Third Party Risk Portals and Repositories

Shared Assessments’ Best Practices Awareness Group weighed the pros and cons of Third Party Portals and Repositories. The portals and repositories under discussion are web applications controlled, owned, and managed by a third party where organizations upload and deposit due diligence documents for the purpose of sharing with other customers in an easy-to-use access point for their business partners.

When done right, portals and repositories help alleviate the vendor and outsourcer fatigue and aggravation associated with continually responding to common requests. However, as with all access points, shared portals are not without their risks. Here are the pros and cons – and some middle ground best practices and cautions pertaining to portals and repositories.

Cons of Portals

Tony Manley, a seasoned Third Party Risk Professional, took the “con” side of the point-counterpoint format for the discussion. Tony acknowledged that portals are useful and obviously widely used. Manley expressed why concerns around third party portals and repositories may outweigh the advantages of using them. The concerning elements around portals include:

1. No active control by document/information contributors over who can view and access confidential data posted on the portal. Consider:
   • What are the security issues of the portal?
   • How was the application built and by whom?
   • What firewalls are being used and how are they being monitored?
   • What technologies are in use for breach prevention, detection and notification?
2. Lack of knowledge about where data resides, particularly pertaining to disaster recovery sites – the more locations there are where the data resides, the greater the opportunity for data to be breached. Will you receive notice of confirmed or suspected breach from a portal provider?

3. No indemnification for loss of data. If confidential data is circulating beyond the portal due to a breach, and it causes the organization financial harm, is there an agreement in place for recourse?

4. Manley’s recommendation – due diligence document repository portals are very useful, but the safest route is to build and maintain your own and control access.

Other discussion participants acknowledged a con on the vendor-side. Some vendors reject response via portal or repository due to distrust and skepticism. For example, these organizations do not have the ability to control what sensitive information legitimate users may share across the pool of their client population.

To resolve these issues, Manley and other group members state it is most efficient and cost effective for TPRM programs to use internal management of the document collection process.

Pros of Portals

Kaelyn Lewis, Senior Risk Analyst at Rochdale Paragon, reviewed “the good side” of portals and repositories, including access to information that was previously considered too sensitive to share, such as PEN testing. She acknowledged that there needs to be more education around the sensitivity of data sharing across risk management teams. Lewis sees the greatest advantages of portals and repositories as:

1. Assurance that data is safeguarded – in an era of increasing availability of data and information, a portal/repository can give some assurance that information provided is safeguarded.
2. Transparency around information shared – for example, if email is used for the due diligence process instead of a portal, one vendor representative might send some information, while another representative might send a different set of documents. That leaves your risk program stuck in an information sharing role that may violate NDAs and could potentially result in inappropriate documentation being provided to the wrong client or for the wrong product, service or system in scope. When information is on a data site where access is on a validated basis (need to know), what can be shared is more consistent and clear.
3. Greater controls around data – access and permission controls, read-only access and file sharing capabilities, and watermarking with IP addresses can be implemented.
4. Reduction in assessment fatigue – the 24/7 nature of access and the validation processes that some portals employ provide relief for vendors on repetitive information requests, while allowing outsourcers to scope their examination based on each business unit’s needs.

The Middle Ground

The Best Practices Awareness Group found a common set of principles that rang true across their discussion. With third party portals and repositories, it is important to understand that responsibility for the data is shared between three parties – the party requesting the information, the party collecting/hosting/housing the information, and the party providing the information. Questions should be posed to vendors that cover the scope of concerns in the con point of view. Risk programs need a clear and documented understanding of how data is being secured, stored, and accessed. Third party vendors and their portals (or repositories) always need to be properly vetted.

Steps for vetting a third party portal/repository should include:

1. Perform a Risk Assessment.
2. Check Relevant Certifications – does the vendor have a SOC, ISO or SCA and recent vulnerability reports (network scans and penetration testing) they can provide?
3. Check Security Architecture Diagrams – check for where data is being stored, the platform architecture and controls, and compliance with regulatory requirements, including GDPR.
4. Review Incident Response Protocol – ensure it meets or exceeds your own organization’s requirements.
5. Ensure NDAs are in place and complied with – from an industry and portfolio perspective, this helps with measuring risk.

During the discussion, Best Practices Group members noted that even with a portal fully stocked with due diligence artifacts, a servicer sometimes still needs to respond to specific questionnaires or questions. To this end, as a workaround, many companies use a key control questionnaire of 10-25 questions. Based on responses to these questions, a deeper dive that feeds into the Standardized Information Gathering (SIG) Questionnaire can be created. Additionally, in companies with mature TPRM programs, steering committees or other governing bodies create adaptive enablement or an exception evidence process that can be utilized to meet this need.

Portals can be key relationship builders where the vendor can set the stage for comfort and assurance. Unresponsiveness risk is a heightened risk category itself. Throughout the due diligence process, any vendor that does not adequately respond to your inquires for risk assessment should be placed on your watch list and advise the business unit of this issue. If the vendor is not forthcoming with assessment information, it may indicate staff constraints or other concerns that reveal a risk hygiene posture that is not aligned with strong risk management.