2015 LOMA Conference - Third Party Risk Management - Session 20
TRANSCRIPT
Marc S Sokol
Brian C Loutrel
Steve Attias 030915
“A person may cause evil to others not only by his actions but by his inaction, and in either case he is justly accountable to them for the injury.” — John Stuart Mill (On Liberty)
“Sometimes doing your best is not good enough. Sometimes you must do what is required.” — Winston S. Churchill
“One ought never to turn one's back on a threatened danger and try to run away from it. If you do that, you will double the danger. But if you meet it promptly and without flinching, you will reduce the danger by half.” — Winston S. Churchill
“Remember teamwork begins by building trust. And the only way to do that is to overcome our need for invulnerability.” — Patrick Lencioni
“If you take out the team in teamwork, it's just work. Now who wants that?” — Matthew Woodring Stover
IMPLEMENTING AN EFFECTIVE THIRD PARTY
RISK MANAGEMENT PROGRAM
Diverse and Dynamic Environmental Challenges
• Low interest rate yields
• Turmoil in Europe
• Stagnant U.S. economy
• Growing tax burden
• Volatility in certain investment markets
• Growing threat of terrorism by ideological extremists
• Stronger regulatory intervention
• Increased scrutiny by rating agencies
• Increasing velocity, breadth, and capability of cyber-attacks - a single micro
agent from anywhere in the world can have a macro impact to any
company/sector – it’s not a matter of if, but a matter of when
• Natural disasters concurrently affect multiple geographical regions and
multiple critical infrastructure sectors (Super-Storm Sandy)
• Managing brand and reputation in a social media “viral” world
• Maintaining and satisfying the demands of more empowered, better-informed,
and less loyal customers may even be a greater challenge
• Sustained pressure to contain expenses on non-revenue generating areas
Do Any of These Business Challenges Sound Familiar?
• “We’ll do the due diligence after we have selected a vendor”
• You get a call from a business area and it's 4:30pm on a Friday. You hear, “We selected a vendor for this super-duper critical business initiative and need to sign the contract by the end of next week, can you complete all your due diligence by Wednesday?”
• “The vendor says that none of our peers have ever asked or required any of this!”
• “Where exactly is our data stored? Multi-tenancy cloud environment? Encrypted by whom?”
• Have you considered how we get our data back or destroyed if we terminate the contract?
• “I can bypass that process, the cost of the contract is under $100k!”
• “Don't worry, the lawyers will negotiate the contract terms”
• “Who’s going to administer and approve access to the services (Adds/Moves/Terminations)?”
• “The contract requires them to do it!” or “The Law requires them to do it!” so “they must be doing it!”
• “The vendor is XYZ certified! They have a SAS70!” “All our peers use them!”
• “Do we really need to make our vendor answer “our” questionnaire? It will take them too long!”
• “The process is too onerous!” “Let’s just sign the contract!”
• “Don’t worry, they don’t have access to any regulated Privacy Data, financial data, or credit cards”
• “Don’t worry, they just administer the HVAC system in our data center!”
• “Can I get an exception to policy?” and then you hear when the SHTF, “Law, Security, and
Compliance reviewed it, I don’t know how this could have happened!”
• “Who’s your boss?”
The Growing Cyber Threat Is a Business and Technology Issue
(Diagram slide; items grouped under the original column headings)
WEAKNESSES
• Lack of Governance, Myopic View (Organizational Conflict of Interest)
• Inadequate IT Procedures/Admin Errors
• Poor Patching and Configurations of Systems & Architecture
• Weak Identity and Access Management (Network, System, App)
• Weak Policies/Standards
• Poor Application Development/Maintenance
• Unsecure BYOD, Portable Storage and Remote Access
• Insufficient Training, Awareness and Education
• Social Engineering (e.g., Phishing, Spam, Website)
• Weak Controls over Third Parties
• Too much reliance on weak authentication (passwords)
• Tone at the top (Lack of Investment, Support)
• Lack of logging and monitoring to detect problems
• Trusted Third Parties (Upstream/Downstream)
CONSEQUENCES
• Regulatory Compliance & Financial Penalties
• Privacy Breaches
• Errors / Omissions
• Reputation
• Business Interruption
• Errors in Financial Reporting
• Fraud (internal or external)
EFFECTS
• Monetary Losses
• Other Impacts & Foregone Income
• Financial Losses
• Loss or Damage to Assets
• Legal Liability
ACTORS (Targeted or Opportunistic)
• Non Nation-state
• Ideological Extremists
• Organized Crime
• Nation-State (APT) and Cyberwarfare
• Criminals (High ROI, Low Conviction)
• Disgruntled Employees
• Former Employees
• Employees (Unintentional)
Velocity and capability of attack: a micro-agent can have a macro impact from anywhere in the world; powerful attack tools are readily available (keyloggers, rootkits, worms, browser exploits, application exploits, botnets, malware, etc.)
What Does Case History Say?
• Many breaches originate with 3rd party partners
• Security firm Trustwave analyzed 450 data breaches in 2013 and discovered that nearly two-thirds of the breaches were tied to third-party IT providers
• Bitsight, a security rating company, examined 20 retailers in 2014; 33% of the breaches came from a 3rd party vendor
• Target - the company that serviced HVAC systems in Target's headquarters was reported as the source of the breach.
• Goodwill - its investigation concluded that malware on systems belonging
to an unnamed third-party provider was to blame for the breach.
• Home Depot - The home improvement giant said in a statement that the
criminals that attacked the company’s network first gained access to the
“perimeter” of Home Depot’s network.
• Bank of America - via ClearForest, a Thomson Reuters company based
in Tel Aviv
What Vendors Could Be “Leaking” Your Data?
• IT Firm
• Shredding Company
• Accounting Firm (External Auditors)
• Insurance Agency/Insurance Provider
• Cleaning Company
• Payroll Provider
• Workers’ Comp Provider
• Employee Screening Drug/Alcohol Company
• Security/Alarm Company
• Copier Leasing Company
• Vending Machine Company
Third Party Risk Categories*
1. Financial Condition - Assess the financial condition to evaluate growth,
earnings, cash flows, unfunded liabilities, and other factors that may affect the
third party or subsidiary’s overall financial stability.
2. Insurance Coverage - Verify that appropriate insurance policies are in place
(evaluate also with capital reserves)
3. Legal and Regulatory Compliance - Evaluate the legal and regulatory
compliance program to confirm ability to remain compliant with current and future
domestic and international laws and regulations.
4. Conflicting Contractual Arrangements with Other Parties - Obtain information
regarding legally binding arrangements with subcontractors or other parties,
transfer of risk, potential legal and financial implications.
5. Human Resource Management - Review program to acquire and retain top
talent, availability of training and awareness programs, employee accountability,
etc.
6. Screening, Qualifications, and Segregation of Duties – Assess screening
processes, policies, standards, and procedures, clearly defined roles and
responsibilities, as well as segregation of duties.
* Derived from OCC 2013-29
Third Party Risk Categories* (Continued)
7. Incident Reporting and Management Programs - Review incident reporting and
management programs to ensure there are a clearly documented plan, processes and
accountability for identifying, reporting, investigating, and escalating incidents in a timely
manner.
8. Reliance on Subcontractors - Evaluate dynamics of subcontracted activities as well
as controls on same to ensure the same level of quality and controls exist no matter
where the subcontractors' operations reside.
9. Risk Management – Assess effectiveness of risk management program, including
policy and standards on risk management, executive accountability.
10. Resilience - Assess preparedness efforts and ability to respond to service disruptions or
degradations resulting from natural disasters, human error, or intentional physical or cyber
attacks as well as depth and breadth of their resiliency program.
11. Security and Privacy - Assess physical security and information security programs to
include identification, assessment, and mitigation processes for emerging threats and
vulnerabilities, regulatory landscape, as well as asset and data protection techniques.
12. IT Management of Information Systems - Gain a clear understanding of the
business processes and technology that will be used to support critical operations
associated with any products/services and/or key business operations to be provided,
including how the service will be maintained, the technology to be used, disaster preparedness
and availability, and/or interoperability issues with the company's systems.
* Derived from OCC 2013-29
Multi-dimensional Convergence of Risk Management Resources
(Diagram slide) Third Party Risk Management draws on:
• Security
• Operational Risk
• Finance
• Law
• Enterprise Risk Management
• Business Owner
• Business Continuity
• Compliance
• Human Resources
• Information Technology
Risk Assessment Framework Overview
• Risks evaluated using a three-phased approach:
  • Phase One: Validate risk appetite and determine inherent risk (distressed value)
  • Phase Two: Evaluate key controls and safeguards effectiveness
  • Phase Three: Determine residual risk and evaluate the gap with risk appetite
• Perform for 12 key categories of risk (derived from OCC 2013-29):
  • Financial Condition
  • Insurance Coverage
  • Legal and Regulatory Compliance
  • Conflicting Contractual Arrangements with other parties
  • Human Resource Management
  • Screening, Qualifications, and Segregation of Duties
  • Reliance on Sub-Contractors
  • Risk Management
  • Resilience/Continuity of Operations
  • Security/Privacy (Identify, Protect, Detect)
  • Incident Response, Management, and Reporting
  • Management of IT/Architecture
Inherent Risk → Key Controls and Safeguards → Residual Risk vs. Risk Appetite
Optimized Due Diligence Tools
Due Diligence Questionnaire
Risk Area                              | Multi-Dimensional Risk Review Team | Questions
Finance                                | 2                                  | 12
Legal/Compliance                       | 2                                  | 11
Human Resources                        | 1                                  | 5
Security & Risk Management             | 6                                  | 74 (105 if SaaS)
Information Technology & Architecture  | 1                                  | 19 (21 if SaaS)
TOTALS                                 | 12                                 | 121 (154 if SaaS)
Approach To Assessing Third Parties Should be Risk Based…
Impact tiers:
• Critical (>$10M): Inability to continue business operations, substantial harm to company's reputation, downgrade of rating, material errors in financial reporting, possible closure of business by regulatory bodies, and/or cause material financial losses or fines (at Profit Center and/or Corporation)
• Significant ($5M - $10M): Substantial degradation in business operations, notable harm to reputation and brand, threat of ratings downgrade, financial reporting errors, significant regulatory sanctions, and/or financial losses (at Profit Center and/or Corporation)
• Moderate ($1M - $5M): Degraded business operations, limited harm to reputation and brand, financial reporting errors, moderate regulatory sanctions, fines and/or financial losses (at Profit Center and/or Corporation)
• Low (<$1M): Minimal impact to business operations, no material effect on reputation or brand, minor financial reporting errors (e.g., less than, fines, or financial losses (at Profit Center and/or Corporation)
Due diligence depth scales with the tier, from Full Risk Assessment & Monitoring down to Standard Contract Terms w/ Annual Attestations, across the 12 risk categories:
• Financial Condition
• Insurance Coverage
• Legal and Regulatory Compliance
• Conflicting Contractual Arrangements
• Human Resource Management
• Screening, Qualifications, and Segregation of Duties
• Reliance on Sub-Contractors
• Risk Management
• Resilience/Continuity of Operations
• Security/Privacy (Identify, Protect, Detect)
• Incident Response, Management, and Reporting
• Management of IT/Architecture
Communicating Results using the STAR Method
• Situation: Present opportunities across multidimensional
view prioritized in terms of gap between residual risk
consequence(s) and business defined risk appetite
• Task: What can be done to overcome any material gaps
and better align with defined risk appetite (mitigation,
acceptance*, show stopper)
• Action: Based on task chosen, what action steps
(including accountability/responsibility) must be assured
• Results: Pre/post contract monitoring: Did you achieve
objectives and alignment with risk appetite? Sustaining
level of residual risk through monitoring? Is there Risk
Acceptance Concentration?
* It is ESSENTIAL for the business owner of the third party relationship to
understand that, by accepting the risk, they are taking responsibility should that
loss or impact materialize.
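The risk-based flow of the last few slides (impact tier, due diligence depth, questionnaire scope, residual risk against appetite) as an added Python example; it is not from the presentation. The impact thresholds, questionnaire sizes and category names are the slides' own; the cut-over from full assessment to standard contract terms, the residual-risk formula and the sample vendor are assumptions.

```python
# Added example, not from the presentation: a minimal model of the deck's
# three-phase, risk-based approach. Thresholds, questionnaire sizes and the
# 12 categories are from the slides; the tier-to-path cut, residual formula
# and sample vendor are assumptions.

# Floor of estimated financial impact (USD) -> tier; boundary values go to
# the higher tier (assumption).
IMPACT_TIERS = [(10_000_000, "Critical"), (5_000_000, "Significant"),
                (1_000_000, "Moderate"), (0, "Low")]
FULL_ASSESSMENT_TIERS = {"Critical", "Significant"}  # assumed cut-over
QUESTIONS = {"Finance": 12, "Legal/Compliance": 11, "Human Resources": 5,
             "Security & Risk Management": 74,
             "Information Technology & Architecture": 19}
SAAS_EXTRA = {"Security & Risk Management": 31,
              "Information Technology & Architecture": 2}

def impact_tier(estimated_impact_usd):
    """Phase One: map the business's impact estimate to an inherent-risk tier."""
    return next(t for floor, t in IMPACT_TIERS if estimated_impact_usd >= floor)

def due_diligence_path(tier):
    return ("Full Risk Assessment & Monitoring" if tier in FULL_ASSESSMENT_TIERS
            else "Standard Contract Terms w/ Annual Attestations")

def questionnaire_size(is_saas):
    """Questions the vendor must answer: 121, or 154 for a SaaS provider."""
    return sum(QUESTIONS.values()) + (sum(SAAS_EXTRA.values()) if is_saas else 0)

def residual_gaps(inherent, effectiveness, appetite):
    """Phases Two and Three. inherent: category -> score; effectiveness:
    category -> fraction removed by the vendor's controls (assumed formula:
    residual = inherent * (1 - effectiveness)). Returns categories whose
    residual exceeds the appetite, largest gap first: the prioritised list
    the STAR 'Situation' opens with."""
    gaps = []
    for category, score in inherent.items():
        residual = score * (1 - effectiveness.get(category, 0.0))
        if residual > appetite:
            gaps.append((category, round(residual, 2), round(residual - appetite, 2)))
    return sorted(gaps, key=lambda g: g[2], reverse=True)

if __name__ == "__main__":
    # Constructed sample: a SaaS vendor, $7.5M estimated impact, scores 1..5.
    tier = impact_tier(7_500_000)
    print(tier, "->", due_diligence_path(tier), questionnaire_size(True), "questions")
    print(residual_gaps({"Security/Privacy": 5, "Resilience/Continuity of Operations": 4,
                         "Financial Condition": 2},
                        {"Security/Privacy": 0.4, "Resilience/Continuity of Operations": 0.75},
                        appetite=2.0))
```

A category whose residual lands exactly on the appetite is not reported as a gap; only those above it are, so the business owner's risk-acceptance decision (the footnote above) applies to every entry returned.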
What Are the Critical Steps For an Effective 3rd Party Management System?
• Identify > Measure > Analyze
• Know your assets!!! Can you identify “all” your vendor relationships?
  • Follow the money!
  • Survey
• Multiple risk constituencies must be involved – work together, not in silos:
  • Legal
  • Procurement
  • Security
  • Business Resiliency
  • Enterprise Risk
  • Lines of Business
• Make risk-based decisions on what to review, considering:
  • Data Toxicity
  • Data Volume
  • Geographic/Geopolitical issues
  • Criticality to business operations
• Ongoing management (compliance to contracts)
What About the “Cloud”?
• Well, what about it?
• Lots of security and privacy hysteria!
• We think of it as another form of outsourcing
• Due diligence is very similar
• The catch: Contracting!!
• T&C’s aren’t always negotiable (Microsoft)
• Right to Audit – can be difficult – and you can understand why
• Looking for more certification from reputable 3rd parties (ex: CSA)
OPEN DISCUSSION AND QUESTIONS????
• Marc S Sokol, CISM, CHS-III @ [email protected]
• Brian Loutrel, VP CCO NY Life @ [email protected]
• Steve Attias, VP, CISO NY Life @ [email protected]