top of page

Search Results

813 items found for ""

Events (156)

View All

Blog Posts (37)

  • Optimizing Third Party Contractual Agreements

    This blog was inspired by the meeting facilitated by Julie Gaiaschi, CEO & Co-Founder of TPRA, at TPRA’s November 2024 Practitioner Member Roundtable. (To watch the full presentation, TPRA Members can visit our Previous Meetings page  and navigate to the November 2024 meeting recording noted on the On Demand tab.)   Being a TPRM practitioner means being vigilant and prepared for third party risks. A way to ensure that you are creating a strong risk management foundation is through strategic planning and careful oversight of contractual agreements.   With contracts, it is important to know that they do more than just set up relationship expectations. For TPRM practitioners, understanding their full purpose and how they can limit an organization’s impact on risk is essential for successful risk management.   In this blog, we will cover:  The Purpose of Contracts  Note Several Types of Contract Risks  Discuss How We Can Address Contract Risk  Provide Tips on the Right to Review vs. Right to Audit Clause  The Purpose of Contracts  Contracts not only establish and document relationship expectations but also help ensure proper risk management. Here’s how:  Contracts allow TPRM practitioners to obtain necessary evidence items to  complete their assessments . A best practice is to include a clause that notes the third party will respond to questionnaires from time to time, as well as provide evidence items in relation to this agreement upon request.  Contracts can ensure that  due diligence   findings  are  addressed  in a timely manner. For example, if high-risk findings are discovered during the pre-contract phase, then it is best practice to have clauses noted in the contract in relation to the remediation of said high-risk findings.  Contracts can establish  non-compliance triggers  in the event a third party fails to meet its obligations under the agreement. Many contracts only have a clause to terminate the relationship if it fails to meet your organization’s expectations, which is not always feasible or desired by the organization. Instead, have a step-by-step course of action noted within the agreement in the event the third party fails to meet obligations. This will help ensure progress is made and provide more teeth to the contract than just terminating the third party. Non-compliance triggers may include, but not be limited to:  Withholding payment of the next invoice should the third party not provide your organization with necessary documentation within a defined period of time and in order to perform TPRM reviews.   Performing an onsite visit if the third party is not making cadence on the remediation of confirmed findings.   The third party assisting with the transition of your organization’s data from the third party’s data center to another data center of your organization’s choosing should the onsite visit result in additional confirmed findings, as well as limited remediation of current findings.  Contracts reflect an organization’s risk tolerance . For example, you can establish parameters on specific expectations such as the time it should take your third party to patch a critical/high/medium-risk vulnerability. You can also set key performance indicators related to specific activities, such as responding to inquiries.  Contracts can allow for a smooth transition away from a third party by ensuring that verbiage around termination timelines and expectations is included. In addition, the contract can be used to keep track of what logical and physical access is provided to the third party to ensure that it is terminated promptly.  What Is Contract Risk?  Contract risk is the possibility of a risk arising when a contract is created. There are different types of risks to be aware of that should be discussed during the pre-contract phase, including but not limited to:  Not including specific control expectations  within the agreement, or a separate addendum, that will ensure your data is appropriately safeguarded and your organization’s strategic objectives are met. For example, if you are working with a critical- or high-inherent risk third party, make sure that you call out at least your top 10, 15, or 20 information security controls that you expect them to have in place before you send them any data.   Not including/reviewing sufficient contract terms . It is important to make sure that you are at least reviewing what the third party is redlining or approving in your contract. In addition, compare it to what you are reviewing from an assessment perspective.   Not including safeguards  within the contract should a third party risk be realized. This would include things like incident response, breach notification, or non-compliance triggers.   Not reviewing contract templates on a regular basis to incorporate emerging risks related to performance risk, termination and transition risk, intellectual risk, artificial intelligence risk, cost escalation risk, insurance risk, and so on. With this, it is important to understand where potential risks can arise and have a discussion on these topics to minimize the extent of each risk.   Addressing Contract Risk  Now that we have discussed the different ways contract risk can arise, here are a few ways to address said risk.    Contract risk can be addressed by working closely with Legal and Procurement teams  to ensure contracts align closely with your organization’s risk management strategy, including its risk appetite.   Have templates for cybersecurity requirements  drafted to ensure they provide sufficient coverage of key controls. This should not be an exhaustive list of controls, but your top 10 to 20 controls need to be in place in order for you to send data to the third party. Furthermore, templates should detail appropriate remedies (non-compliance triggers) if and when the third party fails to meet its obligations under the agreement.  Include expectations for participating in risk assessment activities (i.e., responding to questionnaires and providing evidence items upon request).   TPRM practitioners should have a seat at the table when reviewing redlines  within specific clauses related to cybersecurity terms, as well as terms that would allow a practitioner to perform their duties (such as a “Right to Audit or Review” and/or “Termination” clauses).   Practitioners should ensure any  high-risk findings  noted during the pre-contract due diligence phase are  noted within contractual terms . Practitioners should work closely with legal counsel to ensure that the contractual language is clear, specific, and enforceable.  Tips on the Right to Review vs. Right to Audit Clause  Typically, the “Right to Audit” clause allows an organization to “audit” the third party once per year. Historically, this clause was specific to Internal Audit. Over time, TPRM programs have adopted this clause to perform their annual due diligence assessments.  However, the clause does not provide flexibility or allow for the depth needed to perform continuous monitoring of the third party.  A tip for ensuring your organization can review the third party on a regular cadence (more than once per year) is to include a "Right to Review" clause within the cybersecurity addendum and in addition to the "Right to Audit" clause usually noted within the Master Services Agreement (MSA).  A "Right to Review" clause may include language such as "The third party may be required to complete due diligence questionnaires and/or surveys from time to time and shall respond to such questionnaires and surveys no later than the due date, as defined within this agreement. Upon request, the third party shall provide evidence to support responses to such questionnaires and surveys. Failure to do so may enact escalation procedures and/or non-compliance triggers noted within this agreement.”  When compared to the “Right to Audit” clause, the “Right to Review” clause is specific to ensuring that your security addendum is being executed appropriately.  Conclusion  Incorporating comprehensive contractual safeguards is essential for TPRM practitioners aiming to mitigate third party risks effectively. By understanding contract risk, organizations can establish strong contract clauses that protect against potential liabilities and align with their organization’s risk tolerance.  Resources:  AI/ML Questionnaire   Guidebook

