party - Blog - Global Risk Community (feed updated 2024-03-29T13:43:31Z)
https://globalriskcommunity.com/profiles/blogs/feed/tag/party

What Can CISOs Do to Mitigate Security Risks Posed by Third Party Suppliers?
https://globalriskcommunity.com/profiles/blogs/what-can-ciso-s-do-to-mitigate-security-risks-posed-by-third
Published 2020-01-21T06:31:36.000Z by Kirsty Donovan (https://globalriskcommunity.com/members/KirstyDonovan569)
<div><p>In today’s hyper-connected digital age, it is not unusual for medium to large-sized companies to have hundreds, or even thousands, of third-party suppliers.</p><p>These range from product suppliers to billing processors, cloud providers and a variety of other services.</p><p>This volume of suppliers makes it hard for Chief Information Security Officers (CISOs) to manage risk properly, especially when personal or confidential data is shared with those suppliers.</p><h3>A Risky Misconception – Understanding Supplier Risk Profiles</h3><p>Many businesses think that if they outsource a service, they automatically outsource the risk too. This is not true: accountability for the data, and for the consequences of a breach, stays with the organisation that outsourced it.</p><p>The procurement and security departments need to work together to:</p><ul><li>understand the supplier’s risk profile</li><li>ensure that the identified risks are translated into contract clauses and on-site audits</li><li>identify and monitor how the supplier manages risk to the required level.</li></ul><p>We have identified five steps to help companies mitigate the risk caused by outside suppliers.</p><h3>1. Build a Structural Picture of the Organisation</h3><p>According to Nick Frost, Director of CRMG, all too often security teams get distracted by the main security challenge, i.e. the immediate risk to the primary business. 
To mitigate supplier risk, they need to gain a deeper understanding of the business processes, the services the business uses and how data is handled across the supply chain.</p><p>This can be a complex process, especially when there are multiple levels of suppliers. CISOs need to know whether the risk lies with a tier 1, tier 2 or even tier 3 supplier. To do this, a full structural outline needs to be drawn up that charts the flow of data and information all the way through the various supply chains.</p><p>As companies and suppliers become increasingly interconnected through network sharing, cloud storage, APIs and similar integrations, the need for security oversight becomes even more critical.</p><p>CISOs need to nail down exactly what type of data is being shared and where it is going. For instance, if Personally Identifiable Information (PII) or confidential business data is being shared, it creates a significant risk if left unmanaged.</p><h3>2. Create a “Checklist” Triage Approach to Risk Management</h3><p>CISOs can be overwhelmed by the amount of information that comes in from suppliers. A system needs to be devised to assess the risks posed by suppliers, especially those handling sensitive data. Red flags need to be raised when suppliers handling the riskiest data do not meet the required control levels.</p><p>When there are thousands of suppliers in the supply chain, CISOs need to home in on the priority ones, i.e. the suppliers that can cause the most disruption to operations or pose the greatest data risk. Andrew Wilson, a Principal Consultant at CRMG, suggests a triage approach, with a checklist of security requirements drawn up for each critical supplier.</p><h3>3. Risk-aware Onboarding</h3><p>The best way to mitigate risk from the outset is to make sure that contracts reflect the security issues at hand. 
It is a good idea for CISOs to establish close relationships with the legal and procurement departments.</p><p>For instance, the procurement team can say, “Here, we have this MSA (Master Services Agreement); this is the type of product or service on offer.” CISOs can then do their risk assessment based on that information, then sit down with procurement and highlight which controls are missing, which are not necessary, and so on.</p><p>It is important to remember that when the legal team goes into discussions with a potential supplier, there will be a contract negotiation, and there will be certain clauses that the supplier will want to redline out. The legal and procurement teams need to know exactly which are the “nice to have” clauses (i.e. those that can be sacrificed) and which are the non-negotiables: the must-have clauses that ensure the required security level is met.</p><p>This avoids the situation where CISOs are brought in too late, i.e. after the contract is already in place, and only then realise that the vendor has a poor security posture. It is far better to discover this before the product or service is purchased and the contract is signed.</p><h3>4. Update Risk Profiles as Services Change</h3><p>Services provided by suppliers can easily change over time, which means that the type of data being shared may change too. Often, business people are not aware of the consequences that adding different data types can have.</p><p>For example, a cloud provider may be perfectly adequate for storing general data, but if you start to store confidential data, PII, information about mergers and acquisitions and so on, the risk profile changes drastically. The original contract may not address this risk, so periodic reassessment of each supplier’s risk profile is a good idea.</p><h3>5. Consider “Exit Strategies”</h3><p>Organisations also need to consider exit strategies, or “divorce arrangements”. When a company finally parts ways with a long-term supplier, that supplier may still hold a lot of the company’s sensitive data. 
