Description
Questionnaire-based risk assessments are a great way to understand how third parties handle your data, ensure business resilience, or adhere to contractual requirements. But questions are worthless if you can’t get answers! In fact, in a recent Prevalent study, 57% of respondents cited poor vendor communications and/or spreadsheet-based assessment methods among their biggest third-party risk management challenges.
If you’re part of the “57 Percent,” then you’ll want to join the next session in our TPRM 101 webinar series, How to Get Vendors to Respond to Risk Assessments. Brenda Ferraro, Prevalent VP of Third-Party Risk, will share best practices from her 20+ years of experience working with some of the world’s most effective third-party risk management (TPRM) programs.
Watch this webinar to learn:
- How to communicate with vendors for a higher response rate
- When to realistically expect responses (and other KPIs)
- What to do when you don’t have the right contact or can’t get a response
- Who can help you chase down answers and analyze your risk
- Where to get vendor risk intelligence without waiting for a response
You’ll walk away with practical advice for improving your existing TPRM program, plus recommendations for tools and techniques that can take the pain out of the assessment process.
Speakers

Brenda Ferraro
Prevalent VP of Third-Party Risk
Transcript
Amy Tweed: All right, welcome everyone as you trickle in really early here. Okay, here come some people. Okay, great. So happy you can join us all here today, wherever you’re at, whatever time it is for you. We’re really excited to go through this webinar. In just a moment I’m going to put up a polling question as to why you are here, what brought you here today. We’re really looking to learn what it is that you want to learn and why you are here. And while I do that, we’ll go through some housekeeping rules as well as some introductions here. So, I’m going to launch that poll as you settle in; get comfortable, take a moment to answer. I am joined here with Brenda Ferraro. She is Prevalent’s very own Vice President of Third-Party Risk. She’s going to be taking us through some third-party risk management 101: how to get your vendors to respond to risk assessments. So, a lot of really good stuff we’re going to cover today. My name is Amy Tweed. I am in business development here at Prevalent, and I will be popping in and out with your questions. So, down below you’ll see there’s a Q&A function. There’s also the chat function. So, as you are listening and learning, please ask your questions. We want this to remain as interactive as possible. That being said, your cameras are off. You are muted on purpose, but please ask your questions. And then, as well as that, I’ll be pulling in poll questions throughout. So, Brenda, how are you doing today? I’m really excited.
Brenda Ferraro: I’m doing well. How are you?
Amy Tweed: I’m good. Thank you.
Brenda Ferraro: Outside of excited.
Amy Tweed: Great. Lots to cover today. So, the poll question’s still up. We’ll give it about 10 more seconds here. So, as you settle in, let us know what brought you here today. Whether it be educational project research, you have an upcoming third-party risk management project, or you’re not sure why you’re here. You know, “Why... where am I again?” You can ask yourself that. Looks like no one’s answering that. So, people are here on purpose. And then we have some Prevalent customers as well. So, great to have you. All right, I’m going to end that poll. Brenda, take it away.
Brenda Ferraro: All right, thanks Amy. And so, we want the questions to come in, as she had mentioned, throughout this webinar, and Amy will pop on screen and ask those questions for you. So, please make sure you are engaged. We also like to put polling questions throughout the webinar presentation so that I can get a sense of the audience, so that I’m speaking directly to what your needs are. So, we will make sure that when Amy pops on, I’ll either interrupt what I’m saying or we’ll finish the sentence or a screen and then get your questions answered. All right. So, how to get your vendors to respond to risk assessments. This is one of the pain points that seems to be the biggest issue, and there are multiple reasons for that. And so during this presentation today, I’m going to be giving you some techniques and some foundational information that you can think about implementing into your own program as well. Some of the things that I’m going to be talking about are processes that you need to create external to any platform that you use. And then we’ll also be discussing things that should be part of your third-party risk management platform, because automation is key to getting things done faster, but we want it to be done right. So, let’s get started with our agenda. So, today we’re going to be talking about these five things and more. I’m going to integrate as much as possible into this hour because this topic is so important. And the first thing is making sure that we have a higher response rate; communication, and being able to tell your vendors and your business and organization what you’re doing and why, sets the stage for success. So, we’ll talk about some of those techniques. The other thing is realistic expectations. So, we can have expectations of our vendors of how fast we need something, but we also need to think about what we’re asking them and how fast they can respond. 
And if there is a risk identified or a control that’s not in place, how long should it take them to put something in place so that their posture is more secure? Also, what do you do when you don’t have the right point of contact? So, I was sitting in a conference just before this call, and I’m going to go back to it when this call is over, but they were specifically talking at a CISO level about, when you don’t have a point of contact, that’s actually what you should be doing as your annual review. Because when you ask individual vendors what they’re doing for their security posture, normally it will either improve or there might be threat landscape changes that you have to ask them about so that you know that their posture is good there. But the one main thing that’s so very important is to have a point of contact. If you don’t have a point of contact, how can you get an assessment done? Or if you don’t have a point of contact, how do you get responses to maybe an incident or some type of rapid response scenario that you need information on? So, that’s one thing that we’ll also discuss. Then we’ll go into chasing down answers, getting into the administrative fatigue and how to get out of it. And then finally from there, what we’re doing with regards to the vendor risk intelligence and how we’re using that, or are we waiting for responses. So we’ll talk about all of these things. So going into our first polling question before we talk about communicating for a better response rate, Amy, why don’t you pop that up and see what our audience thinks today and where they sit.
Amy Tweed: All right, so polling question. Do you have challenges with getting responses from your vendors? Simple yes, no, not sure. Take a moment to answer.
