7 European Regulations Affecting TPRM Programs Worldwide in 2023
Description
European regulations on security, business continuity and supply chains are strict and can vary from country to country. The regulatory requirements also apply to many companies that do business in Europe, including your suppliers and sub-suppliers, even if you are headquartered in another country, and they provide for substantial fines in the event of non-compliance. With so many overlapping requirements, how do you keep track?
In this webinar, Bryan Littlefair, former Global CISO of Vodafone Group and Aviva, reviews and discusses the seven most important European compliance regulations that can affect your third-party and supplier risk management program.
Bryan examines regulatory regimes such as:
- Guidance from the UK National Cyber Security Centre (NCSC)
- The General Data Protection Regulation (GDPR)
- The EU Digital Operational Resilience Act (DORA)
- The German Supply Chain Due Diligence Act
- The EU Supply Chain Act
- The UK Bribery Act
- The UK Modern Slavery Act
Watch this webinar to learn more about the common characteristics of these regulatory requirements and how you can automate due diligence and simplify reporting.
Speaker
Bryan Littlefair
former Global CISO of Vodafone Group and Aviva
Transcript
Scott Lang: Hello everyone, how are you? This is Scott Lang from Prevalent. Welcome to today’s webinar, which looks at the European regulations that will affect third-party risk management programs worldwide in 2023. I’m very glad you are taking an hour today to hear some really great best practices and experiences that today’s speaker, Bryan Littlefair, will share with us. Bryan is CEO of Cambridge Cyber Advisers, a long-standing CISO and a leading expert in the field of third-party risk management. Today he will give you some important pointers on understanding TPRM regulations specifically in Europe and how they apply worldwide, but also on how you can simplify the process without tearing your hair out. I will rejoin you at the end of today’s presentation to tell you a little about how Prevalent can help put some of these best practices into action. But until then, Bryan, I’ll hand over to you.
Bryan Littlefair: Great. Thanks, Scott. And hello, everyone. It’s great to be able to speak to, hopefully, some of you who have been on some of my other webinars for Prevalent as well. And as Scott said, today we’re touching on European regulations that can affect anyone around the world, really. If your organization or business is selling products or services to anyone that sits in part of the European Union geographic region, then obviously this will apply to you. So I’m going to set the scene, as I always do, in terms of what we are talking about and why we are talking about it. What I’m noticing, and what security professionals around the world are noticing, is that regulation is only going to increase. You’ll probably hear me say that a few times throughout the call. It’s a fact. What we’re also seeing is regulators starting to converge on global data requirements. The conversations are happening. Everyone realizes that this is important. I think all of the regulators around the world are starting to look at the organizations that operate within their jurisdictions and say, are they doing things exactly how we need them to do them to protect the data of our citizens? And I think they’re arriving at the conclusion that no, not in every situation. And therefore, that’s where we start to see regulation emerge. I think for all organizations, completely independent of size, scale and complexity, data management is one of the biggest challenges that they face.
Bryan Littlefair: Really understanding what data they have in terms of customer data, what I call PII, personally identifiable information. The important stuff that your customers care about if you actually experience a data breach. From an organizational perspective it can be tough to understand what we actually have, where it is stored, who we have outsourced it to, and who they have then further outsourced it on to. I think that’s what the regulation is trying to get us to do: for that not to be a complex, unknown picture, but to really have that in-depth understanding of where all that data is, and whether we are allowed to maintain that data currently or should have offloaded it several years ago. Some organizations obviously focus on this more than others. Some see it as a differentiator. If they can be really good at this, if they can use security or privacy, or just whole data engineering and dynamics, that are differentiated from their competition, it really allows them to be more agile and customer focused. The customer experience can be a lot better in organizations that have really sorted this challenge out. Others see it as, oh no, our regulator has put out some compliance and we have to comply.
Bryan Littlefair: Let’s do the bare minimum so we can tick the box, but they don’t really embrace it as a principle that they will run their organization to. That’s an individual organizational discussion in terms of where you want to be on that cycle or curve. I think legacy tools are often a big factor in how organizations embrace that. From what I was saying earlier, if you’re trying to run your third-party risk management platform using Microsoft Excel in a regulated and compliant situation, you’re going to struggle, right? You can’t introduce some of the methodologies. You can’t introduce the tools. You can’t introduce a pre-populated understanding of what other organizations’ view on that supplier is. You’re absolutely going to struggle. So recognize that there have been specific technology organizations like Prevalent that have focused on addressing this issue and can make your life a lot easier. Right? So that’s my view of the scene that I see out there. I do a lot of consulting in large multinationals, small startups, scale-ups, multiple sectors, and that’s really the dynamic that I see. But ultimately we all have to improve, and why? Because it’s the right thing to do for our customers. All of our customers trust us. Depending on what your organization is, if it’s a bank, or a health organization, or if it’s just offering a service where you’re shipping some product to them, they’re entrusting you with their name, their payment information, their address and in some cases a lot more.
