6 Ways Data Privacy Impacts Third-Party Risk
Description
The pace at which new and updated data privacy regulations are being introduced has led to a convergence of obligations across privacy, security and compliance. The focus on data protection and data governance now also extends strongly to fourth and nth parties, which will force many companies to improve their risk and supply chain processes.
Join a webinar with Linnea Solem, founder of Solem Risk Partners, in which she:
- Reviews key trends in data privacy and data security regulations that affect third-party risk
- Summarizes the key impacts of the EU Standard Contractual Clauses (SCCs) on due diligence, third-party assessment and risk monitoring
- Reviews assessment and remediation measures for mitigating privacy risk in your supply chain
- Outlines the implications for the C-suite, from both the outsourcer's and the service provider's perspective
- Discusses reporting obligations and data privacy frameworks
- Offers steps for simplifying and harmonizing processes across multiple enterprise teams using the European Data Protection Board's 6-step process
Register for this webinar to receive best-practice guidance on managing privacy risk in your third-party ecosystem.
Speaker
Linnea Solem
Founder of Solem Risk Partners
Transcript
Amy Tweet: Okay, we're live. Welcome, everyone. We're very happy to have you with us today. If you're joining live, thank you for spending a small part of your day with us. While you settle in and get comfortable, I'm going to launch a quick poll, because we're really curious what brought you here. While you wait, maybe you can learn something and educate yourself a bit. I'm looking forward to our experts who are here as guests and whom I'll introduce to you in a moment. Maybe you're researching for an upcoming third-party risk management project. Maybe you don't yet know where you stand. In that case: this webinar is called "Six Ways Data Privacy Impacts Third-Party Risk", so you might want to stick around, or maybe you're already a Prevalent customer and want to keep up with current developments. So take a moment while I go over a few housekeeping rules. My name is Amy Tweet. I work in business development here at Prevalent. My job today is to make sure all your questions for Linnea or Alistair get routed to the right people. You can use the chat function below or the Q&A function for that. I'll make sure those questions get to the right people. And without further ado, I'd like to introduce our experts joining this conversation. We welcome Linnea Solem. She is a former Chief Privacy Officer and has worked in the regulated services and risk industry for more than 30 years. She is also the founder of Solem Risk Partners. Linnea, how are you today?
Linnea Solem: I'm doing well.
Amy Tweet: Good. Glad to have you here. Alistair Par is also joining us; you can see his face down there. He is the Vice President of Global Products and Risk at Prevalent, and you'll hear and see him towards the end of the webinar. So if you have questions about Prevalent, you can ask those as well and we can help you with that. As a reminder, we want this to be an interactive webinar, so please use the chat function and the question function. We're also recording the webinar, so if you have to step away in between or can't stay until the end, we'll email you the recording first thing tomorrow morning. All right, let's get started. I'll hand it over to you. Okay. If you have any further questions, please use the chat function. Go ahead.
Linnea Solem: Okay. Excellent. Thank you so much. Well, welcome, everybody. We're going to have quite a bit of good discussion today. There we go. So, as Amy introduced, this is a bit of my background. I have been on the outsourcer side. I have also been on the service provider end. So I'm really going to weave together today data privacy, data protection and third-party risk, and there are a lot of hot topics. So let's get into our discussion right now. Converging topics, as I outlined: why are these topics important? We all know that you have to follow the data. The data starts the conversation in any dialogue between an outsourcer and a third party. But managing data is much more challenging in today's environment. Even technology like online meetings creates new data challenges, right? So data protection and third-party risk are really converging, and as we talk through these topics today, I've listed quite a few terms that will be woven into the dialogue and the narrative, but what I'm going to focus on is less how you build these things; I'll spotlight some of the challenges and opportunities and things that are shifting. We've got a lot of divergent topics and quite a significant amount of change occurring today that is going to impact almost every element of not only a privacy program but a third-party risk management program. So I'll try to connect the dots where appropriate, and hopefully we can learn through this session and through the Q&A where some of the other pain points are. So let's dive into the road map for today's dialogue. I'm going to highlight six key topics that are all related, and we're going to start with what's changing in the regulatory landscape, how that impacts contracts, what you then need to do around data protection and safeguards and assessments, but put a little bit of a magnifying glass on data governance, because that's the hottest topic.
