Effects of GDPR and NY DFS on your Third Party Risk Management Program


1 Effects of GDPR and NY DFS on your Third Party Risk Management Program Please disable popup blocking software before viewing this webcast June 27, 2017 Grant Thornton LLP. All rights reserved. 1

2 CPE Reminders
To receive CPE, you must be active for the entire webcast and respond to at least 75% of the polls. You will have 90 seconds to answer each poll.
CPE is not offered for audio-only attendees or replay viewing.
Group participation will not receive CPE. You must be logged in individually to receive CPE credit.
Upon conclusion of the program, please complete the final evaluation and your CPE certificate will be available if you have met the minimum CPE requirements. Turn off all pop-up blockers to download your CPE certificate.
Use Q&A to ask questions during the webcast.

3 For a Better Webcast Experience
Use a wired internet connection from your local office and turn off your computer's Wi-Fi signal.
For optimal viewing speed, close all other applications, including Outlook.
Most technical issues (e.g., buffering, silenced audio) can be resolved by refreshing your feed using the F5 key.
Use the Help button if you have technical difficulties. You can also call or contact GTWebcast@Level3.com
Click the Resources button to download the presentation materials.

5 Today's Speakers & Agenda

6 Today's Speakers
Adam Schrock, National Managing Director, Third Party Risk Management, adam.schrock@us.gt.com
Dennis Frio, Managing Director, Third Party Risk Management, dennis.frio@us.gt.com
Monique Altheim, Esq., CIPP/US/E, Manager, Privacy & Data Protection, monique.altheim@us.gt.com
Brian Gawne, Senior Manager, Cyber Risk, brian.gawne@us.gt.com

7 Learning objectives
Describe the overall impact on third party risk management programs
Define the key differences from other frameworks and regulations
Identify leading practices for complying with the new regulations
Analyze how to balance overlapping cyber security and third party risk regulations
Explain how to avoid potential problem areas in reporting and compliance

8 Agenda
Current State of Third Party Risk
Overview of GDPR and DFS Regulations
What steps you should be taking to align with leading practices

9 Current State of Third Party Risk

10 Regulatory trends
GDPR and NY DFS are the latest regulations getting attention.
Continued focus on managing cybersecurity and privacy risks related to your third parties.
Information sharing between public and private sectors is getting another look.
Privacy of consumer information is back in the spotlight.
Depth and breadth of due diligence requirements keep increasing.
What We Are Hearing
NY DFS Regulation: intended to protect NY consumers in the face of increasing cyber threats. Other states will likely follow NY's lead.
EU GDPR Regulation: intended to increase the degree of data protection across EU nations. More comprehensive than the prior EU Data Protection Directive.
Our Clients: the cost of compliance has become an issue; due diligence requirements keep increasing; what are the impacts on how we manage third party risk?

11 Why the increased focus from regulators?
Many organizations still lack effective programs:
74% say their TPRM security assessments are ineffective
49% of organizations don't assess the security controls of their third parties
31% assess the effectiveness of their TPRM program
68% say the third party threat landscape is expanding (cloud)
78% say cyber attacks will significantly impact their risk profile

12 Why is this so difficult?
Many organizations struggle to balance risk and business goals: balancing third party risks against the opportunities to drive innovation and growth.
Growth opportunities: 74% Business innovation and growth; New product development; Customer service differentiation; Competitive advantages; Improved effectiveness & efficiency; Business shift to outsourcing.
Third party risks: Is there a business imperative? Are third party risks inhibiting business objectives? Does the program align with our core values? Are service level agreements being met? Do investments align with imperatives? Are performance, risk and compliance being monitored?

