In 2019, data privacy dominated third party risk management (TPRM) activities, thanks to the European Union’s (EU’s) General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA). Data privacy concerns will continue to top TPRM priorities in 2020, but those lists will be overstuffed with other pressing matters, including resilience, nth party risk management, new and emerging operational risks, challenges stemming from the rapid convergence of information technology (IT) and operational technology (OT), vexing cyber-attacks and a range of improvement initiatives, starting with continuous monitoring.
This article offers a high-level summary of the most noteworthy 2019 TPRM issues and 2020 TPRM trends along with a set of “resolutions” for practitioners to consider pursuing this year to sharpen their third party risk management programs. The discussions that follow — which are relevant to TPRM practitioners, third party service providers, assessment firms and other TPRM principals — were generated based on interviews conducted with Shared Assessments Program experts in late 2019.
This commentary is intended to generate fresh thinking, ideas and approaches, not an authoritative set of TPRM instructions (more readily found in our Framework and Tools). Many of the issues raised are interrelated. Rising cyber-attack activity gives rise to new regulatory requirements. The adoption of advanced technologies, such as artificial intelligence (AI) and 5G, creates new third party risks that require programmatic adjustments. And trends that dominated discussions in one year tend to carry forward into the next.
The observations and analyses that follow are designed to help practitioners apply their tools and knowledge in a more targeted, proactive, efficient and effective manner.
Last year it became clear that many TPRM activities required viewing through a data-privacy lens. TPRM professionals watched closely as the EU ramped up GDPR enforcement and as California legislators worked, at times confusingly, to finalize their groundbreaking data privacy and Internet of Things (IoT) security laws. Data privacy featured prominently among other key 2019 developments, including:
Phishing and ransomware remained staples of cyber-attackers’ expanding arsenals
The number of ransomware and phishing attacks increased significantly in each of the past three years according to several sources, including McAfee’s ongoing ransomware research and the Anti-Phishing Working Group’s Phishing Activity Trends Reports. More phishing attacks now contain payload in the form of malware. Automated attacks are becoming easier to launch, and bad actors found success in targeting smaller companies and public sector entities (including utilities and municipalities) in 2019. Smaller organizations tend to lack the resources and defenses necessary to keep pace with fast-changing cybersecurity risks.
Regulatory expectations continued to intensify
Once narrowly focused in the financial services sector, regulatory changes in recent years have applied to a broader collection of industries and companies. For example, GDPR, CCPA and forthcoming data privacy rules signal to third party managers in most industries that they need to effectively manage all their vendors’ data privacy commitments. Escalating regulatory expectations challenge TPRM functions in many ways, including:
- Regulators are demanding higher levels of compliance specificity;
- U.S. and global regulators are aggressively enhancing existing rules and developing new regulations;
- More regulations apply across multiple industries; and
- Emerging factors such as cloud computing and Internet of Things (IoT) are only beginning to be addressed in regulation.
In addition to getting their compliance management processes in order, organizations should keep tabs on court decisions and enforcement actions related to GDPR and, starting in June, the CCPA. If fines for violations of these rules become more onerous, as seems likely, companies should consider sharpening their GDPR and CCPA compliance programs, from both an internal and TPRM perspective.
More data privacy rules are coming down the pike, and these rules will apply to a broader range of privacy risks, such as IoT and cloud-based services. (Last year, the passage of California’s IoT rules was largely obscured by CCPA’s long shadow.) At least a dozen U.S. states are considering their own versions of the CCPA. While federal legislators have expressed a desire to craft a U.S. version of GDPR, progress on a sweeping federal law seems unlikely in a highly divisive election year. That raises the specter of companies complying with numerous state-level data privacy laws, each posing a unique tangle of compliance requirements.
TPRM professionals now need to track how a range of standards-setters are integrating data privacy into their guidance. The International Organization for Standardization (ISO), for example, relied on GDPR to enhance some of its widely used information security management and controls standards. ISO’s “PIMS” extension contains a hefty dose of additional guidance on privacy information management systems (PIMS) applicable to both controllers and processors of personally identifiable information (PII).
