
  • Five Activities Overlooked When Progressing Your Third Party Risk Management Program

    It comes as no shock that a focus on data security continues to rise with the increased number of breaches that occur as a result of organizations' third parties. While programs come in all shapes and sizes, the following five activities are often missed when creating or progressing your Third Party Risk Management (TPRM) program.

    1. Inventory your assets.

    The first step to protecting your assets (i.e. data) is to know where and what your assets are, yet many organizations struggle to understand this key component. Keeping an accurate and up-to-date inventory of not only your third parties, but also what data you send to them and where it resides, is helpful in better understanding how your assets are being protected. Without this list, it is extremely difficult to know what third parties have access to your company's information.

    With regards to obtaining an inventory of your organization's third parties, you can always start with Accounts Payable to see who you are paying and review your organization's contracts. You can also leverage software discovery tools to better understand what software your employees may have purchased or are using (as there are contracts in the form of click-through agreements tied to the software). Last, you can review inventories that may already exist within your business areas (especially if you do not have a centralized Procurement process).

    With regards to an inventory of your data and where it resides, you can include questions within your risk assessments to determine what data will be/is being sent to your third parties, as well as where it resides within their organizations. You will also want to ask your third parties if they are sending your data to other organizations. You will then want to take this information and input it into a central repository of some sort. An example would be an Excel spreadsheet with the third party's name, the type of data they have access to and/or host, the location of said data (where it resides), and the medium or format it resides in. This is particularly helpful if you are terminating a relationship with a vendor and need the third party to return and/or destroy your data, or if said third party experienced a breach. Inventorying your assets, the location of your data, and your third parties are good first steps to ensuring you better understand your risk posture.

    2. Centralize documentation.

    There are many factors within an organization that contribute to the difficulty of finding and/or maintaining appropriate documentation. Much of this is due to the organic nature of organizations and the challenges of organizational silos. For example, your Legal and Supply Chain teams may use one repository for all contracts, but other groups in the organization may not have access to said repository. Other teams may use different applications for the same activity. Another example is that the business may request documentation from a third party; however, a Third Party Security team may request similar or different documentation from that same third party. With documentation in several locations, this can lead to transparency issues, as well as create an inconsistent and frustrating experience for a third party. Maintaining a comprehensive inventory of third party documentation can help alleviate some of these issues, while also ensuring your organization understands all of the products/services and controls needing to be reviewed for a third party. A central documentation repository will also save time and resources during the risk assessment process. While there is no one right solution for every organization, there is value in ensuring documentation is centrally maintained.

    3. Assess risk based on organizational risk appetite.

    The risk assessment is likely the most varied item in the third party risk review process between different organizations. While some organizations may have as few as ten questions, other organizations may have 2,000 questions. If you have worked in a risk-related field for any length of time, you are most likely struggling with this question: What is the right number of questions? Unfortunately, there is no right or wrong answer to that question. Having a good understanding of what is important to your organization is a key step in determining what questions you should ask in your assessment. As an example, Financial organizations may have a completely different set of questions and care more about certain items compared to Healthcare organizations. The key is to determine what risks your organization is not willing to accept and focus your questions on those key areas. You may also want to add weight to these questions when assessing the risk of your third parties. This will ensure you are evaluating the right level of risk based upon your organization's risk appetite.

    4. Educate your executives.

    Having executive leadership's buy-in and support is critically important to ensuring you maintain an effective Third Party Risk Management program. But where do you start? Education is key and will ensure your executives have a working knowledge of the third party risk assessment and oversight process. Start with one executive who can be your champion and meet with him/her on a regular basis to ensure you have buy-in. Think outside the box when approaching your other executives. One example is holding a Third Party Risk summit strictly for your executives. This could be a two-hour event where you go through the risk assessment program, why it's important, how it saves your organization money and resources, what risks are trending (where your third parties fall short), and why you need their support. Without leadership support, any third party risks you discover may not be addressed at the appropriate level and may ultimately put your own organization at risk.

