Prevalent-Blog-Logo

Great, yet another blog post about the need to get ready for the European Union's General Data Protection Regulation (GDPR). Wouldn't it be nice if, just once, someone actually helped me deal with GDPR instead of reminding me of all the work I have to do? Well, folks, that is what I'm here to do.

Determining vendor compliance with GDPR requires a fairly rigorous process. It starts with determining what data you provide to or share with your vendors, whether that data is covered by GDPR, and, if so, what requirements attach to that type of data. Vendor contracts must be amended with new language that defines the vendor's role. Since most vendors will fall under the definition of a Data Processor, their responsibilities will be defined by Article 28 of GDPR (note, however, that a vendor can be both a Data Processor and a Data Controller). I could continue with a litany of issues you'll face, but that would only add to your problems rather than help you solve them.

We are continuing to learn more about the breach at Larson Studios, which resulted in the release of 10 episodes of Orange Is The New Black (OITNB) as well as other titles from Netflix, ABC, CBS, and Disney. While the analysis of the event in Variety provides insight into the devastating effects of a ransomware incident, it does not explain how it could have been prevented.

Until recently, only banks really focused on third-party risk, and they did so because their regulators required it. They were then joined by healthcare providers as their regulators also began to require robust third-party risk practices. Most recently, insurance companies have joined the ranks of the third-party-risk conscious, along with other firms whose boards and senior management recognize the risk that third-party service providers create through unauthorized access to customer data and company networks. The Larson Studios incident reinforces the point that assessing data protection and IT security controls at vendors isn't just for industries whose regulators mandate such programs.

On June 7th, the OCC issued a welcome update to its 2013 guidance on managing third-party relationships (OCC Bulletin 2017-21). While much of the guidance addresses issues related to fintech companies, several key areas have received little, if any, previous formal comment from the OCC. This first post in a series will address an area of the guidance that will substantially improve the TPRM process.

The vendor risk assessment is the linchpin of every effective third-party risk management program. In theory, the essential components of an assessment are easily determined. In practice, however, the ability to understand and assess third-party controls effectively usually conflicts with the resources available to perform the assessments, and is further handicapped by pressure to conclude assessments quickly so that contracts can be finalized and projects begun.

All too often this results in assessments whose scope is dictated by resource availability and time rather than by an appropriate review of the required security controls.

The FFIEC issued its general findings from an assessment of over 500 community-based financial institutions this summer. In its November 3rd press release [1], the FFIEC discussed the growing need for tighter cybersecurity measures and indicated that it was already reviewing and updating its existing guidelines for managing cybersecurity risk.

In reviewing recent security incidents at several New York City banks, an article in the October 21st New York Times [1] focused on an ever-recurring theme: the need to closely scrutinize how well a financial institution's vendors protect access to its data and systems. While the theme itself isn't new, the article revealed that the Treasury Department is now engaged in a "sweeping effort" [1] to require banks to tighten their procedures for determining whether vendors are adequately protecting their data and access to their systems.
