Description
The pace of new and updated data protection regulations has created a convergence of privacy, security and compliance obligations. The spotlight on privacy and data governance now shines brightly on 4th and Nth parties as well, which will require many organizations to improve their risk and supply chain processes.
Join Linnea Solem, founder of Solem Risk Partners, for a webinar that:
- Highlights key privacy and data protection regulatory trends that impact third-party risk
- Summarizes key implications of the EU Standard Contractual Clauses (SCCs) for due diligence, third-party assessments, and risk monitoring
- Reviews assessment and remediation strategies to mitigate data protection risk in your supply chain
- Outlines the implications for the C-suite, from both the outsourcer and service provider perspective
- Discusses reporting requirements and data protection frameworks
- Offers steps to simplify and harmonize processes across multiple enterprise teams using the European Data Protection Board's six-step process
Register for this webinar and gain best practices guidance to address data protection risks in your third-party ecosystem.
Speakers

Linnea Solem
founder of Solem Risk Partners
Transcript
Amy Tweet: All right, and we're live. Welcome, everyone. We're so excited you could join us today. If you are tuning in live, thanks for spending a small part of your day with us. As you start to settle in and get comfortable, I'm going to pop up a quick poll question, because we are really curious as to what prompted you to join. So, while you're waiting: maybe this is educational and you're looking to learn a little bit more. I'm excited for the experts we have joining here, who I'll introduce in just a moment. This could be project research for an upcoming third-party risk management project. You might not know where you're at; in that case, this webinar is called Six Ways Data Protection Impacts Third-Party Risk, so maybe you want to stick around. Or maybe you are currently a Prevalent customer and you're kind of staying up to date with what's going on. So, take a moment as I go through some housekeeping rules. My name is Amy Tweet. I'm in business development here at Prevalent. My job today is to make sure that any and all questions you have for Linnea or Alistair get relayed to them. So you can use the chat function below, or the Q&A function is fine as well. I'll make sure to get those questions. And without further ado, I will introduce our experts here on the call. We are joined by Linnea Solem. She is a former chief privacy officer, has been in the regulated service provider business and the risk industry for more than 30 years, and is also the founder of Solem Risk Partners. Linnea, how are you doing today?
Linnea Solem: I'm doing great.
Amy Tweet: Good. It's good to have you. And we're also joined by Alistair Par. You can see his face there below. He is Prevalent's own VP of global products and risk, and you'll be hearing and seeing from him towards the end of the webinar. So if you do have questions regarding Prevalent, you can ask those as well and we can support you there. As a reminder, we want this to be interactive, so please use the chat function and the question function. We're also recording this, so if you have to hop off or you can't stay for the whole thing, we'll be sending this to you first thing tomorrow morning via your inbox. All right, so we'll get started. I'll pass it off to you. Okay. If you have any other questions, please use the chat function. Go ahead.
Linnea Solem: Okay. Excellent. Thank you so much. Well, welcome, everybody. We're going to have quite a bit of good discussion today. There we go. So, as Amy introduced, this is a bit of my background. I have been with the outsourcers. I have also been on the service provider end. So, I'm really going to weave together today data privacy, data protection and third-party risk, and there's a lot of hot topics. So let's right now get into our discussion.

So, converging topics, as I outlined: why are these topics important? We all know that you have to follow the data. The data starts the conversation in terms of any dialogue between an outsourcer and a third party. But managing data is much more challenging in today's environment. Even technology like online meetings creates new data challenges, right? So data protection and third-party risk are really converging, and as we talk through these topics today, I've listed quite a few terms that will be woven into the dialogue and the narrative, but what I'm going to focus on is less how you build these things; I'll spotlight some of the challenges and opportunities and things that are shifting. We've got a lot of divergent topics and quite a significant amount of change that's occurring today that is going to impact almost every element of not only a privacy program but a third-party risk management program. So I'll try and connect the dots where appropriate, and hopefully we can learn through this session and through the Q&A where some of the other pain points are.

So let's dive into the road map for today's dialogue. I'm going to highlight six key topics that are all related, and we're going to start with what's changing in the regulatory landscape, how that impacts contracts, and what you then need to do around data protection and safeguards and assessments, but put a little bit of that magnifying glass on data governance, because that's the hottest topic.
And we'll end with where this road map now affects your third-party risk management program and where you would maybe need to do some maturity or process enhancements. So this is kind of our road map for today's dialogue.

