The Ninth Annual Shared Assessments Summit boasted record attendance with 262 registrants and 39 world class panelists and presenters who gathered to address this year’s theme, The Changing Dynamic of Third Party Risk Assessment.
The swift evolution of third party risk threats presents challenges that outsourcing organizations have to meet. This year’s Summit provided two action-packed days of presentations and panels that addressed these issues. We also conducted six pre-Summit workshops with more than 100 attendees: SIG 101 and SIG 201; AUP 101 and AUP 201; Business Resiliency: What Your Third Parties Should Be Doing; and Moving to the Next Level: Enhancing the Performance of Established Risk Programs. In addition, we held an informative Luncheon Case Study session each day, and 77 individuals participated in a Summit-week Certified Third Party Risk Professional (CTPRP) workshop and exam.
Panels and presentations topics included: Global Big Data: Privacy and Information Security Challenges; Building Risk-Resilience in Today’s Changing Threat Environment; The Tension Between Security and Privacy in a Healthy Democracy; Panel Discussion with Regulators; and Global Challenges for Third Party Risk Management, to name just a few. Here’s what we learned during our discussions:
The Need for Ongoing Education:
The fragility of world economies, attacks on wholesale networks, ransomware and other infrastructure attacks, and the disruptions that blockchain may bring all demand that professional training and certification take center stage, so that organizations have a competent and available base of qualified experts to meet the growing third party risk management challenges they face at every level. Such education must be structured to be responsive to the intergenerational nature of the workforce and its varying management demands.
Importance of Tone at the Top to Building the Right Risk Culture:
The newly released 2016 study report, Tone at the Top and Third Party Risk, was commissioned by The Santa Fe Group, the managing agent of the Shared Assessments Program, and conducted by the Ponemon Institute. The report examined the state of third party risk management from the perspective of C-level and senior executives, managers and consultants with executive roles within risk management processes. The study showed, and discussion at the Summit confirmed, a strong relationship between a positive leadership and ethical culture (Tone at the Top) and an effective enterprise risk management culture and optimized program, inclusive of third party risk issues. To secure the organization’s long term well-being, the C-Suite and Board should assume prominent roles both in resolving open issues and in communicating the fundamental importance of improving risk performance, so that the organization can strengthen its risk management environment and meet increasing marketplace and regulatory demands for effective risk management structures and processes.
Managing for Best Risk Hygiene, Not Just for Compliance:
Establishing a direct information security reporting line to the board is a critical element of good risk hygiene. It raises awareness throughout the organization and helps build a risk management program that reaches beyond a check-the-box compliance approach to an informed risk perspective. Such efforts must include basic cyber hygiene: the top threats discussed at the Summit were data breaches, compromised credentials and insecure APIs.
Concern over the Human Element in IT Security:
The human element reverberates throughout risk management. It can catastrophically disrupt business for organizations both regionally and globally, in the form of terrorism, political upheaval and hacking activity. Simpler human resource problems can also lead to major complications: overworked employees and undertrained staff make more errors, disgruntled workers take disruptive actions, and undertrained staff are more susceptible to cyber threats.
Cloud Security and the Change from the Internet of Things to the Internet of Everything:
The expansion into a world of the Internet of Everything requires today’s board members, who often lack a strong background in technology risk issues, to develop an ecosystem approach. That approach covers not only third party risk management but also a workforce that can adapt quickly to the rapid adoption of disruptive technology and apply big data techniques to cybersecurity and risk management. With cybercrime more organized than ever and the points of data collection proliferating, protecting data in this space becomes ever more difficult and complex. In addition, many organizations do not know who their cloud providers are. Currently, 14 billion devices are connected, with projections of 40 billion by 2018. Outside of banking, some companies are considering establishing a board committee on technology. The US leads other countries in this area, and the message to boards worldwide is to get ahead of threats, understand your vendors’ roles, and increase the flow of relevant information to your organization’s board.