Bryan Littlefair: So I think we have a requirement, as security, privacy, procurement, whatever your background is, to actually put robust and proactive protection in place to be able to give the customer that reassurance that yes, we’re asking for this information, but we’re actually going to take security seriously and protect it for you. So we’ve already discussed that regulators are starting to talk, and I’ve got a slide next, I think, that shows a bit of a heat map in terms of the size and scale of data regulation around the globe. But what we’re seeing is a lot of acronyms being produced, right? They all have breakouts in terms of their long names. They’re all specifically focused, certainly for this conversation, around data. There’s obviously a lot of regulation in other areas as well. But we have GDPR in Europe. We have POPIA in South Africa. We have CCPA in America. I could go on with about another 80 names. I don’t know them all off the top of my head, you’ll be pleased to hear, but they all have a similar goal. They want organizations to take data security seriously. They want to give an individual, whether it’s a customer or an ex-customer, the ability to understand what data you hold on their behalf. But there are a lot of overlaps, and I’ll talk about that in a later slide as well. My personal view is that regulation is actually quite good. We started at an immature point, looking holistically across all organizations.
Bryan Littlefair: Obviously some individual companies might have been very good at it, but taking the whole organizational construct as a whole, we started at a fairly immature position. Regulation comes in and says you have to take this seriously, and that actually helps the security, data, risk and privacy professionals because it’s a regulation. It’s a license to do business. It has to be done and it has to be done right, and it will be made public if you are not doing it correctly. So that will damage your brand and reputation. So what does that do? It frees up resource. It frees up budget, and it frees up focus time within an organization to get these things done. So that can only be a good thing, because we’re improving security and data. And it’s only going to continue. I’ve been a CISO for 20-plus years, have been running my own company for seven-plus years, and work a lot with private equity and VC funds as well. What I’m seeing is that regulation helps, and therefore it’s only going to continue. We are going to hit a crunch point where we can be overregulated. Everything is dictated: you must do this, you must do that, etc. But I don’t think we’re there yet. I think we’re starting to scratch the surface of some pretty important topics that actually need more robustness and focus across the industry. So personally, I welcome it.
Bryan Littlefair: So if you look at this heat map across the globe, this is purely looking at data protection and data regulation, or countries putting regulation and compliance requirements onto organizations that operate within those boundaries or sell products or services to their citizens that exist within those boundaries. They’re starting to dictate how that citizen’s data is managed. We can see in this situation that red is heavy, so we’ve got the whole of Europe covered by the GDPR; you’ve got the USA and Canada covered off there, pretty much; Australia’s there as well; and a lot of Asia is maturing. This will eventually start to turn red holistically across the globe, even the countries in Africa which are pretty much grayed out at the moment. I know that there’s a lot of conversation going on in that space to extend, obviously, the South African POPIA regulation into those other countries in a bit of a phased approach. So it’s an important topic; you can see that by the adoption across the world. Not many things are truly focused on globally. The amount of hacks, breaches, and organizations not taking this as seriously as they should have done actually led to global regulators. You’ve got the whole of Europe governed by, obviously, the EU Council; you’ve got the whole of America and Canada governed, but there are lots of different breakout countries in there with their own territorial borders that have put their own procedures and policies in place. So they take it seriously, and therefore we have to take it seriously. And what can this lead to? It can be fairly complex if you’re leading a large multinational organization
Bryan Littlefair: that is selling products and services into 60, 70, 80, 90 of these countries. Then you’ve got a bit of a challenge because, as I say, they’re all broadly focused on the same agenda, but there are differences. There are differences in thresholds in terms of what classifies when you have to report an issue or an incident to the regulator. There are differences in time frames for when that report has to occur. There are differences in the actions that have to happen after that report on what has happened. So you have to be very conscious of the markets that you’re selling your products and services into, and therefore the data regulations that you actually are exposed to. But equally, outsourcing is a huge thing here, right? So if you’re outsourcing to high-skill but lower-cost locations to transform how you interact with your customers, that might be call centers, it might be data center operations. Both of those have access to data, in different flavors. Obviously the call center is interacting with the customer. They take some details and access their customer record, but the data center outsourcer also has access to that data because they manage the servers that that data resides upon. So it’s really getting into that detail of, as an organization, what do we look like? Who have we outsourced to, who have we given access privilege to, who have we given access to our data, and what controls and capabilities have we got to govern that and manage it? So it can be complex. It doesn’t have to be as complex as hopefully I’ve just outlined.