And we'll end with where this road map now affects your third-party risk management program and where you might need to do some maturity or process enhancements. So this is our road map for today's dialogue. Let's dive into the first topic. It might be August and hot and humid where you are, but right now it's raining regulations for data protection and third-party risk management. Our journey really got aggressive when GDPR accelerated the expectations for service providers. And when you think of the regulatory changes that have happened since GDPR became effective only three years ago, we're getting to the point where 65% of the world's population is now covered by data protection regs, and the US is getting even more aggressive at the state level. But it's not just a regulatory landscape. We are seeing focus areas from different regulators, from agencies, new proposed guidance, and we'll dig into that. But it's not just an industry challenge. Privacy risk is now top of mind for public companies in the United States. I thought it was very interesting that over 60% of companies are citing privacy risk or data protection risk in their SEC reports. And when we first started to think about that, everybody assumed it was about cyber security and breach. But no, it seems to be more about privacy: ethics, privacy, permissions and data practices, corporate governance, ESG. The topics are broadening and really bringing privacy, security and compliance together into a better focus on data governance and data protection. So, as we look at this, let me highlight a couple of key developments in terms of that raining regulation. For those that do business in the EU, we're still dealing with Schrems and Brexit in terms of the UK and the EU adding complexity. You'll see on the right I listed a visual that talks about how enforcement is accelerating.
But now I need a new chart, because even though I put this out there towards the end of July, the EU regulators issued a fine, the largest in history, of $887 million. And as you look at that, part of the focus is on data practices. So everyone's now looking at their frameworks and making changes. Canada's getting involved with a new update to modernize their privacy framework. Many international companies are following suit. ePrivacy is still happening within the EU. But there are updated industry frameworks from and ISO that are really putting a spotlight on data governance, data protection, data protection safeguards and really bringing privacy engineering and security engineering together. In fact, for those of you on the call that might work within the financial services sector, the three agencies have come together to propose a new framework and modernize guidance on third-party risk management programs. The joint guidance from the three regulators is out for industry comment right now. So we don't see these developments slowing down because of the new frameworks and regulations and enforcement. It's going to get even more challenging. Just to show you a little bit of the checkerboard of what's happening at the state level, you'll see that the International Association of Privacy Professionals publishes on a monthly basis a state privacy legislation tracker, and you can see what's been introduced, what's in committee, what's in chambers, and what's being developed or passed or signed. Why this is important is because when a state like California or now Colorado puts out new guidance, we're a global economy, we're a national economy, and a regulation in a particular state starts to impact other states. It's kind of like the years when we first had breach notification, and now we have a checkerboard of 48 states with a law. We're going down that path from a US state privacy tracking perspective.
But we're starting to see some key themes: consumer information, disclosures of data to third parties, the sharing of data, and increased litigation or brand risk. So it's less about just protecting the data. It's really about what authorized use of the data the vendor has. What are they allowed to do and what are they not allowed to do? So again, the privacy dialogue, I believe, is actually evolving as you look at the different topics that are happening. So let me provide a quick recap of a topic that you might have heard about called Schrems II. Basically, Privacy Shield was invalidated about a year ago as a data transfer authorization method for data going from the EU to the United States or to other non-EU geographic areas. After this litigation, in a court decision, the regulators identified gaps in the existing standard contractual clauses that were in place to address GDPR compliance. Why this is important is that for those organizations that need to manage compliance between outsourcers and vendors, or controllers and processors in the EU, that standard language was the primary way to address processing in third-party risk. So let's fast forward: after the comment period, updated new templates. These new templates aren't just about contract changes. They will impact controls, due diligence, vendor classification, and most third-party risk management operational processes. And because we're talking about a key change that's important, let's really think about the business model in today's environment between an outsourcer and a vendor. Vendor compliance is multi-dimensional. And while the standard contractual clauses apply specifically to address GDPR, they actually represent what's happening in our ecosystem. When you think of the Internet of Things, the digital environment, cloud hosting, we're more connected than ever before.
And the new requirements that are being put out by the EU tend to be a model that other states and countries tend to follow. We saw that with GDPR. So I don't think this will be the only GDPR type of solution, but their agreements really are anticipating that you have to put in place very specific guidelines between all parties in a relationship. So whether it's the outsourcer to the vendor, the vendor to their vendors, the fourth parties, the subcontractors, it really gets down to the end parties when you start to look at processor-to-processor relationships. But the themes that came out about the standard contractual clauses, in the simplest terms: it's not just a contract exercise. It's a warranty of data protection safeguards. It's a maturity in due diligence. It requires more evidence, some proof of controls or proof of ongoing monitoring, and there are some exit clauses so that if the vendors can't comply, there are ways to get out of the contract. So it really will put a spotlight on third-party risk management governance. And the reason that I highlight this as such an important trend is the timeline. And I know you'll get a copy of the slide, because the text might be a little bit small, but when you think of what was released in final language on June 4th: new contracts with new vendors, if they need to meet GDPR compliance and use standard contractual clauses, need to be in place by the end of September. So that's a short ramp period. And if you're an existing vendor and you have to think about that, the contract with that data controller for all of those existing vendors will all have to be updated by the end of 2022. So that's less than 18 months to assess the new language, look at the new data controls, identify the impact to due diligence, update your processes, execute a repapering of contracts and due diligence, and document everything that you did.