So let's dive into the first topic. It might be August and hot and humid where you are, but right now it's raining regulations for data protection and third-party risk management. Our journey really got aggressive when GDPR accelerated the expectations for service providers. And when you think of the regulatory changes that have happened since GDPR became effective only three years ago, we're getting to the point where 65% of the world's population is now covered by data protection regs, and the US is getting even more aggressive at the state level. But it's not just the regulatory landscape. We are seeing focus areas from different regulators, from agencies, new proposed guidance, and we'll dig into that. But it's not just an industry challenge. Privacy risk is now top of mind for public companies in the United States. I thought it was very interesting that over 60% of companies are citing privacy risk or data protection risk in their SEC reports. And when we first started to think about that, everybody assumed it's about cyber security and breach. But no, it seems to be more about privacy: ethics, privacy permissions and data practices, corporate governance, ESG. The topics are broadening, and really bringing privacy, security and compliance together into a better focus on data governance and data protection.

So, as we look at this, let me highlight a couple of key developments in terms of that raining regulation. For those that do business in the EU, we're still dealing with Schrems II, and Brexit, in terms of the UK and the EU, is adding complexity. You'll see on the right I listed a visual that talks about how enforcement is accelerating.
But now I need a new chart, because even though I put this out there towards the end of July, the EU regulators issued a fine, the largest in history, of $887 million. And as you look at that, part of the focus is on data practices. So everyone's now looking at their frameworks and making changes. Canada's getting involved with a new update to modernize their privacy framework. Many international companies are following suit. ePrivacy is still happening within the EU. But there are updated industry frameworks from NIST and ISO that are really putting a spotlight on data governance, data protection, data protection safeguards, and really bringing privacy engineering and security engineering together. In fact, for those of you on the call that might work within the financial services sector, the three agencies have come together to propose a new framework and modernize guidance on third-party risk management programs. The joint guidance from the three regulators is out for industry comment right now. So we don't see these developments slowing down, because of the new frameworks and regulations and enforcement. It's going to get even more challenging.

Just to show you a little bit of the checkerboard of what's happening at the state level, you'll see that the International Association of Privacy Professionals publishes on a monthly basis a state privacy legislation tracker, and you can see the tiers of what's been introduced, what's in committee, what's in chambers, and what's across chambers, being developed or passed or signed. Why this is important is because when a state like California, or now Colorado, puts out new guidance, we're a global economy, we're a national economy, and a regulation in a particular state starts to impact other states. It's kind of like the years when we first had breach notification, and now we have a checkerboard of 48 states with a law. We're kind of going down that path with US state privacy tracking.
But we're starting to see some key themes: consumer information, disclosures of data to third parties, the sharing of data, and increased litigation or brand risk. So it's less about just protecting the data. It's really about what authorized use of the data the vendor has. What are they allowed to do, and what are they not allowed to do? So again, the privacy dialogue, I believe, is actually evolving as you look at the different topics that are happening.

So let me provide a quick recap of a topic that you might have heard about, called Schrems II. Basically, Privacy Shield was invalidated about a year ago as a data transfer authorization method for data going from the EU to the United States or to other non-EU geographic areas. The regulators, after this litigation and court decision, identified gaps in the existing standard contractual clauses that were in place to address GDPR compliance. Why this is important is that for those organizations that need to manage compliance between outsourcers and vendors, or controllers and processors, in the EU, that standard language was the primary way to address processing in third-party risk. So let's fast forward: after the comment period, there are updated new templates. These new templates aren't just about contract changes. They will impact controls, due diligence, vendor classification, and most third-party risk management operational processes. And because we're talking about a key change, that's important. Let's really think about the business model in today's environment between an outsourcer and a vendor. Vendor compliance is multi-dimensional. And while the standard contractual clauses apply specifically to address GDPR, they actually represent what's happening in our ecosystem. When you think of the Internet of Things, the digital environment, cloud hosting, we're more connected than ever before.
And the new requirements that are being put out by the EU tend to be a model that other states and countries tend to follow. We saw that with GDPR. So I don't think this will be only a GDPR type of solution, but their agreements really are anticipating that you have to put in place very specific guidelines between all parties in a relationship. So whether it's the outsourcer to the vendor, the vendor to their vendors, the fourth parties, the subcontractors, it really gets down to the Nth parties when you start to look at processor-to-processor relationships. But the themes that came out about the standard contractual clauses, in the simplest terms: it's not just a contract exercise. It's a warranty of data protection safeguards. It's a maturity in due diligence. It requires more evidence, some proof of controls or proof of ongoing monitoring, and there are some exit clauses so that if the vendors can't comply, there are ways to get out of the contract. So it really will put a spotlight on third-party risk management governance.

