On Demand Events

Missed a recent webinar or Member Forum Call? Catch our previous virtual sessions here. We now offer CPEs from most of our on-demand offerings. To earn CPEs, please submit your information and codes in the form linked below. Note: our on-demand recordings work best when viewed in the Chrome browser.

Committee Meeting

Insurance Committee – Open to Members Only

This committee exchanges ideas, shares best practices, and identifies collaboration opportunities related to insurance-specific TPRM needs. Areas of interest include, but are not limited to, the complexity of Nth party relationships, the impact of climate change on complex supply chains, regulatory requirements for insurance firms, the complexity of assessing risks surrounding their client product offering(s), and additional assessments of existing service providers including agents, brokers, and managing general underwriters (MGU). Schedulers for this committee have been issued to committee members. If you are not part of this committee, please register your interest using the link below.

Financial Services Committee Meeting – Open to Members Only

This group fosters a vibrant community of Asset Management and Financial Institution professionals, dedicated to sharing experiences and insights. Our members collaborate to tackle challenges, explore risk trends, adapt to regulatory changes, and share best practices. Focus areas include program governance, policies, and methodologies as well as lifecycle activities such as sourcing, due diligence, control validation, and performance monitoring. Schedulers for this committee have been issued to committee members. If you are not part of this committee, please register your interest using the link below.

Insurance Committee Meeting – November 2024

The Shared Assessments Insurance Committee discussed the importance of application-level encryption, with 84% of respondents requiring it. They debated key rotation, with 30% mandating annual rotation. The committee also explored the use of third-party assessments and certifications, noting that 20% accept them fully, while 30% use them partially. The conversation highlighted challenges in managing assessment questionnaires, with typical high-risk assessments ranging from 200 to 300 questions. The meeting concluded with plans to address data minimization efforts, AI programs, and regulatory changes in future meetings.

Joint Emerging Tech & Regulatory Committee Meeting – November 2024

The meeting discussed the impact of AI regulations on third-party risk management. Key points included a recap of 2024, with summaries and a review of the similarities and differences between the Executive Order, EU AI Act, and UK AI Laws. The panelist then defined AI Systems, AI Deployer, and AI Provider before several use case scenarios were explored to show the different impacts these regulations would have on them. Use case examples included an AI Deployer of a multinational bank organization with EU operations; an AI Deployer of a US-based healthcare provider active in the EU market; and an AI Provider of a high-risk AI system. The committee then looked ahead to what might be expected in 2025 and beyond in the US, UK, and EU.

Financial Services Committee Meeting – November 2024

The Financial Services Committee discussed various topics, including the impact of the Bank of England's ruling on critical third parties, the importance of supply chain & geopolitical risk management, and the FFIEC's updated handbook. Key points included the need for proactive monitoring of critical vendors, leveraging data sources, and understanding the financial stability of vendors. The committee emphasized the importance of aligning third-party risk management programs with regulatory expectations and maintaining up-to-date policies. They also highlighted the necessity of involving senior management and compliance teams in analyzing and addressing regulatory changes to ensure compliance and resilience.

AI & Emerging Technologies Committee Meeting – October 2024

This meeting covered Microsoft's nuclear-powered data center. We discussed NIST standards for post-quantum cryptography (PQC), emphasizing the transition from RSA to ML-KEM and ML-DSA for key encapsulation and digital signatures. The conversation highlighted the rapid advancements in AI and the need for agile governance to balance innovation and regulation. The discussion also touched on the lessons learned from Y2K, the importance of asset management, and the potential risks and benefits of AI, drawing parallels to past technological fears and uncertainties.

Healthcare Committee – October 2024

The Shared Assessments Healthcare Committee discussed the rapid evolution of technology, particularly AI, and its impact on third-party risk management. Key points included the importance of aligning risk assessments with contractual terms and business impact analysis. The committee members shared their assessment volumes, with some performing over 500 assessments annually. They also discussed the use of AI tools to streamline the assessment process and the challenges of managing large volumes of assessment questions. The meeting concluded with a review of the committee's achievements in 2024 and plans for 2025, emphasizing the need for continuous improvement and adaptation to emerging risks.

Global ESG TPRM Committee – October 2024

The Shared Assessments Global ESG TPRM Committee discussed the consideration of rebranding from ESG to Sustainability, with 62% of respondents supporting the change. Gary Roboff, Senior Advisor, Shared Assessments, discussed the EU's new regulation on deforestation, emphasizing its importance for global supply chains. Rhonda Cook, Senior Advisor, reviewed Noteworthy News on ESG & TPRM. A Deloitte survey revealed that 66% of private company leaders view climate change as a high or very high risk. The US Department of Commerce unveiled the SCALE tool to assess supply chain risks, though it is not publicly accessible. Members expressed interest in AI's role in Sustainability as a topic for future discussion in the Committee. Links to suggested reading are included in the Master Deck, attached. The meeting concluded with a ShopTalk on integrating sustainability into third-party risk programs, highlighting practical steps and challenges.

Insurance Committee – September 2024

The Shared Assessments Insurance Committee discussed various topics, including the upcoming UK Summit on September 25, the 2025 US Summit in Fort Lauderdale, and the importance of AI in third-party risk management. They recapped data privacy, cybersecurity, liability, and generalized risks associated with autonomous vehicles (AVs). During open discussion on TPRM Insights, they highlighted the need for a risk appetite framework and the roles that country risk and operational risk management play. The committee also explored the challenges of assessing vendors during proof-of-concept (POC) phases, suggesting early involvement and data minimization strategies. They noted the increasing number of third-party assessments, with some organizations performing over 500 annually, and the importance of continuous monitoring and cyber threat intelligence tools.

Financial Services Committee – September 2024

Jen Hancock highlighted the importance of the IAG guidance for navigating third-party risk and regulatory requirements. Chris Johnson introduced the Shared Assessments IAG gap analysis tool, which maps IAG to rescinded FRB, FDIC, and OCC guidance, helping identify new requirements and potential gaps. During the Open Mic for Members, participants noted the need to explore alternative methods of assurance and due diligence when direct assessments are not possible. The committee explored offshore delivery center controls. Feedback from organizations was that they are implementing a combination of physical and technological controls for offshore delivery centers, rather than relying solely on physical security measures like "clean rooms". They also reported a trend towards bringing more critical functions in-house or to captive centers to maintain tighter control over sensitive data and processes, rather than relying on third-party offshore providers. Lastly, participants highlighted the challenges of maintaining control environments and talent acquisition/retention for offshore locations, especially with the shift to more remote and hybrid work models during the pandemic.