Bryan Littlefair: And as I said at the beginning, using a tool like Prevalent can certainly remove a lot of that complexity for you. But if you’re on Excel, you need to move off that, right? So, global regulations. Just to hit this point home, you can see we’ve compared CCPA to GDPR here. Europe got there first, closely followed by CCPA. What we’re looking at here is a very similar set of requirements and regulations. They all have a fine that they will put in place. They all have directives that you have to comply with. They all have thresholds that kick in, in terms of this applies to you and then it doesn’t apply to you, etc. And they all require the business to change and address it. But the biggest overlap that you’ll see across most of the data standards across the world is that it puts the customer front and center. It is the customer’s data. They’ve given it to you to procure a service or product. But that doesn’t mean you’ve got carte blanche anymore. In the old world, if someone downloaded a white paper from your website, they went on every single marketing list; emails were coming out left, right and center. That data could be shared broadly across the rest of your group, etc., for marketing needs and requirements. That’s not the case anymore. The customer is opting in to procure a very specific service from you, and you have to get their consent to do anything else with it.
Bryan Littlefair: And if they do consent to that, if they consent to you sharing data with third parties, or if they consent to you sharing that information across the group, then that’s fine. And we see this now. If you think about when you sign up for products and services online, the check boxes at the bottom before you click the submit button: I’m happy for you to do this with my data, I’m happy for you to do that. You either check it or you don’t. That’s consent. That’s giving them the information which allows them to comply with these regulations around the world. So, as I said, I personally think it’s a pretty good thing, but organizations have to take it seriously, and certainly you can see some of the fines that can be dished out, and we’ll get on to that a little bit later in the more specific ones as well. So let’s get into some of the regulations. I’ve tried to take a couple of flavors here: specifically focused on governance, specifically focused on technology, and then specifically focused on ESG as well. So even though they’re all focused around data and all focused on requirements and third-party risk management, they all have a slightly different twist. So, the National Cyber Security Centre, for those of you that are sitting outside the UK. The National Cyber Security Centre is part of GCHQ. So in the US, that’s your NSA equivalent. And they send out requirements which aren’t really requirements. They’re things that you actually have to do.
Bryan Littlefair: That’s just, I suppose, a bit of British language around it: it’s guidance, but actually it’s a requirement. I really like this approach, and I’m going to spend a little bit of time on the next slide breaking it down, because I think it applies to all organizations and how they should approach their third-party risk management in terms of setting it up for success going forward. It does mandate; it does say you will do this, you won’t do that, and organizations have been taking this pretty seriously in the UK. What the NCSC actually saw was an increase in attacks coming via the supply chain, and this isn’t just the UK. I look at the information coming out of national security organizations around the globe, and organizations’ weak spots have been determined by the hackers and attackers as being via their supply chain. You’ve got big organizations that invest tens of millions in security every year. They have big security teams, etc. So why am I going to try and attack the large mothership when actually I can come in covertly via a trusted relationship that they’ve got in place with a supplier? And that’s the risk that we’re trying to mitigate. We want to drive that security from the mothership into that third-party relationship. And even if that goes down to fourth, fifth, sixth party, it doesn’t make a difference. We want to understand what that data flow looks like. So, as I say, I really like this graphic.
Bryan Littlefair: It’s simplistic, and I think it sets you up for success not just in your third-party risk management program but equally in how you comply with standards and regulations. Thinking about what I’m going to say later on the others, it pretty much applies to those as well. So, before you start: why are you doing this? As I said at the beginning, some organizations take this really seriously; they change the culture of the company and it becomes a key differentiator. Others see it as a bit of a box-ticking exercise. You need to understand where your organization sits on that scale, because that’s going to dictate the level of focus, attention, investment and resource that you have available to you to be able to do it properly. So let’s assume that you’re going to be at the upper end of the scale and you’re going to do it properly, as it gives your customers the right level of assurance that you’re taking data security seriously. But you need to be set up for success. You need to understand that this isn’t going to be a security-siloed initiative. You need to embed it into the broader business. You need to work closely with risk. You need to work closely with procurement, you need to work closely with category managers that manage individual suppliers, and you need to work closely with the business units as well, because yes, we’re focusing down on supply chain cyber security, but there are huge benefits outside of cyber to getting this right. One of the examples that I often use is the Suez Canal being blocked, or the Russian invasion that we’re seeing at the moment, or some of the potential disruption that’s coming from China.
Bryan Littlefair: If you’ve got suppliers that are based in any of those regions, or you’ve got goods and services that need to come via the Suez Canal and something gets blocked, or there’s geopolitical instability, then you’re going to have a bit of a challenge producing your product and selling it on to your customers. So a lot of this is just about risk. It’s about business continuity. It’s about disaster recovery. It’s about understanding how the service that you deliver to your customers is constructed, what the sum of the parts is, and how you hedge the risk on that. That’s from a cyber perspective, but it’s equally from a procurement perspective as well. So understand why you’re doing it before you start; understand who you need to work with within your organization and how you extract the best value from that as well. Then understand what we would be targeted for. So sit back and reflect: what does our business do? Are we a pharmaceutical organization that produces groundbreaking drugs? Are we a payment business that has people’s cards or money, or anything in between? And you don’t have to be a large critical national organization to really take this seriously. Sadly, I still work with organizations that have the view, well, we would never be targeted. Well, you would, because we’ve seen hospitals targeted, we’ve seen charities targeted, etc. Sadly, there’s very little ethics on some of the attackers’ sides, and every organization has something of value to them.