Brenda Ferraro: I remember when I was doing the third-party risk assessment program at a large company, and this was one of the areas that was so very difficult for us, and we tried creating so many techniques, and those are the ones that I’m going to share with you, as well as the strategy workshops that I have with other companies today, and everybody gets very creative and innovative. So, I’m hoping that all of the things that we talk about today are either, one, going to resonate and remind you to keep up with it, or two, give you some ideas.
Amy Tweed: Great. All right, I’m going to end the polling in three, two, one. We have a lot of responses here. I’ll share. So, a lot of yeses, a little bit of no, not sure.
Brenda Ferraro: Okay. So, this webinar and presentation is for you. We’re happy you’re here. Good.
Brenda Ferraro: We will definitely be helping you today. So, thank you for joining, and let’s get started. So, let’s talk about the four proactive communication techniques. Now, I could go into, like, there’s aggressive communication and avoidance communication and all of those social styles, but that’s not really what we’re here to talk about today. We’re going to be talking about these four items. At the very get-go, there are contracting things that you can do to help to solidify that your vendors comply with your program. So, we’ll dig into that. The next thing we’ll dig into is initial diligence outreach and ongoing due diligence outreach. From there, we’ll talk about continuous status updates and reports, because one thing that really bothers me as an individual is if I go and take a test or I am audited, I want to know what I need to fix, and then I need to know negotiations of how long to fix them, and tracking those and being communicated with as those are progressing, and even knowing that if my risk status becomes more positive, give me kudos, let me know. And then vendor expos and conferences: for the most mature companies, they are able to hold internal and sometimes external expos or conferences to educate and to inform what is happening within the program and how well they’re doing. So as we jump into the contract section of this particular webinar: you have master service agreements, you have business associate agreements, and you may have other types of agreements that you use. But for each and every one of them, what I found successful, and what I advise my other companies to do when I’m doing strategy discussions with them, is there really needs to be a section within your contract about the third-party risk management program. It doesn’t need to be lengthy. It can be very brief, like one, maybe two paragraphs, and some expectation of what types of assessments you will be doing. 
Now, this is completely separate from the annual audit clause that is normally in a contract. And I was having a lot of problems with the fact that the contracting organization or the vendor management department or procurement or sourcing, whoever was in charge, was asking me to go through red lines.
Brenda Ferraro: And the red lines were talking about the security environment or even the third-party risk management or the annual assessment. And it got to the point where I was like, you know what, I’m spending way too much time going through redlines. I am not legal in nature. I don’t have a law degree. And all I really want them to understand is they need to comply with our third-party risk program. Whether there’s an incident, they need to respond. Whether they’re just being assessed, they need to complete the assessment. If we have some exception capabilities, I’ll list those in the contract. But I wanted it to be unredlinable. Now, unredlinable is not a word in the Webster’s dictionary. So, it is something that I maybe have made up, or it’s something that people always used, but we didn’t make it official. So, update those contracts with a TPRM section. Now, the other thing that was very helpful was we added, in some cases, an information security addendum to the contract. So, for particular classes or categories of vendors or suppliers, we would make sure that that information was attached to the contract and it would map to our key controls that were applicable to that type of an engagement. So in other webinars we’ve talked about key controls. Those are basically the controls that are must-haves in order to do business with you for that type of service. So it basically would list a very short summary of the control and what’s expected and why. And that way they would know upfront, before even having an assessment or directly after having an initial assessment, that those were the things that we were going to hone in on very specifically. Now, from a key performance indicator and a key risk indicator perspective, this was very helpful because at the very beginning of building a program, sometimes your departments aren’t playing nice together.
Brenda Ferraro: You may have procurement who feel they own certain things, third-party risk who feel they own certain things, compliance who feel they own certain things, and until that’s centralized, you’ve got to be able to show those organizations and departments how this is not only helping you in TPRM, but it’s helping them as well, because think of the time that it will save to not have red lines and have to go back and forth negotiating on “yes, you really do have to do this type of an assessment.” Now, there was a debate recently with a large group, about 25 or so practitioners in third-party risk management, and we were discussing: what are the third-party risk management expectations on completing assessment content? Do you have to complete a proprietary questionnaire or a standard questionnaire, or go to someone’s platform and fill out their questionnaire for a network? And the answer is yes. You don’t, as a company, have an auditor come into your shop and say, “Give me your self-audit.” They never do that. You do a self-audit to get ready. But you never say, “Oh, here’s my self-audit. Thank you for auditing me.” They will come in and they will audit you. Well, we are going to do that with third-party risk vendors. We’re going to ask them the information and run threat intelligence reports on them in order to find out if their security posture is sound. So those KPIs and KRIs were very helpful to say, okay, there are companies that are compliant. They are fulfilling their requirements to do the third-party risk management program mandate, which is stipulated in their contract, and the contract completions are going faster because we’re not doing that back-and-forth redlining. The other thing is the unresponsive. So if we have a vendor who’s unresponsive, or they’re redlining that section, that’s a flag. Why would they not want to participate in third-party risk to make sure that the ecosystem of security is sound? 
So with that, those are the things with regards to contracts that will help you. If you’re not already doing it, I would think about doing it pretty rapidly. Now, this is going to be information overload. It’s a very large picture of a lot of steps that you can take.
