Interagency Guidance on Third-Party Relationships: Preparing for Compliance

2. Due Diligence and Third-Party Selection

Once a third party has been identified, it is essential to conduct thorough due diligence before selecting and entering into a contract. The Proposed Interagency Guidance on Third-Party Relationships suggests that due diligence should include assessing a third party’s ability to perform the activity as expected, adhering to policies, complying with all applicable laws, regulations, and requirements, and operating in a safe and sound manner.

Success that this stage requires assessing and monitoring third parties based on the extent of threats to information assets by capturing, tracking and quantifying inherent risks. Criteria used to calculate inherent risk includes:

• Type of content required to validate controls
• Criticality to business performance and operations
• Location(s) and related legal or regulatory considerations
• Level of reliance on fourth parties (to avoid concentration risk)
• Exposure to operational or client-facing processes
• Interaction with protected data
• Financial status and health
• Reputation

From this inherent risk assessment, your team can automatically tier third parties; set appropriate levels of further diligence; and determine the scope of ongoing assessments.

3. Contract Negotiation

The Proposed Guidance recommends reviewing existing contracts periodically, particularly those involving critical activities, to ensure they continue to address pertinent risk controls and legal protections.

Meeting this requirements means centralizing the distribution, discussion, retention and review of third party contracts so that all applicable teams can participate in contract reviews to ensure the appropriate clauses are included and managed.

Key practices to consider in managing third party contracts include:

• Centralized storage of contracts
• Tracking of all contracts and contract attributes such as type, key dates, value, reminders, and status – with customized, role-based views
• Workflow capabilities (based on user or contract type) to automate the contract management lifecycle
• Automated reminders and overdue notices to streamline contract reviews
• Centralized contract discussion and comment tracking
• Contract and document storage with role-based permissions and audit trails of all access
• Version control tracking that supports offline contract and document edits
• Role-based permissions that enable allocation of duties, access to contracts, and read/write/modify access

4. Oversight and Accountability

The Proposed Interagency Guidance on Third-Party Relationships requires the organization’s board of directors and management to be responsible for overseeing risk management processes. That effort begins by determining the key performance indicators (KPIs) and key risk indicators (KRIs) important for decision making.

When it comes to measuring KPIs and KRIs, categorize them into these four categories to ensure the board and executive team have the right view of third parties:

• Risk measurements to understand the risk of doing business with a third party, as well as associated mitigations
• Threat measurements overlap somewhat with risk and give a more complete and validated view risk
• Compliance measurements define whether third parties are compliant with your internal controls requirements
• Coverage measurements answer the question, “Do I have full coverage of my third-party footprint and are they tiered and treated accordingly?”

Then, be sure to tie results back to contract provisions to provide complete governance over the process.

Finally, ensure your team is fluent in understanding what type of information the board should see. This approach should enable your team to:

• Present a consolidated view of current risk exposure to the organization from the supply chain
• Communicate current status of critical third parties supporting major company efforts
• Show inherent and residual risk from threat intelligence sources to demonstrate progress in reducing risk over time
• Identify where exec support is needed

5. Ongoing Monitoring

Successful third-party risk management programs include periodic internal controls-based assessments against industry standard frameworks and ongoing monitoring to confirm the quality and sustainability of the third party’s controls.

To accomplish this, continuously track and analyze external threats to third parties by monitoring the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information.

Monitoring sources should include:

• Criminal forums; thousands of onion pages; dark web special access forums; threat feeds; and paste sites for leaked credentials — as well as several security communities, code repositories, and vulnerability databases
• Public and private sources of reputational information, including M&A activity, business news, negative news, operational updates, and more
• Financial performance, including turnover, profit and loss, shareholder funds, etc.
• Reputational, regulatory and sanctions sources including politically exposed person profiles, global sanctions lists, and regulatory and legal information

Correlate all monitoring data to assessment results and centralize in a unified risk register for each third party, streamlining risk review, reporting and response initiatives.

6. Termination

Organizations can be exposed to post-contract risk, yet research shows that few organizations conduct risk management at the end of a relationship. The Proposed Interagency Guidance says that it is important for management to terminate third-party relationships in an efficient manner, whether the activities are transitioned to another third party, brought in-house, or discontinued.

To streamline the vendor offboarding process, automate contract assessments and offboarding procedures to reduce your organization’s risk of post-contract exposure:

• Schedule tasks to review contracts to ensure all obligations have been met. Issue customizable contract assessments to evaluate status.
• Leverage customizable surveys and workflows report on system access, data destruction, access management, compliance with all relevant laws, final payments, and more.
• Centrally store and manage documents and certifications, such as NDAs, SLAs, SOWs and contracts. Leverage built-in automated document analysis based on AWS natural language processing and machine learning analytics to confirm key criteria are addressed.
• Take actionable steps to reduce third-party risk with built-in remediation recommendations and guidance.
• Visualize and address compliance requirements by automatically mapping assessment results to any regulation or framework.

Streamlining Compliance with the Proposed Interagency Guidance on Third-Party Relationships

Effectively addressing the requirements in the Proposed Guidance is virtually impossible if you rely on spreadsheets to collect, analyze, remediate and report on cybersecurity controls. With the Prevalent Third-Party Risk Management Platform, your financial services institution can automate and accelerate its compliance initiatives. The platform enables you to:

• Build a comprehensive, agile and mature third-party risk management program based on proven financial industry best practices
• Automate the identification and assessment of critical third parties based on their criticality to the organization
• Assess and continuously monitor third parties for multiple types of risks
• Deliver automated remediation recommendations to third parties to reduce residual risk
• Measure against contractual key performance indicators (KPIs) and key risk indicators (KRIs)
• Simplify regulatory and security framework audit reporting to multiple internal and external stakeholders
• Deliver prescriptive business continuity and incident response programs to ensure third parties have the policies and procedures in place to address emerging risks
• Securely offboard third parties with a prescriptive process to ensure the organization is not exposed to ongoing residual risk

To learn more about complying with the Proposed Interagency Guidance on Third-Party Relationships, download our best practices guide or contact us to schedule a demo.