And the reason that I highlight this as such an important trend is the timeline. And I know you'll get a copy of the slide, because the text might be a little bit small, but when you think of what was released in final language on June 4th: new contracts with new vendors, if they need to meet GDPR compliance and use standard contractual clauses, need to be in place by the end of September. So that's a short ramp period. And if you're an existing vendor, and you have to think about that, the contracts with that data controller for all of those existing vendors will all have to be updated by the end of 2022. So that's less than 18 months to assess the new language, look at the new data controls, identify the impact to due diligence, update your processes, execute a repapering of contracts and due diligence, and document everything that you did.
So, this is absolutely a key thing on data protection and what's changing in the environment for third-party risk. Just to provide a highlight on why this is important: while most contracts really define the processing relationship, this new proposal really crosses the line into data governance and third-party risk management programs, because within each contract there are now three annexes, and the first talks about things that, as a privacy professional, I'm familiar with, but a lot of procurement, sourcing and risk teams may not understand that they need to document. Now the business model context, the category of data subject, the data classification of the data, descriptions of the processing, the purpose, the retention, all of that context that's always been in the privacy world now needs to be brought into the vendor contract. In addition, they're getting more detailed in describing the data protection safeguards. So what you put now in the contract is what will be inspected in the third-party risk management process or assessment process, either with the on-site or virtual assessments or ongoing monitoring. But the contracts also require the list of approved subcontractors. So again: higher expectations, greater focus on governance and compliance, and really a greater emphasis on keeping track of the different activities that are being performed, because you have to prove that you're doing what the contracts say and you're holding things accountable. So it's really driving maturity in a lot of these processes.

So, let's dig into those processes and really what's changing around data protection safeguards. While regulations may put out guidance, frameworks tend to get out at a control level.
So you really have to assess both drivers to understand how data protection safeguards are evolving. The themes that I'm seeing, whether it's coming from the regulators, from the frameworks, or from an external assurance or audit report: it's really holding people accountable. It requires a deeper, concrete description of the control environment. Evidence of controls is critical. Maintaining due diligence artifacts: I think we've learned, through having to do assessments now in a virtual environment, that the documentation beyond the policy is even more important to show the evidence of the controls that are in place. So it's really driving a maturity in a lot of different areas of data protection.

And I think we're going to see that, with what's happened for many organizations due to the pandemic and having to go to the remote environment, there will continue to be a significant footprint of remote workers. So the actual environment changed in the last year, and many organizations are seeing, through resilience or through the migration to cloud hosting, that the footprint of their vendors is changing. Who's critical may also have been impacted by the remote work, because obviously online collaboration is pretty critical, but these platforms probably weren't in the high-risk vendor category in a lot of third-party risk management programs. So we're really seeing a shift in the need to look at controls in a broader area, and these focus areas, I think, are really bringing privacy and security together. Cyber security will always be important, whether you're focused on technical controls, breach, ransomware. But what we're seeing through the frameworks, and a driving of a migration to data governance, is that it's more risk-based. It's more methodology focused. So it's beyond the yes/no of a control is in place or not in place. It's: is the control sufficient to address your risk posture?
It's driving a maturity in the process, and instead of just technical controls, it also becomes contextual controls: minimizing the amount of data that's collected or used, ensuring that data has a purpose limitation, working on limiting data retention or data portability from one vendor to another. So you're seeing a lot of data governance topics that all start with understanding the business model, the type of data and the roles between parties. And each of these controls impacts the third-party risk management process, because you might need to gather additional information. You might need to conduct additional discovery, and you may need to focus on data protection impact assessments in a different way as you look at changes in the environment, be it change management or third-party risk or the SDLC process, because you're not just looking at the technical security control; you're looking at the use of the data, the authorization of the data, and what the expectations of the individual or the data owner are. So the safeguards conversation is really broadening into ethics and permissions, and not just the technical bits and bytes of the control environment.

