

Banking in the Information Age

  • Four in 10 Americans haven’t visited a branch in the last six months based on Bankrate’s Financial Security Index survey released last month, which is higher than 18 months ago.
  • New regulation stemming from the financial crisis has cost the six largest US banks $70.2 billion as of the end of 2013. The Federal Reserve estimates that costs for community banks to be $4.5 billion.
  • Growing assets sounds profitable, until hitting that magic $10 Billion threshold. That’s when the CFPB oversight kicks in including costs of stress testing and caps on interchange revenues. Financial institutions need to long jump past that threshold to maintain profitability, adding to the potential for more M & A activity. Community banks are hit significantly with the complexity of mortgage compliance; displacing their ability to provide those services.
  • Financial technology is a 25.8 billion dollar industry, with $49.7 billion invested between 2010 and 2015. In just one year, between 2013 and 2014, investment grew by a staggering 400 percent!
  • Forrester forecasts that American users will make $83 billion in mobile payments in 2016. Looking worldwide, 2 billion people in the world have no access to banking, but how many of them have a phone?
      Snow showers in April may be rare, but they can create an avalanche of impact on those who don't expect them. The data avalanche occurring in today's privacy and banking space needs a thoughtful data governance plan. The power in the numbers is that as consumers become more empowered, they enforce privacy preferences for how they want to be contacted, how they want content shared, and how they want to participate in digital marketing. As technology morphs, the rise of FinTech is introducing disrupters who can bypass the traditional banking relationship with digital payments. The sheer volume of data being collected in the digital landscape, combined with the data collected by banks and regulators, creates the need for a roadmap for information governance.

      The pace of technology change will always be faster than the adoption of new regulatory frameworks. It takes policy wonks to monitor and analyze privacy and banking in the Information Age, but adopting thoughtful regulation takes time. Key priorities need to take a risk-based approach that provides some relief to smaller organizations.

      So April was a wacky and wonky month, and as a long-term resident of the Twin Cities, and a college student in the 1980's Twin Cities music scene, I reflect back that April will always be a reminder that Sometimes it Snows in April will never be far from my memory.

      Linnea Solem, Chief Privacy Officer, Vice President Risk and Compliance for Deluxe Corporation, is a former Chair of the Shared Assessments Program. Linnea is a management professional with 20+ years of financial services experience in areas including eCommerce, technology, business development, marketing, information practices and risk management. She is a Certified Information Privacy Professional and led Deluxe's compliance initiatives for Y2K, GLB, Check 21, and Red Flags Legislation. You can connect with Linnea on LinkedIn.

      Reposted with permission from Deluxe Blogs

    2016 Tone at the Top and Third...

    04-27-2016

    The Shared Assessments Program sponsored a new study, conducted by the Ponemon Institute, which explores the role of executives in the risk management process in order to determine the role of Tone at the Top in minimizing business risks within organizations. The new report, Tone at the Top and Third-Party Risk, is due to be released May 2nd and will be available for download on the Shared Assessments Program website. This continues the Shared Assessments Program exploration of the third party risk management landscape in our white papers and benchmarking surveys.

    The study examines the state of third party risk management from the perspective of C-level and senior executives, managers and consultants who have executive roles within risk management processes. This report stratifies findings by industry and respondent’s role within their organization, allowing for analysis at a deeper level, not only by sector, but also by the role individuals play within the risk management process and the ways in which that role ties setting and communication of “Tone at the Top” to effective third party risk assessment and management practices. Industries represented in the survey include communications (5%), defense and aerospace (2%), banking (20%), insurance (8%), health and pharmaceutical (12%), industrial (11%), retail (14%), transportation (5%), energy and utilities (9%) and education and research (6%).

    With third party outsourcing increasingly the norm, organizations are recognizing that for their control environment to be effective, it must be led by a Tone at the Top that is well communicated enterprise wide. This study is part of a larger effort focused on the impacts of Tone at the Top and the setting of best practices among top-level management, as they relate to third party risk mitigation enterprise wide. Tone at the Top and Third-Party Risk digs into elements that Shared Assessments has been examining during the development of its recent white paper, In-Tune Tone at the Top, which responds directly to the need for robust Board and C-Suite engagement in driving management program development in light of the escalating consequences of ongoing and highly publicized vendor-related breaches and other incidents.

