When someone who has operated across multiple risk and regulatory realms for three decades notes that companies and their vendors have been thrust into a new era of data privacy, it’s worth bearing in mind.
The Santa Fe Group Senior Vice President and CSO Brad Keller’s assertion becomes more compelling when he describes some of the far-reaching operational impacts that the new data privacy regulations will have on companies and their third parties in 2020 and beyond.
“Under the California Consumer Privacy Act (CCPA) consumers have certain rights regarding what you can and can’t do with their data,” says Keller, a former trial lawyer and privacy/compliance officer who testified on behalf of the financial services industry at Congressional hearings related to the 1996 Health Insurance Portability and Accountability Act (HIPAA). “If you outsource your data center to a third party, for example, you now have to make sure that the third party can uphold all the data-privacy commitments you’ve made to the consumer. That requires looking beyond traditional information technology (IT) security controls into a wide range of operational issues.” Among other activities, that includes inventorying all regulated data and then classifying, tagging and monitoring that data.
Privacy-driven operational challenges figure prominently among the following trends Keller expects to influence, challenge and disrupt third party risk management (TPRM) activities in 2020:
- New data privacy rules will require major operational adjustments: Traditional IT security requirements remain as important as ever thanks to evolving cyber-attack methods. In addition to those requirements, third party risk managers and their external counterparts must now manage all the privacy commitments that are made when their company collects data from individuals. This need was driven home in late 2019 when the International Organization for Standardization (ISO) extended some of its widely used information security management and controls standards. ISO’s “PIMS” extension (published as ISO/IEC 27701) consists of guidance on privacy information management systems (PIMS) applicable to both controllers (i.e., outsourcers) and processors (i.e., vendors) of personally identifiable information (PII). Complying with new laws and adhering to new data-privacy standards requires new policies, procedures and processes for keeping data longer, and for tagging and organizing the data according to specific privacy-compliance requirements.
- More regulators will codify resilience: Keller expects more regulatory bodies to take a page from the Prudential Regulation Authority’s (PRA’s) handbook by integrating resilience requirements into their rules. The U.K.-based PRA is integrating operational resilience into its regulatory framework with the intention of steering “firms to be resilient in their adoption of new technologies.” While U.S. regulators tend to frame resilience as a means of sustaining internal operations to ensure systemic health (e.g., of the financial system), rule makers in the European Union (EU) and U.K. also tend to view resilience in the context of consumer impacts (e.g., preventing outages that limit customers’ access to their bank accounts for extended periods).
- Third party risk managers will enter the spider web: Compared to their EU counterparts, U.S. regulators have spent less time examining fourth and fifth party risks. That will change, Keller notes, as more domestic regulations begin to address “nth party” risks that lurk in fourth, fifth and sixth parties. These types of requirements would pose some immediate challenges, given that an outsourcer sharing data with one third party rarely enters into contractual agreements with that third party’s web of vendors.
- Third party risk management tool kits will need to be updated continually: Keller led the development of Shared Assessments’ Vendor Risk Management Maturity Model (VRMMM) and the Certified Third Party Risk Professional (CTPRP) program, and he remains a firm believer in the need to continually update third party risk management frameworks, tools and training. While the current version of Shared Assessments’ continually updated Third Party Risk Management Toolkit features expanded third party privacy tools for GDPR and CCPA, it also contains a range of new operational risk content. This content focuses on emerging and expanding third party risk scenarios such as money laundering, trafficking, anti-trust, anti-bribery, international compliance, call center security, payments compliance, ethical sourcing, and human trafficking risk in the supply chain.
- Third party risk managers will need to avoid playing “30 Questions”: As third party risks intensify, third party risk managers contending with resource constraints face pressure to cut corners. “I’ve come across claims that you can assess whether a third party has sound security controls in 30 questions or less,” Keller reports. When he hears that type of assertion, Keller quickly runs through a few crucial high-level questions, such as whether the vendor is a cloud provider or handles regulated privacy data. “When you start a cursory list of the control areas that need to be in place, you quickly come up with 50 or 60 different risk areas. There is no way you can adequately assess even half of those risk areas with 30 questions. Plus, the recent data privacy laws have greatly expanded what outsourcers need to assess.”
Keller emphasizes that leading TPRM programs can operate in an efficient manner, but he urges risk managers to avoid shortcuts and omissions that can ultimately exact a much greater cost on companies (and careers).