So when you look at that evolution of data governance, and how it impacts third-party risk, it's a critical element, because it becomes one of those foundational building blocks in third-party risk management. As I outline the context of authorized use of data, one of the challenges with data governance in third-party risk, probably the most common theme I hear from clients, is how to maintain vendor and data inventory. It's a continual battle. You always know who your highest risk vendors are, and you have a good idea of the lowest risk, but it's all of those vendors in between that create the operational challenges. And when you start to look at disclosures, well, that's not just to the third party.
It's understanding the ecosystem and the fourth parties and Nth parties and all of the people that participate in the delivery of a technology product or service. So, as technology emerges, whether it's artificial intelligence, IoT, 5G, the cloud, you're bringing in more third parties, more technology integrations, more network connectivity between parties, and different paths for the data to follow. So managing that environment becomes not only a people resource issue, but it's technology, and it's processes and optimization. But it's really taking a look at not just the padlock of securing the data, but understanding the path of the data within the organization and outside the organizational boundaries. Those are some of the key areas that we're seeing really evolve in terms of data governance.

So how do you look at data governance in third-party risk? There are terms that are discussed, whether it's called data maps, data flows, devices; there's a data governance explosion happening. So you really have to take a look at data and profile, at a vendor, not just who the vendor is, but what's the product, service or system that they are delivering. So, from an outsourcer perspective, it's not enough to know that company ABC is in my vendor portfolio. I really need to know what that company does for my organization. Do they interact with my end customers? Do they have highly sensitive data? Are they critical to my operations? And then what data is used within that relationship? And then let's follow the data. Where is it located? Where is the data backed up? So it's become a broader conversation in terms of location management, because it's not just about physical addresses and physical buildings, right? We now have remote workers. That means we have remote vendors, and how you're connecting can be through multiple devices.
So that mapping exercise really becomes a critical pillar within your third-party risk management program, to understand how often and how frequently you have to update your vendor and data inventories, and be able to connect the dots between the vendor, the data, and then your due diligence process based on what contractual obligations or regs apply to that relationship.