So this is absolutely a key thing on data protection and what's changing in the environment for third-party risk. Just to provide a highlight on why this is important: while most contracts really define the processing relationship, this new proposal really crosses the line into data governance and third-party risk management programs, because within each contract there are now three annexes, and the first talks about things that, as a privacy professional, I'm familiar with, but a lot of procurement, sourcing and risk teams may not understand that they need to document. Now the business model context, the category of data subject, the data classification of the data, descriptions of the processing, the purpose, the retention, all of that context that's always been in the privacy world now needs to be brought into the vendor contract. In addition, they're getting more detailed in describing the data protection safeguards. So what you put now in the contract is what will be inspected in the third-party risk management process or assessment process, either with the on-site or virtual assessments or ongoing monitoring. But the contracts also require the list of approved subcontractors. So again, higher expectations, greater focus on governance and compliance, and really a greater emphasis on keeping track of the different activities that are being performed, because you have to prove that you're doing what the contracts say and you're holding things accountable. So it's really driving maturity in a lot of these processes. So let's dig into those processes and really what's changing around data protection safeguards. While regulations may put out guidance, frameworks tend to get out at a control level.
So you really have to assess both drivers to understand how data protection safeguards are evolving. The themes that I'm seeing, whether it's coming from the regulators, from the frameworks or from an external assurance or audit report, are really about holding people accountable: it requires a deeper, concrete description of the control environment; evidence of controls is critical; maintaining due diligence artifacts. I think we've learned, through having to do assessments now in a virtual environment, that the documentation beyond the policy is even more important to show the evidence of the controls that are in place. So it's really driving a maturity in a lot of different areas of data protection. And I think we're going to see that, with what's happened for many organizations due to the pandemic and having to go to the remote environment, there will continue to be a significant footprint of remote workers. So the actual environment changed in the last year, and many organizations are seeing, through resilience or through the migration to cloud hosting, that the footprint of their vendors is changing. Who's critical may also have been impacted by the remote work, because obviously online collaboration is pretty critical, but these platforms probably weren't in the high-risk vendor category in a lot of third-party risk management programs. So we're really seeing a shift in the need to look at controls in a broader area, and these focus areas, I think, are really bringing privacy and security together. Cyber security will always be important, whether you're focused on technical controls, breach, ransomware. But what we're seeing through the frameworks, and a driving of a migration to data governance, is that it's more risk-based. It's more methodology focused. So it's beyond the yes/no of a control being in place or not in place. It's: is the control sufficient to address your risk posture?
It's driving a maturity in the process, and instead of just technical controls, it also becomes contextual controls: minimizing the amount of data that's collected or used, ensuring that data has a purpose limitation, working on limiting data retention or data portability from one vendor to another. So you're seeing a lot of data governance topics that all start with understanding the business model, the type of data and the roles between parties. And each of these controls impacts the third-party risk management process, because you might need to gather additional information. You might need to conduct additional discovery, and you may need to focus on data protection impact assessments in a different way as you look at changes in the environment, be it change management or third-party risk or the SDLC process, because you're not just looking at the technical security control; you're looking at the use of the data, the authorization of the data, and what the expectations of the individual or the data owner are. So the safeguards conversation is really broadening into ethics and permissions and not just the technical bits and bytes of the control environment. So when you look at that evolution of data governance and how that impacts third-party risk, it's a critical element, because it becomes one of those foundational building blocks in third-party risk management. As I outline the context of authorized use of data, one of the challenges with data governance in third-party risk, probably the most common theme I hear from clients, is how to maintain vendor and data inventory. It's a continual battle: you always know who your highest-risk vendors are, and you have a good idea of the lowest risk, but it's all of those vendors in between that create the operational challenges. And when you start to look at disclosures, well, that's not just to the third party.
It's understanding the ecosystem and the fourth parties and nth parties and all of the people that participate in the delivery of a technology product or service. So, as technology emerges, whether it's artificial intelligence, IoT, 5G, the cloud, you're bringing in more third parties, more technology integrations, more network connectivity between parties and different paths for the data to follow. So managing that environment becomes not only a people resource issue, but it's technology, and it's processes and optimization. But it's really taking a look at not just the padlock of securing the data but understanding the path of the data within the organization and outside the organizational boundaries. Those are some of the key areas that we're seeing really evolve in terms of data governance. So how do you look at data governance in third-party risk? There are terms that are discussed, whether it's called data maps, data flows, devices; there's a data governance explosion happening. So you really have to take a look at data and really profile, at a vendor, not just who the vendor is, but what's the product, service or system that they are delivering. So, from an outsourcer perspective, it's not enough to know that company ABC is in my vendor portfolio. I really need to know what that company does for my organization. Do they interact with my end customers? Do they have higher sensitive data? Are they critical to my operations? And then what data is used within that relationship? And then let's follow the data. Where is it located? Where is the data backed up? So it's become a broader conversation in terms of location management, because it's not just about physical addresses in physical buildings, right? We now have remote workers. That means we have remote vendors, and how you're connecting can be through multiple devices.
