By Steve Richardson
Vice President of Product Management, Fusion Risk Management
Every week it seems there is another article about a company suffering a data breach—from Google to Equifax. As the world becomes more connected and businesses collect data at an increasingly rapid rate, hackers and cybercriminals are keeping pace with security protocols and consistently finding ways to get around them—sometimes almost as soon as they are implemented.
Data now is currency—in fact, many hackers would much rather steal consumer data than a finite sum of money. While organizations must be in control of their security and data protection obligations and practices, they must also be vigilant about how their third-party service providers approach these crucial components. The success of an organization depends on the security and resiliency of the third parties with which they partner and, often, share data. If companies do not thoroughly vet these providers, the consequences can be dire.
Steve Richardson, Vice President of Product Management for Fusion Risk Management, recently spoke with Solutions Review on the importance of third-party risk management when creating their data security and risk management plans. Here’s our conversation, edited slightly for readability:
Solutions Review: What are the potential implications for organizations that don’t address third-party risk sufficiently?
Steve Richardson: The implications can be severe. In 2018 alone, large-scale organizations have experienced breaches that affected not only their bottom lines but also their reputations. One incident involved Saks Fifth Avenue and Lord & Taylor, when cybercriminals tapped into an unsecured point of their sales system and stole more than 5 million customer credit card numbers.
In another instance, a customer service vendor for Best Buy, Sears, Kmart, and Delta was hacked via malware and credit card information, addresses, and other personal data of hundreds of thousands of customers was compromised. These incidents, and others like them, have led to negative media attention and customer mistrust – two things any business must avoid at all costs.
SR: Why do you think enterprises are struggling to protect themselves?
Steve Richardson: As organizations look for ways to solve the security problems inherent in many of their business partnerships, they require a system that is tailored to different user experiences and needs which remains accessible for all parties. Unfortunately, many companies aren’t sure how exactly to approach this and end up relying on outdated methods such as spreadsheets and email to track and maintain their risk assessments and third-party relationships.
SR: How can these methods impact enterprises moving forward?
Steve Richardson: Manual processes, spreadsheets, and email are not scalable or sustainable models for managing third-party risk for many reasons. Increased spending with third-parties, new and stricter privacy legislation, and increased media coverage of information security breaches increase the risk a business faces when entering third-party relationships as well as the risks resulting from inconsistent or error-prone assessment processes.
Companies are spending more money—and are relying more heavily—on third parties to manage crucial areas of their business because it can reduce internal costs and cut down on internal hiring and training of full-time employees. While this option may be more convenient, companies must also pay attention to how third-parties protect and store sensitive data as well as address their own risk and compliance obligations.
SR: What else do businesses need to consider when building processes and storing information?
Steve Richardson: Companies must also consider the General Data Protection Regulation (GDPR), which took effect in the European Union (EU) on May 25 2018, and consolidated all privacy laws into one regulation.
GDPR has expanded the privacy rights of individuals in every EU country and has put much stricter rules around how organizations handle the personal data of their customers and employees. GDPR enforcement doesn’t just apply to countries in the EU – but to every company that does business there where European citizens’ data is stored or processed. The broad nature of GDPR makes it even more evident just how much importance people around the globe place on their privacy. GDPR increases obligations for companies to ensure privacy for their employees and customers – which includes a thorough vetting of all third-party relationships.
SR: What steps do you recommend organizations take to build an effective solution?
Steve Richardson: They have to do away with legacy governance, risk management, and compliance (GRC) solutions in favor of an integrated solution that incorporates third-parties in broader risk management and resiliency strategies. The solution must provide third-parties with access to information, due dates, and standardized assessment work-streams through a secure portal designed with ease-of-use in mind.
When an organization brings third-parties into the solution, with shared information and standardized processes, it accomplishes these four things:
- Establishes a higher level of control over vendor relationships.
- Saves time and effort during the assessment process.
- Significantly lowers risk exposure.
- Enables better decisions and improves accountability and oversight.
Vendors can log in and access questionnaires and assessments that address third-party risk, impacts, dependencies, and compliance. This model provides for easier review, scoring, and analysis of that information so organizations can make the most prudent decisions possible about potential third-party risk.
An example of increasing efficiency in the assessment and onboarding process is the automation of the pre-risk assessment procedure that evaluates the vendor’s potential risk tier and determines the level of detail with which the company should vet that potential vendor. Some vendors might be put through a complete assessment because they are handling sensitive customer or employee data, while others might not undergo as intense a process because they are not involved in the processing or storage of sensitive data. Automating much of this activity speeds up the process and lets internal team members focus their efforts on higher risk providers.
SR: What final thoughts, if any, would you share on third-party risk and data management?
Steve Richardson: Today’s business climate is fraught with risk. A company cannot simply have internal risk management and resiliency measures in place and assume they are protected. We have seen time and again that third parties who are not fully vetted, and do not undergo a rigorous risk assessment process, can do as much damage to a company as an internal failure. Accountability does not stop within the walls of an organization – it can extend to a partner on the other side of the world. And, if the security and data management processes of your third-party service providers are not complete, consistent and compliant – then neither are yours.
Thank you again to Steve Richardson for his time and expertise! Steve Richardson is Vice President of Product Management at Fusion Risk Management.