So, as we look at these changes, we kind of started with the raining regulations and then what's happening, spotlighted a few highlights, and then we've talked a little bit about data governance. But let's think about things from a third-party risk management program in and of itself. If I look at the last 18 months, I really started to look at three big drivers that are starting to trigger the need to modernize third-party risk management programs. And obviously the first column is the pandemic factor, because we as an industry, as a global world, had to evolve. We had to quickly figure out remote workers. That means we might have had to shortcut some security controls or build new bridges or new paths. Now we need to go back and correct those areas. We had to start to bring in the concept of zero trust. We had to start to do our assessments for third-party risk virtually. So that changed the skill set of the assessor. It might have actually changed how we document the workpapers or document what work has been performed. And if you're a service provider and you go through an annual attestation or audit report, well, now you're doing that virtually with your audit firms. So resilience, cloud, remote technology, all of those things that are critical to enable business operations also impacted how vendors deliver their services. So, looking at third-party risk through the pandemic lens, not only do you have to look at how the existing vendor relationship works within your contract or your due diligence standard, but you have to understand how they adapted.
What changes did they implement due to the pandemic and remote work? Because those factors might require additional due diligence on your side. But I think the conversation is also evolving a bit into non-IT risks, because of what's been the focus in so many different areas. It's not just about data security and cyber security. When you look at third-party relationships, environmental, social and governance (ESG) factors are top of mind in the boardroom, but also for the shareholder, the consumer, the buyer; there's a greater focus on geopolitical factors, human rights, diversity, the supply chain, and that's not just a United States factor. I'm seeing these non-IT risks and guidance driving maturity across the board. And I really think when you start to look at the non-IT risks, it almost requires a different viewpoint into your vendor risk rating system, the way you classify vendors. It's less just about the company. It becomes a broader conversation, and that may actually require different types of assessments. So instead of one large vendor assessment, I'm seeing third-party risk management programs obviously need to do a deep dive on the onboarding, but then they might be doing very topic-specific assessments for a particular vendor. They might have to dig deep into resilience and remote access and securing data. Or, depending on the nature of the product, if they're helping you with marketing, sales, or advertising, you might need to do a deeper dive on consumer protection and fraud authentication and privacy. Or if they're in the supply chain, you might have to focus on a broader environmental factor. So these topic-specific assessments are layered into your overall program. So organizations need to modernize and understand their staffing levels. How do they rightsize assessments and manage multiple assessments?
In one of my prior roles at a service provider, for certain clients I would have to undergo at least seven to ten assessments on an annual basis, because they were tailored to the product or service. So, not only are third-party risk management programs evolving in terms of the requirements, but it also starts to impact workflow, and really having to take that risk management approach as to what's sufficient. And I think the drivers that I'm highlighting here are actually very similar to the FAQs and the questions that the three primary regulators in the financial services sector have put out for comment as they're looking at the original OCC guidance that was for national banks in terms of third-party risk management. How do they bring that type of guidance across the board to community banks, regional banks and other areas within financial services? You know, even last week, FINRA announced that in the financial services sector they're seeing audit issues on lack of maturity in third-party risk management programs, and that's a concern. So I think we're starting to see the drive for modernization come from a lot of different areas, and that really is going to require some investment in making some changes to your third-party risk management program. It might be a project to address regulatory changes: if you have to address GDPR and standard contractual clauses, you're going to start with what you have today and where you need to be by the end of 2022. But you also might be adopting a framework, whether it's NIST or ISO, to help mature your information security and your cyber footprint and bring privacy into that conversation. But anytime you're looking at changes to your program, it really starts from that outside-in perspective. What are the external drivers?
Then the internal: what's changing within your organization? Sometimes it could be M&A activity; it could be new products and services, consolidation, efficiency; but all of those things now require that review. Do we need to change the definition of vendor criticality in today's landscape? Do you have a commonly understood definition within your organization of who is critical? And as third-party risk management programs broaden in scope to include ESG and these others, you'll really see that it becomes an integral part of an organization's enterprise risk management program. So while the project teams may understand what they need to do to operationalize changes to third-party risk management programs, actually doing that also changes the story in terms of how you gain management approval of all of these changes, or if it has to go up to the board or executive reporting.

The other key thing that I think is really evolving: obviously third-party assessments have evolved from on-site to a virtual environment. The old kick-the-tires type of approach of a site visit is not going to come back, because people have realized the cost of the travel and the level of value that they get. There will certainly be high-risk suppliers or vendors that need that deep dive or physical inspection. But I think people will be starting to use a combination of different techniques. But the key factor that I think puts a wrinkle into existing third-party risk management programs is really the contract and due diligence synchronization. So I use the example of standard contractual clauses. The legal team and the privacy people are all over this. But now that work product has to be implemented by the third-party risk management teams, and they don't have a clue what all these privacy terms mean.
So we all of a sudden have to build a bridge, even within one company, to figure out how do I sync up what I have to put out into a legal contract that impacts how I audit the vendor, and now my audit of the vendor can be viewed by the regulator, and they're actually saying you need to have very good workpapers to document what you've done. You've got to build a really strong dialogue and collaboration between very different and divergent teams, and a lot of that may start with education, or doing a gap analysis, or figuring out how do we sync up due diligence and third-party risk assessments with contract expectations, and how you manage the gaps is even more critical. So I think all of these factors are really driving organizations to start to take a look holistically at their processes. And I think connecting the dots across different processes is an area that is sometimes very undervalued or underrepresented in terms of the need for clarity of roles and responsibilities within and across teams.

