As a follow-up to the 8th annual Shared Assessments Summit, I conducted a webinar hosted by New York Stock Exchange (NYSE) Governance Services and sponsored by Prevalent, where the themes of governance continued to focus on third party risk.
The focus on third party risk has shifted from a line manager to the C-Suite and Board of Directors, requiring organizations of all sizes to enhance their third party risk management program maturity.
The current landscape for protecting data requires third party risk programs to evolve to “The Next Generation” of third party risk oversight. While the name “The Next Generation” may bring up memories for Star Trek fans debating which era of the television series is the fan favorite, I’m in the core Star Wars camp, wowed by the technology, vision, and sequencing of the Star Wars trilogies.
Each new generation of movie fans saw new gadgets, new threats, and new technology, including new bad guys to battle in the digital landscape. Industry events over the past year have shifted our technology point of view and require a new level of acumen, strategy, and response. From cyber security breaches to vulnerabilities with funny names, the rise of social media influence is changing how organizations plan for third party risk. Big brand companies are facing a cyber battle with Death Star-like precision, but without the full suite of tools and gadgets to help defend the company brand. What was once a supply chain or IT security vendor risk program has become a broad, umbrella governance model managing risks holistically.
Evolving third party risk focus areas:
- Expanded Control Considerations: The focus has shifted to the depth, breadth, and security maturity of controls. The next generation goes beyond “Trust but Verify” to assess and ensure governance of security policy exceptions. Open source technology is pervasive and requires new levels of rigor for application security and infrastructure oversight. A heightened threat landscape brings vulnerability management to the next generation of white hat hackers.
- Cloud Computing: Risk Assessment considerations need to shift from the older generation to the new generation of cloud technology. The acceleration of cloud computing erodes the old school concepts and practicality of perimeter security. The next generation third party risk professional needs to be equipped to understand the details of cloud layers, types of service models, and data/client resource segmentation.
- Regulatory Compliance Factors: Non-IT risks for consumer protection and operational risk take third party risk from “vendor audits” to continuous monitoring of critical suppliers. The next generation of third party risk requires the incorporation of regulatory monitoring, regulatory research and analysis, and compliance management systems to address compliance readiness.
- Professional Ethics & Business Factors: Oversight of ethics and compliance starts within the company culture. Business conduct and codes of ethics need to be in sync with marketing practices and selling models. The next generation of third party risk requires oversight of new business activities to ensure risk and compliance are addressed. Corporate social responsibility becomes a factor for reputation risk management within supply chains. Aggressive enforcement by the CFPB, FCC, and FTC is accelerating the pace at which organizations must address consumer protection compliance.
Even the traditional audit frameworks for governance are going to the next generation with the updated COSO Framework for Cyber Security Risk Assessments. The COSO dialogue asks senior leaders to be introspective and ask strategic questions about their organizational maturity for governance:
- Are we focused on the right things?
- Are we proactive or reactive?
- Do we have the right talent?
On-site assessments are moving from binary to maturity-based self-assessments, including an approach in which service providers engage in collaborative on-site assessments with a set of clients to minimize the resource contention of handling multiple third party assessments. The next generation of third party approaches must blend or layer independent testing of controls to provide assurance while maximizing efficiency in the third party risk process.
So whether you are a traditional Trekkie or in the Yoda camp, both genres valued blending technology with good old-fashioned smarts: asking the right questions, trusting your judgment, and creating new battle plans. Neither science fiction series could have foreseen the technology advancements of the last fifty years, but third party risk professionals will face even bigger challenges in the next five as technology and risk leap at the speed of light.
Playback of the NYSE recorded event, The Next Generation of Third-Party Risk Management, is available on the Prevalent web site.
Linnea Solem is Chief Privacy Officer and Vice President of Risk and Compliance for Deluxe Corporation and a former Chair of the Shared Assessments Program. Linnea is a management professional with 20+ years of financial services experience in areas including eCommerce, technology, business development, marketing, information practices, and risk management. She is a Certified Information Privacy Professional and led Deluxe’s compliance initiatives for Y2K, GLB, Check 21, and Red Flags legislation. You can connect with Linnea on LinkedIn.
Reposted with permission from Deluxe Blogs