Brenda Ferraro: So, you might, you know, want to take a camera shot of it. You’ll get this in your inbox as a recorded session. And sometimes, I believe, we give this out as a PDF. So, as you walk through what you are doing with your vendor, you’re building a relationship. And you want to do that early and you want to do it often, because when an incident happens, then you want to have a relationship with them where they want to give you information about what’s going on. But you also want to set the stage to say, “I am empathetically here to help you be secure and to have a successful relationship with our company, and these are the things that I’ve put in place in order for you to be well aware or knowledgeable on exactly what we’re doing with you, when, why and how fast.” So there needs to be some type of an initial announcement that goes out about your program to your internal key stakeholders. And you also want to announce to your vendors, whether they’re just the critical and high ones or all of them, that you have a program, and here’s what you’re going to be expecting from them. This sets the stage and plants the seed so that you can tell them, “Here’s exactly what we’re thinking that we’re going to do, and it may tweak, but we also need you to comply with it.” And it gives your internal stakeholders the awareness that you’re communicating with those vendors, because sometimes you might get into a sticky situation where the sourcing agents or the procurement office will say, “Well, wait a minute. We’re the only ones that are talking to our vendors, and now you’re talking to our vendors, too. What exactly are you saying to them? What are you gathering from them?” So, this is getting you to better have a communication structure with your internal and your external stakeholders for the vendor relationship. Now, the welcome program. This is what happens when you outreach to a vendor specifically to have an assessment. 
So, you want to set the program expectations to say, “Welcome to our program. Here is why we do it. This is what we’re going to expect from you. Here’s what’s going to happen next.” And in many cases, if you’re working through a platform, the platform can do this announcement for you.
Brenda Ferraro: You don’t have to do it external to the platform, but if you wish to, you can. It’s just another step of something that you have to track. Now, when you inform them of the next steps, make sure that you’re talking to them about what they are going to expect. And hopefully, it is going to be pointed at relevant information that you need to gather. If you are already using a standard questionnaire, but you’re using a one-size-fits-all, that one-size-fits-all may not be relevant to each individual contract. You might have a software developer, and there are specific things that you need to ask them. You may want to add ransomware questions, and it needs to be also noted that there’s going to be a ransomware section that they need to answer or respond to. And then provide them timelines, and make sure that the email reminders that you have embedded into your system or your platform are also going to remind them in that time frame. So I usually recommend that you remind people at least three times. Once, and then once to say, “Hey, I hope you got this notification.” Second one to say, “We’re just making sure that you got this notification. You’ve got a couple extra weeks or timeline or days,” however fast you need to have them done. And it basically tells them what will happen if they don’t respond, because you can’t just give them something, not tell them a due date, and not tell them what the ramification is. Many times there are companies that will use a soft hammer, and some companies will use a hard hammer. The hard one is to say, “We will stop paying you.” 
And then the soft one is to say, “We have the ability to extend your date if you’re having some problems with getting this completed, or would you like to hop on a call, or you can just escalate and take that approach internally?” Now, the relevant due diligence is really important, because we’ve got fatigue happening everywhere, especially with the fact that we’ve had ransomware attacks and people are sending out questionnaires. They’re also still having to fill out proprietary questionnaires. No one has figured out how to take proprietary and standard questionnaires and make it so that they would cross-reference each other.
Brenda Ferraro: There are companies who are looking at that, and when you start getting that mapping done, Prevalent is one of them. We have started looking at some of the standard questionnaires and making sure that we’re mapping those and making relationships. But until there is only one way of doing it, which will be very difficult, and we haven’t found a nut to crack on that, we need to make sure that we’re being kind to our vendors, because what you want them to work on is remediating the risks, not consistently and continuously telling you that they have a vulnerability. You want them to work on remediation. So, build that direct relationship with the vendor. Next is, we talked about the email reminders, making sure that there’s warnings, whether it’s hard or soft warnings. Confirm receipt, that they received it. And then if they’re unresponsive, make sure that you’re reporting not only the good vendors, but also the ones that are unresponsive, because then the risk should be flagged for those particular vendors. Now, as we go into the initial risk summary, you’re going to start performing your review. The information is going to come back to you. You’re going to be running threat intelligence reports if you haven’t already. You’re going to hopefully apply embedded risk tolerance to those risks. And what happens with this is that as you’re looking at the risks that apply for the engagement, you’re able to create initial risk summary reports. And that initial risk summary report should be shared with the vendor, telling them, “Thank you for complying with giving us the information. Here is what we are expecting to take a further deep dive into, and as soon as we have a final risk report, or we negotiate with you what those risk remediations are, then we can put in a tracking mechanism to make sure that those are closed outside of an annual review, because we want to know when they’re closed in real time.” So Amy, it looks like we have a question.
Amy Tweed: Yes, we have a couple. And one thing: we have a few people that have joined recently. So if you do have any questions, please use the Q&A or chat function, and we’d be happy to answer them as quick as possible. So we have two here, Brenda.
Brenda Ferraro: The first one: is there any set template of ransomware questionnaire that can be shared? Yes, Prevalent has one that they’re using within the health care sector and also within other sectors, and there’s about 11 questions. We had a ransomware webinar, I think it was last week or the week before, and it lists those 11 questions. So there is a template that you can use, and you can get your hands on that by going to the ransomware webinar and registering for that, and/or contacting Amy Tweed at [email protected], and she can get you a copy.
Amy Tweed: Yep. Happy to help. One more question we have so far. How do you navigate around the issue when dealing with a vendor that is a much bigger organization than us? Example, the Microsofts and Apples of the world.
Brenda Ferraro: Yes. So, there are what I call the giant corporations. And mainly when I was working with those, I would take the information that they got, and sometimes they have shared information gathering questionnaires, sometimes they will fill out a Prevalent control framework, but I would make sure that they would at least complete what I would call an information gathering questionnaire, which is less than 10 to 20 questions, and then based on that, review their SOC 2 report and identify risks. Now, they are more forward-thinking in their security posture. We are finding, of course, that the giants can get impacted, like Microsoft, as well as the medium and the small companies. So try to make the information relevant, and be able to go to their SharePoint site, pull information and put it into your system as much as possible so that it’s relevant for your risk identification. Now, with the giants, we’re now really focusing on digitization. So, make sure that you’ve got software program capabilities, that you’re evaluating their defect management, their pen testing, and those types of things. And that’s what you really want to know when it comes to the giants, since they’ve been working on their security posture for a long time. They sometimes drive our security posture. So, do trust them, but trust them to a percentage. I hope that was helpful. Now, if we go into the final risk summary and the updated risk summary, which are the last two things on this particular topic, normalize those risks. So, when you are doing your review and having your risks embedded into a platform, or using a spreadsheet that tells you your risks, which I hope you’re not having to do, because that becomes very manual. But if you have a platform that does it automated for you, then make sure that that information is also tying into your threat intelligence and also tying into a validation assessment, if you conduct one. 