So let's think of some examples. Today you have all of these changes that are happening in the internal and external environment, right? Technology transformation, migration to the cloud, new regulations, fines and enforcement, and obviously we always have the threats and vulnerabilities in terms of the bad actors. All of these things are coming at a third-party risk management team, but they're also coming across the newswire to the CEO and the boards of directors. So organizations need to really be able to tell their story. Here's what's changing. Here's what we're doing about those changes. Here's what's important. And here's what I need from the organization. So, if you need to modernize your program, it's about that business case. It's about explaining: here's the role that these teams play today. Here's what the new expectations are, whether that's by the reg, by a framework, or by a customer driving language in the contract.
All of these things can now change what you need to do in your policies for third-party risk, your due diligence standards, your assessment process. And so there's almost that layered education, not only to keep everyone on the same page with the changes, but also to make sure that folks understand that with the heightened expectations there's now a better level of what I call change management maturity. We know in third-party risk we always think about change management purely from the IT coder's, the developer's, point of view and IT operations, but now you have the pandemic and you have security DevOps. But now, when you look at privacy and data protection, it's a whole different conversation to be managing regulatory change around devices, privacy permissions, settings on a smartphone, use of a web application. So what I'm seeing emerge around data protection is really broadened conversations around change management and process integration. It's really bringing these teams together and bringing these processes together, because that's what's critical to be able to demonstrate: here's how I am managing expectations, not only to manage and mitigate risk but also to ensure that my risk management process is in alignment with the expectations coming from the market, clients, regulators, or even investors. And I think what we're going to see as we look at the challenge with connecting the compliance dots is that it's not just a volume issue with staff. It could be skill sets of staff. People have to adapt to a new way of doing work, or some of the changes that we're seeing around data governance, or even things like the standard contractual clauses, may require organizations to assess: how many vendors do I have? Do I need to do some consolidation of vendors? So I think we're going to see some evolution of even KPIs and metrics in terms of managing the third-party risk management program.
Scorecards I could see becoming, you know, even more important in terms of process maturity, in terms of not just the status of the vendor, red, yellow, green, number of findings, red, yellow, and green, but it starts to look at the risks across vendors, not just within a particular vendor relationship, because you’re managing different touch points, and you’re managing different types of risk that different organizations and different stakeholders are going to say are important. So I always like to, you know, think about, we talked about a lot of topics, but when we look at some of the guidance that’s coming out, you know, there are some simple steps to do to kind of get your arms around these environmental changes, the six-step process, putting guidance into action. What I liked about these messages, even though they originated in the EU guidance, I think they apply across the board to any organization that’s really trying to modernize or update their third-party risk management program. First up, update your data maps and inventory. Know where the data is located, what the purpose is, what they’re authorized for. Verify and understand any transfers or disclosures between third parties, whether that’s financially by contract, a trade, or any type of benefit, any data transfer or access between parties. I think it’s also critical to conduct due diligence not just of the third party but understand is this transfer or disclosure to a third party allowed by law, by contract? Are there restrictions? Are there hoops I have to jump through to enable that disclosure? So there’s more maturity happening, the regulations are getting more complex, and that changes your processes on your side for how you even trigger the due diligence activity, and I think you’ll start to see the evolution of due diligence beyond just the technical controls and really get into organizational and contractual measures.
I think another key area for modernizing programs is really focusing on the fourth and Nth party relationships, because at the end of the day everyone has multiple third-party relationships. Very few organizations are hosting their own data in the cloud or hosting their own applications. They’re all using technology service providers to enable their footprint. And all of those providers have their own vendors. So it’s not just critical to understand who they are, but really understand what the contract says in terms of who owns which controls. I’ve done quite a few gap analyses and assessments, and I will hear from a client, well, you know, they had a SOC report, so I didn’t think I had to do anything else. Well, if you read the report, it says, “These are all the controls that the vendor owns, and these are the controls that you own.” At the end of the day, you can’t outsource accountability. So it’s really important that your third-party risk management teams not only understand their process, but the standards and the requirements and kind of how you maintain your evidence across your entire program, because the program in and of itself comes under greater, you know, inspection and oversight. So as we look at this, I know in one hour we’re covering a ton of information, and I think it’s always important to be aware of privacy fatigue, and you could use the word privacy fatigue or you could replace that with cyber security fatigue. Regulations are emerging faster. It’s happening all at once. You’ve got to build a road map. Find some quick wins. Do the quick hits. Make it manageable. Break the work up into manageable parts so it’s not feeling so overwhelming. It requires prioritization. But I think with data protection and third-party risk, the number one thing is that it should be a strategic conversation and not an operational tactic.