Leveraging Resilience to Ensure Positive Outcomes:
Empowered governance, a direct line of responsibility within organizations and their vendors, automated analysis to support cyber resiliency in prevention, detection and response, and strong oversight processes can all strengthen an organization’s defenses. By assessing what is happening in your organization and finding the right balance of agility and security/privacy, you can improve resiliency against risks that include human acts, natural disasters, malfunctions, and loss of services or equipment. One payoff from improved resiliency is enhanced consumer trust, which turns trust into a value enhancer instead of a value detractor.
More Rigorous Regulatory Scrutiny over Third and Fourth Party Risk Management:
The increased outsourcing of critical services creates a conundrum for many organizations: multiple layers of vendors (third and fourth parties) to oversee. Fintech in particular has drawn recent regulator scrutiny. While the US leads in many best practices, including those driven by regulatory and industry guidelines, it lags behind the rest of the world in data protection practices. Shared Assessments Program members (led by the Regulatory Compliance and Audit Awareness Group) contributed to a response to the OCC’s March 2016 white paper on Responsible Innovation in Banking, which directly concerns Fintech issues. The Program’s Regulatory Compliance Awareness Committee will continue to be an active voice in the discussions surrounding regulation and best practices development in this area.
More from the Ninth Annual Shared Assessments Summit…
Special Thanks to our Knowledgeable Speakers
This year’s Summit brought together third party risk management thought leaders from across the nation. We extend our gratitude to all of these talented, dedicated speakers for their contributions to our workshops, panels and discussions:
- Catherine A. Allen, Chairman and CEO, The Santa Fe Group, Shared Assessments Program
- Jerry L. Archer, Senior Vice President and Chief Security Officer, Sallie Mae; CSA Founding Board Member
- Seth Bailey, Director, Information Security, Iron Mountain
- Gloria C. Banks, Chief Compliance Officer, Synovus Financial
- John Beattie, Principal Consultant, Sungard Availability Services
- John Bree, Managing Director, Deutsche Bank
- Gary Bruner, Director, Information Technology and Information Security, El Paso Electric Company
- French Caldwell, Chief Evangelist, MetricStream
- Nicole Clement, Critical Infrastructure Officer, Office of the Comptroller of the Currency (OCC)
- Linda Tuck Chapman, President, ONTALA Performance Solutions
- Jonathan Dambrot, CEO and Co-Founder, Prevalent, Inc.
- Susan Ann Davis, Chairman, Susan Davis Communications International
- Vicki Dean, Senior Vice President Member Relations, The Santa Fe Group, Shared Assessments Program
- Dan Desko, Senior Manager, IT Audit and Risk Advisory, Schneider Downs
- Kathleen Delessio, Risk Governance Analyst, Deluxe Corporation
- Angela Dogan, Senior Project Manager, The Santa Fe Group, Shared Assessments Program
- Brenda Ferraro, Global Information Security Director, Aetna, Inc.
- E. Kelly Fitzsimmons, Co-Founder, Hypervoice Consortium; Managing Director, Custom Reality Services
- Martin Freeman, Information Security Manager, Dealogic
- Tom Garrubba, Senior Director, The Santa Fe Group, Shared Assessments Program
- Rocco Grillo, Executive Managing Director, Stroz Friedberg, LLC
- Greg Hamilton, Senior Vice President and US Head of Vendor Risk, Santander Bank
- Suzanne Hartin, Vice President, Operational Risk, Third Party Risk Management, Resiliency, Crisis Response, Capital One
- Darin Hartman, Governance Analyst, Deluxe Corporation
- Andy Hout, 3rd Party Risk & Compliance, Prevalent, Inc.