    This study provides information on the effectiveness of risk planning, third party assessments and new and evolving threats that will help in guiding improvements in the risk management environment. It provides insight into the third party risk landscape, what elements are expected to have the most significant impact on an organization’s third party risk profile and leading risk management objectives.

    Every organization can gain a significant return on their investment in vendor risk assessment by building common evaluation criteria assessments and standardized practices. To learn more, see the Shared Assessments Blog and Newsletter archive which offers ongoing discussion by industry thought leaders on best practices that inform the evolution of each industry sector’s standards surrounding a growing list of issues related to incident response and management across enterprises.

    Charlie Miller is a Senior Vice President with The Santa Fe Group, with key responsibilities that include managing and expanding the Collaborative Onsite Assessments Program and facilitating regulatory, partner and association relationships. Charlie was previously the Director of Vendor and Business Partner Risk Management at AIG, where he managed regulatory and governance activities for the organization's enterprise vendor risk management program.

    Press Release-White Paper Rele...

    04-07-2016

    FOR IMMEDIATE RELEASE

    MEDIA CONTACT
    Marya Roddis, Vice President of Communications
    O: 575.235.8228
    marya@santa-fe-group.com

    White Paper Release: Financial Services Industry Call to Action

    Creating True Efficiencies through Standardization, Cooperation and Public-Private
    Partnerships Focused on Critical Third Party Risk Management Issues

    Santa Fe, NM — March 15, 2016 — Shared Assessments is pleased to announce the release of its new white paper: Financial Services Industry Call to Action. The increased connectivity and complexity of critical infrastructure systems, both nationally and globally, puts economic and public security squarely at the forefront of risk management in every sector and industry vertical.

    This paper presents the opportunity that organizations now have to collectively raise the bar and establish effective industry-wide risk management solutions and how the benefits of such a collaborative strategy accrue for outsourcers and vendors alike.

    The financial services industry is in position to continue its leadership role in third party risk management, in order to improve the quality and efficiency of risk management programs at both the outsourcer and provider levels. As NIST Fellow Ron Ross notes: “I think some of our biggest failures today are in governance and leadership. We have tremendous security professionals. We have lots of frameworks, lots of controls. We have lots of risk assessments guidelines. But, to get all that body of work integrated into the mainstream. That’s the challenge.”

    Toward this end, the Shared Assessments Program is urging all financial services institutions to:

    • Become more involved in cooperative relationships.
    • Adopt standardized, consistent, robust third party risk management methodologies.
    • Work collaboratively to perform onsite assessments and leverage the results.

    Will your organization join with us now to create important step function improvements in third party risk management to improve enterprise risk controls industry-wide?

    About the Shared Assessments Program
    The Shared Assessments Program is the trusted source in third party risk management, with resources to effectively manage the critical components of the vendor risk management lifecycle that are: creating efficiencies and lowering costs for all participants; kept current with regulations, industry standards and guidelines, and the current threat environment; and adopted globally across a broad range of industries both by service providers and their customers. Shared Assessments membership and use of the Shared Assessments Program Tools: the Agreed Upon Procedures (AUP); Standardized Information Gathering (SIG) questionnaire and Vendor Risk Management Maturity Model (VRMMM), offers companies and their service providers a standardized, more efficient and less costly means of conducting rigorous assessments of controls for IT and data security, privacy and business resiliency. The Shared Assessments Program is managed by The Santa Fe Group (www.santa-fe-group.com), a strategic advisory company based in Santa Fe, New Mexico. For more information on Shared Assessments, please visit https://sharedassessments.org.

    ###

    It Takes In-Tune Tone at the T...

    Adam Greene 03-29-2016

    Good risk management is heavily process-dependent, and without risk-focused leadership that enables effective structure and process, security and operational risk activities may remain suboptimal. Shared Assessments developed In-Tune Tone at the Top in direct response to the increasingly disturbing financial, reputational, legal and regulatory consequences that, in part, arise from insufficient Board and C-Suite engagement in driving robust risk management program development.