Those on-site assessments that we used to do, we may be able to do in the future, but until then we have virtual validation assessments that can be conducted to test those controls. And so all those three risk levers need to then be normalized. Also, inform your stakeholders what’s happening. Don’t keep them in the dark internally of what’s going on with this particular vendor. Give them insight. CC them on the risk summary reports. Let them know what the posture is, because in true fashion, your third-party risk management team is an awareness function. You tell the business what the warning signs are, and they are responsible for closing those warning signs or making sure that their vendors are complying with the risk remediation, whether it falls upon your third-party risk management team or whether they are taking control of it as account representatives. Then continuously track those risks. We need to move everyone from a third-party risk annual assessment, which of course is great for point of contact because you need to do that, into an assessment that’s ongoing and essentially real time. Whether it’s you found something that’s flagged in the vendor threat monitoring space, or you found something that you end up having to ask them about reactively, which we want to get you into a proactive nature, such as ransomware or an incident or some type of ransom response. So share that risk information, negotiate them and track them. Another question before I go to the last item.
Amy Tweed: Yeah, another question. How do you deal with vendors where the spend threshold is too low for them to respond to a questionnaire or accept contract exhibit additions?
Brenda Ferraro: So that was a very interesting situation that I ran into, and we made sure that the business units understood that if it was a small company, they would only be asked for relevant information that is not too extensive. Number one. And number two, there’s two techniques that you can use. One, you can make sure that you’re paying that vendor a little bit more in order to answer the responses. And two, if there’s even a medium and large-sized company that says, “Hey, if you’re going to get us to do an assessment, we expect 1,000, 2,000,” whatever the dollar amount is, put that into their contract and then pay them for it so that we can get the information that we need. So that’s the answer that I would provide to those. And then for the last one, the updated risk summary report: track those changes and adjust the summary report appropriately, and then send that out and say, “Thank you for doing better,” or even send it out and say, “Hey, we found something that’s a ding,” or something that you need to look into, if you want to make it softer and more empathetic, “and we need to find out what you’re doing about this particular risk.” And again, inform stakeholders internally and externally and escalate any missed SLAs. So, service level targets, service level objectives, and service level agreements need to be reported up to a steering committee. So, that will help with relationship building internally and relationship building with the vendors as well. All right, so now item number three, which is going to be a 3A and a 3B. I couldn’t fit everything onto one area. So there are certain reports to support compliance with your vendors. One of them is an entity profile report. 
So this will help you as an assessor to really understand all of the different workflows, where they are in their life cycle, how the risks are being applied to your benchmarking, what tasks are being applied to work that’s being generated; contracts and agreements can be stored and reflected. And so this is like your one-stop shop for you to understand where your vendor is in their life cycle. The other one is threat monitoring. And you should be using this not only as a secondary tack-on; it’s something that you should be doing for all of your vendors. It gives you something rapidly enough, and share this with your vendor. Don’t just take it and say, “Okay, we’ve run a threat report on you.” And then first they say, “Oh my gosh, you can’t penetrate our system. You’re not supposed to be doing that while we’re live.” And it doesn’t. It’s all open-source information. So, excuse me. Go and run that and give it to them. Let them see it. And then the financial reporting is also important. So, I’m going to take a breath and a drink for my voice. And Amy, I’m going to let you give me a question.
Amy Tweed: Yeah. Take a moment. Hot top. Okay. This question: so what automation tools are recommended or industry standard for vendor assessments?
Brenda Ferraro: Ours, Prevalent, is one of them. There’s the vendor threat monitoring. There’s our system. You might want to look into homomorphic encryption. That’s something that helps to avoid some of the encryption scenarios. There’s so many. But from the perspective of a platform, do look at our system and use standards as much as possible. I’m gonna mute and cough, just so that I don’t end up getting everybody’s earphones all messed up.
Amy Tweed: That’s all right. Take your time. I had a frog in my throat this morning.
Brenda Ferraro: All right. So, with regards to that, it’s basically just making sure that you’re using a platform that has a life cycle that you can track and monitor. And there’s live libraries of questionnaires, and ours has that. So I would heavily ask you to take a look at it and get a demo of it. This isn’t a sales call. This is more about talking about process and strategy. But to answer that question, there’s us. The financial reporting is becoming very important, and this is because you need to extend out the cyber threat intelligence into business intelligence and financial intelligence, because if a company is not doing well financially, that should be of concern to you, so that you can look a little bit deeper into maybe you’re doing a merger and acquisition, maybe you have an affiliate or a subsidiary that you need to assess. This gives us profit and loss statement information, credit information, liability information, and it will put you into a more resilient state if you know that you’re sound in the financial space. All right, going into 3B. So, there are continuous status updates and reports that you can also have done by managed services, or even do them in house. There’s the entity report that we talked about before, but this entity report digs more deeply into contextual assessment bindings, and then an overview of risk scores, identifies the key risk domains, helps you to understand the background and workflow from a managed service. So if you don’t have enough staff members, then other staff can be augmented for you. Contextual risk reports will help you to understand those risk domains that are fluent and vulnerable. Fourth-party listings, and identifying evidence of the items that are available to go over, and having managed services comb through those. So when we were talking about the giants, managed services can help to do that. 