    5. Sync for collaboration.

    Almost every department within your organization will require the services of a third party at some point in time. However, if there is no collaboration between the Third Party Risk Management function and the business, risk assessment efforts may be duplicated across the organization or risks may not be assessed at all. Therefore, it's helpful to sync third party efforts and activities across departments. After all, your business is the risk owner and is responsible for understanding and managing the risks related to its third party relationships. When syncing third party risk management activities, you may find a better outcome if you meet with your business departments to determine what third party processes already exist. You can then tie your own third party risk management efforts into their existing processes (for example, if the business is already meeting with a third party regularly, you can work with their schedule to risk assess said third party). This method does not always work if there are limited third party processes within the organization. You can also take the approach that your team will help alleviate some of the risk management work from the business and bring them in to discuss risks your team discovers. Your business can also keep you updated when there are changes to the relationship with the third party (for example, ownership changes, leveraging new products/services, or sending additional data). There is also a huge benefit to ensuring you maintain collaboration with your business partners. Collaboration can ensure you understand the evolving nature of third party relationships and also ensure your business understands the risks they are accepting on behalf of the organization.

    Conclusion.

    While the third party risk management space is not new for many, it is becoming increasingly important as business processes and data continue to be diversified. Having a good hold of the risk your organization takes on by being in a relationship with third parties can ensure you mitigate said risk appropriately. Identifying and addressing gaps in your program, such as the ones noted above, can allow your organization to continuously improve upon your risk mitigation techniques.

  • Managing Third Party Contractual Disruptions Caused by COVID-19

    Based off the TPRA May 2020 presentation from Nyemaster Goode Law Firm. Disclaimer: The following information does not represent legal advice. If you have specific questions concerning specific circumstances, please consult your attorney.

    Many questions have recently come up regarding improvements that can be made to contracts as a result of COVID-19. The TPRA recently held a Practitioner Member meeting that addressed some of the contract enhancements that can be made, specifically to the Force Majeure contract clause. Per Nyemaster, "Force majeure is a contractual remedy that, under certain circumstances, excuses the nonperformance of a party when the failure to perform is caused by a “fortuitous event” that makes performance impossible." COVID-19 may be considered a Force Majeure event, but it truly depends on the actual clause noted within each specific contract.

    The first question to ask yourself is "Does my contract include a Force Majeure clause?" The event causing the disruption must be included in the Force Majeure clause and must excuse the party from performing services. Nyemaster suggests using specific language and limiting use of "catch-all" terms.

    Specific events to insert into your clause can include, but are not limited to:
    - Pandemic/epidemic
    - Government order, law, or actions
    - National or regional disaster or emergency
    - Material or equipment shortages

    Catch-all terms to limit and/or remove include, but are not limited to:
    - “acts of God”
    - “including without limitation”
    - “other events beyond the reasonable control of a party”

    Nyemaster explains that courts look narrowly at the Force Majeure clause. Since the burden of proof is on the non-performing party, it is important this clause contain specific information about events that could result in non-performance and what non-performance actually means. The type of evidence a court could ask for may include, but is not limited to:
    - Evidence that the event was unforeseeable
    - Proof of causation between the event and the nonperformance
    - What the performance standard is (e.g. impossibility, impracticability), and whether the performance standard is subjective or objective
    - Whether the clause is unilateral or bilateral (which party does it actually protect)
    - Whether there are multiple Force Majeure clauses in the contract
    - Whether there are any carve-outs or exclusions (e.g. payment obligations, macroeconomic conditions, delays due to subcontractors)
    - What the contract’s governing law provision is
    - Notice requirements
    - Mitigation requirements

    Nyemaster also warns that there could be consequences when declaring Force Majeure, namely:
    - Anticipatory repudiation
    - Termination of contract or suspension of counterparty performance
    - Rate changes
    - LITIGATION

    Lastly, if your contract does not have a Force Majeure clause, Nyemaster suggests other alternative contractual provisions and/or common law defenses that could act similarly to a Force Majeure clause. Examples include, but are not limited to, the below.