CISOs need to find a way to mitigate this risk. They need a way of staying on good terms with the supplier while managing a secure transfer of data to the new party, and of confirming that the outgoing supplier has returned or securely destroyed the data it still holds. Again, a checklist approach can work here, to ensure that each residual risk is tracked and closed off.</p><p>To find out more about third party risk, you can listen to this podcast <a href="https://www.crmg-consult.com/2019/11/27/crmg-podcast-how-to-manage-third-party-risk-when-you-have-thousands-of-suppliers/">here</a>.</p><p><strong>About the author</strong></p><p><img class="alignnone size-full wp-image-285" src="https://www.crmg-consult.com/wp-content/uploads/2019/08/Nick-Frost.jpg" alt="Nick Frost" width="112" height="112" /><br /> <strong>Nick Frost<br /></strong> Director, CRMG</p></div>

How to Manage Third Party Risk When You Have Thousands of Suppliers
https://globalriskcommunity.com/profiles/blogs/how-to-manage-third-party-risk-when-you-have-thousands-of
Published 2019-12-30T16:07:09.000Z by Kirsty Donovan (https://globalriskcommunity.com/members/KirstyDonovan569)
<div><p>Not so long ago, the idea of outsourcing critical business functions or IT systems to a third party supplier would have been off limits for many organisations because of the level of risk involved. Today, however, the use of third party suppliers has increased exponentially, with many organisations outsourcing even core functions of their business. Why? Outsourcing can be financially attractive, efficient and a source of competitive advantage.</p><p>In delegating key processes to third parties, organisations are potentially exposing themselves to huge amounts of risk, and while you might be able to outsource functions, you can never outsource business risk or reputation. It is common for information security to be the last item in the due diligence process when selecting suppliers. So, when you have thousands of suppliers, and they in turn have thousands of suppliers, how far should you go to assess and manage cyber risk?</p><iframe width="560" height="315" src="https://www.youtube.com/embed/I_mJ6rg-dUY?wmode=opaque" frameborder="0" allowfullscreen=""></iframe><p>In this podcast, CRMG’s Nick Frost, Todd Wade and Andrew Wilson discuss the key risks associated with third party suppliers, how to manage the process of onboarding suppliers, and how to filter through suppliers to assess those most critical to your business. The team also discusses the importance of managing relationships with third party suppliers and the need for an exit strategy in the event of a split.</p></div>

GFMI to Host the 7th Edition Third Party Vendor Risk Management Conference on February 12-14, 2018 in New York, NY
https://globalriskcommunity.com/profiles/blogs/gfmi-to-host-the-7th-edition-third-party-vendor-risk-managment
Published 2017-12-08T21:19:57.000Z by Amanda Pink (https://globalriskcommunity.com/members/AmandaPink)
<div><p>The <strong>7th Edition Third Party Vendor Risk Management for Financial Institutions Conference</strong> will bring together leaders involved in vendor risk management, procurement, data security and contract management to apply practical strategies for evolving your current third party oversight program. Learn best practices in managerial strategy from industry leaders to align third parties with your business goals and develop holistic governance strategies. The conference also covers how to get the most from your due diligence process, from the initiation of the contract to the monitoring of the vendor life cycle, ensuring that a comprehensive risk-weighted approach is taken to continuous oversight.</p><p><strong>Attending This Premier GFMI Conference Will Enable You To:</strong></p><ul><li><strong>Leverage</strong> technology to enhance oversight and risk assessment of vendors</li><li><strong>Augment</strong> vendor risk management programs to develop a seamless third party management framework</li><li><strong>Tailor</strong> risk-weighted assessments to identify the critical vendors</li><li><strong>Understand</strong> the supervisory priorities for third party risk management</li><li><strong>Minimize</strong> 4<sup>th</sup> party risk to ensure business continuity</li></ul><p><strong>Key Speakers Include:</strong></p><ul><li><strong>Caree Wagner</strong>, Managing Director, Operational Risk Management, <strong>BNY Mellon</strong></li><li><strong>Nasser Fattah</strong>, Managing Director, <strong>Bank of Tokyo Mitsubishi</strong></li><li><strong>Ken Walker</strong>, Managing Director, <strong>State Street Global Exchange</strong></li><li><strong>John Gilbride</strong>, Executive Director, Corporate Third Party Oversight, <strong>JP Morgan Chase</strong></li><li><strong>Roger Parsley</strong>, Director, Head of Third Party Risk & Control, <strong>Deutsche Bank</strong></li><li><strong>Michael Casey</strong>, Head of Outsourcing & Supplier Risk, Americas Region, <strong>UBS</strong></li></ul><p>For more information, please visit: <a href="http://bit.ly/2AoPYnm">http://bit.ly/2AoPYnm</a> or contact Amanda Pink at <a href="mailto:amandap@marcusevansch.com?subject=Agenda%20Request:%2012th%20Annual%20Liquidity%20Management%20(Supply%20Chain%20Brain)">apink@gfmi-global.com</a></p><p><strong><em>GFMI</em></strong> <em>conferences annually produce over 2,000 high quality events designed to provide key strategic business information, best practice and networking opportunities for senior industry decision-makers.</em></p></div>

Incorporating Third Party Risk into Your Enterprise Risk 
Strategy
https://globalriskcommunity.com/profiles/blogs/incorporating-third-party-risk-into-your-enterprise-risk-strategy
