Shared Assessments held its inaugural international roundtable in London this week, and I was very fortunate to be able to participate. The event was attended by leading financial services firms and service providers. It was put together by the Shared Assessments International Subcommittee, headed by Shared Assessments member Lin Lu, Americas CISO for Deutsche Bank, and sponsored at their London offices. The inaugural event highlighted the need for educational and standards leadership by Shared Assessments in the UK region.
While many Shared Assessments members are global firms, the program itself has been primarily focused on the United States. The conversation was excellent and extremely timely given new regulations and changing privacy requirements for both US and European firms. In fact, on the very day of the event, Safe Harbor was effectively struck down, allowing more oversight by European regulators over data being sent to the US.
There were multiple discussion threads, including the goal of building efficiencies and reducing costs, key regulatory bodies important to European firms, the difference between managing security and compliance for third parties, and stakeholder involvement which may differ based on data governance rules locally. A couple of topics really stood out as important areas of focus for the UK third party risk community, including what people deal with from a localization and language perspective; and security frameworks appropriate for a European audience.
Everyone agreed that English was seen as a universal language standard for communicating with third parties when requesting information about security controls. The consistent agreement was that a separate toolset (SIG/AUP) in other languages was not necessary to support a global audience. However, it was interesting that responses to vendor requests sent in English (as well as evidence in support of controls from vendors) are generally returned in the local language of the firm being assessed. While this generally depends on the size of the firm and the language spoken locally by the security team, it was apparent that there is a major disconnect and that the responses often require translators on both sides. Additionally, responses are often hindered by a telephone game in which English is translated into the local language, answered in the local language by the vendor, and then translated back into English by the receiver. These multiple translations often lead to errors in understanding the responses and could impact overall control validation. Several participants mentioned this issue, especially when dealing with responses from vendors in Japan.
It was also interesting that the frameworks being discussed in the US to help firms meet their needs, such as the NIST Cybersecurity Framework, and attestations such as SOC 2 are not generally part of the European discussion. ISO certification as well as local regulatory guidance seemed to play a more important role. However, there was discussion that ISO certification itself did not meet the needs of the banks and financial services firms, as regulators continue to push them to prove that they themselves have reviewed the controls.
Scaling and cost containment given the issues identified above seem to be a difficult challenge; however, I believe Shared Assessments and Prevalent can play a significant role here. First, the combination of the SIG and AUP offers a scalable, procedure-based control validation that can be performed by both CPA and consulting firms to provide a validated reporting mechanism without dealing with the translation issues, offering better validation to regulators, and offering ISO as well as other mappings that are important to a European audience.
The ability to automate the assessment and collection process with localized language support (to scale) also becomes an important aspect of the discussion. The combination of content, automation, and threat intelligence provided by Shared Assessments and by Prevalent Vendor Risk Manager and Prevalent Vendor Threat Monitor allows global firms to scale from the smallest to the largest vendors, offering control visibility, regulatory transparency, and continuous monitoring while focusing on the intended goal: risk reduction.
The roundtable ended with agreement that the participants in the room would form the kernel of what will become a more localized, European Shared Assessments effort. This might include regional meetings, member forum calls, and potentially a European Shared Assessments Summit. I am extremely excited about the prospect and look forward to additional participation as a member of the Steering Committee and as a licensee of the program. Thank you to all who supported the effort and participated.