So that mapping exercise really becomes a critical pillar within your third-party risk management program, to understand how often and how frequently you have to update your vendor and data inventories and be able to connect the dots between the vendor, the data, and then your due diligence process based on what contractual obligations or regs apply to that relationship. So, as we look at these changes, we started with the raining regulations and then what's happening, spotlighted a few highlights, and then we've talked a little bit about data governance. But let's think about things from a third-party risk management program in and of itself. If I look at the last 18 months, I really started to look at three big drivers that are starting to trigger the need to modernize third-party risk management programs. And obviously the first column is the pandemic factor, because we as an industry, as a global world, had to evolve. We had to quickly figure out remote workers. That means we might have had to shortcut some security controls or build new bridges or new paths. Now we need to go back and correct those areas. We had to start to bring in the concept of zero trust. We had to start to do our assessments for third-party risk virtually. So that changed the skill set of the assessor. It might have actually changed how we document the workpapers or document what work has been performed. And if you're a service provider and you go through an annual attestation or audit report, well, now you're doing that virtually with your audit firms. So resilience, cloud, remote technology, all of those things that are critical to enable business operations also impacted how vendors deliver their services. So, looking at third-party risk through the pandemic lens, not only do you have to look at how the existing vendor relationship works within your contract or your due diligence standard, but you have to understand how they adapted.
What changes did they implement due to the pandemic and remote work? Because those factors might require additional due diligence on your side. But I think the conversation is also evolving a bit into non-IT risks because of what's been the focus in so many different areas. It's not just about data security and cyber security. When you look at third-party relationships, environmental, social, governance (ESG) is top of mind in the boardroom, but also for the shareholder or the consumer, the buyer. There's a greater focus on geopolitical, human rights, diversity, the supply chain, and that's not just a United States factor. I'm seeing these non-IT risks and guidance driving maturity across the board. And I really think, when you start to look at the non-IT risks, it almost requires a different level of viewpoint into your vendor risk rating system, the way you classify vendors. It's less just about the company. It becomes a broader conversation, and that may actually require different types of assessments. So instead of one large vendor assessment, I'm seeing third-party risk management programs obviously need to do a deep dive on the onboarding, but then they might be doing very topic-specific assessments for a particular vendor. They might have to dig deep into resilience and remote access and securing data. Or, depending on the nature of the product, if they're helping you with marketing, sales, or advertising, you might need to do a deeper dive on consumer protection and fraud, authentication and privacy. Or if they're in the supply chain, you might have to focus on a broader environmental factor. So these topic-specific assessments are layered into your overall program. So organizations need to modernize and understand their staffing levels. How do they right-size assessments and manage multiple assessments?
In one of my prior roles, at a service provider, for certain clients I would have to undergo at least seven to 10 assessments on an annual basis, because they were tailored to the product or service. So not only are third-party risk management programs evolving in terms of the requirements, but it also starts to impact workflow and really having to take that risk management approach as to what's sufficient. And I think the drivers that I'm highlighting here are actually very similar to the FAQs and the questions that the three primary regulators in the financial services sector have put out for comment as they're looking at the original OCC guidance that was for national banks in terms of third-party risk management. How do they bring that type of guidance across the board to community banks, regional and other areas within financial services? You know, even last week, FINRA just announced in the financial services sector they're seeing audit issues on lack of maturity in third-party risk management programs, and that's a concern. So I think we're starting to see the drive for modernization come from a lot of different areas, and that really is going to require some investment in making some changes to your third-party risk management program. It might be a project to address regulator changes: if you have to address GDPR and standard contractual clauses, you're going to start with what you have today and where you need to be by the end of '22. But you also might be adopting a framework, whether it's NIST or ISO, to help mature your information security and your cyber footprint and bring privacy into that conversation. But any time you're looking at changes to your program, it really starts from that outside-in perspective. What are the external drivers?
Then the internal: what's changing within your organization? Sometimes it could be M&A activity, it could be new products and services, consolidation, efficiency, but all of those things now require that review. Do we need to change the definition of vendor criticality in today's landscape? Do you have a commonly understood definition within your organization of who is critical? And as third-party risk management programs broaden in scope to include ESG and these others, you'll really see that it becomes an integral part of an organization's enterprise risk management program. So while the project teams may understand what they need to do to operationalize changes to third-party risk management programs, actually doing that changes the story also in terms of how you gain management approval of all of these changes, or if it has to go up to the board or executive reporting. The other key thing that I think is really evolving: obviously third-party assessments have evolved from on-site to a virtual environment. The old kick-the-tires type of approach of a site visit is not going to come back, because people have realized the cost of the travel and the level of value that they get. There will certainly be high-risk suppliers or vendors that need that deep dive or physical inspection. But I think people will be starting to use a combination of different techniques. But the key factor that I think puts a wrinkle into existing third-party risk management programs is really the contract and due diligence synchronization. So I use the example of standard contractual clauses. The legal team and the privacy people are all over this. But now that work product has to be implemented by the third-party risk management teams, and they don't have a clue what all these privacy terms mean.