Finally, it is important to keep in mind that data privacy represents the most notable — but far from the only — regulatory area that created new third party risks and management challenges last year. Foreign Corrupt Practices Act (FCPA) risks remain a major source of third party risks, for example, and ongoing adoption of cloud technology, AI and 5G are likely to do the same.
IT converged with OT
In recent years, the IT-OT convergence marked a source of increasing OT risk as more and more devices within OT systems and industrial control systems (ICS) were connected to IT systems and networks. While this convergence drives significant efficiency improvements, greater business agility and data analytics advances, it also exposes OT environments to more cyber-attacks, including ransomware and other digital intrusions. These threats, which can lead to major supply chain compromises and staggering revenue losses, can be spread by third party products, integrators and service providers. The most formidable impediment to managing internal and third-party OT risks currently boils down to a lack of awareness and understanding.
This is understandable, given the significant differences between information technology (and cybersecurity) and operational technology. The Shared Assessments Operational Technology Risk Management Working Group was formed last year to fill these knowledge gaps by:
- Identifying and disseminating the challenges that organizations face in managing OT risks;
- Developing methods and tools for standardizing OT due diligence activities; and
- Designing and improving a range of best practices to address OT risk management challenges.
Financial services institutions, asset management firms and insurance companies modeled what awaits other companies
Given their reliance on data and third parties, extensive regulatory requirements, and attractiveness to cyber-attackers, large financial services institutions, insurance companies and asset management firms traditionally have led the way when it comes to testing and implementing leading TPRM practices. This continues to be the case, and third party risk managers in other industries are wise to monitor regulatory developments and to emulate risk management practices in those sectors.
Last year, for example, financial services regulators moved to integrate resilience and business-continuity testing into third party risk management requirements. Additionally, the Federal Deposit Insurance Corporation’s (FDIC’s) June 2019 update to its Consumer Compliance Examination Manual had major implications for third party risk management (TPRM) professionals’ fraud prevention activities in the financial services sector. Those revisions to the manual notably include the addition of 21 pages of new guidance on third party risk management considerations and activities in the manual’s Deceptive Practices section.
Financial regulators and insurers grappled with data privacy, information security and TPRM issues related to climate change, concentration risk, the autonomous monitoring of policyholder behavior (e.g., drivers), and cyber insurance.
Most of these 2019 trends will continue to evolve and influence TPRM activities this year. The most notable trends we expect to have implications on companies and their third parties in 2020 include the following:
A new privacy compact requires major operational adjustments
GDPR and CCPA have ushered in a new era of data privacy, one that has major implications on third party risk management. In the past, third party risk managers focused on data from an IT security standpoint: Is the data secure, encrypted in transit and stored in a risk-intelligent manner?
In addition to those requirements, third party risk managers now need to ensure that vendors can properly manage all the privacy commitments that are made when their company collects data from individuals. Fulfilling this new obligation requires major operational changes. Many companies and third parties need new policies, procedures and processes for keeping data longer, and for tagging and organizing the data according to specific privacy-compliance requirements. Companies need to create and maintain an accurate inventory of all regulated data shared with third parties while monitoring how vendors comply with new privacy requirements on the regulated data.
Resilience rises to the top of priority lists
“Resilience” seems like a safe bet to qualify as a finalist for 2020’s business word of the year. The term is increasingly being applied to third party assessments — and codified by global regulators such as the U.K.’s Prudential Regulatory Authority (PRA), which views operational resilience as “a vital part of firms’ safety and soundness” and an “important priority for the PRA.” The PRA is in the process of integrating operational resilience into its regulatory framework with the intention of steering “firms to be resilient in their adoption of new technologies.” Financial regulators are looking at resilience requirements to help reduce systemic risks when cyber-attacks occur. Resilience describes the set of controls, processes, steps and technologies that are in place to help companies and vendors prevent and respond to unexpected threats with the least possible disruption and the quickest return to normal operations.