Bryan Littlefair: So it’s really understanding what your crown jewels are and then building that defense-in-depth approach around them, so that you haven’t got single controls or single technologies protecting those crown jewels. It needs to be that defense-in-depth approach. Then you need to obviously apply that approach to your new suppliers going forward. So you’ve come up with your strategy, you’ve decided how you’re going to do it. You’re going to draw a line in the sand and move forward so that all new suppliers are subjected to this new governance and information gathering, and you’re going to be very clear on what your expectations are from a security perspective and extend your security policy requirements into those organizations. Now, that’s really good. But then look at point four. This is something new that you’re doing, and your organization might have been operating for 10 years. It might have been operating for 400, 500 years, right? So you’re going to have all of these existing supplier relationships that you have to retrospectively apply this to. And as we get on to some of the later slides, this is where some of the complexity of implementing regulation within your organization can actually occur. And then we always have to continuously improve. In security, the job is never done. We don’t get to a point and say, “Right, you’re secure. You don’t need security professionals anymore.” And the reason for that is that in a lot of cases security is always on the back foot. You have new threats, new risks, new vulnerabilities.
Bryan Littlefair: You have a whole industry in terms of hackers and people that are on the darker side of security coming up with new and innovative ways, extremely well-funded, coordinated and resourced, to try and break anything that we’re discussing today and get hold of that data. So we always have to be reactive. We always have to be agile, and we always have to recognize that we need to improve going forward. So let’s talk about GDPR. This covers the entirety of the European Union, so the whole of Europe. Even though the UK is, from a country perspective, no longer part of the European Union, we still obviously are part of it from a data privacy perspective. We still require all of our organizations to comply with this going forward. At some point in the future, we may come up with something country-specific. I’ve certainly heard conversation around that. But for the moment, we are focused on GDPR. So this is important regardless of where you are in the world. As I said on that heat map, if you’re sitting in the US and you sell a product or service to a European citizen, then you have to be compliant with GDPR. Well, you don’t have to be, as I’ve put on that example there. My personal situation sometimes, when I’m googling news stories and I see something interesting in the US and I click on that link, is that it takes me to a smaller newspaper, or even some of the national newspapers that exist in the US, and they’ve decided that they don’t want to comply with GDPR.
Bryan Littlefair: They don’t get a lot of revenue, only a few ad-click revenues, from people in Europe coming over to read their stories. And in a lot of cases, those stories are replicated on European newspaper sites anyway. So rather than have to invest to change their business to be able to comply with GDPR, what we’re actually presented with is a block screen, which you might never have seen, because obviously you’re coming in from the US. And it simply says, we’ve tracked your IP address to originate from Europe; we’re not going to serve you this content, simply because they don’t want to comply with GDPR. That might be fine for their business. But if you’re a pharmaceutical, or if you’re an Amazon, or if you’re something that is regularly selling a product or service to European citizens, you don’t have that luxury. Not a lot of businesses can just slice across their customer base and say that we’re going to exclude a whole continent. It’s not typical from a business strategy perspective. You have to get this right. And I’ve got a slide next which gives a pictorial example of what the construct of GDPR is. But it’s been around for a fair few years; organizations have had plenty of time to make sure that they’ve got the right processes and controls in place.
Bryan Littlefair: So now we’re in the situation where, when there are breaches of GDPR, whether it’s a marketing email going to customers where it shouldn’t be, or whether there’s been a hack and data theft, etc., and it shouldn’t have happened because the controls weren’t effective enough, so it’s a breach of GDPR, then the fines can be fairly hefty: up to 20 million or 4% of global revenue, whichever is the higher. And then obviously that doesn’t even start to touch the compensation that has to go out to individuals that are affected by the breach. And then on top of that, you’ve got the reputation damage, not only from the breach but obviously the subsequent reputation damage that comes further down the line when the fine is imposed upon you by the regulator. And obviously it shifts this dynamic. So it says that regardless of what you do as an organization, you remain the data owner. So if you’ve outsourced your call centers to a different jurisdiction or a different country, or to someone else to do it on your behalf, that doesn’t matter. You are the owner of that data. If that third party is hacked and breached, and they steal your data, that’s still your problem. And hence why you need to really get into the contracts and understand what their security controls are against your data that you’re entrusting them with, because if they have a problem, that’s your problem as well, right? And again, at the bottom, it’s a complex situation. It’s going to be really challenging to do this from a manual perspective.