Published 2015-06-09T20:18:45.000Z by marcus evans N.A. Conferences (https://globalriskcommunity.com/members/marcusevansNAConferences)
<div><p><i>Interview with Aretina Trepczyk, Vice President, Enterprise Risk Manager at Umpqua Bank</i></p><p>Increased regulatory pressure on third party vendor risk has sharpened the focus on this key area of operational risk. Despite institutions implementing changes to their third party risk strategies, many programs still need to be optimized and enhanced to ensure strong due diligence of vendors and minimize risk exposure to the enterprise. Institutions need to incorporate their third party risk strategy into overall enterprise risk management to ensure they manage risk effectively while adding value to the organization.</p><p>Ms. Trepczyk, Vice President, Enterprise Risk Manager at Umpqua Bank, recently spoke with GFMI about key topics to be discussed at the second edition of their <b>Third Party Vendor Risk Management for Financial Institutions Conference, September 21-23, 2015 in San Francisco, CA.</b></p><p><b>Why is third party risk such a key issue for financial institutions at this time?</b></p><p><b>AT:</b> Increased regulatory expectations are a driving force behind third party risk being a key issue for financial institutions. Banks can be held liable if third parties are not meeting regulatory requirements, and therefore there is a need for stronger ongoing monitoring and oversight. Additionally, many of our third parties have access to customer information, which must be protected against unauthorized use. 
To add to the complexity of this issue, many third parties that financial institutions have historically done business with do not currently have the technology or process infrastructure to meet these increased expectations, and it can sometimes be difficult to exit these relationships.</p><p><b>How can you ensure sustainable third party risk management?</b></p><p><b>AT:</b> Given the sheer volume of third parties that most financial institutions work with, third party risk management cannot be a one-size-fits-all approach. To have a sustainable program, risk management activities should be tailored to the specific risk associated with the third party’s activities. This is why performing thorough due diligence and taking the time to complete a comprehensive risk assessment of the third party is essential. For example, you may find that a particular third party represents high consumer compliance risk but low financial risk. In this case, you would want to keep monitoring activities focused on compliance, and perhaps a detailed financial review is not needed. Utilizing such an approach helps ensure limited resources are focused on the right things.</p><p><b>How can third party risk management bring value to the organization?</b></p><p><b>AT:</b> Third party risk management can bring value to the organization by providing timely risk intelligence that helps key stakeholders make decisions on entering into a new, or renewing an existing, third party relationship. In order to be successful in this, risk management needs to get involved early on in the process and stay engaged during the life of the relationship.</p><p><b>Why is it important to streamline your third party risk program to follow your ERM programs?</b></p><p><b>AT:</b> The risk associated with third parties should funnel up to the risks that are tracked at an enterprise-wide level and should fit into your overall risk appetite. 
This helps Senior Management and the Board make the connection on how third parties can impact the bank’s overall risk profile. If you ignore third party risk in your overall ERM program, you may not have a comprehensive picture of the risks facing the institution.</p><p><b>What do you think attendees will gain from attending this event?</b></p><p><b>AT:</b> Best practices and real-life solutions on how to approach current third party risk management issues.</p><p><i>Aretina Trepczyk is the Enterprise Risk Manager for a large community bank in Portland, Oregon. Her current role includes managing the Third Party Risk Management function as well as Enterprise Risk Management and Continuous Monitoring. Aretina brings 15 years of experience in both Risk Management and Internal Audit. She is also a CISA and has a strong background in Information Technology, which has helped strengthen her Risk Management skills. Additionally, Aretina is working on implementing her second GRC program, which will be used for her Enterprise Risk assessment and monitoring, Third Party Risk due diligence and ongoing oversight, and Continuous Monitoring testing.</i></p><p>At this <b>GFMI</b> conference, the practical case study presentations focus on the effective management of risk while adding value to your organization. 
Our speaker discussions will help financial institutions optimize their management of fourth parties and ensure clear ownership of third party risk, so that all third party relationships are managed effectively and the overall risk to the enterprise is reduced.</p><p>For more information, please click here to download the <a href="http://www.global-fmi.com/CMU150_AT_intvwlink">conference agenda</a> or contact Tyler Kelch, Assistant Marketing Manager, GFMI at 312-894-6310 or <a href="mailto:tylerke@global-fmi.com">tylerke@global-fmi.com</a></p><p><b>About Global Financial Markets Intelligence</b></p><p>GFMI is a specialized provider of content-led conferences for the financial markets. Carefully researched with leading financial market experts, our focused quality events deliver key bottom-line value through targeted presentations, interactive discussions and high-level networking opportunities.</p></div>