Advanced Third-Party Risk Issues. Now that You've Created a Vendor Management Program, How Do You Keep Vendor Oversight Effective and Ongoing?


2 Agenda
- Due diligence
- Contractual requirements
- Onboarding/ongoing monitoring
- Contract termination (natural term/closure or termination for cause)
- When something goes wrong (breach, bankruptcy, other issues)

3 Due Diligence: Risk Factors
- General control environment
- Financial strength
- Turnover of management & employees
- Redundancy/business capability
- Outsourcing/reliance on subcontractors
- Push-down of contract requirements with government

4 Due Diligence: What to Review
- Knowledge of laws & regulations
- Risk management program
- Controls
- Procedures
- Training program

5 What Counts for Due Diligence
Assurance that a potential vendor is financially stable, ethically sound, and has a strong corporate structure. Reviews should be tailored to the risk the vendor may present to your organization. Due diligence is performed by the Vendor Management Office (VMO). The VMO is responsible for maintaining a non-biased view of vendors and manages the vendor relationship.

6 Risks
Auditors and regulators could impose penalties, revoke licenses, or take legal action against your company if the vendor is not compliant with the standards. The press can also damage your company's reputation if a vendor's lack of compliance is exposed. This could negatively affect investor ratings, rating agency scores, shareholders, and more.

7 Types of Vendors
- Support: most intense review. Review handling of PII, compliance, legal, financial, corporate structure and stability, annual spend.
- Technology: depends on type of product. Review handling of PII, security of systems (SSAE 16 or similar audit), financial, legal, corporate structure & stability, annual spend.
- Contractor: review financial, legal, corporate structure and stability.
- Google search on all (news).

8 RFP
- When to do
- How to review
- Advice in advance
- Follow-through: build into contracts what is promised in the RFP and

9 CONTRACTS

10 Depends on Vendor Type: Support, Technology, Contractor
- Key regional differences
- Expansion of services or build
- Regulatory concerns

11 Key Provisions
- Services or goods
- Payment terms
- Reps and warranties
- Exclusivity
- IP
- Limitation of liability
- Security protocols
- Pass-through provisions

12 Special Contracts
- Business associate agreements
- Data processing agreements
- Employment

13 Prepare for the End
- End of the contract or issue with the vendor
- Data held by the vendor
- Known by the vendor
- Relevant clauses

14 MONITORING

15 External Data Sources
Watch List Lookup: The Thomson Reuters World-Check tool comprises over 300 global watchlists worldwide, including OFAC. Watchlist findings can indicate whether the vendor is working with any bad players or terrorist organizations.
PCI Lookup: If the vendor is used to electronically process, store, or transmit credit or debit cardholder data, they are run through Visa's and MasterCard's global registries of organizations compliant with their security standards.
Consumer Financial Protection Bureau (CFPB) Lookup: The CFPB maintains a database of consumer complaints raised against organizations operating in the United States. Reviewing the entries in the CFPB database provides insight into public perception of a vendor, as well as its ability to properly deliver services.
Office of the Comptroller of the Currency (OCC) Lookup: A review of the data from the independent bureau within the Department of the Treasury that periodically issues consent orders against regulated entities, including cease and desist orders, monetary penalties, and general findings.
Financial Lookups: Vendors receive a financial health review from several financial data sources to properly identify any bankruptcy or solvency risk.
All issues identified in the external data review are logged within the vendor risk management platform, decisioned, and tracked.

16 Vendor Required Updates
- Third-party Service Auditor Reports (SOC 1, SOC 2, or ISAE 3402)
- Breach Notification Plan
- Business Continuity/Disaster Recovery Program materials and test results
- Applicable PCI Attestations of Compliance
- Financial package
- Proof of insurance
- Policies and other program documentation
- Any other client-requested documentation
All evidence collected will be reviewed and any issues will be logged.

17 Internal Data Sources
- SLAs: Have SLAs been consistently met, with credits issued where appropriate?
- Deliverables: Have deliverables met expectations, or had to be modified due to vendor requirements?
- Relationship: How does the vendor interact with internal relationship managers?

18 Findings & Issues
All matches or areas of risk stemming from the external data review, vendor control survey, and evidence review are referred to as findings. When a finding meets the appropriate level of control weakness or gap, it becomes an issue. All issues from any external data review, vendor control survey, or evidence review will be logged and decisioned. Issues can be decisioned in multiple ways: mitigation, terminated vendor relationship, or risk acceptance. All issues that are risk accepted are periodically reviewed to ensure that the risk is still appropriate to accept.

19 TERMINATION

20 to Change request strategy service Sue for breach

21 Termination of Vendor Contract
- Normal timing
- For cause
- Insolvency/trigger event
- Breach of contract
- Business basis

22 Ramp Down
- Often a neutral environment, or not
- Periods for handing over / ramp down + ramp up
- Process of handing over
- Communication with the new vendor
- Motivations for the current vendor to cooperate with the new one

23 Transfer
- Transfer of processes?
- Transfer of employees?
- Transfer of data + software; IP rights and NDAs
- Right to withhold goods stored at the location in case of a dispute

24 Right to Data Portability (Art. 20 GDPR)
- Data subject
- Structured, commonly used, and machine-readable form
- Right to transfer to a third party
- Directly from one controller to another

25 WHEN SOMETHING GOES WRONG

26 Reality: Things Go Wrong
- Seemingly innocuous events, changes, and failures can be symptoms of much bigger (but less obvious) third-party problems
- Events can become incidents, and incidents can escalate if not handled promptly and properly (e.g. FCPA!)
- Be prepared! Conduct event handling and incident management scenarios to test and improve processes
- Events can become real-world tests; this highlights the need for alternate third parties to ensure continuity of business / services

27 Best Practices
- Establish internal policies for employees on what to do when something goes wrong with third-party vendors
- Be clear on who to alert or escalate to (VMO, Risk, IT, Legal?) based on the event or incident
- Assess the type and severity of the event, factoring in third-party risk factors (country, type of service, impact on operations, value of business)
- Does the event expose an unforeseen weakness that necessitates a re-assessment of the vendor's risk, or additional due diligence?
- Triage and remediation processes for more serious incidents (or in higher-risk situations)

28 Are You Ready?
43% of incident management professionals report their organization has a formalized incident management plan. Only 9% deem their program to be very effective.
Source: Torres, A. "Incident Response: How to Fight Back: A SANS Survey." SANS Institute InfoSec Reading Room, August 2014.

29 Alert and Escalation Matrix
Functions: VMO, Legal, Compliance, IT / IS, Risk, Finance
Events: News (reputational risk); No longer receiving services; Fail in SLA; Law enforcement notice; Regulatory action (event / incident); Business changes: staff, model, owner
Incidents: Breach; Bankruptcy; Natural disaster
Legend: Alert, Escalate

30 Regulatory
90% of reported FCPA cases involved third parties (EY's 12th Global Fraud Survey).

31 Best Practices - Serious Incidents
- Design a triage process for more serious incident types (e.g. third-party bribery allegation)
- Consider a Response Team that can be quickly assembled to coordinate activities related to the incident
- Implement an Incident Management system to capture key facts and provide evidence
- Establish a defensible communications trail with the third party (who, when, what, where, how, why)
- Be prepared to involve independent service providers (law firm, auditors, data collection) to provide local and global support
- Notification may need to include the CEO, Board, PR, etc.

32 Incident Management Framework
During incident: Response, Containment, Recovery
Post-incident: Business Recovery, Contract Management

33 Incident Management System
Fields: Incident; Type of Incident; Date Reported; Reported By; Date of Incident; Nature of Incident; Third Party; Customer; Internal Party; Severity.
A robust Incident Management System should incorporate rules, driven by factors such as the Incident Type, Location, and Severity, that drive the workflow and ensure relevant data is captured. Tracking the parties involved in the incident helps ensure not only that the relevant people are notified, but also assists in root cause analysis and remediation.
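As an added illustration of the rules-driven intake slide 33 describes (this is example code written for this transcript, not the presenters' own tooling or any product), the following Python models the slide's incident fields, checks that key facts were captured, and applies type, location, and severity rules to decide who is alerted, whether to escalate, and whether the vendor's risk should be re-assessed. The routing table, the home-country rule, the function names, and the sample incidents are all constructed assumptions; a real program would take them from its own escalation matrix.

```python
"""Added example: rules-driven incident intake for a vendor incident
management system. The routing rules, HOME_COUNTRY and the sample incidents
are assumptions constructed for illustration, not from the slides."""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from enum import IntEnum


class Severity(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


@dataclass
class Incident:
    # Fields named on slide 33; location is an assumed addition feeding the location rule
    incident_id: str
    incident_type: str          # e.g. "breach", "bankruptcy", "natural disaster"
    date_reported: date
    reported_by: str
    date_of_incident: date
    nature: str
    location: str               # assumed: country code where the incident occurred
    severity: Severity
    third_party: str = ""
    customer: str = ""
    internal_party: str = ""


def validate(inc: Incident) -> list[str]:
    """Return the key fields that were left empty at intake (data-capture rule)."""
    required = ["incident_id", "incident_type", "reported_by", "nature",
                "location", "third_party"]
    return [name for name in required if not getattr(inc, name)]


# Assumed routing table: incident type -> functions that must be alerted.
# The VMO is alerted on everything because it owns the vendor relationship.
ALERT_BY_TYPE = {
    "breach":             {"IT/IS", "Legal", "Compliance"},
    "bankruptcy":         {"Finance", "Legal"},
    "natural disaster":   {"Risk", "IT/IS"},
    "bribery allegation": {"Legal", "Compliance"},
    "regulatory action":  {"Legal", "Compliance"},
}
ALWAYS_ESCALATE = {"bribery allegation", "regulatory action"}  # assumed: FCPA-type exposure
HOME_COUNTRY = "US"  # assumption for the location rule


def route(inc: Incident) -> dict:
    """Apply type, location and severity rules to decide the workflow for one incident."""
    notify = {"VMO"} | ALERT_BY_TYPE.get(inc.incident_type, set())
    escalate = (inc.incident_type in ALWAYS_ESCALATE
                or inc.severity >= Severity.HIGH
                or (inc.location != HOME_COUNTRY and inc.severity >= Severity.MEDIUM))
    return {
        "notify": sorted(notify),
        "escalate": escalate,
        # assumed: only escalated HIGH/CRITICAL incidents convene the Response Team
        "response_team": escalate and inc.severity >= Severity.HIGH,
        # assumed: these types trigger a re-assessment of the vendor's risk rating
        "reassess_vendor": inc.incident_type in {"breach", "bankruptcy", "bribery allegation"},
        "missing_fields": validate(inc),
    }


def incidents_per_third_party(incidents: list[Incident]) -> dict[str, int]:
    """Count incidents per vendor; repeated hits on one vendor point to a root cause."""
    return dict(Counter(i.third_party for i in incidents if i.third_party))


# Constructed sample incidents (not real vendors or events)
SAMPLE = [
    Incident("INC-001", "breach", date(2024, 3, 2), "relationship manager",
             date(2024, 3, 1), "laptop holding client PII lost", "US",
             Severity.HIGH, third_party="Vendor A", customer="Client X",
             internal_party="Operations"),
    Incident("INC-002", "fail in SLA", date(2024, 3, 5), "IT",
             date(2024, 3, 4), "monthly uptime below target", "US",
             Severity.LOW, third_party="Vendor A"),
    Incident("INC-003", "bribery allegation", date(2024, 4, 1), "hotline",
             date(2024, 3, 20), "payment to an official alleged", "BR",
             Severity.MEDIUM, third_party="Vendor B"),
]

if __name__ == "__main__":
    for inc in SAMPLE:
        print(inc.incident_id, route(inc))
    print(incidents_per_third_party(SAMPLE))
```

Run as-is to see the three sample incidents routed: the breach alerts IT/IS, Legal and Compliance and convenes the Response Team; the SLA miss stays with the VMO; the bribery allegation escalates regardless of its medium severity.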

34 Post Incident Management
- Ending
- Manage within vendor
- Move to another vendor
- Regulatory issues?
- Contract changes
- Insurance coverage

35 Discovering
- News
- No longer receiving services
- Fail in SLA
- Law enforcement
- Regulatory
- Business changes: staff, model, owner

36 Special Wrongs
- Breaches
- Bankruptcy
- Natural disasters

37 Managing
- Ending
- Manage within vendor
- Move to another vendor
- Regulatory issues?
- Contract changes
- Insurance coverage

38 QUESTIONS