So they can go through the information from the giant corporations, and they can weed through that and make sure that you’ve got just the risks identified for you. And so I’ll stop here for a question. It looks like there is one, and then we’ll go into the other two types.
Amy Tweed: Yeah. And I’ve noticed a few more people trickle in. So please ask your questions throughout. Brenda is happy to answer. So this question: many threat monitoring tools show false positives for cloud service companies like Microsoft. How do you filter for meaningful data?
Brenda Ferraro: That’s a very, very good question, because I thought of that myself when I started looking at threat intelligence information over seven years ago. I was like, this is just a lot of noise. What am I supposed to do with it? So, there are ways within a threat intelligence solution that you are able to make sure that you are identifying the thresholds of things that are important for you to look at. That’s number one. Number two, false positives: if you’re sharing the threat intelligence with your vendors, those vendors are going to tell you right away what’s a false positive and what’s accurate. And that’s why I say do it at the very get-go. Inform them of what their threat intelligence says. I think I’ve talked about this a couple times, but when I ran threat intelligence on my company, it took me a month or two, or maybe more, to clean up the threat intelligence report. And if you clean it up with one type of threat intelligence, whether you’re using our vendor threat monitoring or whether you’re using Recorded Future or BitSight or SecurityScorecard or RiskRecon, if you clean it up in one, it will clean up for all, because this is open-source intelligence that’s being displayed and aggregated and provided to you. So whatever you’re seeing in one of them, you will be seeing in the other. And then if you find that there is something that’s a false positive, make sure that you’re using a system where you can report that back: “Hey, this is either not right, or, by the way, we remediated this three, five, 10 years ago.” And then as that gets cleaned up, it’s almost the same as a credit report for, you know, getting funding for your house. You may have some things on your credit report that you need to make sure are accurate, or maybe you’ve got fraudulent activity that you need to clean up. So, it’s the same aspect as that. Okay, Amy, another question.
Amy Tweed: Yeah, great questions. Thank you. So, what are your thoughts on options and techniques for obtaining financial data on private companies that do not have obligations to publish their financial performance data?
Brenda Ferraro: So, the biggest issue with not having to publish it: some financial reports have information, of course, based on published data. You can always ask them, and if they’re able to give it to you, don’t fear asking for it. I don’t think I’ve ever had a problem with a financial report not coming to me based on an ask. And if you build relationships and you tell them the reasons why, and you say that it’s a requirement, I assume that they would show it to you, because I don’t think I’ve ever had a problem with them not showing it to me. So, if you’re not getting something from a public space, ask.
Amy Tweed: Nope, we’re good. Go carry on.
Brenda Ferraro: When I see your pretty face up there still, I’m like, another one.
Amy Tweed: I was really interested. I just wanted to stay.
Brenda Ferraro: All right. So, the risk remediation report should give you a summary of all the risks that were identified, and make sure that it is very digestible by your third parties or your vendors. Have it so that if you’re showing them the things they need to fix, great. If they ask for all of the risks, whether critical, high, medium, low, or mitigated, and they want to know that, then make sure that you have the ability to toggle and filter that report so that it can show them everything. But be very explicit about what you want them to work on. Basically there was a time, and it’s not basically, there was actually a time, where I sent a risk report to a vendor and they had over 50 of them, and they came back to me and they said, “Brenda, there is no way we’re going to be able to service your account because we’re going to be working on mitigating all of these risks. Which ones apply to what you want me to really work on, or prioritize them?” And so that’s why you want to make sure that, as your risks have likelihood and impact, and the critical and high ones, have them work on those first. Make sure that the criticals are met, because those should match to your key controls, and then have them work on the other ones. But put a date on there that’s appropriate for them to complete them as well. There could be three, six, nine months, within a month, you know, all those different types of timelines. Yes, Amy.
Amy Tweed: Question. All right. Is there an easy way to determine if a company has any material claims or judgments against them?
Brenda Ferraro: Yes. So in the threat intelligence and in the business reports and the financial reports, there are sections that will help you if there are any judgments. So you can look within the business section and in the financial section; of course, both of those will tell you if there are judgments, and that’s why we’re saying don’t just use cyber intel as your threat intelligence feed. You need to look at the business sections as well. Now, the control validation report, going back to this slide, is something that I was talking about with regards to validation and fulfilling the on-site visits. So, we’ll be talking about an approach to do that, but the list of controls is subject to review and evidence, and we use a scoping system, and then we make sure that there are recommendations, and we tie all of those risks together to normalize the risk, and that report should also be provided to your vendor. So, what you’re actually doing is giving them not only a maturity purview of how they’re doing in security, but you’re telling them what the risks are and what to fix. It’s going to make them healthier across all industry ecosystems. And you’re being empathetic and being a relationship builder, where you’re saying, “Okay, I’m going to help you become secure. I’m not just going to test you and find out what you’re doing wrong. I want to say here are the things that you can do to fix those disconnects and gaps.” Amy, what do we got?
Amy Tweed: Okay. Yep, we got two. So, if they don’t have a SOC 2 or are not publicly traded, what financial report should I ask for?
Brenda Ferraro: I will have to get back to you on that. I don’t think that I’ve ever specifically asked for a specific financial requirement, but I’m sure that there are some. So Amy, if you can take a note and find out if that person is not anonymous, if they want to be contacted back, we can give them a list of what those financial areas are, or our financial section at Prevalent can give them those answers, too.
Amy Tweed: Sounds good. Yep. It is taken down. One more question here. If a vendor is willing to provide its third-party audit reports, SOC 2 Type 2 or HITRUST, etc., is it still a good idea to do a deep dive with questionnaires?