Bryan Littlefair: So you need to understand how you can build automation into your business process, automation into your workflow, but equally automation into your compliance processes that can tell you where you have an issue, using a tool similar to Prevalent. So there are 10 key GDPR requirements. I’m certainly not going to go around them all. The key things that were a challenge from an organizational perspective to put in were consent. We’ve already touched on that in terms of the big impact on organizations’ marketing lists. They might have had 10, 20, 30 million emails in their marketing list, but when they actually looked at how many they still have consent for to be able to communicate with, in the eyes of GDPR, some organizations saw a 60 to 70% cull of their marketing list. So a fairly sizable impact. Another big change was that every company has to have a data protection officer, and this isn’t someone with no teeth embedded deep within the organization. This is someone sitting at the executive team, or very close to it, who can influence the behavior and culture of the organization to make sure that it’s, as it says there, privacy by design; to make sure that the data subjects’ rights are maintained throughout everything that the organization does; and to make sure that the business is operating in a lawful, fair and transparent way. And it’s very public: you have to communicate your compliance with GDPR publicly as part of your annual reports if you’re a listed company, so everyone can see how well you are doing this. So it’s absolutely critical that people focus on this going forward. So let’s get on to another one. DORA, the Digital Operational Resilience Act.
Brian Littlefair: And you know this is primarily focused on financial services and it has a slightly different lens to GDPR. Brian Littlefair: So it’s quite technology focused. Brian Littlefair: So for those of you that work in, you know, whether it’s venture capital firms, large banks, insurance companies, uh whatever it is, if you’re if you’re working with financial payment uh information, and you’re dealing with European citizens, then obviously this is something that you’re going to have to, you know, embrace and embed within your organization. Brian Littlefair: What it does is, you know, rather than just looking at the whether an organization has policies, procedures in place, it actually says you have to get into the details of their technical security stack. Brian Littlefair: So you have to understand not just taking a you know a sock two type two report and and taking that as as written that everything is Okay, I want to see your penetration test results. Brian Littlefair: I want to understand the the findings within your ISO 27,0001 audits as it relates to to technology. Brian Littlefair: So what it does do is it’s you know explained on this this following slide in my way to simplify it. Brian Littlefair: It’s a show me don’t tell me. Brian Littlefair: So rather than you saying you know everything’s fine. Brian Littlefair: We know we patch our perimeter on a weekly basis you know or we scan our perimeter on a weekly basis. Brian Littlefair: If anything critical comes out we fix it. Brian Littlefair: in a matter of hours. Brian Littlefair: That’s all well and good in terms of, you know, an initial conversation, but and that might be fine from a policy statement perspective, but what DORA requires companies to do is, okay, show me the evidence. Brian Littlefair: Show me how you identified this vulnerability and show me the business process that was effective in in remediating it within the time frames that you’ve got stipulated within your policy. 
Brian Littlefair: Show me your full end-to-end enterprise risk management stack. Brian Littlefair: Show me how that is going to be able to you know, flip into action instantly for business continuity and disaster recovery. Brian Littlefair: Show me how you understand all the vulnerabilities within your organization. Brian Littlefair: Show me how you would detect someone within your organization rapidly and and show me how you’ve extended that into your subsequent supply chain as well. Brian Littlefair: So, you know, where the conversation historically was, you know, fill in this spreadsheet, tell me you’ve got an information security policy and and largely everything would be good depending on the critical ity of that supplier for financial services in EU now because it’s dealing with people’s uh banking information and dealing with their money and and obviously money is the primary target of you know maliciously inclined people there’s such a focus on making sure that the the technology is there to to to be focused upon and you know technology isn’t everything but we have complimentary requirements and regulation that focus on business process and we have complimentary requirements that actually focus on getting you know the education and awareness and the culture right as well embedded into the people within the organization so you have that full people process technology focus as it should be in that order. Brian Littlefair: The next one we’re going to look at is the German supply chain due diligence acts. 
Brian Littlefair: So SCDDA um you’ll forgive me if I don’t go into the full uh the German pronunciation of it and we tend to use the the acronym this came in enforced relatively recently 1st of January 2023 and has a slightly different flavor right so this is around the whole ESG angle or the corporate social responsibility however you want to look at it you know organizations should be doing the right thing if you’re creating a product or a service you have to really understand you know what is the footprint of that product and service on the globe are you using too much energy are you protecting human rights Are you protecting the environment in your product and your your your you know the the wrapper or the the capability within your product? Brian Littlefair: Are you using factories in you know potential organizations that that don’t take emission standards as they should be? Brian Littlefair: So really looking at that global footprint and I’m certainly not going to name organizations but you know there’s been some pretty big brands that sell you know products and services in every country around the world that weren’t focusing on this as they should do. Brian Littlefair: You know, making sure that, you know, child trafficking isn’t happening or, you know, children aren’t being used in in production sites and and things like that. Brian Littlefair: Really making sure that people when they’re putting the work in are getting a fair fair income and a fair salary for the effort that they’re putting in place. Brian Littlefair: The fine initially when you look at it, you know, €800,000 is fairly sizable, but it’s not certainly not one of the biggest. Brian Littlefair: The big lever that they can pull in this space is restrict ricted market access. 