So all of a sudden we have to build a bridge, even within one company, to figure out how I sync up what I have to put out into a legal contract that impacts how I audit the vendor, and now my audit of the vendor can be viewed by the regulator, and they're actually saying you need to have very good workpapers to document what you've done. You've got to build a really strong dialogue and collaboration between very different and divergent teams, and a lot of that may start with education, or doing a gap analysis, or figuring out how we sync up due diligence and third-party risk assessments with contract expectations, and how you manage the gaps is even more critical. So I think all of these factors are really driving organizations to start to take a look holistically at their processes. And I think connecting the dots across different processes is an area that is sometimes very undervalued or underrepresented in terms of the need for clarity of roles and responsibilities within and across teams. So let's think of some examples. Today, when you have all of these changes that are happening in the internal and external environment, right: technology transformation, migration to the cloud, new regulations, fines and enforcement, and obviously we always have the threats and vulnerabilities in terms of the bad actors. All of these things are coming at a third-party risk management team, but they're also coming across the newswire to the CEO and the boards of directors. So organizations need to really be able to tell their story. Here's what's changing. Here's what we're doing about those changes. Here's what's important. And here's what I need from the organization. So if you need to modernize your program, it's about the business. It's about explaining: here's the role that these teams play today. Here's what the new expectations are, whether that's by the reg, by a framework, by a customer driving language in the contract.
All of these things can now change what you need to do on your policies for third-party risk, your due diligence standards, your assessment process. And so there's almost that layered education, not only to keep everyone on the same page with the changes but also to make sure that folks understand that with the heightened expectations there's now a better level of what I call change management maturity. We know in third-party risk we always think about change management purely from the IT coder's, you know, the developer's point of view, and IT operations, but now you have the pandemic and you have security DevOps. But now when you look at privacy and data protection, it's a whole different conversation to be managing regulatory change around devices, privacy permissions, settings on a smartphone, use of a web application. So what I'm seeing emerge around data protection is really broadened conversations around change management and process integration, but it's really bringing these teams together and bringing these processes together, because that's what's critical to be able to demonstrate: here's how I am managing expectations, not only to manage and mitigate risk but also to ensure that my risk management process is in alignment with the expectations coming from the market, clients, regulators or even investors. And I think what we're going to see, as we look at the challenge with connecting the compliance dots, is that it's not just a volume issue with staff. It could be skill sets of staff. People have to adapt to a new way of doing work, or some of the changes that we're seeing around data governance, or even things like the standard contractual clauses, may require organizations to assess: how many vendors do I have? Do I need to do some consolidation of vendors? So I think we're going to see some evolution of even KPIs and metrics in terms of managing the third-party risk management program.
Um, scorecards I could see uh becoming, you know, even more important in terms of process maturity in terms of not just the status of the vendor, red, yellow, green number of findings, red, yellow, and green. Um, but it starts to look at the risks across vendors, not just within a particular vendor relationship, because you’re managing different touch points, and you’re managing different types of risk that different organizations and different stakeholders are going to say that are important. So, I always like to, you know, think about, we talked about a lot of topics, but when we look at some of that, the guidance that’s coming out, you know, there’s some simple steps to do to kind of get your arms around these environmental changes, uh, the six-step process, uh, putting guidance into action. U, what I liked about these messages, even though they originated in the EU guidance, I think they apply across the board to any organization that’s really trying to modernize or update their third party risk management program. First up, update your data maps and inventory. Know where the data is located. How what what the purpose is, what they’re authorized for. Verify and understand any transfers or disclosures between third parties, whether that’s financially by contract, a trade, or any type of benefit, any data transfer or access between parties. I think it’s also critical to conduct due diligence not just of the third party but understand is this transfer or disclosure to a third party allowed by law by contract is is there are restrictions are there hoops I have to jump through to enable that disclosure so there’s more maturity happening in the regulations getting more complex that changes your processes on your side for how you even trigger the d diligence activity and I think you’ll start to see the evolution of due diligence beyond just the technical controls and really get into organizational and contractual measures. 