Brenda Ferraro: Yes. The reason why I say yes is the SOC 2 Type 2 can be engagement by engagement. So first make sure that that engagement is the right one. Number two, make sure that you are looking at the HITRUST or any other certification as: they get a plus mark or a gold star for doing an assessment. But some of the sections within each of these certifications and/or assessment types may not have everything that you need, such as if you want to start asking ransomware questions. HITRUST may not have that. Or if you want to start asking software, mobile and development type information that you need to gather. So make sure that you’re benchmarking what you’re receiving against what you need to know. So I would say there is a hybrid approach that you can use, or you might have a key control approach where you just have maybe 20 to 25 items that you want them to answer anyway. And then make sure that whatever you received from them is applicable to the responses that you’re getting in your own questionnaire. So just don’t make it too lengthy. You don’t want them to have to go through a whole pick-me-up again. But I would agree with you: you need to do an assessment as well. Now, the vendor expos and conferences, this was one of my favorite things that I was able to do as our program matured. And what we did was we implemented a threat level protocol identification system that we were able to expand out to those vendors and say, “This is information that we’re giving you on a monthly basis or a quarterly basis, and it would be green. This is amber: we want you to be aware of it because we’re seeing that there is a threat crawling across our ecosystem. Or here is something that is red, threat level red, which is we need you to respond to this ransomware response.”
So we were using that as well as collaborating on information sharing for incidents, and that was very helpful, because not only were we able to reach out to them to tell them, hey, we’re seeing something that’s happening, but also here’s what we’re also noticing to fix it, and so it was being very proactive. We would have a conference that would give education certification courses on how to do third-party risk management, bring in and engage all of our key stakeholders internally. So, we’d have a privacy section, a compliance breakout. We would have procurement that would join and talk about their program, and we would invite all of our critical and high third parties as well as our internal resources to learn together on how the program was responding and/or building or growing or maturing. So those are the things that get very fun. Right now we’re doing them all virtually, as you’ll notice in this slide. I tried to make it so that it was a virtual situation, and I miss going and seeing all of you in person, and hopefully we’ll be able to do that and build relationships in person as well in the very near future. Now we have a polling question before we get into realistic expectations. So let’s go into that.
Amy Tweed: All right, launching right now. The question is, do you use a one-size-fits-all assessment questionnaire? Yes, no, not sure. Take a moment to answer. Oh, this is interesting though. It’s kind of all over the place right now. I know it’s early. I’m talking to some people, but interesting. In my strategy sessions, there are a mix of so many. They’re using hybrid approaches. They’re using a one-size-fits-all. They’re using an attestation, which scares the behit out of me. But there are very, very different approaches.
Brenda Ferraro: An a approach is better than no approach.
Amy Tweed: That’s true. That’s totally true. I’ll give us about five more seconds. Really interactive. I’m really happy with all the questions, and a lot of people are doing the poll. So that’s really great. Thank you, everybody.
Brenda Ferraro: My speaking fun.
Amy Tweed: Yeah. All right. I’m ending the poll. I’ll share results here. Okay. 42% yes, 35% no, and 14% not sure.
Brenda Ferraro: Okay. Well, great. So, for the ones that are using one-size-fits-all, I guess the information that I would provide to you is that if it’s a small questionnaire, or you’re a company that’s in an industry that doesn’t need to ask very many control questions, then I would understand that. But I would also encourage you to start branching out and thinking about not just finding out about controls, but being proactive in finding out how healthy and effective those controls are. So I have put in an adaptive enablement area here for you. You could take a picture of this, but there are the key control standards that you create, and the reason why you want to do that is to make sure that they are mapping to your engagement types or your categories of vendors. Ask them what you need to know, not anything more. Because I don’t like being asked questions that aren’t relevant to me. I’m sure they don’t like being asked questions that aren’t relevant to them. It just doesn’t make for a good relationship building technique, and it wastes time. Define your critical risks and benchmark those. Make sure that you embed those in your platform if you have one, and then create the due diligence classification model so that you’re applying the appropriate automation on what risks are applicable to what due diligence, to what profile, to what engagement. And so it’s like a daisy chain of making sure that there’s a connection, and then hold quarterly performance reports on key controls. So evaluate those, because they change. We found a drastic change last year, and now we’re heading into the software management chain, that if you didn’t have software, mobile and device type development assessments in your portfolio today, you better have them tomorrow, because that’s where we’re getting hit. Report those incremental statuses. So, in order to adapt your culture internally, make sure that they understand what you’re doing from the get-go.
Say, I’m having a program and I’m going to be running assessments on your vendors, and here’s the ones that I’m going to start with, and here’s the ones that I’m going to get to on a road map.
Brenda Ferraro: And then, by the way, I’m just going to share with you the ones that are weak and/or unresponsive. And I usually send these to the department heads or the VPs. And then I say, “Oh, by the way, I’m going to run a holistic report and we’re going to share with everybody and we’re going to have a healthy competition on who’s more secure with their vendors.” And so, it’s very interesting to watch them. At first, they’re like, “Oh my gosh, I have a naughty report. Don’t tell me my naughty report.” I’m like, “It’s not a naughty report. It’s an awareness report.” The next one is, “Okay, now this is what I need you to do with that awareness report so that we can get you very, very clean.” And then we’ll share with everybody, and then all of a sudden, because the VPs most times are friends with each other or they have a good relationship, they’ll say, “Oh my gosh, why is that person doing so much better than me? Help me, Brenda. What can I do?” And so that four-month cycle will make it so that organically things will change and you get help with your culture. So Amy, it looks like there’s a question before I get into relevant data gathering.