13 Polling question # 1
How far along is your organization in finalizing compliance for GDPR and/or NYDFS?
A. Low: We haven't started or are just reviewing the regulations
B. Moderate: We are actively evaluating gaps to the regulation
C. Advanced: We understand our gaps and are actively remediating
D. I don't know if the regulations apply to my organization

14 GDPR: Overview & Third Party Risk Impacts

15 GDPR Overview: Key Features
The General Data Protection Regulation (GDPR) comes into force on May 25, 2018. The GDPR applies to organizations established in the EU, and to organizations outside the EU that: (i) offer goods or services to individuals in the EU; or (ii) monitor the behavior of individuals in the EU (e.g., online businesses that track their users). For the most serious violations, supervisory authorities will be able to impose fines of up to €20 million or 4% of global annual turnover (whichever is higher). Organizations will be under greater obligations to provide assurance to their boards, customers and regulators that their data protection processes and procedures are fit for purpose. We can help provide this assurance, and also explain what good data protection practices look like.
Key features of the regulation:
Accountability
New rights for individuals
Fair processing notices
Consent
Data protection officers
Wider scope
Data processors
Breach reporting
Privacy impact assessments

16 GDPR Overview: Who is Impacted
With the magnitude of enforcement potential, not to mention the reputational damage that comes from a breach of personal information, it is important to understand the impacts to your TPRM program. Third parties are an important focus because the GDPR defines roles for organizations working with personal data (PII):
A Data Controller is a person or organization that determines the purposes and means of processing, i.e., how personal data is to be stored and processed.
A Data Processor is a person or organization that processes personal data on behalf of the Controller.
In other words, while the controller is the entity that makes decisions about processing activities, the processor is any entity contracted by the controller to carry out the processing.

17 GDPR Overview: Impacts to TPRM
Your TPRM program will have to evolve as the GDPR requirements have. Our clients are updating their programs in the following areas: Privacy Impact Assessment, Contract Review, Ongoing Monitoring and Subcontractor Monitoring. Most likely these areas are part of your program today, but they will need to be tailored to reflect the specifics of GDPR.
Privacy Impact Assessment: a data protection risk assessment to ensure the processor has the expert knowledge, reliability and resources to implement technical and organizational measures that meet the requirements. (Under Article 28(1), controllers may use only processors providing sufficient guarantees; this processor due diligence is distinct from the Data Protection Impact Assessment of Article 35, which assesses a high-risk processing activity rather than the vendor.)
Contract Review: the contract must be specific about the tasks and responsibilities of the processor, including how and when data will be returned or deleted after processing, and the details of the processing (e.g., nature, purpose, duration).
Ongoing Monitoring: ensure processors are maintaining records of the personal data processing conducted on behalf of the controller.
Subcontractor Monitoring: processors may not engage subcontractors without the controller's prior written authorization, and subcontractors will need to be risk assessed to the same extent as the processor.

18 GDPR Overview: Roadmap - Plan, Execute and Run
GDPR compliance will require support from executive leadership and collaboration from many functions within the organization.
Plan (Now): Data inventory and mapping; Identify contract inventory; Identify subcontractors supporting EU privacy
Execute (Now to May 25, 2018): Update data protection risk assessment; Review contract language; Update ongoing monitoring requirements; Identify subcontractors supporting
Run (After May 25, 2018): On-going training; Key performance & risk indicators; Privacy automation; Certification

19 Polling question # 2
What groups within your organization are driving GDPR compliance? (check all that apply)
A. Chief Privacy Office
B. Chief Information Security Office
C. General Counsel / Legal
D. Chief Compliance Office
E. Chief Risk Office