    Alternative contractual provisions:
    - Change in Law
    - Dispute Resolution
    - Termination for Convenience

    Common law defenses:
    - Impossibility: Performance is no longer possible because of a supervening event.
    - Impracticability: A supervening event changes the inherent nature of performance to be more difficult, complex, or challenging, contravening a basic assumption of the parties' agreement. As a result, the cost of performing increases excessively and unreasonably.
    - Frustration of Purpose: One party's known principal purpose for entering a transaction has been destroyed or obviated by a supervening event. Performance remains possible, but is excused when one party would no longer receive the expected value of their counterparty's performance.

    To hear the full presentation provided by Nyemaster around the topic of Force Majeure and other contractual issues to consider, TPRA Members can visit the "Previous Meetings" playback page and re-listen to the May 2020 meeting.

  • Not All Third Party Relationships Are Created Equal

    Guest Author: FortifyData

    It has become apparent that it is no longer sufficient for businesses to only secure their internally controlled infrastructure and services. They must also diligently evaluate the security policies and procedures of their third parties. Organizations interact with each of their third parties in different ways, and frankly, some are more critical to daily operations than others. And while every third party your organization partners with introduces some risk into your organization, when managing that risk, it is important to have the ability to prioritize the risks most relevant to your business, as well as focus remediation efforts on the most critical issues.

    Accuracy

    First-generation scoring platforms don’t offer customization on how each third party influences the inherent risk for your organization, so the resulting score is more generalized. In addition, these platforms simply conduct passive assessments using open source intelligence data available over the internet. Only next-generation platforms that perform passive assessments, as well as active but non-intrusive infrastructure and web application assessments, provide the most comprehensive and accurate representation of risk.

    Efficiency

    A lack of score accuracy results in your team using precious man-hours and resources working to mitigate less important risks. For example, you may be willing to tolerate more risk from one third party than you are from another one, based on the impact of that particular third party to your business. Therefore, time will be better spent focusing on that third party than draining resources on the other, less critical ones. The more accurate your score from a next-generation risk management platform, the more efficient and effective your risk management program will be. The ability to categorize and prioritize the third-party risk mitigation tasks most important to your organization sets up your IT and/or security team for success.

    Relevancy

    In addition to being able to configure which risks are most relevant to your organization and determine how much risk you are willing to accept given your relationship with each third party, you must also consider how current the data is that you are reviewing. If third-party risks are not being actively monitored in near real time, you could be wasting time focusing on old data that is no longer relevant. An ever-changing threat landscape requires continuous monitoring to ensure the overall risk status is accurate.

    Conclusion

    The success of your third-party risk management program is based on three components: accuracy, efficiency and relevancy. Having the capability to categorize your third-party relationships is fundamental to understanding and effectively managing the risk each one introduces to your organization. You can only achieve this understanding with a next-generation third-party risk management platform that allows for configuration and continuous, near real-time monitoring in order to produce the most relevant view into your organization’s inherent risks. These features result in the ability for your team to use their time wisely by prioritizing the most crucial mitigation efforts.

    TPRA Disclaimer: TPRA does not endorse or sponsor the products/services of one particular TPRA vendor member; however, we do communicate training opportunities and vendor offerings provided by our vendor membership for the benefit of the community.

  • Finding Gaps in Third Party Risk Reviews

    Many have questioned the value of a third-party risk questionnaire. How much information can you really glean from a questionnaire anyway? Especially since organizations want to look good and will frequently answer in the affirmative. The following is a list of adjustments Intermountain Health has made to our process to improve our security and decrease risk with vendors.

    Early on in our third-party risk journey we likely had a similar experience to most other teams. We created a questionnaire with yes, no, or not applicable answers. But there was one slight problem… Everyone was answering yes to everything. How could our questionnaire have value with only yes and no options?

    The value of adding the answer choice ‘partial’.

    As a result of vendors always answering “yes”, we had a few key follow-up questions we would ask. One of them was to ask for a ‘high level overview’ of the process they claimed to be following. What we discovered was that the process was either only partially followed, or the vendor was beginning to implement the process and therefore answered yes. Because of this realization, we decided to add a ‘partial’ option to our multiple-choice questions. This resulted in vendors better explaining their process. We found that simply offering the “partial” answer choice gave us better insight into the maturity of a vendor’s process. It also provided an avenue into further probing on topics that we deemed important to our organization.

    Compare what is said to what was said last time.