Amy Tweed: Yep. Nice and simple. Is 80 questions a lot?
Brenda Ferraro: No. 1,500 questions is a lot. So no, 80 questions is not a lot. I would hope that a benchmark, or a litmus test, would be not to go over 80 if possible, but you don’t want to look at the number of questions. You want to look at what you’re contextually gathering. So, if it goes to 80 and then you’re like, okay, we need to add another one, then you might want to look at those 80 and say, is this one really that important? Can we add this one in its place, or can we reword something that’s going to be more of an effectiveness control gathering versus the yes/no binary scenario? So that’s kind of what I would do. I’ve used 75 as my litmus number, but I have had questionnaires that have gone into 145, 125, 350, and it really depends on the engagement and what they’re doing for you. So if you’re talking about an initial questionnaire just to get your grip around what is the inherent risk and the residual risk from my key controls, then no, 80 is not too much.
Brenda Ferraro: And if you’re doing deep dives into larger situations of engagement, then don’t fear going over that. Only ask what’s relevant. And that just feeds me into what I was going to talk about, which is that there really is no one-size-fits-all assessment. There is an assessment that will give you information, but when it comes to due diligence, unless you’re a smaller company that only does one type of thing, that only has a couple of vendors, then yes, I can understand using one assessment type. But as soon as you get into 25 or more vendors, then you really have to start categorizing them if they’re different types of engagements. But make the data gathering easy, fun; reuse data that you can reuse, and take standard questionnaires that have already been completed. Become part of a network. And again, the response time is all going to depend on the assessment due diligence requirements. If you’re asking them to include evidence documents, if you’re asking them to answer more than 80 questions, you have to really put in your brain that when you send things to them, they have to respond. They may have to share it with other individuals to make it easy to share the responsibility of answering and responding back. And I really, really hope that most people will start to get into an exchange or a network environment that repurposes information based on approval to get it. The security wrapped around that is very, very important as well. All right, polling question. Points of contact challenges is next.
Amy Tweed: All right, here I am. Okay, launching now. Do you have point of contact information for all your vendors? This is really timely, because I was curious about the same thing. So, take a moment, answer the poll if you are able to. Again, overwhelmingly all across the board here. It is everywhere. Okay, this one has been a sticking thorn in my side for a very, very long time. I am excited to hear more. Okay, I’m going to end this in five, four, three, two, one. Some last-minute answers. Okay, sharing results. 52% yes, 40% no, 9% not sure. Excuse me. I have that frog in my throat, too.
Brenda Ferraro: All right. Well, good.
Brenda Ferraro: So, the ones that are doing it already in a capacity where they’re annually reviewing those points of contact, or they’re making sure that they’ve got some kind of a fix for that, kudos to you. For those of you who are still struggling, there are a couple of ways that you can address this. Use your threat intelligence reports, because there are some ways that you can find out exactly who to address in some of those threat intelligence reports, or start with your accounts payable or your procurement or sourcing lists. Another thing that’s happened is that you can conduct an internal or an external campaign by doing an information gathering questionnaire of less than 12 or 15 questions to say who is the vendor, who’s the point of contact internally, who’s the vendor point of contact externally, what are you doing for us, are you handling hosting, processing, sensitive data, do you work in different regions, those types of very, very high-profiling information. So, don’t fear contacting your vendors and asking them what they do and who their contact is internally, if you don’t have any way of getting a list internally from your procurement or your sourcing agents. And then if you do get a procurement list and things bounce back, send it back to them and let them know, okay, this point of contact email is no longer valid, I need you to find another one for me. Or you can also use a contact lookup feature in some platforms. At Prevalent, we have a contact lookup feature that you can use to at least get a name at the organization that is currently working there, and they have the ability to forward on the assessment questionnaire to them. So then it will update who that individual is, and magically you will know exactly who you need to talk to by doing that lookup. It will give you a couple of names, or one of the important names, to go forward to.
It could be a CISO, it could be a person in the procurement organization, but we have a way of giving that information to you. And then use this campaign to shore up your records.
Brenda Ferraro: So, if you’re not the master holder of record in the TPRM team, but you have that in procurement, it doesn’t mean that it’s not just as important for you to have this information, especially when incidents come. That point of contact is important. So, make it a risk. If you don’t have a point of contact, then there’s a risk to that vendor and the resilience of your company, and you need to remediate that. It’s very, very important. So, if you’re interested in finding out about the internal and the external campaign capabilities, you can reach out to Amy at info prevalent.net, and we can tell you more about how successful it’s been for other companies that we’ve helped in the past. Next polling question.
Amy Tweed: All right, here I am. Okay, polling. I see the question is here. Do you feel like the main part of your job is to chase down vendors to get them to respond? Sounds like a lot of fun. Yes. No. Not sure.
Brenda Ferraro: So, I call this administration, like: did we launch it? Did we get it back? Are they responding? Why aren’t they responding? How do we get them to, you know, give us a response? Why are they, you know, all those different things. And I gave you some techniques at the very beginning of how to build the relationship and make it so that email generation reminders are helping you in an automated capacity, if you’re using a platform like ours. But we’ll let you close this one up.
Amy Tweed: Yeah, about three more seconds. Last one response. Okay. Sharing results. 38% yes, 53% no, 9% not sure. I guess with all the fatigue we’re already experiencing, this is just one less thing.