- Shane Hasert, AVP, Business Compliance
- Susan Kaufman, Principal Security Program Manager, Veracode
- Susan Keating, President and CEO, National Foundation of Credit Counseling (NFCC)
- Lin Lu, Managing Director, Regional Chief Information Security Officer Americas, Deutsche Bank
- Chris McDonald, IT Advisory Director, KPMG
- Bob Maley, Global Inspections Manager, Paypal, Inc.
- Tony Manley, Director, Vendor Management, MERSCORP Holdings, Inc.
- Shawn Malone, Vice President, Business Compliance, Radian Group, Inc.
- Charlie Miller, Senior Vice President, The Santa Fe Group, Shared Assessments Program
- Matt Moog, Senior Manager, Advisory Services, E&Y
- Bennett Morrison, Vice President Product Management, SecurityScorecard
- Jake Olcott, Vice President Business Development, BitSight Technologies
- Kenneth Peterson, Founder and CEO, Churchill & Harriman
- Dr. Larry Ponemon, Chairman and Founder, Ponemon Institute
- Gary Roboff, Senior Advisor, The Santa Fe Group, Shared Assessments Program
- Donald Saxinger, Senior Examination Specialist Technology Supervision Branch, FDIC
- Wes Shattler, Risk Director, FIS Global
- Linnea Solem, Chief Privacy Officer, Vice President Risk and Compliance, Deluxe Corporation
- Anita Statman, Retired Homeland Security Executive
- Rod Turk, Director Office of Cyber Security and Chief Information Security Officer, US Department of Commerce
- Caleb Whitmore, Founder, Chairman and Principal Consultant, Analytics Pros
- Don Williams, Manager Operations, Churchill & Harriman
- Bob Wilkinson, CEO and Founder, Cyber Marathon Solutions
- Valerie Plame Wilson, Former United States CIA Operations Officer and Author
We are Surrounded by Industry Champions – VIP Reception Award Winners
The Shared Assessments Program has grown to accommodate more than 200 members, 14 software licensors and over 350 tool purchasers – all collaborating to use Shared Assessments Program content to manage third party risk and service provider oversight.
In keeping with our efforts to recognize the industry champions who are joining together to minimize risk and make our world a safer place to do business, we celebrate several of our members who have accomplished so much in our shared quest to continue reducing risk and growing the Shared Assessments Program. Special congratulations to the following individuals on a job well done:
- Linnea Solem, Chief Privacy Officer, Vice President Risk and Compliance, Deluxe Corporation received the Shared Assessments Founders Award in appreciation for her years of dedicated service to the Shared Assessments Program, her involvement in the development committees and awareness groups, as well as her continuous contributions to key initiatives of the Program.
- Seth Bailey, Director of Information Security, Iron Mountain received the Steering Committee Chair Award in recognition of his ongoing dedication in leading the Shared Assessments Steering Committee.
- Lin Lu, Chief Risk Officer-IT, Freddie Mac received the Innovator Award in recognition of her outstanding contributions to the Shared Assessments Program, including her leadership in the international expansion initiative.
- Brenda Ferraro, Global Security Director, Aetna, Inc.; Rocco Grillo, Executive Managing Director, Stroz Friedberg; and Kenneth Peterson, Founder and CEO, Churchill & Harriman received the Evangelist Awards. These awards were presented to these three exceptionally involved members of the Shared Assessments Steering Committee, who are always looking for innovative ways to grow the Program and continuously bring key partners into the Shared Assessments community.
- Allstate received the Rookie of the Year Award in recognition of excellence in implementing Shared Assessments into an organization’s third party risk program. Allstate did a tremendous job of completely revamping their third party risk management program this year, and the Shared Assessments core staff was proud to be a part of the transformation.
Our Sponsors are the Best
Thank you to all of the industry leading sponsors and exhibitors who made this year’s Shared Assessments Summit possible!
2017 Summit Opportunities
Interested in being a sponsor or exhibitor at next year’s 10th Anniversary Summit? Contact Christopher Campbell at firstname.lastname@example.org or 505-466-6434 to learn more.