Brian Littlefair: So if you’re not doing you know everything that this requirement asks you to do then actually they can restrict your access to to sell your product and services currently within Germany but you know these things tend tend to proliferate out to other countries as well and then obviously you know lawsuits regulation suing etc that’s only going to go on as well but this is you know very much focused on that that ESG angle as well so slightly different from the other two. Brian Littlefair: So it wants you to understand how your business operates. Brian Littlefair: It wants you to understand who are you doing business with, who produces your raw materials, where do your raw materials come from, you know, who actually creates the product and service, who do you outsource capability to, and you have to understand that entire footprint. Brian Littlefair: And you know, I remember when anti-bribery first came in as a as a requirement and regulation. Brian Littlefair: And we all all have to accept that there were some countries and jurisdictions around the world where where bribery was standard business practice and you had to extend that out to those organizations and countries and say we understand that this has been a way that you’ve done business historically but it’s no longer acceptable to operate under our brand and again from a whole ESG CSR perspective you know organizations you know put out this is how we operate these are our beliefs this is the culture within our organization we want to embrace face, you know, a positive environment going forward. Brian Littlefair: We want to make sure that the people that work for us have a fair salary, etc. Brian Littlefair: And that goes globally. Brian Littlefair: You know, often in western countries, some of the products and services can be created in other jurisdictions, but this has to extend out there. 
Brian Littlefair: If you’re going to make a big ESG or CSR difference, then you need to be able to tap into that that global footprint going forward. Brian Littlefair: So, so absolutely this is a requirement. Brian Littlefair: Again, a good one from my perspective, and I think we’re going to start to see these requirements and regulations populate more globally as well. Brian Littlefair: So how can you start to operate you know globally with these conflicting compliance requirements? Brian Littlefair: So as I said there’s 80 plus when you when you like looking from a data perspective around the globe and that can seem fairly daunting. Brian Littlefair: Uh you you want to be able to run this global business process but then you have this nuance of local compliance requirements. Brian Littlefair: So What did in my experience have I seen organizations do and this really comes down to you know what type of business that you’re operating in but typically to remove internal business complexity you want to have a so single g global business process you want to have a single global business policy single global security policy single global IT policy because everyone is then singing from the same himsh sheet but what do you do when you have these 80 plus different requirements well Typically what I observe is an analysis of the markets and jurisdictions that you operate within and an understanding of the most stringent requirements and controls that that are that are present and then to apply that globally across your business. Brian Littlefair: The constraint there is obviously if that puts you know extra financial requirements on the business where it’s perhaps unwarranted then maybe that wouldn’t be the case but that’s pretty much the norm that we see. 
Brian Littlefair: So you can start to globalize those processes going forward but Equally, you know, using a tool like Prevalent can can help you reach into your supplier footprint, understand the jurisdictions that you’re you’re operating in, understand the requirements that you therefore have to to to comply to going forward, and then actually give you a very clear lens on where your challenge and focus areas need to be going forward. Brian Littlefair: But, you know, the objective should be uh as I say, you know, one company, local roots. Brian Littlefair: So, running that global business process everywhere and Again, if you’re trying to run a manual process, it can be a real challenge because, you know, you might work with one supplier who is fairly trivial in one geography, but is then fairly fundamental in another. Brian Littlefair: And actually understand that nuance and difference can be quite a challenge. Brian Littlefair: And but a tool like prevalent can really help you get under the hood of that going forward. Brian Littlefair: So in summary, just before I I hand over to Scott, in an ideal world, like I’ve just said, a global approach, a global standard, it would be amazing if all of our regulators could get together and say, “Look, we’re all largely asking for the same thing. Brian Littlefair: So, can we actually convene down onto a specific requirement that actually impacts every organization globally, but we’re we’re a long way from that.” Brian Littlefair: So, you know, we are where we are and we have to focus on getting it right. Brian Littlefair: So, you know, that that we we want to do the right thing, I largely believe. Brian Littlefair: So, you have to embrace the the approaches that can make that simpler for you. Brian Littlefair: But equally, we have to recognize that countries want to protect their citizens data, right? 