Brenda Ferraro: Well, it could mean that those 53% are using a platform that’s automated, and/or they’ve figured out how to migrate their program from collection to risk remediation. So, hopefully their risk remediation is also as cohesive as collecting information. So, the one thing that I would recommend is, if you are fatigued and you don’t want to do this yourself anymore, there are risk assessment services that you can hire and/or implement automatically within your platform: from the collection to the analysis to the risk reporting that we talked about before, to the validation of the on-site visits that we’re doing virtually now these days, and then tracking the remediation. So there are definitely things that can be implemented, whether you use a risk operations command center perspective on managed services, which our company as well as others have, and then also using them as staff augmentation. Even if you’re just building your program and you want to do a lot very rapidly at the beginning of the build, then that’s something that you can engage in, and then it can be handed back to your team so that you’re not in the administration and making sure that you’ve got what you need. So this is all for you to peruse through another time. But there are staff augmentations that can help, and managed services that can help to embed and configure your platform to do things automatically for you. All right, next polling question.
Amy Tweed: Okay, we’re launching right now. Does your third-party risk management program use vendor threat intelligence for more than risk scoring? And the same as before: yes, no, not sure. Take a moment to answer. Again, thank you all for your questions. Keep asking them. A reminder, this is being recorded, so if you have to pop out, we’ll be sending this to your inbox first thing tomorrow, so you can watch at your leisure. Okay, we’ll give it a few more seconds. This hour is flying by. I can tell.
Brenda Ferraro: I know there’s only like nine or five minutes left, so we’re going to speed through the rest.
Amy Tweed: All right, I’m gonna end this in about three seconds. Okay, end polling. Sharing results. Yes 46%, no 44%, not sure 30%. Okay.
Brenda Ferraro: All right. So, with regards to your vendor security information, we talked about this before. Make sure you’re using cyber security and run these early. If you can get them to your procurement and sourcing organization and have them share that with the vendors even before they’re selected, that’s going to be helpful, because then you know what kind of a heavy lift you’re going to have with regards to the assessment deep dive. The cyber security is important for all of those data handlers, of course, but then for those types of companies that are doing other types of business and you need financial information, we’ve talked about this already: make sure you’re using these three components for your threat intelligence, and make sure that it’s normalized. We want to have the normalization of risk so that you don’t have duplication of risk showing them that they’re more off than they really are, or greater than they really are. So, those are the things that I would mention with that. And I was very adamant about not using threat intelligence at the get-go. And then I finally saw the light and realized how great it can help with prioritization. It can help with knowing where their posture is. It can give them information on what they need to work on even before they become a vendor. And it’s just a community support system that can be used, as well as normalizing that with the trust factor of responses that you get from questionnaires and/or reports or certifications. All right, so key takeaways, even though we sped through the end. Let’s see what you liked the most before I remind you what they are.
Amy Tweed: Yep. So for this polling question, you can choose as many answers as you would like. Every single topic we covered is here. So let us know what you found the most valuable, what you liked the most. If you didn’t like any of it, that is an option, too. We want to know. We want to make these educational for you. So, please let us know what works best.
Brenda Ferraro: I like the one, “I didn’t like any of this.” That would make me have to go and figure out if I need to get another job. We want to report this to your management. This was not okay.
Amy Tweed: I’d like to know more information on why, but
Brenda Ferraro: but it’s all anonymous. It’s not like
Amy Tweed: Right. We’re not going to come hunt you down. Don’t worry. We’re just really... Okay, we’ll end this in a few seconds. Then there’s a poll right after this one as well, as we get to, I think, Q&A here at the end. So if you do have a third-party risk management project upcoming, are you working on one? We’d love to know. I’m going to end this poll right now. So, thank you all. Okay.
Brenda Ferraro: Am I gonna have some bruises? I have 4% bruises. That’s okay. Always room for improvement. So, great. Well, this will help me in better understanding, as I move forward with presentations, the topics that matter most to people. So, I’m glad that you got some value out of it. You want to pop up the next question?
Amy Tweed: Yes, I think we might actually have a question, too. So, I’ll pop this one up while I check that out. So, like I mentioned, you know, are you looking to augment or establish a third-party risk management program in 2021? If so, let us know. We are really here to help. Myself and Amanda Fina, my colleague, can reach out. We can chat with you and connect you with a product specialist here if that makes sense. So, let us know. I’m going to check out the question here. Oh, just a thank you. So, we got a thank you.
Brenda Ferraro: It’s a band-aid to my... The top things to take away today, just as a reminder, are communications: build a relationship, be empathetic for your vendor. Use adaptive enablement in efforts to change your culture and to get those vendors to respond. Points of contact are a must. So use the vendor contact lookup capability. Go to your procurement, use your sourcing agent, who do you pay? And then just start campaigns. That’s the best way to go if you can’t find anything. Managed services is here to help to get you started and/or to uplift your program so that you can get out of the tracking and chasing and administrative fatigue, as well as platforms. Do as much as you can in a platform versus a spreadsheet. And then vendor risk intelligence: don’t only use that to validate. Use it throughout your program. It helps to prioritize in a multitude of areas. So lastly, if you ever want to see a picture of everything we do, this is the one. So we’re intelligence from every corner, and Prevalent is here to help you. We’re here for many, many different reasons, but today we talked about how to get those risk assessments completed and for those vendors to respond, and if they respond in certain ways, the hybrid approach that we can help you take. We are a trusted partner and in the Magic Quadrant as a leader. So, we’re very, very happy to help you. And then here, I’ll put up our information at [email protected] to contact Amy. And I believe we’re at the end, if you want to squeeze in that last question.
Amy Tweed: Unless that was just the thank you. Yep, that was it. So, no other questions, but yeah, we’re just a minute over the hour here. So, we thank you, everyone, for joining. Again, this is recorded, so it’ll be sent to you. Feel free to reach out to myself or Amanda. We’re here to help.
Brenda Ferraro: Thank you for spending time with us. Have a great day.
Amy Tweed: Thank you, Brenda. Have a good one. Thanks, everyone. Bye. Bye. Bye.

©2025 Mitratech, Inc. All rights reserved.