20 NY DFS: Overview & Third Party Risk Impacts

21 NYDFS: Cybersecurity Requirements, 23 NYCRR 500
The New York Department of Financial Services (NYDFS) has issued some of the most recent and far-reaching financial services cybersecurity regulations.
NYDFS cybersecurity requirements, grouped by the transitional compliance period that Section 500.22 allows from the March 1, 2017 effective date:
180 days: Cybersecurity Program (500.02); Cybersecurity Policy (500.03); Chief Information Security Officer (500.04(a)); Access Privileges (500.07); Cybersecurity Personnel and Intelligence (500.10); Incident Response Plan (500.16); Notices to Superintendent (500.17)
1 year: CISO's annual report to the board (500.04(b)); Penetration Testing & Vulnerability Assessments (500.05); Risk Assessment (500.09); Multi-Factor Authentication (500.12); Cybersecurity awareness Training (500.14(b))
18 months: Audit Trail (500.06); Application Security (500.08); Limitations on Data Retention (500.13); Monitoring of authorized users (500.14(a)); Encryption of Nonpublic Information (500.15)
2 years: Third Party Service Provider Security Policy (500.11)
The NYDFS cybersecurity requirements are the first of their kind in the United States by any state or federal agency and are a response to a series of high-profile hackings of U.S. companies in recent years.
The requirements have a number of key, unique elements, including establishing programs and policies, third party management, and notice requirements to DFS.
The cross-industry NIST Cybersecurity Framework and the regulation are not explicitly aligned, although they do overlap in many areas.
Under Section 500.17(a), each Covered Entity must notify the superintendent as promptly as possible, but no later than 72 hours after determining that a Cybersecurity Event has occurred that either requires notice to any government body, self-regulatory agency or supervisory body, or has a reasonable likelihood of materially harming any material part of the normal operations of the Covered Entity.
While the regulation is effective March 1, 2017, covered entities must submit their first annual Certification of Compliance with the Cybersecurity Requirements by February 15, 2018 (Section 500.17(b)).

22 NYDFS Overview: Key Features of Section 500.11
Section 500.11 of the DFS requirements requires written policies and procedures to ensure the security of Information Systems and Nonpublic Information that are accessible to, or held by, third party service providers. The areas that the policy must cover are similar to those from the OCC and FRB guidance on performing risk assessments, due diligence and ongoing monitoring.
The impact of the DFS requirements on your TPRM program will stem from the depth of the review of the third parties' information security programs. Sending information security questionnaires may not be enough to satisfy the requirements. A review of the third parties' policies and procedures related to multi-factor authentication and encryption will be required.
Key features of the third party section (500.11) of the regulation:
Policy and Procedures
Risk Assessment
Minimum cybersecurity practices
Due Diligence
Ongoing Monitoring
Multi-Factor Authentication
Encryption
Notices of Cybersecurity Events
Representations & Warranties

23 NYDFS Overview: Hot Topics
Notices (Reporting): material Cybersecurity Events must be reported within 72 hours; records supporting the Certification of Compliance must be retained for 5 years; remediation plans must be made available.
Encryption (Data Protection): all Nonpublic Information in transit and at rest; compensating controls for data in transit can be used for a year, for data at rest for five years.
Multi-Factor Authentication (Third Party Access): external access; privileged access to databases; require risk-based authentication for web access; support multi-factor authentication for web access.

24 Polling question # 3
What do you see as your company's biggest obstacle in addressing these new regulations?
A. Limited visibility to the full complement of third party services
B. Lack of formal global governance and accountability over third parties
C. Limited contract standards to allow for effective monitoring
D. Lack of integrated technology to support the third party risk lifecycle
E. All of the above

25 Leading Practices

26 Five Steps to Prepare for GDPR and NY DFS
Enhance your current program to ensure compliance:
1 Know your data
2 Improve third party risk assessments
3 Uplift your contracts
4 Risk based ongoing monitoring
5 Collaboration

27 First step to prepare for GDPR and NY DFS: Know your data
Understand your data and how third parties use it.
Do we know which third parties have access to our customer data?
Is in-scope sensitive data transferred to third parties? Are they storing this data?
Is our sensitive customer data being accessed, processed or stored by subcontractors?
Are third parties supporting critical business functions with access to in-scope data?
Considerations
Understand the flow of sensitive data to third parties.
Leverage business process flows and narratives.
Work with the privacy and cyber security teams to understand where data is stored.
Collect the minimum personal data required for the service or product.

