By Hilary Jewhurst, Head of Third-Party Risk Education & Advocacy at Venminder
This past year was an eventful one for the third-party risk management (TPRM) industry. New headlines seemed to appear each month that brought attention to third-party risk, whether it was a significant cybersecurity event, like the MOVEit data breach, or the ongoing discussion of the potential risks and rewards of artificial intelligence (AI). The mid-year release of the Interagency Guidance on Third-Party Relationships: Risk Management was perhaps the most obvious reminder of the increased regulatory focus on TPRM.
We’re going to review some of the lessons learned from the past year’s events and look forward to some best practices for 2024.
Significant TPRM Events of 2023 and Lessons for 2024
The following list of events highlights a few TPRM trends that are worth exploring in greater detail. Although we can’t predict what 2024 will bring, TPRM leaders can stay informed of these trends and determine how to implement these best practices into their programs.
Release of Interagency Guidance on Third-Party Relationships: Risk Management – The OCC, FDIC, and Federal Reserve released the final guidance in June, which brought a unified approach to TPRM best practices. The guidance offers a clear framework for how an organization should manage its third-party relationships, such as identifying critical and high-risk vendors and having awareness of subcontractors that can elevate risk.
MOVEit Data Breach – Thousands of organizations in the U.S. and abroad were impacted by the MOVEit data breach, either from using the software directly or being indirectly exposed to it through a third- or fourth-party vendor. The situation unfolded in June, but victims are still coming forward months later, indicating that this incident may not be resolved anytime soon.
Emerging Risks of AI – As AI continues to evolve with new possibilities, many experts are reminding business leaders to acknowledge the potential risks such as data manipulation and hard-to-detect automated cyberattacks. Because AI is changing so quickly, the Biden administration even released an executive order to promote new standards for the safe and secure use of this technology.
TPRM continues to be a growing topic and 2024 will no doubt bring new regulatory expectations that will influence best practices across all industries. Third-party cyberattacks and data breaches will likely continue to grow in complexity and occurrence, so it’s important to have a strategy in place to respond and limit their impact to your organization. Staying aware of new risks and industry trends will help protect your organization as we head into a new year.