Compliance Week’s 4th annual summit was a great opportunity to meet with colleagues in third party risk management and share insights on new trends and challenges. There’s certainly a wealth of new issues to consider, including vendor subcontracting (fourth parties), IoT, and new data privacy regulations. However, my most interesting take away wasn’t what’s new, but what hasn’t changed.
Efficiency (and therefore standardization) is still lacking
Speaking with others who have also been actively engaged in TPRM for well over a decade, we were all struck by how poorly the practice has kept up. Until recently we’ve still collected vendor due diligence in the same way as we did in 2004 – questionnaires sent to vendors via email and then manually reviewed and analyzed, with little central reporting. Since roughly 50% of the time it takes to perform vendor assessments is spent sending out, collecting and verifying questionnaires, why haven’t we as a group worked to create greater efficiency? Using standardized questionnaires (like the Shared Assessments SIG) certainly helps through standardization, but we really need to do more.
Collaboration within industries is progressing…
The OCC‘s bulletin (OCC 2017-21) specifically referenced the actions we should be taking. Section 4 of their guidance specifically encourages companies who share vendors for similar services, to collaborate on the assessment due diligence process. In fact, the guidance goes so far as to state that collaboration is a “useful tool” in helping banks meet their responsibilities for vendor risk management under OCC 2013-29. These “useful tools” include the use of a standard process for “performing due diligence and on-going monitoring” of vendor security controls. As long as each individual bank performs their own analysis and makes their own conclusions about risk, the OCC is encouraging us to collaborate on the due diligence and threat monitoring process.
Prevalent has been at the forefront of these efforts for several years. Top law firms asked us to design and manage a network which collects and shares vendor assessments and threat monitoring for common law vendors and therefore, we developed the first shared assessment due diligence network. This network created significant improvements in cost and time to conduct vendor assessments, of which we now also manage a similar network for H-ISAC (healthcare vendors).
… but organizations must understand that their requirements are more alike than they are different
Opponents of vendor risk sharing networks argue that their security controls are somehow different than everyone else’s so sharing won’t work. But are they really? Don’t most of us defer to the NIST Cybersecurity Framework? Are our password standards and multi-factor authentication requirements truly unique to our company? Don’t we all fall under the same regulatory requirements? In addition to industry based regulatory requirements we are now subject to regulation based on the data we collect (GDPR, CCPA, etc.). I would suggest that when considering regulatory requirements, 75% of the security controls we all require from our vendors providing similar services is the same.
So, what are we waiting for? Let’s all gain back some of that 50% of the time we spend on non-skilled activities and focus on vendor risk sharing. If you agree, contact us today and we’ll set up a brief demo or conduct a strategy session.