28 Second step to prepare for GDPR and NY DFS: Improve third party risk assessments
Increase the effectiveness of third party risk assessments.
Have we sufficiently identified all third parties and subcontractors?
Is each identified third party appropriately risk ranked?
Do we have senior level support to perform due diligence prior to contracting?
Are the current risk assessments sufficient to satisfy recent regulatory requirements?
Considerations
Perform short inherent risk assessments to determine which third parties are in scope.
Use service type profiles to pre-determine the due diligence required.
Use vendor tiers to identify critical and high risk third parties that require periodic onsite reviews.
Work with the CISO organization to determine the controls required, e.g., multi-factor authentication.

29 Third step to prepare for GDPR and NY DFS: Uplift your contracts
Ensure contracts are current.
Do our contracts include the right clauses to meet regulatory requirements?
Do we have evergreen contracts that don't expire?
Can we uplift contracts that have not expired?
Are contracts reviewed by counsel to ensure they comply with minimum requirements?
Considerations
Ensure contracts specify if and how subcontracting can be done.
Evaluate the highest risk contracts first and work with the third party to add updated clauses.
Engage counsel early to validate that contract templates meet the requirements.

30 Fourth step to prepare for GDPR and NY DFS: Risk based ongoing monitoring
Monitor your third parties.
Are we periodically monitoring high risk third parties?
Do we know which third parties require periodic monitoring, and at what level?
Have we verified that our third parties are monitoring their third parties?
Are we monitoring issues and remediation actions identified in previous assessments?
Considerations
Consider outsourced monitoring services, e.g., BitSight, SecurityScorecard.
Perform periodic onsite control validation for the highest risk third parties.
Monitoring of third parties should cover risk, compliance and performance.
One size does not fit all: establish levels of monitoring based on risk and service.

31 Fifth step to prepare for GDPR and NY DFS: Collaboration
Don't go at it alone; leverage your internal resources.
Are security and privacy officers connected to the third party risk program?
Are there channels for security and privacy SMEs to update requirements?
Does Operational Risk opine on program requirements? Does Internal Audit?
Is risk language and taxonomy aligned to enterprise and operational risk?
What are your peers doing?
Considerations
Steering committees and working groups can be created to keep everyone on the same page.
Embed security and privacy SMEs in the TPRM program.
Collaborate with the 2nd and 3rd lines of defense to validate program effectiveness.
Join peer groups to share leading practices.

32 Polling question # 4
What is the biggest compliance effort for your third party risk team for these regulations?
A. Technical information security control implementations
B. Contract management and uplift
C. Program policy and procedure updates
D. Risk assessment scope changes (both on-site and virtual assessments)
E. Data management and understanding data flows

33 Questions?

34 Disclaimer
This Grant Thornton LLP presentation is not a comprehensive analysis of the subject matters covered and may include proposed guidance that is subject to change before it is issued in final form. All relevant facts and circumstances, including the pertinent authoritative literature, need to be considered to arrive at conclusions that comply with matters addressed in this presentation. The views and interpretations expressed in the presentation are those of the presenters and the presentation is not intended to provide accounting or other advice or guidance with respect to the matters covered. For additional information on matters covered in this presentation, contact your Grant Thornton, LLP adviser.

35 Thank you for attending
To retrieve your CPE certificate: respond to the online evaluation form. Please note you may need to disable pop-up blocking software to complete this evaluation. Print your CPE certificate and retain it for your records. Participants are responsible for maintaining CPE completion records. Those receiving CPE will also receive the certificate at the address used to register for the webcast.
We are unable to grant CPE credit in cases where technical difficulties preclude eligibility. CPE program sponsorship guidelines prohibit us from issuing credit to those not verified by the technology to have satisfied the minimum requirements in monitoring response and viewing time.
If you experience any technical difficulties, please contact or

36 Thank you for attending
Visit us online at: twitter.com/grantthorntonus linkd.in/grantthorntonus
For questions regarding your CPE certificate, contact