Nth party risk management emerges
When a company’s data is shared with a third party, it often sparks a spider web effect — the subsequent sharing of that data with the third party’s subcontractors and those subcontractors’ vendors. While some U.S. regulatory bodies have begun to examine “fourth party risks,” rules-makers in Europe and other parts of the world already have zeroed in on what they refer to as “nth party risk” and “chain outsourcing.” In the U.K., for example, regulators are examining how deeply into the outsourcing chain companies need to manage nth party risk. That focus should increase in 2020. Any rules generated from that scrutiny will pose compliance challenges given that a company sharing data with its third party rarely has contractual agreements concerning that data with its third party’s web of subcontractors.
Operational risks expand
A flurry of regulatory activity, the ongoing globalization of supply chains, shifting public and stakeholder perceptions and priorities, climate change and other drivers of external change are giving rise to new operational risks. Operational and enterprise risks within third party partners have expanded to include money laundering, anti-trust, anti-bribery, international compliance, call center security, payments compliance, ethical sourcing, human trafficking risk in the supply chain, and concentration risks. In November, the Federal Reserve Bank of San Francisco hosted a conference that explored how to quantify the climate risk faced by households, companies and the financial system. Presentations at that event — which focused on the potential implications of climate change for monetary, supervisory, and trade policy, among related topics — along with other regulatory pronouncements suggest that regulators will intensify their focus on climate-related risks in 2020.
Cyber-attacks get personal
Russia’s hacking of the 2018 U.S. election along with the recent increase in cyber-attacks on smaller organizations indicate that these incursions will also get more targeted, and more personal, in 2020. A highly partisan environment and the U.S. Presidential elections will motivate more and new types of cyber-attacks. It seems likely that privacy breaches will become more of a concern for companies to control and manage — a challenge on par with those that data security breaches pose. We expect to see a continued increase in “doxing,” whereby criminals motivated by politics or social beliefs obtain and publicly broadcast personal data and information about a corporation or individual to inflict reputational damage. We also expect to see attempts by one or more nation states to hack the 2020 elections, a major breach in the defense industry by a nation state through a third party, and more attempts to hack (and leak) U.S. intelligence data. In short, 2020 is shaping up to be a particularly ugly year from a cyber-attack perspective.
Given those issues, it makes sense for TPRM professionals to consider taking the following actions:
- Expand your third party risk management tool kit: Numerous frameworks and tools support third party risk management. As third party risk managers strive to convey the need for the additional resources to develop and sustain a robust TPRM program, it is crucial to recognize that the most effective tools continually evolve to keep pace with changing risks and a range of factors that influence third party risks. The Shared Assessments Third Party Risk Management Toolkit is continually updated. The 2020 Toolkit is specifically designed to help enable organizations around the world to meet new and evolving regulatory compliance demands, and to address evolving physical and cyber risk. The current Toolkit features expanded third party privacy tools for GDPR and CCPA; new operational risk content on emerging and expanding third party risk scenarios such as money laundering, trafficking, anti-trust, anti-bribery, international compliance, call center security, payments compliance, ethical sourcing, and human trafficking risk in the supply chain. This resource also features enhanced configuration options that allow both outsourcers and service providers to streamline assessments.