    Another change we made was to more closely compare the current questionnaire responses from a vendor to past responses from the business owner and the vendor. Key questions we ask and compare are with regards to data flows, data storage, and current products and services provided. This has led to the discovery of several items, such as data being stored offshore (which is against our standard) and products in use that currently do not have a security review completed. So, while we are still asking the same questions, we now have a baseline to work from and can determine if there are discrepancies that need to be addressed.

    Business visit and demo. Compare what is said to what is done.

    An additional change we have found beneficial is to visit with our internal business partners using the product. Although it has taken additional time, it has served us well, as we have learned of process changes and additional data being sent to a vendor. In some cases, we found processes have changed compared to what was originally reviewed. These changes are then taken into consideration the next time we perform an assessment of the vendor. We also found cases where sensitive information was being uploaded to software that was not originally documented or approved. These visits also assist with questionnaire validation, and we have found instances where vendor responses contradict the actual process and/or service provided.

    In short, a few strategies we have found beneficial include adding a “partial” choice within the vendor questionnaire, comparing questionnaire responses to past conversations with the business and vendor, and reviewing user-level processes and documentation provided by the vendor. While these enhancements have added a few extra steps to our assessment process, they have exposed additional vendor risk not normally discovered with the completion of a questionnaire.

  • COVID-19 Supplier/Vendor Impact

    Due to restricted travel and quarantine zones, global supply chains are being disrupted. Per Forbes, this is also resulting in a downturn of consumer demand (e.g. travel, tourism, conferences, etc.). Organizations are slow to respond, as sufficient testing has not been completed regarding pandemic plans. So what should you do? In today's TPRA Practitioner Meeting, we discussed steps you can take to evaluate the impact COVID-19 has/will have on your vendors/suppliers. Below are the highlights.

    First, you need to understand the impact COVID-19 has on your own organization.
    - What are your critical processes and/or products? Does a vendor perform pieces of your critical processes or supply raw materials for your critical products?
    - Do you know the locations of your suppliers? Do you know the locations of your supplier’s suppliers?
    - Have you enacted your own pandemic plans?

    Next, are you determining if your vendors/suppliers have sufficient pandemic and recovery plans in place?
    - Create a task force to review critical vendors and/or suppliers.
    - Map out where your vendors/suppliers are located. You will need to understand where their critical suppliers are also located.
    - Once you have a list of vendors and suppliers critical to your business, begin understanding if they are prepared for and/or have been impacted by the pandemic. Are they in a quarantine zone?
    - If they are prepared, ensure you are communicating with your vendors/suppliers the change in the demand for your organization’s products/services.
    - If they are less prepared, determine if you need to plan for alternate sourcing. Quickly work through due diligence and contracts for alternate sources.
    - If you do not have them already, set key risk indicators to alert you if things change with one of your vendors/suppliers. (You can start with contract SLAs and response time.)
    - Ensure you and your vendor/supplier have a strong communication plan regarding updates on future impact.
    - Be compassionate. Every organization will be impacted by COVID-19 in one way or another. Offer to help those that need it if you can.

    How can you determine if your vendors are prepared?
    - Create a set of questions you can use to determine if your vendors/suppliers are prepared for a pandemic and/or if they are impacted by COVID-19.
    - Reach out to your vendors/suppliers via email or phone (depending on criticality) to determine their preparedness and/or impact.
    - Review responses to determine next steps. You may want to form a committee to assist with this piece.
    - Ensure you have an escalation plan when unfavorable responses return.

    For TPRA Practitioner Members, the TPRA has prepared a set of questions for you to consider. This questionnaire is available in an Excel format on the Information Sharing site within the Members Only section of our website. The document is titled "COVID-19 Readiness Questionnaire - TPRA Created".

    Author: Julie Gaiaschi, TPRA CEO & Co-Founder

  • TPRA Blog

    Welcome to the TPRA blog site! We hope to post regular blogs from subject matter experts on topics that you want to hear about. Be sure to check back regularly! If you would like to be a contributor for one of our blog posts, please email your blog idea to info@tprassociation.org. Thank you! #TPRABlog #ThirdPartyRisk