Brian Littlefair: So, you know, that’s where the regulation is is coming from and and as I said at the beginning, I I think that’s the right thing to do. Brian Littlefair: That’s why I got into into security. Brian Littlefair: Uh regulation has emerged because we simply haven’t been proactive enough as as organizations. Brian Littlefair: We haven’t taken it seriously enough. Brian Littlefair: We haven’t put in place the right measures and control etc. Brian Littlefair: And therefore, that’s why we have regulation that’s going to drive all of our behaviors to make sure that we we all reach a point and you know when we all reach that common point guess what the regulation will ask us to step up more history tells us that right it’s only going to increase so embrace it be proactive have those conversations with your organizations for you know the things that we’re discussing today one of them was new GDPR has been around for for many years so you know if you are in scope for GDPR then largely you’ll be compliant today but you know regulation is going to continue and you need to get that muscle memory in place in terms of regulation is going to adapt. Brian Littlefair: It’s going to evolve. Brian Littlefair: So, how do we embrace it and and take our security on that journey as well and as I said it can be streamlined. Brian Littlefair: It it doesn’t have to be as as complex if you’re sitting there using a Microsoft Excel or running a manual process etc. Brian Littlefair: It doesn’t have to be that difficult. Brian Littlefair: I’ve seen and run personally you know large multinational 60 plus organizations with a fairly small team with access to the right tools and capabilities so you can get those insights. 
Brian Littlefair: And what you see is, you know, yes, it’s of great benefit to security, but equally it’s of great benefit to the business because you’re pushing that intelligence back into the business where it needs to be so they can make business decisions on how to mitigate those risks. Brian Littlefair: So Scott, I’m going to hand over to you.
Scott Lang: Sounds great, Bryan. Thanks so much, I appreciate it. Everybody, I want you to internalize for a second some of the things Bryan said there. I think the meta message behind all of what Bryan covered today was the relatively weighty complexity behind understanding the requirements, understanding where some of these requirements overlap with one another, and then how much audit and reporting work has to be done to collect information regarding your third parties' data protection and privacy practices, or IT security practices, or whatever, and then put that into some sort of meaningful format that not only decision makers in the organization can manage, but that external auditors can address as well. So, as we transition from Bryan's presentation to my part of the presentation, understanding that complexity, what we'll cover is what we can do to help you. So Bryan, if you wouldn't mind switching to the next slide. In that vein, we really hear customers tell us three things when it comes to addressing their regulatory requirements. Number one is they want to get the data they need to make better decisions, and do it in an efficient way. They're looking at dozens, hundreds, whatever, of third-party vendors and suppliers with multiple different jurisdictional requirements they have to meet. That lack of centralization definitely hurts. Second, increasing team efficiency and breaking down silos.

Scott Lang: It isn't just the auditing, compliance and legal teams that need access to third-party risk information for reporting, compliance, audit and regulatory purposes. It's also the executive team, the IT security team, the data privacy team, and more. And often what happens is you probably have different tools and not a whole lot of efficiency in that process. The third one just leads to the inability to really evolve your program and keep up with those constantly changing regulatory requirements, and then to scale your ability to address those changing requirements across your vendor estate. Next slide please, Bryan. What really gets in the way of that, I think, is three things, and Bryan mentioned this earlier, but number one is spreadsheets. We do an annual industry study on third-party risk management practices, and last year 42% of respondents said they are solely using spreadsheets to manage auditing and controls of third-party risk management and regulatory information. Almost half. It's down from 45%. So hey, progress, right? But still, 42% are using spreadsheets and spreadsheets alone. It's unbelievable. Go back to a slide that Bryan presented a few minutes ago that talked about some of the overlapping requirements between GDPR and CCPA. If you've got a vendor that has facilities or third parties of their own in both of those jurisdictions, you're looking at essentially three different mechanisms for assessing their data privacy controls.

Scott Lang: For example, specific to CCPA, specific to GDPR, and then the conjoining of those two as well. You can't do that with spreadsheets. The second big challenge is outdated information. Once you complete that spreadsheet and fill in your controls over X, Y and Z, all of a sudden that data is out of date the minute you click send on it. So there's really no real-time view or intelligence into those vendors' controls, which doesn't really help you from a validation perspective or an ongoing monitoring perspective. And then third, we kind of addressed this on a previous slide, but another one of those challenges is all the different folks that have their hand in the pot, so to speak, or are trying to stir the pot. Where I grew up, they said the more hands you put on a plow, who knows where it goes. And that's the issue. I recognize that ownership across organizations tends to be variable. In 50% of the organizations we talk to, it's the IT or infosec team that owns third-party risk, but in 50% it's a combination of other teams as well, and that just leads to a lot of organizational complexity. Next slide please, Bryan. Our approach, and you can build this out one more if you'd like, is to give you a very prescriptive process to guide you through your third-party risk management assessments. And we do that uniquely at every stage in the third-party life cycle. That's our approach, if you will. We understand what the challenges are at each one of these stages.