Um I think another key area for modernizing programs is really focusing on that uh fourth and party relationships because at the end of the day uh everyone has multiple third party relationships. No one is very few organizations are hosting their own data in the cloud or hosting their own applications. They’re all using technology service providers to enable their footprint. And all of those providers have their own vendors. So it’s not just critical to understand who they are, but really understand what the contract says in terms of who owns which controls. I’ve done quite a few gap analysises and assessments and I I will hear from a client, well, you know, they had a stock report, so I didn’t think I had to do anything else. Well, if you read the report, it says, “These are all the controls that the vendor owns, and these are the controls that you own.” At the end of the day, you can’t outsource accountability. So, it’s really important that your third party risk management teams not only understand their process, um, but the standards and the requirements and kind of how you maintain your evidence across your entire program because how the program in and of itself um comes under a greater you know inspection and oversight. So as we look at this I know in one hour we’re covering a ton of information um and I think it’s always important to be aware of privacy fatigue and you could use the word privacy fatigue or you could put in that replace that with cyber security fatigue. Regulations are emerging faster It’s happening all at once. You’ve got to build a road map. Find some quick wins. Do the quick hits. Make it manageable. Break the work up into manageable parts so it’s not feeling so overwhelming. It requires prioritization. Uh but I think data protection and third party risk the number one thing is that it should be a strategic conversation and not an operational tactic. 
Ensure that the board board the seauite understands the linkage to revenue so that the third party risk management program is not just looked at as an administrative burden or it’s table stakes you know it actually can drive and enable the business to succeed because you need the vendors to run and and help you grow your business so really make sure that the board and the seauite understand their role in ensuring that the thirdparty risk management programs have the business case and the investment and the resources they need to manage the risk because the regulators don’t give you new budget when they change the rules. So each organization has to adopt their program or have that conversation to say this is what’s changed, these are our gaps and we can either fix the gap or accept the risk. So you’ve really got to have that conversation um and really then look at your processes to say what can we do better to really drive process efficiency um you know into those recommendations. And with that, I’m going to turn it over to uh to the prevalent team to cover a few topics and then we’ll jump into the Q&A which I can see some things that uh Amy’s probably monitoring in the chat.
Alistair Par: Thank you very much. Really insightful, and it's interesting because we very much agree with what we're seeing. So the whole privacy angle of course is symbiotic to the broader third-party program, and we appreciate and totally agree with you when it comes to right-sizing and making sure that that program is proportionate, whether it's risk-centric from an infosec standpoint, whether it's looking at contract due diligence clauses, or privacy as well. So it completely resonates with what we're hearing and seeing as well. So really what we're looking at in front of us is something that we tend to focus on as part of the analysis and interpretation of the program, because invariably we find, and I'm sure you do the same, that most people have some semblance of a program, whatever it may be. It might be a couple of spreadsheets sitting on someone's laptop somewhere, or they might be involving the C-suite and they might be getting steering committees involved, etc. But it's taking that moment to passively review what you're actually doing and considering before applying changes, and proportionate changes, to right-size and demonstrate return on investment. And some of the key things we've seen on that are some of the insights you see in front of you now.
So the maturity assessment up front, this applies to the entire program, from a privacy standpoint and beyond, which is understanding, well, really what are we trying to achieve? Where are we? Where do we stand against our peers? Is that actually good or not? And are we investing the right amount in order to achieve these obligations, whether that's regulatory in nature, or based on a framework, or just internal risk appetite? So we often see people using a CMM model, the Carnegie capability maturity model, to grade themselves and compare themselves to their peers, and then that feeds the metrics, the KPIs, KRIs, as to what the steering committee, the C-level, really want to try and focus on, and then that drives that scoping and that perception up front. And I completely agree with you: you can't outsource accountability. It's at this point where we help to define, well, what does accountable look like? You know, what can we bring in-house and effectively manage in governance? And, you know, it sounds very similar to what you're seeing in your expertise in the field. And when we start looking at the rest of the circle, per se, it's about that comprehensive profiling. I know we agree you start looking at the nth parties and understanding the data points and elements that we can build this sort of holistic profile of them on, whether that's data processing activities, whether it's their security controls and governance. It's multifaceted. So we look at it from a comprehensive profiling lens, which is, you know, how can we amalgamate all these data sets and nth parties into something that's actually coherent, that we can action against, and then benchmark everybody against one another? So these being the third parties themselves. Then of course we can compare that to the regulatory obligations and frameworks that we need to consider, and then factor in, well, what can we actually do about it, and how engaged is the business?
So the human effect of remediation planning. Now it's interesting hearing you talk and correlate to the C-suite so much, because it's a challenge we always see, which is the human factors and how can we get the business involved and multiple people to participate. And that's always an ongoing challenge that we also try and pay attention to and advise on. So it really resonates. So on to the next slide, if I may. We talked about that holistic profile, and again I think you've really hammered home and touched very well on some of these points, but some of the things we like to see working quite well is building up this vendor profile, and that's multiple factors and facets. And understanding the data processing, understanding the context around what they do and why they do it, is really, really foundational. You know, context is really key, and to address privacy, all of these other symbiotic factors: understanding what articles there may be relating to them in the world, broadly speaking; are they expanding territories; are they processing data in other areas; have they had any data breaches that we need to be mindful of that they haven't reported back to us? And then of course even things like financial stability feed into that, being aware of any changes, M&A, that may impact them in the next 12 months. That perception on how your data is being managed and how you're adhering to any regulations is going to be very much dependent on pretty much everything that you see in front of you. We do find it quite challenging for people to spend the time to be able to aggregate these data points as best they can and react, particularly when you're dealing with it at scale.
