Last week, we shared the first batch of six predictions for 2020 from our team of third-party risk management experts: Brad Hibbert, COO & CSO; Alastair Parr, Sr. VP of Global Products & Delivery; and Brenda Ferraro, VP of Third-Party Risk. Be sure to check out that post for a look into the perils of funding; the ever-changing role of the vendor manager; evolving beyond compliance and point-in-time assessments; the rise of advanced analytics; and the commoditization of security ratings services tools.
What else does the future hold? Read on for predictions 7-12!
2020 will bring even more attention to data privacy – especially in the US where there is the possibility of 50+ different flavors of a GDPR-style law, creating a complex patchwork of regulatory requirements for organizations and their third parties to contend with. GDPR will have a full second year to sink in. CCPA goes live on January 1. Plus, there is NY SHIELD and, earlier this year, an extension to ISO 27001 & ISO 27002 was released to specifically address risks associated with privacy. Growing complexity will push federal regulators and Congress to draft a consensus framework to address data privacy and protection nationwide. Our prediction is that what NIST did with the Cybersecurity Framework (i.e., leverage the best of existing best practices to create a new cybersecurity standard) they’ll do again for data privacy and protection. A change of administration could help move this along more swiftly.
The concept of evidence sharing is not a new one. It entails enabling risk practitioners to focus resources on remediating risk and compliance concerns by leveraging a repository of completed vendor questionnaires and continuous monitoring. This “collect once, share many” concept enables risk programs to streamline processes and scale program coverage. Today, many networks are focused on evidence collection initiated by clients looking to assess their vendors, with reassessments performed on an annual basis. Over the next 24 months we expect to observe the following activity among shared network communities:
Organizations will gradually begin working together to improve efficiency and reduce costs, either internally throughout the third-party lifecycle chain, or externally with peers in verticals to combat the “us vs. them” mentality. Third-party risk and governance will continue to be segmented between organizations attempting to make a dent in their unwieldy supply chains and those pushing for greater maturity and integration.
The tools and capabilities for capturing quantitative data from the third-party estate will continue to proliferate, with ease of use and automation at the forefront. This will result in a surge of organizations asking for and capturing third-party risk information via technology. This will present a growing logistical challenge for third parties, who present the same information in varying ways on different platforms throughout the year.
Vendors respond to dozens, or even hundreds, of these assessments annually. While many organizations may have a third-party vendor risk management program for their suppliers, most are performing their own assessments ad hoc and manually. In fact, many vendors respond to surveys but do not have the tools or visibility to understand how the assessments can help them proactively prioritize their own internal remediation activities to strengthen their security and compliance posture.
Increasingly, we see vendors requesting to proactively upload their evidence. They want to upload, publish, and update their evidence in one place that can then be shared with all of their customers. We expect the adoption and maturity of vendor portals to continue to increase over the next 12-24 months, enabling both clients and vendors to streamline processes and ultimately share program costs.
In the next year, third-party risk management organizations will continue to react by offering network-based services targeted at third parties; however, they will receive pushback from auditors and risk officers who understand that a fixed assessment/profile provides limited value. We will therefore see organizations and vendors moving towards a hybrid model, leveraging prepopulated content and customized additions to provide some efficiencies.
For organizations that have established processes and good visibility into their third-party estate, either due to regulatory obligations or good planning and execution, we will see a broadening of profiling data and reporting ability. Mature organizations will leverage feeds from multiple systems and capabilities to enrich their third-party profiles covering the gamut of threat monitoring, assessment data, business risk data, and legal compliance. This will support the wider third-party risk lifecycle team and enable more informed answers. Furthermore, mature organizations will seek to gain greater insight into the vast volumes of data they have aggregated with intelligent reporting tools more aligned to big data analytics.
True Risk doesn’t mean that we haven’t been identifying risk or applying proper risk mitigation practices when using a trust-and-verify approach! However, many practitioners have written their third-party management policies to focus risk understanding on assessing met or unmet control standards. Therefore, the focus on risk remediation historically has been dedicated to mitigating unmet control standards, which has the potential to place attention on what is called partial known risk.
For example, when a threat intelligence report is used to identify open-source intelligence risk factors, it is critical to configure contextual thresholds and engagement scoping to better understand the risks that matter. When questionnaires and authoritative documents are used to identify risk, the assessment requires that both the Yes and No responses receive attention.
True Risk is when the assessment technique applies attention to both the Yes and No responses and maturity-level risk awareness is identified on every Yes response. After all, all Yes responses are not created equal. Applying risk disposition on partial risk awareness can leave companies vulnerable by trusting control standard maturity posture with a simple Yes response. In 2020 you will see a pointed shift from focusing on remediating No responses towards identifying maturity of Yes responses for True Risk and increased maturity on resiliency.