VENDOR MANAGEMENT AND THIRD PARTY RISK Amy J Butler Legal & General America May 18, 2018
Today’s Presentation ! Definitions ! Why do we need Vendor Risk Management ! Risks Posed by Third Party / Vendor Relationships ! Vendor Risk Management and Information Security ! Third Party / Vendor Risk Management Framework ! Best Practices for Emerging Vendor Management Programs
Definitions Vendor: Anyone who provides goods and/or services to a company or individuals Third Party - Someone who may be indirectly involved but is not a principal party to an arrangement, contract, deal or transaction. Third Party / Vendor Management is a long term methodology on how to manage your third parties and vendors Vendor Management : A discipline that enables organizations to control costs, drive service excellence and mitigate risks to gain increased value from their vendors throughout the deal cycle. Outsourced relationships may benefit a company through reduced costs, improved performance, increased business competitiveness in the marketplace, access to a superior knowledge base and established distribution channels.
Why do we need Vendor Risk Management ! Many organizations push more of their business out to third parties / vendors. Higher volume can mean higher risk. ! As cybercriminals increasingly target vendors as a vector to attack their customers, and regulators increasingly hold organizations liable for breaches of vendor controlled-data, the importance of managing information security risk associated with your vendors is escalating. ! Corporate Boards are considering third party risk as a top strategic risk. ! Reputational impact. When consumers are personally affected by a third- party system failure or security breach, or when a well-known company is heavily fined or repeatedly called out with regulatory MRAs (matters requiring attention), the reputation of the involved organizations can suffer.
Why do we need Vendor Risk Management ! Vendors can play a critical role in a company’s success or failure so managing vendor / third party risk is essential. ! Regulators have become more focused on how companies are managing outsourcing and third-party risk in general, and the fines for violations have reached hundreds of millions of dollars. ! Generally, regulators consider third-party activities to be at a higher level of risk than those performed internally because of their physical and operational separation from day-to-day oversight. The risks of TPVM are of particular concern for third parties involved in critical activities – settlements, custodial functions, payments, or information technology.
Risks Posed by Third Party / Vendor Relationships There are numerous risks that may arise from a company’s use of third parties. Some of the risks are associated with the underlying activity, similar to the risks faced if the company itself conducted the activity. Other potential risks arise from or are heightened by the involvement of a third party. Failure to manage these risks can expose the company to regulatory action, financial loss, litigation and damage, and may even impair the company’s ability to establish new or service existing broker / customer relationships.
Risks Posed by Third Party / Vendor Relationships The following risks should be considered and documented during Due Diligence and throughout the life of the contract: ! Strategic risk - risk arising from adverse business decisions, or the failure to implement appropriate business decisions in a manner that is consistent with the Company’s stated strategic goals. ! Reputation Risk - risk arising from negative public opinion. Third party relationships that result in dissatisfied customers, interactions not consistent with the Company’s policies, inappropriate recommendations, security breaches resulting in the disclosure of customer information and violations of law and regulation. ! Operational Risk - risk of loss resulting from inadequate or failed internal processes, people and systems or from external events .
Risks Posed by Third Party / Vendor Relationships ! Transaction Risk - risk arising from problems with service or product delivery. ! Compliance Risk - risk arising from violations of laws, rules, or regulations, or from intentional or inadvertent non-compliance with internal policies or procedures or with the Company’s business standards. This risk exists when the products or activities of a third party are not consistent with governing laws, rules, regulations, policies or ethical standards. ! Information Security Risk – risk arising from unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information. It is a general term that can be used regardless of the form the data may take (e.g. electronic, physical).
Vendor Risk Management and Information Security How does your company secure data provided to vendors? How do your vendors protect and secure your data?
Methods used by some vendors to secure data ! Information Security: • Access to information is authorized on a “need-to-know basis as defined by the vendor’s specific job functions. ! Database Security: • Database access is restricted through Active Directory security, which limits access to customer-specific information. Database authentication credentials are passed to the database server by the application. ! File Transfer Protocol (FTP) • The customer authenticates to the FTP server with a user ID and password. Unauthorized login attempts are recorded by the system. • Outbound data is encrypted using standard File Transfer Protocols (i.e. SFTP-SSH, FTPs-SSL) when supported and allowed by the customer. • Access to the FTP server and application is restricted to authorized administrators.
Methods used by some vendors to secure data ! Internet Encryption ! Internet connections for Hosted applications use Secure Socket Layer (SSL). The client server used to establish internet connections to the hosted environment has a digital certificate. ! Firewall ! Firewall rules are configured to allow only specific traffic either into the firewall from the internet or out of the firewall from the vendor. The Hosted applications’ components reside in a Demilitarized Zone (DMZ) which provides a security layer between the internet and the application. ! Intrusion Detection ! Intrusion prevention / detection technology provides an additional layer of security to protect in-scope network and server infrastructure.
Data Transmission to Vendors How [Company name] Secures PII Data To Vendors # of # of Vendors Department Information Transmitted Department Vendors Transmitting Head to / from Vendor ** TLS Analyzed PII Secure FTP Encrypted Email TOTAL ** Includes but not limited to : company data, client data, agent / advisor data, employee data
Other Considerations for Vendor Risk Management and Information Security Your Vendors may have their own Vendors - Do you know who they are? What is the vendor’s Patch Management Policy? Do your vendors conduct vulnerability and penetration testing? Do your vendors have an incident response plan? When will you know if there is a problem? How will the vendor continue to provide services to you during an outage or a disaster? You need to understand what your vendors have access to (not just what they are providing to you, or what you think they have access to).
Third Party / Vendor Risk Management Framework 14 DUE DILIGENCE PROCUREMENT VENDOR MANAGEMENT Vendor Research Negotiate contract Oversight of Existing Vendor Evaluation Vendors Vendor Selection
DUE DILIGENCE 15 DEFINITION Research and analysis that is expected to be performed (and documented) in the examination and evaluation of risks affecting a business transaction. ACTIVITIES TOOLS " Due Diligence Checklist ! Research viable vendors; " Due Diligence ! Determine which Questionnaire - Internal vendors to evaluate; " Due Diligence ! Select the best vendor Questionnaire - External based on research and due diligence performed.
PROCUREMENT and VENDOR MANAGEMENT 16 PROCUREMENT TOOLS ACTIVITY " Corporate Procurement Policy ! Negotiate Contract " Delegated Authorities VENDOR MANAGEMENT ACTIVITY TOOLS " Vendor Management Policy ! Oversight of Existing • sets a governance and control framework Vendors under which the potential business risks of arrangements with third party service providers and suppliers may be assessed, monitored, evaluated and managed.
Vendor / Third Party Risk Management Pain Points ! Lack of resources to dedicate to this function ! Consider relationship managers within different functions ! Centralized vs. Decentralized environment ! Lack of technology integration with third party risk management processes, jeopardizing the accuracy of their programs. Many still manage via spreadsheets which, depending on the number of vendors, can become overwhelming.
Recommend
More recommend
