VENDOR MANAGEMENT AND THIRD PARTY RISK Amy J Butler Legal & - - PowerPoint PPT Presentation



SLIDE 1

VENDOR MANAGEMENT AND THIRD PARTY RISK

Amy J Butler Legal & General America May 18, 2018

SLIDE 2

Today’s Presentation

• Definitions
• Why do we need Vendor Risk Management
• Risks Posed by Third Party / Vendor Relationships
• Vendor Risk Management and Information Security
• Third Party / Vendor Risk Management Framework
• Best Practices for Emerging Vendor Management Programs

SLIDE 3

Definitions

• Vendor: Anyone who provides goods and/or services to a company or individuals.
• Third Party: Someone who may be indirectly involved but is not a principal party to an arrangement, contract, deal or transaction.
• Third Party / Vendor Management: A long term methodology on how to manage your third parties and vendors.
• Vendor Management: A discipline that enables organizations to control costs, drive service excellence and mitigate risks to gain increased value from their vendors throughout the deal cycle.

Outsourced relationships may benefit a company through reduced costs, improved performance, increased business competitiveness in the marketplace, access to a superior knowledge base and established distribution channels.

SLIDE 4

Why do we need Vendor Risk Management

• Many organizations push more of their business out to third parties / vendors. Higher volume can mean higher risk.
• As cybercriminals increasingly target vendors as a vector to attack their customers, and regulators increasingly hold organizations liable for breaches of vendor-controlled data, the importance of managing information security risk associated with your vendors is escalating.
• Corporate Boards are considering third party risk as a top strategic risk.
• Reputational impact. When consumers are personally affected by a third-party system failure or security breach, or when a well-known company is heavily fined or repeatedly called out with regulatory MRAs (matters requiring attention), the reputation of the involved organizations can suffer.

SLIDE 5

Why do we need Vendor Risk Management

• Vendors can play a critical role in a company’s success or failure, so managing vendor / third party risk is essential.
• Regulators have become more focused on how companies are managing outsourcing and third-party risk in general, and the fines for violations have reached hundreds of millions of dollars.
• Generally, regulators consider third-party activities to be at a higher level of risk than those performed internally because of their physical and operational separation from day-to-day oversight. The risks of TPVM are of particular concern for third parties involved in critical activities – settlements, custodial functions, payments, or information technology.

SLIDE 6

Risks Posed by Third Party / Vendor Relationships

There are numerous risks that may arise from a company’s use of third parties. Some of the risks are associated with the underlying activity, similar to the risks faced if the company itself conducted the activity. Other potential risks arise from or are heightened by the involvement of a third party. Failure to manage these risks can expose the company to regulatory action, financial loss, litigation and damage, and may even impair the company’s ability to establish new or service existing broker / customer relationships.

SLIDE 7

Risks Posed by Third Party / Vendor Relationships

The following risks should be considered and documented during Due Diligence and throughout the life of the contract:

• Strategic risk - risk arising from adverse business decisions, or the failure to implement appropriate business decisions in a manner that is consistent with the Company’s stated strategic goals.
• Reputation Risk - risk arising from negative public opinion, e.g. third party relationships that result in dissatisfied customers, interactions not consistent with the Company’s policies, inappropriate recommendations, security breaches resulting in the disclosure of customer information, and violations of law and regulation.
• Operational Risk - risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events.

SLIDE 8

Risks Posed by Third Party / Vendor Relationships

• Transaction Risk - risk arising from problems with service or product delivery.
• Compliance Risk - risk arising from violations of laws, rules, or regulations, or from intentional or inadvertent non-compliance with internal policies or procedures or with the Company’s business standards. This risk exists when the products or activities of a third party are not consistent with governing laws, rules, regulations, policies or ethical standards.
• Information Security Risk – risk arising from unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information. It is a general term that can be used regardless of the form the data may take (e.g. electronic, physical).

SLIDE 9

Vendor Risk Management and Information Security

How does your company secure data provided to vendors? How do your vendors protect and secure your data?

SLIDE 10

Methods used by some vendors to secure data

• Information Security:
    - Access to information is authorized on a “need-to-know” basis as defined by the vendor’s specific job functions.
• Database Security:
    - Database access is restricted through Active Directory security, which limits access to customer-specific information. Database authentication credentials are passed to the database server by the application.
• File Transfer Protocol (FTP):
    - The customer authenticates to the FTP server with a user ID and password. Unauthorized login attempts are recorded by the system.
    - Outbound data is encrypted using standard File Transfer Protocols (i.e. SFTP-SSH, FTPS-SSL) when supported and allowed by the customer.
    - Access to the FTP server and application is restricted to authorized administrators.
SLIDE 11

Methods used by some vendors to secure data

• Internet Encryption
    - Internet connections for Hosted applications use Secure Socket Layer (SSL). The client server used to establish internet connections to the hosted environment has a digital certificate.
• Firewall
    - Firewall rules are configured to allow only specific traffic either into the firewall from the internet or out of the firewall from the vendor. The Hosted applications’ components reside in a Demilitarized Zone (DMZ) which provides a security layer between the internet and the application.
• Intrusion Detection
    - Intrusion prevention / detection technology provides an additional layer of security to protect in-scope network and server infrastructure.

SLIDE 12

Data Transmission to Vendors

| Department | Department Head | # of Vendors Analyzed | # of Vendors Transmitting PII | Information Transmitted to / from Vendor ** | How [Company name] Secures PII Data To Vendors: Secure FTP | TLS | Encrypted Email |
|---|---|---|---|---|---|---|---|
| TOTAL | | | | | | | |

** Includes but not limited to: company data, client data, agent / advisor data, employee data
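As an added example (not part of the presentation), the roll-up this table asks for can be produced from a vendor transmission inventory, and the slide-10 caveat that secure transfer is used only "when supported and allowed by the customer" becomes a check: any PII feed whose channel is not Secure FTP (SFTP/FTPS), TLS or encrypted e-mail is flagged. The departments, vendor names, feeds and the channel-to-column mapping are constructed assumptions.

```python
"""Vendor data-transmission inventory check.

Added example, not from the presentation. Produces the per-department roll-up
in the layout of the "Data Transmission to Vendors" table and flags vendors
that receive PII over a channel other than the secure methods the table counts
(Secure FTP, TLS, Encrypted Email). All vendor records below are constructed
sample data; departments, vendor names and the channel mapping are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional

# Channel (as recorded in the inventory) -> column it is counted under.
# Plain "ftp" and unencrypted "email" have no mapping on purpose: a PII feed
# on either of them is exactly the finding this check is meant to surface.
SECURE_METHOD = {
    "sftp": "Secure FTP",            # FTP over SSH
    "ftps": "Secure FTP",            # FTP over SSL/TLS
    "https": "TLS",
    "tls": "TLS",
    "encrypted_email": "Encrypted Email",
}

@dataclass(frozen=True)
class Transfer:
    department: str
    vendor: str
    channel: str     # protocol name as inventoried
    pii: bool        # does this feed carry personally identifiable information?
    data: str        # what is transmitted (the "Information Transmitted" column)

def secure_method(channel: str) -> Optional[str]:
    """Column for an approved secure channel, or None if the channel is not approved."""
    return SECURE_METHOD.get(channel.strip().lower())

def insecure_pii_transfers(transfers: List[Transfer]) -> List[Transfer]:
    """PII feeds that do not use an approved secure transport: the finding to escalate."""
    return [t for t in transfers if t.pii and secure_method(t.channel) is None]

def summarize(transfers: List[Transfer]) -> dict:
    """Per-department counts in the table layout, plus a TOTAL row.

    The TOTAL row counts distinct vendors across the company, so a vendor used
    by two departments is counted once there (slide 18's shared-vendor case).
    """
    by_dept = defaultdict(list)
    for t in transfers:
        by_dept[t.department].append(t)

    def row(items):
        counts = {"vendors_analyzed": len({t.vendor for t in items}),
                  "vendors_transmitting_pii": len({t.vendor for t in items if t.pii}),
                  "Secure FTP": 0, "TLS": 0, "Encrypted Email": 0,
                  "unsecured_pii_feeds": 0}
        for t in items:
            if not t.pii:
                continue
            method = secure_method(t.channel)
            if method is None:
                counts["unsecured_pii_feeds"] += 1
            else:
                counts[method] += 1
        return counts

    rows = {dept: row(items) for dept, items in sorted(by_dept.items())}
    rows["TOTAL"] = row(transfers)
    return rows

# Constructed sample inventory (names and feeds are invented).
SAMPLE_TRANSFERS = [
    Transfer("Claims", "Acme Print Services", "sftp", True, "claimant letters"),
    Transfer("Claims", "Acme Print Services", "https", False, "print job status"),
    Transfer("Claims", "Beta Benefits Admin", "ftp", True, "beneficiary records"),   # plain FTP carrying PII
    Transfer("HR", "Gamma Payroll", "encrypted_email", True, "employee pay data"),
    Transfer("HR", "Gamma Payroll", "email", True, "ad-hoc corrections"),            # unencrypted e-mail carrying PII
    Transfer("IT", "Delta Hosting", "tls", True, "customer portal data"),
    Transfer("IT", "Epsilon Monitoring", "https", False, "uptime metrics"),
]

if __name__ == "__main__":
    for dept, counts in summarize(SAMPLE_TRANSFERS).items():
        print(f"{dept:8} {counts}")
    for t in insecure_pii_transfers(SAMPLE_TRANSFERS):
        print(f"FLAG: {t.vendor} ({t.department}) sends PII '{t.data}' over {t.channel}")
```

The table's "Secure FTP" column only counts feeds that actually carry PII, so a vendor reached over HTTPS for non-PII status reports does not inflate the TLS count; the unsecured feeds are the rows to raise with the department head before the next due-diligence cycle.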

SLIDE 13

Other Considerations for Vendor Risk Management and Information Security

• Your Vendors may have their own Vendors - do you know who they are?
• What is the vendor’s Patch Management Policy?
• Do your vendors conduct vulnerability and penetration testing?
• Do your vendors have an incident response plan? When will you know if there is a problem?
• How will the vendor continue to provide services to you during an outage or a disaster?
• You need to understand what your vendors have access to (not just what they are providing to you, or what you think they have access to).

SLIDE 14

Third Party / Vendor Risk Management Framework

DUE DILIGENCE: Vendor Research -> Vendor Evaluation -> Vendor Selection
PROCUREMENT: Negotiate contract
VENDOR MANAGEMENT: Oversight of Existing Vendors

SLIDE 15

DUE DILIGENCE

DEFINITION
Research and analysis that is expected to be performed (and documented) in the examination and evaluation of risks affecting a business transaction.

ACTIVITIES
• Research viable vendors;
• Determine which vendors to evaluate;
• Select the best vendor based on research and due diligence performed.

TOOLS
• Due Diligence Checklist
• Due Diligence Questionnaire - Internal
• Due Diligence Questionnaire - External

SLIDE 16

PROCUREMENT and VENDOR MANAGEMENT

PROCUREMENT
ACTIVITY
• Negotiate Contract
TOOLS
• Corporate Procurement Policy
• Delegated Authorities

VENDOR MANAGEMENT
ACTIVITY
• Oversight of Existing Vendors
TOOLS
• Vendor Management Policy - sets a governance and control framework under which the potential business risks of arrangements with third party service providers and suppliers may be assessed, monitored, evaluated and managed.

SLIDE 17

Vendor / Third Party Risk Management Pain Points

• Lack of resources to dedicate to this function
    - Consider relationship managers within different functions
• Centralized vs. Decentralized environment
• Lack of technology integration with third party risk management processes, jeopardizing the accuracy of their programs. Many still manage via spreadsheets which, depending on the number of vendors, can become overwhelming.

SLIDE 18

Vendor Risk Management Considerations

• Create an inventory of all vendors.
    - In a decentralized organization, you may find multiple departments using the same vendor. In those situations you may be able to renegotiate your contract for a better price.
• To better manage risk from vendors, rank those third parties according to their level of risk and continue to perform due diligence commensurate with the level of risk and throughout the life of the relationship when appropriate.
• Obtain SAS 70 or other control-related reports that the vendor may have in order to obtain an independent assessment of their control structure.
• Establish Key Performance Indicators and require regular / periodic reporting.
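The inventory, shared-vendor and risk-ranking points on this slide, as an added example in Python that is not from the presentation: vendors are tiered from the attributes the deck itself highlights (the critical activities from slide 5, PII handling, network access, the vendor's own vendors from slide 13), the due-diligence review cadence grows with the tier, and a missing SAS 70 / SOC-type control report is reported for the higher tiers. The tier rules, review cadences, dates and vendor records are assumptions made for this example.

```python
"""Vendor inventory, risk tiering and due-diligence scheduling.

Added example, not from the presentation. Implements the considerations on
this slide: one inventory across departments, detection of the same vendor
used by several departments, a risk tier per vendor, and due-diligence reviews
due at a cadence that grows with the tier, plus a check that higher-tier
vendors have an independent control report (SAS 70 / SOC-type) on file.
Tier rules, cadences, dates and vendor records are assumptions for this example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Tuple

# Activities the deck calls out as critical (slide 5).
CRITICAL_ACTIVITIES = {"settlements", "custodial", "payments", "information technology"}

# Assumed review cadence per tier, in days: tier 1 yearly, tier 2 every two years, tier 3 every three.
REVIEW_INTERVAL_DAYS = {1: 365, 2: 730, 3: 1095}

@dataclass(frozen=True)
class Vendor:
    name: str
    department: str
    activity: str
    handles_pii: bool
    network_access: bool       # connectivity into our environment
    uses_subcontractors: bool  # the vendor's own vendors (slide 13)
    has_control_report: bool   # SAS 70 / SOC-type report on file
    last_review: date

def normalize_name(name: str) -> str:
    """Key for matching the same vendor recorded differently by different departments."""
    key = re.sub(r"[^a-z0-9]", "", name.lower())
    return re.sub(r"(inc|llc|ltd|corp|corporation)$", "", key)

def risk_tier(v: Vendor) -> int:
    """1 = highest risk. Assumed rules: a critical activity, or PII plus network access, is tier 1."""
    if v.activity.lower() in CRITICAL_ACTIVITIES or (v.handles_pii and v.network_access):
        return 1
    if v.handles_pii or v.network_access or v.uses_subcontractors:
        return 2
    return 3

def shared_vendors(vendors: List[Vendor]) -> Dict[str, List[str]]:
    """Vendors used by more than one department (renegotiation and consolidated oversight candidates)."""
    depts = defaultdict(set)
    for v in vendors:
        depts[normalize_name(v.name)].add(v.department)
    return {key: sorted(d) for key, d in depts.items() if len(d) > 1}

def review_findings(vendors: List[Vendor], today: date) -> List[Tuple[str, int, str]]:
    """(vendor, tier, finding) for overdue due diligence and missing control reports."""
    findings = []
    for v in vendors:
        tier = risk_tier(v)
        due = v.last_review + timedelta(days=REVIEW_INTERVAL_DAYS[tier])
        if due <= today:
            findings.append((v.name, tier, f"due diligence overdue since {due.isoformat()}"))
        if tier <= 2 and not v.has_control_report:
            findings.append((v.name, tier, "no independent control report on file"))
    return findings

TODAY = date(2018, 5, 18)  # the presentation date, used as a fixed "today"

# Constructed sample inventory; names and dates are invented.
SAMPLE_VENDORS = [
    Vendor("Acme Print Services", "Claims", "document printing", True, False, True, True, date(2017, 9, 1)),
    Vendor("ACME Print Services, Inc.", "Marketing", "document printing", False, False, True, True, date(2016, 1, 15)),
    Vendor("Beta Payments Ltd", "Finance", "payments", True, True, False, False, date(2017, 1, 10)),
    Vendor("Gamma Hosting", "IT", "information technology", True, True, False, True, date(2017, 11, 30)),
    Vendor("Delta Office Supply", "Facilities", "office supplies", False, False, False, False, date(2014, 3, 3)),
]

if __name__ == "__main__":
    for key, depts in shared_vendors(SAMPLE_VENDORS).items():
        print(f"shared vendor {key}: used by {', '.join(depts)}")
    for name, tier, finding in review_findings(SAMPLE_VENDORS, TODAY):
        print(f"tier {tier} {name}: {finding}")
```

The name normalisation is what makes the decentralised case visible: two departments recorded the same printer as "Acme Print Services" and "ACME Print Services, Inc.", and without a common key they would be reviewed, and contracted, as two unrelated vendors.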

SLIDE 19

Mature Vendor Risk Management Process

SLIDE 20

Accountability

The use of vendors / third parties DOES NOT remove the responsibility of the firm and its senior management to ensure that the activity is performed in a safe and sound manner and in compliance with all applicable laws.

SLIDE 21

10 Best Practices for Emerging Vendor Management Programs

1. Right size your vendor management program for you.
    - Figure out what matters most to you and right size your program using a vendor management framework.
2. Set the right tone at the top.
    - Your leadership must buy into the fact that vendor management is a core business discipline and not a compliance function.
3. Establish governance and engage your stakeholders.
    - Vendor management involves multiple stakeholders and subject matter experts from across the organization.
4. Get visibility into your vendors and contracts.
    - You need a central system for storing, managing and reporting on vendor-related information.

Source: https://www.vendorcentric.com/single-post/10-best-practices-for-vendor-management-programs

SLIDE 22

10 Best Practices for Emerging Vendor Management Programs

5. Know which risks apply to which vendors.
    - Not all vendors are created equal, and different types of vendor relationships bring different types of risk.
    - Vendor risk assessments and tiering are core components of your vendor management program.
6. Don’t skimp on due diligence.
    - Due diligence is where the rubber meets the road in terms of drilling down to really evaluate risk exposure in your vendor relationships.
    - Be sure to align your activities with the risk level of the vendor; more risk always requires more due diligence.
7. Be disciplined in contracting.
    - Contracts are your only opportunity to legally document the business terms to which you and your vendor have agreed.
    - Your vendor management program should provide for a standard, consistent contracting process that ensures all of the necessary, risk mitigating contractual clauses are incorporated into the final agreement.

Source: https://www.vendorcentric.com/single-post/10-best-practices-for-vendor-management-programs

SLIDE 23

10 Best Practices for Emerging Vendor Management Programs

8. Establish expectations during onboarding.
    - Your vendor management program must address what happens post-contract and who will be responsible.
9. Monitor and grow the relationship like you would any other.
    - Nurture your vendor relationships to get the most value from them.
10. Have a formal process for breaking up.
    - Have a formal process for off-boarding your vendors, especially as it pertains to key contractual requirements such as transfer of assets, data, or destruction of confidential information.

Source: https://www.vendorcentric.com/single-post/10-best-practices-for-vendor-management-programs

SLIDE 24

CONTACT INFORMATION: AMY J BUTLER ABUTLER@LGAMERICA.COM

THANK YOU