- Avoid shortcuts to sound hygiene: Creating and sustaining sound TPRM hygiene requires a couple of fundamental realizations. The first principle will be familiar to most practitioners: companies do not relinquish risk management responsibility when they outsource data management, processes or functions to a third party. This is the case whether a process is being performed by a services vendor or software is managed via the cloud. Second, it is increasingly important to recognize that there are no shortcuts to sound third party risk hygiene. As the number and nature of third party risks expand — and as internal resources and funding become more difficult to secure — there is a temptation to cut corners: Why can’t we cut in half the number of questions we ask that cloud vendor to save time and cut costs? While efficiency and streamlining can and should be achieved, shortcuts and omissions equate to a penny-wise-pound-foolish approach. Third party risk management requires the addressing of all relevant risk areas; when assessments skip crucial risk areas and questions, the ultimate cost of a resulting risk management lapse can far surpass the annual TPRM budget. It is also crucial for third party risk managers to develop effective business cases to secure the resources needed to effectively meet their fast-growing list of obligations. A robust case statement requires:
- Understanding the changes in the regulatory landscape and the risk environment;
- Doing the work of benchmarking the organization’s TPRM programs; and then
- Applying that knowledge to show that a positive impact can be achieved by improved risk management with the highest risk vendors.
- Embrace and expand continuous monitoring: Continuous monitoring represents a critical component of a sound third party risk management capability. The universe of information that needs to be monitored has expanded in recent years thanks to the use of new and emerging technology, among other factors. As a result, TPRM professionals should develop a consistent understanding of continuous monitoring practices. (This is a challenge that the Shared Assessments Program Continuous Monitoring Taxonomy subgroup is addressing via the proposal of a common taxonomy that categorizes the types of alert information that can be selected for monitoring.) Companies with leading continuous monitoring capabilities keep tabs on indicators in real time or near-real time and apply continuous monitoring to new risk domains such as IoT devices.
- Improve and expand collaboration: Phishing attacks remain a go-to weapon because they work. Human fallibility represents a top cybersecurity risk. Yet, human collaboration represents a foundational component of effective cyber security and third party risk management. As the nature of third party risk evolves, more experts and groups — companies and third parties, third parties and nth parties, data privacy and information security, operational technology and information technology and so on — need to commit to collaboration. This requires TPRM leaders to encourage a growing number of stakeholders to establish governance and, increasingly, to get out of their professional comfort zones to better understand other stakeholders’ domains, concerns and risks.
- Recognize the rise of chief data officers: We expect more companies to hire chief data officers (CDOs) in 2020 and beyond. We also expect these leaders to attain a level of C-suite influence on par with the credibility that chief information officers (CIOs) command. CDO positions will have combined responsibility for the privacy and security of data. Current chief information security officers (CISOs) who possess the necessary data privacy education and experience will be prime (but far from the only) candidates for the CDO seat.
- Take a closer look at cyber insurance: As the frequency and magnitude of cyber-attacks continue to increase, more companies will evaluate and invest in cyber insurance. Cyber insurance can help companies and their third parties mitigate exposure to losses caused by cyber security breaches. From 2014 to 2018, the portion of Marsh & McLennan’s corporate clients with standalone cyber insurance policies in force rose from 19 percent to 28 percent, according to the Wall Street Journal. This interest is driving more information security and third party risk managers to learn more about what these policies do and do not cover. Insurers that sell these policies are also necessarily taking a hard look at the cyber hygiene of their customers. As a result, we expect standards to continue to emerge in 2020.
- Advance public-private partnerships: TPRM professionals and leaders within critical infrastructure companies are well aware of the importance of working closely with the federal government on risk and security matters. In the past year, we’ve witnessed more instances of companies reaching out to their public sector counterparts to inform them of cybersecurity breaches and share insights related to the nature of those attacks and what proved effective in their responses. More companies, regardless of whether they qualify as part of a country’s national security fabric, will follow suit due to the benefits of this information and practices-sharing.
As third party risk professionals seek to improve and expand their knowledge, capabilities and resources in the face of an unknowable future, it may be useful to keep in mind sci-fi author William Gibson’s observation that the future is already here, but it is unevenly distributed. Some companies and practitioners are ahead of the game, in other words, which makes collaborating with colleagues, peers and other experts extremely valuable.
Thanks to the Shared Assessments experts who contributed to this report: Tom Garrubba, Bob Jones, Mike Jordan, Brad Keller, Charlie Miller and Gary Roboff