    “Despite the intensifying focus on the criticality of leadership to establishing and maintaining an organization’s risk culture, it is not clear that many of us think about Tone at the Top in a way that translates into organizational components we can see and understand,” notes Gary Roboff, Senior Advisor, The Santa Fe Group. Four key Tone at the Top elements have been defined as Management, Communications, Culture and Structure. ((Tone at the Top is Vital! ISACA Journal. 2009, Volume 3.))

    Currently, there is a pronounced gap in evaluation structures and processes that provide specific definitions, methodologies and tools for measuring these elements. Where suggestions have been offered for measuring tone, they do not offer the prospect of repeatable, reliable and consistent outputs. ((The tone at the top: ten ways to measure effectiveness. Deloitte Forensic Center. 2011. http://www2.deloitte.com/content/dam/Deloitte/us/Documents/risk/us-ers-tone-at-the-top-12102011.pdf)) Without such objective measures, an organization cannot evaluate the efficacy of its leadership and the effect leadership has on managing risks.

    In some industries, compliance with regulatory and other standards may be the main driver and structure that leadership uses to strive for a more positive, stronger Tone at the Top in order to improve risk culture and performance. In these settings, a check-the-box routine may be established to meet the letter of the standard or guidance, without establishing risk sensitive values that are based on effective risk hygiene and ethical behavior.

    This is demonstrated in the findings of the 2015 Vendor Risk Management Benchmark Study, which reveal a regulatory expectation that is not being met by most respondents. No industry, including banking, approached a score of 3.5 (“Fully Determined & Established”) in any of the eight vendor maturity categories surveyed. ((2015 Vendor Risk Management Benchmark Study: The Shared Assessments Program & Protiviti Examine the Maturity of Vendor Risk Management. Shared Assessments & Protiviti, Inc. June 2015.)) Analysis of this and other recent studies found that CIOs and CISOs polled rated their organizational tools, analytic abilities, skills and expertise as well below acceptable levels.

    In fact:

      • More than 70% of Boards lack high levels of understanding about and high engagement with information security risks relating to enterprise activities.
      • Only 29% of organizations rate management understanding of sensitive data and information as “excellent.”
      • Overall maturity ratings for program governance ranked at just 2.8 on a 5.0-point scale, demonstrating the need for significant changes in organizational culture.

    ((The Battle Continues – Working to Bridge the Data Security Chasm. Protiviti, Inc. 2015. http://www.protiviti.com/en-US/Documents/Surveys/2015-IT-Security-Privacy-Survey-Protiviti.pdf)), ((2015 Vendor Risk Management Benchmark Study: The Shared Assessments Program & Protiviti Examine the Maturity of Vendor Risk Management. Shared Assessments & Protiviti, Inc. June 2015.))

    A commitment to effective risk management demands effective engagement, communications and follow through from the Board level down and – also – from the organization itself to the Board. Organizations without a strong leadership risk culture must identify gaps and utilize constructive tools to improve their risk management environment and meet increasing demands (both marketplace and regulatory) for effective risk management structures and processes. Indeed, new FFIEC tools are directly addressing issues regarding the capability of an organization to evaluate the maturity of its own enterprise risk management program.

    In-Tune Tone at the Top is the first part of a two-part process for enabling executive management teams to reliably assess their risk cultures and top of the house risk tone. This paper is concerned with developing a measurable, repeatable approach to assessment of Tone at the Top elements and improving the risk culture at the most senior management levels of an organization, with particular sensitivity to third party risk management. The second part of this process, which Shared Assessments is undertaking in 2016, is to build a prototype tool based solely on binary indicators.

    In-Tune Tone at the Top provides background on the evolution of tone in a risk management context and discusses metrics that link leadership to effective enterprise risk management. This paper also proposes attributes that can be measured to reveal the broader picture surrounding an organization's risk culture, and suggests steps the Board and C-Suite can take to close any risk culture deltas and respond to problematic risk cultures, if they are discovered during such an assessment. By examining the key attributes identified in the paper, it is possible to develop a structure that correlates regulatory and guideline expectations with quantifiable binary risk assessment measures, such as the presence or absence of specific topics in Board meeting minutes, the frequency of meetings and status updates to the Board on third party risk programs, etc.