So on the final slide, before I pass back to you and go to general Q&A, just something that we wanted to share, because again I think it resonates quite well with what you've been talking about, is some of the processes that we see and we consider, which is the life cycle of third-party management. You know, I've obviously spoken and you've spoken about that comprehensive profile, but beyond that it's the broader life cycle. And I think you rightly touched on the contract and due diligence clause reconciliation piece up front, which is generally pretty on point for a lot of organizations; that doesn't necessarily carry over to the rest of the workflow. Things start to dwindle until contract renewals and so on. So we like to spend a bit of time focusing on post-selection: how can we apply that through the life cycle? So tracking the regulations, the obligations associated with that, making sure that the C-suite, the legal counsels, etc., feed into us to let us know really what we need to deal with, whether that's the data protection officers of the business or whoever's owning that. It all feeds into how we interact and govern and take accountability of the third-party program and the risks that they present to us. So we like to see, through that life cycle, that degree of ownership. We like some maturity, and expanding that maturity past procurement and contracting into the life cycle and tracking those contractual clauses from the outset. So what we often tend to do is build workflows around that, where we see customers, or visionaries really in the space, starting to collect the data, look at it cohesively, drive remediation on targeted focus points, and then really try and drive their programs iteratively and improve and optimize them over time. So establishing that best practice internally and driving it through steering committees, etc., is really something that we're seeing as well.
So I'm glad to see that nothing seems to contradict really what hopefully you've been seeing.
Linnea Solem: Absolutely. I mean, it's a life cycle, and I think that's a common concept, but the life cycles today are shorter and even more complex.
Alistair Par: I completely agree. Wonderful. Then we can move on to the question-and-answer part now.
Amy Tweet: Yes, I'll give you both a moment to take a sip of water and catch your breath. Thank you for the information. Yes. A few questions have come in. I'm going to post our last poll question from the Prevalent side here. Before you leave today: are you looking to expand or implement a third-party risk management program in 2021, or maybe even already planning for next year, since we're approaching year end? We'd appreciate an answer: yes, no, I'm not sure. As Alistair mentioned, we're here to help you. So let us know. And these last two questions here, I think either Linnea or Alistair can answer. The first is: Could you please recommend additional KPIs or KRIs to better track data risks?
Alistair Par: Sure. I'm happy to start. And please, Wayne, yes, thank you. So yes, on our side it's certainly the KPIs and KRIs that we need to see. Data risks are of course a subset of the overall risk domain, and we would see similar results, namely how we can make sure that, when we look at our scoping and triage process, we add context to the risk criteria. I know it's quite difficult to qualify context when it comes to KPIs and KRIs, but if we can at least map the tier-1 risks, the critical risks that fall within the vendors' regulatory obligations, and the key data risks, we can at least focus on those and then concentrate and prioritize our efforts on that subset. So from a KPI and KRI point of view, I would very much advocate segmenting the data risks that carry regulatory or framework obligations and then looking at progress against those.
Linnea Solem: What about yourself? Yes, I'd add a few things to that to think about: when you look at a particular vendor relationship and you assign or measure a risk rating, so high risk, tier 1, tier 2, tier 3, tell the rest of the story. What is the vendor's risk in terms of resilience? They could be a high-risk vendor because they're critical to resilience, but a low-risk vendor for consumer protection because they don't actually interact with your end customers. So add some context to your risk rating and your vendor classification. And when you look at the metrics, many organizations may overlook the importance of tracking complaints. A complaint is different from an issue or a remediation, but complaints are about context. So if there are complaints or incidents, that is usually a symptom of something else that's going on. So set up a good escalation process for those non-IT areas, because that way you can find out even faster what's going on.
Amy Tweet: Great. Great question. We have one more question from the audience and a couple more minutes. So if you think of anything else you'd like to ask Linnea or Alistair, please take a moment to write down your question. The last question is really good. So if you don't have a direct relationship with a fourth party, how can you better deal with and remediate issues that you identify at that party?