  • Achieving Third-Party Risk Management Program Compliance With Vendor Collaboration

    Maintaining a compliant third-party risk management (TPRM) program involves active collaboration between multiple stakeholders. Compliance isn’t just an objective but a shared responsibility throughout your organization, from senior management and the board of directors to the business lines and vendor owners. Vendors themselves also have a responsibility to comply with TPRM policies and regulations, so it’s crucial to develop a strategy that involves effective collaboration.   In this blog, you’ll learn some tips on collaborating with your vendors to achieve compliance in your TPRM program. You’ll also learn some next steps to take when a vendor is creating challenges in your compliance efforts.  How to Achieve Third-Party Risk Management Compliance Through Vendor Collaboration  TPRM program compliance involves more than just reacting to specific laws and regulations. It's about being proactive and considering internal policies, rules, and industry best practices that are designed to maintain effective TPRM programs. Below are some proactive strategies to collaborate with your vendor and achieve TPRM program compliance across multiple expectations and standards:   Set a culture of compliance – In order to effectively set expectations for your vendors' compliance, it’s advisable to first establish your organization's values and practices for your TPRM program. Organizations should communicate priorities internally to foster a culture of compliance that’s clearly understood and endorsed by all stakeholders. Once this culture has been established, it can be more effectively conveyed to your vendors, leading to smoother collaboration and program compliance.  Follow up on due diligence –   Compliance issues are usually identified during the due diligence process as you collect and review the vendor's documentation. Follow up on any issues that were found and ask for clarification or more information as needed. In some cases, the vendor may have additional documentation that can verify its compliance with your expectations.  Negotiate a compliant contract –   Make sure to include contract provisions that require both parties to comply with applicable laws and regulations. These provisions could relate to areas such as data protection, privacy, and breach notification requirements. Contract provisions could also outline any internal compliance requirements set by your organization, such as following your corporate policies or industry standards.  Communicate early and often  – Don’t assume that your vendor is staying updated on changing regulatory expectations and industry standards. New state privacy laws continue to emerge, and cybersecurity standards are revised to address new vulnerabilities, so it's essential to frequently communicate your expectations to ensure the vendor is aware of relevant changes and is updating their processes as needed. This ongoing communication is key to building a collaborative partnership.  Work together on remediation –   Just like compliance should involve vendor collaboration, so should remediation plans. Whenever there are issues with compliance, work with the vendor to develop a remediation plan that’s actionable, effective, and time bound. Vendors may be more responsive to requests for improvement if they collaborate on the remediation plan and can identify any roadblocks to success.  Addressing Challenges With Vendor Compliance  It’s not uncommon to face compliance challenges with vendors who might have different strategic goals and priorities. Some vendors may choose to do the bare minimum in compliance and only meet applicable laws and regulations. Here are some suggestions for handling a vendor that isn’t collaborative in your compliance efforts:  Talk with the vendor – First, sit down and have a conversation with the vendor about any issues to better understand their perspective. There may be a misunderstanding about a certain requirement, or they may not have the resources to meet your expectations. These conversations can help clarify your compliance goals and determine if you and the vendor can work toward an improvement plan.  Document issues and progress – Make sure to document any com