    The maturity of an organization’s approach may also be evaluated by examining both the structure and the degree of independence of key internal risk functions. These functions create and administer policy, procedures, compliance regimes, etc. and include both internal and external risk auditing to ensure independent, autonomous functions that identify, report and remediate risks.

    Organizations that engender direct Board and C-Suite guidance for building and maintaining an effective, enterprise wide risk management culture are using drivers that improve organizational performance and therefore gain a clear competitive advantage. A Board and C-Suite that understand and believe in the strategic importance of strong risk management programs are most likely to develop a risk culture that pays material performance dividends.

    You can read/download the full Tone at the Top paper here.

    Shared Assessments Singapore R...

    03-22-2016

    I had the great pleasure to participate in an international roundtable in Singapore last week with Shared Assessments. The event was hosted by Deutsche Bank and was well attended with banking, service providers, and local regulatory members in attendance. Prevalent and Protiviti, both members of the Shared Assessments Steering Committee, made the trip to support the Santa Fe team. Local Shared Assessments members included JPMC and Deutsche Bank. The conversation was extremely robust with a few key discussion areas that I would like to highlight.

    • Firms are looking for a better way to comply and reduce risk in real-time.
    • Asian regulatory requirements are more fractured and extremely regionalized, but are informed globally.
    • Privacy and data sovereignty continues to be a significant regulatory and technical hurdle, especially given new technologies.

    These themes seem to come together in interesting ways. First, the participating firms agreed that some of the manual, custom models currently in use need to be reviewed. They agreed that standardization of content as well as new assessment methodologies for getting the visibility they needed prior to contracting was necessary, but many agreed that it is hard to do this. We discussed the need for proper scoping, automation, and vendor threat monitoring as mechanisms to help deal with many of these inefficiencies. Shared Assessments and Prevalent both play a big role here. There was significant conversation about real-time risk models and how to effectively perform this in practice.

    Second, the regulatory environment was a significant part of the conversation. There are over 16 countries and over 100 regulatory bodies represented in the Asian market. This patchwork creates a highly fractured regulatory landscape with different regional regulatory hurdles and political issues. It was discussed that the primary focus of Shared Assessments’ efforts should be initially on Singapore, Hong Kong, Japan, Korea, China, and India. The Shared Assessments team had performed mapping to the primary third-party risk guidance from the Monetary Authority of Singapore (MAS) with the Shared Assessment program tools prior to the event and identified that most of the guidance control areas were covered well with the existing tools. Part of the discussion was to get better validation. In fact, several MAS members were in attendance and able to offer additional commentary around the need for each bank to meet the MAS guidance independent of any other requirements. It was noted that some of the requirements were also more prescriptive than their US counterparts. However, MAS regulators are communicating with other regional and global regulators. Being able to support the requirements in a standardized, sharable framework was highly desired. Of particular interest was support for collaborative assessment.

    Third, privacy and data sovereignty was a large part of the discussion, especially given new technologies like cloud and blockchain. The regulations to support the needs of data and IT ownership were significantly different across the region. While the use of cloud continued to be discussed, most agreed that additional cost and complexity might be introduced due to regional data sovereignty requirements, and that this was the cost of doing business. Having a model and guidance from the Shared Assessments program including education, certification, and tools to help with scoping, pre-assessment, contracting, and support for new technological advances was discussed.

    Lastly, the conversation went much deeper than anyone expected, as many of the issues facing US banks are being similarly felt, in some ways with more complexity, in the Asian markets. The three topics above started to come together as the discussion moved specifically to how to deal with these issues operationally. The needs of the firms to support multiple markets with significantly differing regulatory issues while managing technology changes posed implementation challenges and additional costs. Additionally, the ability for service providers to comply with requests and prepare for assessments could be fostered through the use of standardized content from Shared Assessments.