Scott Lang: Whether it be not getting good risk insights or being faced with manual processes when trying to source and select a vendor; different teams, processes and tools in place to onboard a vendor; disjointed tools and inefficiency in monitoring; spreadsheets for assessments; siloed teams and no view of KPIs or KRIs from a performance management perspective; and manual processes from an offboarding point of view. We understand those challenges, and we also understand that it takes a very holistic solution to address each of those risks uniquely and then tie it all together for everybody else in the enterprise. Next slide, please, Bryan. From my perspective, it's all about delivering a solution that is comprehensive and includes not just a platform that helps you automate and host assessments, manage data, documentation, attestations and more, but also the people that help to do that for you. One of the areas we specialize in is third-party risk assessment services, where we do the hard work for you. You have to assess your third-party vendors, your critical providers, your outsourced data providers against GDPR? We can do that for you. We can chase that down. We chase those vendors down, help design a questionnaire with you, analyze the responses and then recommend remediation guidance. At the same time, we consume a tremendous amount of third-party intelligence in multiple different domain areas that helps you add context to the risk you're gathering through those assessments, or that we're gathering on your behalf, so that you've got a very comprehensive view of that third party's risk. Right? So it's a three-part harmony, if you will.

Scott Lang: It's the people and the expertise that help to do it for you, if that's what you choose. It's the data that adds context to the assessment, and it's the platform that drives the analytics, the automation and the workflow to make it happen. Next slide, please, Bryan. We address third-party risk management across many use cases. We've bucketed them into three here: those unique to procurement and vendor and supplier management; core IT security use cases such as assessing against cyber security, information security, NIST, ISO, SOC 2, internal IT security; and then data privacy, legal and compliance as well. We address requirements with specific questionnaire content in our platform for the regulations you see in front of you, as well as many more that I just didn't have room to address. But the point is, if you have a PDPA or MAS requirement that you have to address in Singapore, or a GDPR or FCA requirement that you have to address in the UK or in EMEA, we probably have a questionnaire for that that you can then utilize and customize. And then we have continuous monitoring data that helps to validate those responses and the evidence the vendor provides, to make sure those controls are being implemented and enforced properly. Next slide, please, Bryan. Along those same lines, our objective, at the end of the day, our approach to third-party risk, is threefold. Number one is to help your organization be smarter in its approach to third-party risk. That gives you comprehensive risk and performance insights, which you saw on the last slide.

Scott Lang: Data-driven analytics that help you make good decisions, and then role-based reporting to help you get that data and those conclusions to the right folks either inside or outside the enterprise. Second is to unify it all together and give you a single source of truth for all of your third-party vendor and supplier risk management data, to combine assessment and monitoring together to give you a complete picture of risk, and to look at the life cycle from onboarding to offboarding. And finally, to give you a prescriptive approach that includes built-in intelligence and recommendations, automated workflow and response to progress issues and remediations through the life cycle, as well as a whole army of experts on the back end to help extend your team and help you do more with the resources you have available. So that's really the Prevalent approach. Bryan, I think that's my last slide on addressing the challenge of third-party risk management. What Bryan really talked about today was how complex it is to understand and make sense of the myriad European regulations you might be beholden to if you're a global enterprise. I think together we can simplify that process for you, automate it a little bit, and then help you make sense of all of that data. That's all I really had to share with you today. Bryan, any final comments from you?
Bryan Littlefair: No, I've used the Prevalent tool many times, in organizations of different sizes and orientations. And I recommend it here for a specific reason, namely because I've used it myself. I've seen the benefits. I've seen the results it can deliver. And, Scott, the key point you raised is the manual approach, right? If your organization is establishing a relationship with a new customer or supplier and you're using Excel, you start with a blank sheet of paper, or a number of blank cells. If you can then go on and find the information that other customers have found out about that supplier, that means you're not starting from a blank sheet of paper. That makes the process much faster, much more seamless and much richer. And what I absolutely didn't want as a CISO was for the security team to be seen as an obstacle that slowed things down and added no value. And I think when you use this kind of technology, which addresses the most important risks, as you know, security organizations around the world say that third-party risk is not only the hardest to manage if you don't get it right, but also has some of the most complex impacts, and is certainly a key attack vector that we observe. So you should absolutely welcome the innovation in this space and use the technology that is specifically designed to help you in this environment. Right.
Scott Lang: Great. Great, Bryan. Well, I want to thank you today, Bryan, for taking the time to share your expertise with our audience. I think everyone has benefited from this advice. And I'm really grateful that everyone took the time to join us again today. That concludes today's webinar. I hope to see you all at a future webinar, and I wish you all a great day. Take care. Goodbye.
Bryan Littlefair: Thank you all. Goodbye.
©2026 Mitratech, Inc. All rights reserved.