Linnea Solem: That's a good question. I would first say that the challenge with fourth parties is that you have no control over them, right? You have no direct relationship with them, either financially or contractually. What you do have to do, though, is hold your third party accountable. So instead of just reviewing your vendor, you also have to review and audit their third-party risk management program. It's good for you to audit their program and require evidence of the controls from them. And if you're on the service provider side, don't just push the responsibility onto the customer. Figure out how you can adapt your documentation so that your customers have enough documentation to be able to rely on you managing the risks of fourth parties and nth parties well. Because if you're a service provider and you do this well, that can add value for the customer. So it's really about driving maturity, but reviewing the third party's program.
Alistair Par: I completely agree with you, Linnea. So it starts exactly with what we also say, namely with that procurement exercise up front when you enter into that contractual obligation. So it's really crucial to define what obligations they have toward third parties and then toward the parties they manage. And unfortunately, I think that's a good question. I think you touched on this too, namely that most companies don't have the maturity and the agreement to steer their third parties in such a way that they manage them effectively. It's a kind of reactive prompt to make sure they address it. We're seeing more and more companies maturing and defining contractual clauses up front to make sure they control fourth parties, but again, you can't completely outsource accountability. That's not going to work. You're expected to work with them to identify and track these issues.
Linnea Solem: Well, I think it's also important not to rely only on the certification of an audit report. I've worked in third-party risk long enough, and in the past there was the SAS 70 certification, and I thought, "What is that all about?" But now there are different levels of external audit reports, and you have to look more closely, especially in the cloud environment or in other environments, to know which controls the vendor has, which controls the customer has, and what the configuration looks like, and you have to require evidence that they actually look at the reports and carry out a risk-based analysis of what they've learned and seen in the reports. So it's not just about the SOC 2 being contractually required; it's about what you do with the SOC 2 once you receive it.
Alistair Par: And I'd add to that by saying you should always check the scope too, in case it happens to be sitting in their broom closet somewhere.
Linnea Solem: Absolutely. Because it's about products or services. And I think this is also where data governance comes into play, because physical locations sometimes lose relevance in today's digital environment. You know, in certain industries the physical location is very important for manufacturing, but you really have to do that analysis in the vendor profile to be sure you're getting the assurance you want, or to know where you need to supplement the assurance in a particular area that is critical to the business or the customer base.
Amy Tweet: Okay, thank you. That's a good question. We'll now move on to another question that just came in. I think this has a lot to do with the current COVID situation. Many vendors currently don't allow on-site visits. Should that be a concern, or what alternative procedures would be sufficient?
Linnea Solem: That's a great question, and it's almost as if we sometimes need webinars just for information on the service provider side. I think the key is recognizing that certain vendors aren't able to host you on site, but then the vendor has to have that shared conversation with their customer base and say, "Okay, but here's what we can offer instead." Here's additional evidence. Here's additional documentation. Here's additional evidence of controls, or ways you can use virtual or web technologies in different ways. It shouldn't be a yes-or-no decision. We just have to fulfill the same function in a different way. How do we do that? And that really starts with that conversation and flexibility on both sides. It's simply about recognizing the challenges that organizations face.
Alistair Par: I completely agree. And we've seen that virtual validation has been a real driver over the last 18 months, as you'd expect. And the key to that, in our view, is to be concise and focused, because you only have limited time, since people get fatigued on Zoom just as quickly as with anything else. So we've generally had success giving them the rough criteria for the evidence you want to validate. You test specific controls that are critical to you, but you don't necessarily give them the aspects of that control that you want to look at. That way they can't necessarily familiarize themselves with the system in advance, but they have time to prepare the relevant materials. That focused validation, that litmus test where specific controls are checked, at least gives assurance, which seems to have been a common theme for us over the last 18 months.
Linnea Solem: Right, and last year we had the webinar series on virtual assessment, and we could even see changes from when that event was first held at the beginning of the second quarter through to the changed way people viewed virtual assessments and virtual validations at the end of the year, because they have to deal with a virtual internal audit team. They have to deal with a virtual external audit team and virtual vendors, as well as virtual third-party risk assessments. So over the last 18 months a lot of processes have changed, and I think that will continue to evolve.
Amy Tweet: I love that term, virtual validation. That's great. That's really a great question. We've now reached the end of the hour. I want to make sure everyone can enjoy the rest of their day, and if you have any final questions, you can reach out to Linnea Solem. I think LinkedIn is good for you, or a good place to reach you.
Linnea Solem: Yes, that's fine. And I've also listed my ...
Amy Tweet: There you are. I see you. I had to clear the poll question out of the way. But as far as Prevalent is concerned, if you have questions for us, you can email us at [email protected]. Follow us on LinkedIn or Twitter. Thanks again for spending the last 60 minutes with us, and I hope you've learned some best practices for dealing with privacy risks in your third-party ecosystem. Thank you all, thank you Alistair. Thank you Linnea. Have a nice day, and everyone else too.
Linnea Solem: Excellent.
Amy Tweet: Bye, everyone.
Linnea Solem: Bye. Thank you.
©2026 Mitratech, Inc. All rights reserved.