    The hope from this effort is that a local Shared Assessments community will be able to help inform the needs of the program tools, as well as provide education that can be tailored to the needs of the region. However, it might require supplemental or different tools. The next steps are to help get additional feedback and create a strong nucleus in Singapore that can help support the firms in attendance as well as others facing similar challenges. It seems that the market is prime for this type of support from Shared Assessments.

    Jonathan Dambrot is CEO and Co-Founder of Prevalent, Inc., and was the 2015 Shared Assessments Program Chair. Jonathan is responsible for driving the direction of Prevalent, as well as managing the sales, project management, operations, legal, and marketing organizations at the company.

    Press Release-White Paper Rele...

    03-15-2016

    FOR IMMEDIATE RELEASE

    MEDIA CONTACT
    Marya Roddis, Vice President of Communications
    O: 575.235.8228
    marya@santa-fe-group.com

    White Paper Release: A Guided Assessment – Providing Advancements in Building Best Practices for Vendor Onsite Assessments

    Building new expectations and increasing transparency to assure good assessment practices

    Santa Fe, NM — March 15, 2016 — Shared Assessments is pleased to announce release of its newest white paper: A Guided Assessment – Providing Advancements in Building Best Practices for Vendor Onsite Assessments.

    Shared Assessments has created a best practice assessment and scoping guideline that is practical for all outsourcing organizations, onsite assessment teams, managers and service providers, regardless of industry or assessment scope. Development of such a shared risk assessment process can afford rewards industry-wide. Unlike product and service development, which carries competitive value, the guideline and accompanying tool work in concert with existing onsite assessment tools and processes by providing a clear, consistent methodology designed to keep the assessment process on target.

    Use of this guideline and the accompanying tool:

    • Supports information security in combination with collaborative partnership building.
    • Creates a coherent, clear overview of the Pre-Visit, Onsite and Post Assessment planning and communications process that provides an advancement in building best practice awareness and increasing transparency for the assessment process.
    • Provides a clear framework that fosters better long-term relationships by ensuring assessment and monitoring are conducted in a manner where all parties see defined objectives and understand the value of each step.

    The Onsite Assessment Best Practices Guideline is complementary to existing innovations in third party risk assessment and management. To read the paper and for more information on Shared Assessments, you may go to: https://sharedassessments.org.

    About the Shared Assessments Program
    The Shared Assessments Program is the trusted source in third party risk management, with resources to effectively manage the critical components of the vendor risk management lifecycle that are: creating efficiencies and lowering costs for all participants; kept current with regulations, industry standards and guidelines, and the current threat environment; and adopted globally across a broad range of industries both by service providers and their customers. Shared Assessments membership and use of the Shared Assessments Program Tools: Agreed Upon Procedures (AUP); Standardized Information Gathering (SIG) questionnaire and Vendor Risk Management Maturity Model (VRMMM), offers companies and their service providers a standardized, more efficient and less costly means of conducting rigorous assessments of controls for IT and data security, privacy and business resiliency. The Shared Assessments Program is managed by The Santa Fe Group (www.santa-fe-group.com), a strategic advisory company based in Santa Fe, New Mexico. For more information on Shared Assessments, please visit https://sharedassessments.org.

    ###

    Program Tool Updates: Member-D...

    02-25-2016

    As the third party risk environment continues to require more from C-level executive and third party risk management professionals, Shared Assessments again takes the lead in providing powerful tools to improve assessment-related economies and scalability for both outsourcers and providers.

    The January 2016 Shared Assessments Program Tools release provides another level of advance in third party risk assurance. The tools provide a tangible gain in risk management, improving the risk posture at the service provider level over using proprietary questionnaires.

    By meeting the recent surge in regulatory, consumer and business scrutiny and changes in the current threat environment in a “trust, but verify” standardized approach, Shared Assessments is seeing growing adoption of the tools globally. Importantly, these assessment tools serve organizations regardless of size or industry and help manage the entire vendor risk management lifecycle. The tools can be tailored to an organization’s unique interpretation of regulations, divisional needs and risk appetites.

    The updated tools employ tested strategies and processes and reflect the combined efforts of members, which informs the tools at the most robust level to allow for rigorous assessment and management of IT, security, privacy and resiliency risks. The tools’ focus on third party risk management helps professionals to implement a standardized and efficient program to take action on security threats and vulnerabilities that surround outsourcing of critical services, including issues associated with Cloud, mobile and fourth party security.

    The 2016 Program Tools have been aligned and updated in keeping with regulatory guidance and industry standards addressing, in part, enterprise-wide business continuity and operational risks as they relate to information security. ((Most recently including: FFIEC Information Technology Examination Handbook. Appendix J: Strengthening the Resilience of Outsourced Technology Services. Federal Financial Institutions Examination Council (FFIEC). February 2015; Payment Card Industry (PCI) Data Security Standard: PCI DSS Designated Entities Supplemental Validation. Version 1.0. PCI Security Standards Council. June 2015; ISO 22301:2012 – Societal security – Business continuity management systems – Requirements. International Organization for Standardization. May 15, 2012; NIST Cybersecurity Framework and Special Publication 800-53 Revision 4 – Security and Privacy Controls for Federal Information Systems and Organizations. National Institute of Standards & Technology (NIST). April 30, 2013; AICPA Privacy Incident Response Plan. American Institute of Certified Public Accountants, Inc. New York. 2004; DOJ Instruction – Incident Response Procedures for Data Breaches. US Department of Justice. August 6, 2013; FCC Computer Security Incident Response Guide. Federal Communications Commission, Office of the Managing Director, Information Technology Center, Computer Security Program. December 2001; HIPAA Incident Response and Reporting. US Health & Human Services. September 2011; NERC CIP-008-5 – Cyber Security – Incident Reporting and Response Planning. North American Electric Reliability Corporation (NERC). July 9, 2014; NIST Special Publication 800-61 Revision 2 – Computer Security Incident Handling Guide. NIST. August 8, 2012; US-CERT Federal Incident Notification Guidelines. US Computer Emergency Readiness Team (CERT). Effective October 1, 2014.)) Included in this release:

    • The Standardized Information Gathering (SIG) questionnaire and SIG Lite use industry best practices to gather and assess information technology, security, privacy and data security risks (and their corresponding controls) in an information technology environment. The SIG provides a complete picture of service provider controls, with scoring capability for response analysis and reporting. Enhancements to the 2016 SIG include streamlining of the instrument, as well as alignment with the ISO 22301:2012 international standard and the FFIEC Business Continuity Planning Booklet Appendix J: Strengthening the Resilience of Outsourced Technology Services, which addresses cyber resilience. Updates include new controls for hardware security, information security and mobile security, and new, industry-relevant terminology. A new maturity field, containing five levels of maturity ranking, was added to the SIG and SIG Lite to provide an added dimension to each question response.
    • The Shared Assessments Agreed Upon Procedures (AUP), a tool for standardized onsite assessments, is used to evaluate the controls third party service providers have in place for information and data security, privacy and business resiliency risk. AUP updates respond to the overwhelming number of security breaches that have occurred in the past two years. It has been reconstructed to cover regulatory guidelines and industry standards with guidance on incident response. For the 2016 AUP, Shared Assessments not only updated the tool based on current industry trends, changes and best practices, but also added an addendum for performing Collaborative Onsite Assessments (COA). The addendum is specifically geared to a collaborative assessment that profiles the full and complete control environment using a substantiation-based, standardized, efficient methodology. Developed with top-tier financial institutions to allow multiple outsourcers to collaborate and assess the risk controls of a single service provider, its use across a larger set of common service providers offers consistency, rigor and efficiency.
    • The Vendor Risk Management Maturity Model (VRMMM) incorporates vendor risk management best practices into a usable model for assessing the current and desired future state of a vendor risk management program. The VRMMM helps organizations make well-informed decisions on how to assign resources to most effectively and cost efficiently manage vendor-related risks. New enhancements to the 2016 VRMMM include updates to align with the FFIEC Business Continuity Planning Booklet Appendix J: Strengthening the Resilience of Outsourced Technology Services, which addresses cyber resilience.

    Catherine A. Allen, Chairman and CEO of The Santa Fe Group notes that “applying the tools increases rigor, consistency and speed, resulting in cost savings in the control assessment process for both the outsourcing organization and the service provider. This, in turn, also allows organizations to redirect resources away from assessment costs and toward control and monitoring by limiting site visit and annual review man hours.” The AUP, along with the COA addendum, provides a robust, substantiation-based, standardized, efficient methodology. Its use is expected to yield a higher confidence that third party service providers are compliant and more likely to remain compliant. For more information about the Shared Assessments Program and the Program Tools, contact info@sharedassessments.org, or visit our website at www.sharedassessments.org.

    Marya Roddis is Vice President of Communications for The Santa Fe Group. She develops blog content and assists staff and members to document committee projects in white papers and briefings, as well as working on blog editing, press releases and other marketing documentation projects. She has worked as a Resource Development Consultant since 2003 for primarily non-profit organizations in the fields of arts, education, social services, and regional economic and business development.

    Tone at the Top: Risk Governan...

    02-19-2016

    Last week I had the opportunity to present at the 2016 Deluxe Exchange Client conference on the convergence of Risk & Governance today at Board and Executive levels of organizations. The theme focused on how critical the “Tone at the Top” has become in enabling a more strategic conversation on risk & compliance in today’s market landscape. Over the past year, I have been the co-chair of The Shared Assessments Program Regulatory Compliance Working Group, which has been tackling this same topic. This week, the Shared Assessments Program released a “Tone at the Top” White Paper that shares that dialog, recaps today’s risk landscape and offers a strategic framework for consideration.

    TODAY’S COMPLIANCE LANDSCAPE

    Pre-attendees to our Deluxe conference were asked about the top issues in banking today. Retail banking respondents’ top hot topics were Digital Channels (55%), Share of Wallet (45%) and Millennials (41%), while commercial bankers led with Faster Payments (75%) and Commercial Mobile (54%). Across the board, all organizations were facing challenges in balancing cybersecurity, the cost of compliance, consumer protection limitations and technology acceleration. The pace of change in risk, combined with shifts in digital technologies, has shifted the technology point of view.

    Heightened expectations across many compliance focus areas are driving more oversight for corporate governance, cybersecurity, regulatory compliance and business resiliency into the C-Suite. The tone at the top is not simply about corralling compliance topics under the Big Top, but understanding drivers and internal ringleaders needed to navigate the Compliance Circus.

    A NEW NORMAL: COMPLIANCE BEYOND IT CONTROLS

    While SOX compliance, PCI, and data breaches focus the conversation on IT controls, the new normal is a shift in governance, risk & compliance beyond IT. There is an increased focus on corporate governance, ethics, reputation risk, and business practices. The aggressive consumer protection enforcement action landscape has put a spotlight on areas of compliance typically not on the enterprise risk registry or risk dashboard. Compliance in operational risk and consumer protection can be open to interpretation as to what is ‘mandated’ vs. what is an industry ‘best practice’. The risk appetite of an organization is based on its culture, values, and norms, and what is acceptable to one organization may not be allowed in another company.

    These themes were visible in the results of a recent Thomson Reuters survey, published as the Top 5 Compliance Trends Around the Globe in 2016:

    • Creating a culture of compliance
    • Increased investment in compliance operations
    • Keeping pace with changing regulatory landscape
    • Monitoring third party risk
    • Encouraging whistleblower activity

    More than 1/3 of the organizations surveyed spend at least an entire day per week tracking and analyzing regulatory change. 70% expected regulators to publish even more regulatory information, with 28% predicting that volume to be significant. The pace of regulatory change felt in banking has been driven by Dodd-Frank compliance, and that journey is just past the 55% complete mark.

    SHIFT IN GOVERNANCE & RISK STRATEGIES

    These market drivers are shifting the risk dialog from risk elimination to risk management. Organizations appear to have a lower tolerance for slow risk remediation, requiring faster resolution timeframes. The role of risk management is expanding to broader topic areas. Communication in all directions (upward, across management lines, and to front line employees) has become more critical in developing the culture of compliance. The tone of the compliance culture is set by the messages from executives, but also by the structures of the governance oversight functions. Management reporting has shifted from a “once and done” annual exercise to an ongoing conversation with the Board, Audit/Risk committees and the C-Suite.

    Broadened accountability has changed the role of the risk/compliance professional within organizations. Further, the shift in governance changes the education and skill set required of Boards of Directors and their respective committees to address the technology, operational risk, and regulatory landscape. Keeping staffing in line with the uptick in regulatory change has created gaps for many organizations in getting and keeping the right skill sets. The increased investment in compliance operations was shown in the Thomson Reuters survey, which found that last year 71% of firms expected the cost of senior compliance professionals to increase due to the demand for skilled/knowledgeable staff. At the same time, 75% of compliance leaders expected that management will require more/much more attention to these matters.

    C-SUITE ACCOUNTABILITY: FROM RISK ACUMEN TO RISK INTELLIGENCE

    Many organizations are leveraging a “three lines of defense” model to help navigate governance and compliance with the right balance of oversight. Cracking the whip in only one area is not effective.

    • The first line: organizations need to have accountability for front line compliance in the lines of business.
    • The second line: Risk or Compliance teams play an oversight role with monitoring, risk assessments, spot checks, and setting policies and programs to address compliance.
    • The third line: Assurance or Audit plays the fully independent oversight function, with communication to Board Audit Committees.

    Boards and Audit committees play a fiduciary role, and should have a “noses in” and “hands out” approach to dealing with risk/compliance, holding the C-Suite and management accountable for the risk and the organization’s response. Implementing this approach requires formalization of the roles and accountabilities for all three lines of defense, with a common framework for measuring risk and mitigation tactics, and with enhanced risk management reporting. Scorecards need to be more than data; they need to provide insights that influence actions.

    INDUSTRY COLLABORATION

    Finding common solutions to common challenges is a long-standing approach within industry working groups. The Regulatory Compliance Working Group of The Shared Assessments Program has released a White Paper on Tone at the Top that includes a deep dive on the shifts in regulatory compliance and governance. The analysis, information sharing and collaboration on how organizations are modeling and adapting their organizational design is a key output of the paper. The dialog on how to balance the tone at the top on the risk/compliance high wire with the actions below within an organization is just beginning.

    Bottom line: the tone at the top sends the message that drives the actions taken in the middle.

    Linnea Solem, Chief Privacy Officer and Vice President Risk and Compliance for Deluxe Corporation, is a former Chair of the Shared Assessments Program. Linnea is a management professional with 20+ years of financial services experience in areas including eCommerce, technology, business development, marketing, information practices and risk management. She is a Certified Information Privacy Professional and led Deluxe’s compliance initiatives for Y2K, GLB, Check 21, and Red Flags Legislation. You can connect with Linnea on LinkedIn.

    Reposted with permission from Deluxe Blogs

    Will anticipatory compliance b...

    02-16-2016

    I was recently invited to speak on a panel regarding third party risk strategies for the Securities Industry and Financial Markets Association’s (SIFMA) Internal Auditors Society. While there, I had the opportunity to meet and hear from two individuals who are well known and respected in their related fields: former US Attorney General John Ashcroft and noted author and cyber risk authority MacDonnell “Don” Ulsch.

    John Ashcroft, in the keynote for this event, touched on topics ranging from homeland security and terrorism to cyber espionage. He delivered one commanding prediction: that financial institutions will need to prepare for “anticipatory compliance.” In other words, organizations will need to be prepared to show that they are actively anticipating, studying and acting on perceived threats.

    This makes sense on a couple of fronts.

    First, given the present state of the world, we are seeing, on an almost daily basis, cyber threats from foreign adversaries, activist groups, crime syndicates and, yes, even from within our own walls. These can cause major disruptions to organizations, third party service providers and ultimately the consumers relying on the products and services that organizations provide. In addition to cyber threats, environmental and political events need to be added into the equation, as these can further affect our supply chains and the third party vendors that support critical processes.

    Second, as organizations are moving full speed ahead to hit their targeted goals, they may not always be taking the time required to see information on their radar that reveals possible business line threats. That means that they become locked into reactionary mode (e.g., putting o