Ensure that the board and the C-suite understand the linkage to revenue, so that the third-party risk management program is not just looked at as an administrative burden or, you know, table stakes. It actually can drive and enable the business to succeed, because you need the vendors to run and help you grow your business. So really make sure that the board and the C-suite understand their role in ensuring that the third-party risk management programs have the business case and the investment and the resources they need to manage the risk, because the regulators don’t give you new budget when they change the rules. So each organization has to adapt their program or have that conversation to say this is what’s changed, these are our gaps, and we can either fix the gap or accept the risk. So you’ve really got to have that conversation, and really then look at your processes to say what can we do better to really drive process efficiency, you know, into those recommendations. And with that, I’m going to turn it over to the Prevalent team to cover a few topics, and then we’ll jump into the Q&A, which I can see some things that Amy’s probably monitoring in the chat.
Alistair Par: Thank you very much. Really insightful, and it’s interesting because we very much agree with what we’re seeing. So the whole privacy angle of course is symbiotic to the broader third-party program, and we appreciate and totally agree with you when it comes to right-sizing and making sure that that program is proportionate, whether it’s risk-centric from an infosec standpoint, whether it’s looking at contract due diligence clauses or privacy as well. So it completely resonates with what we’re hearing and seeing as well. So really what we’re looking at in front of us is something that we tend to focus on as part of the analysis and interpretation of the program, because invariably we find, and I’m sure you do the same, that most people have some semblance of a program, whatever it may be. It might be a couple of spreadsheets sitting on someone’s laptop somewhere, or they might be involving the C-suite and they might be getting steering committees involved, etc. But it’s taking that moment to passively review what you’re actually doing and considering before applying changes, and proportionate changes, to right-size and demonstrate return on investment. And some of the key things we’ve seen on that are some of the insights you see in front of you now.
So the maturity assessment up front, this applies to the entire program, from a privacy standpoint and beyond, which is understanding, well, really what are we trying to achieve, where do we stand against our peers, is that actually good or not, and are we investing the right amount in order to achieve these obligations, whether that’s regulatory in nature or based on a framework or just internal risk appetite. So we often see people using a CMM, the Capability Maturity Model, to grade themselves and compare themselves to their peers, and then that feeds the metrics, the KPIs and KRIs, as to what the steering committee, the C-level, really want to try and focus on, and then that drives that scoping and that perception up front. And I completely agree with you: you can’t outsource accountability. It’s at this point where we help to define, well, what does accountable look like, you know, what can we bring in house, and effectively managing governance. And, you know, it sounds very similar to what you’re seeing in your expertise in the field. And when we start looking at the rest of the circle, per se, it’s about that comprehensive profiling. I know we agree you start looking at the Nth parties and understanding the data points and elements that we can build this sort of holistic profile of them on, whether that’s data processing activities, whether it’s their security controls and governance; it’s multifaceted. So we look at it from a comprehensive profiling lens, which is, you know, how can we amalgamate all these data sets and Nth parties into something that’s actually coherent that we can action against and then benchmark everybody against one another, these being the third parties themselves. Then of course we can compare that to the regulatory obligations and frameworks that we need to consider. And then factor in, well, what can we actually do about it and how engaged is the business.
So the human effect of remediation planning. Now it’s interesting hearing you talk and correlate to the C-suite so much, because it’s a challenge we always see, which is the human factors and how can we get the business involved and multiple people to participate. And that’s always an ongoing challenge that we also try and pay attention to and advise on. So it really resonates. So on to the next slide, if I may. We talked about that holistic profile, and again I think you’ve really hammered home and touched very well on some of these points, but some of the things we like to see working quite well is building up this vendor profile, and that’s multiple factors and facets. Understanding the data processing, understanding the context around what they do and why they do it, is really, really foundational. You know, context is really key, and to address privacy and all of these other symbiotic factors, understanding what articles there may be relating to them in the world, broadly speaking: are they expanding territories, are they processing data in other areas, have they had any data breaches that we need to be mindful of that they haven’t reported back to us? And then of course even things like financial stability feed into that, being aware of any changes, M&A, that may impact them in the next 12 months. That perception on how your data is being managed and how you’re adhering to any regulations is going to be very much dependent on pretty much everything that you see in front of you. We do find it quite challenging for people to spend the time to be able to aggregate these data points as best they can and react, particularly when you’re dealing with it at scale.
So on the final slide before I pass back to you and go to general Q&A, just something that we wanted to share, because again I think it resonates quite well with what you’ve been talking about, is some of the processes that we see and we consider, which is the life cycle of third-party management. You know, I’ve obviously spoken and you’ve spoken about that comprehensive profile, but beyond that, it’s the broader life cycle. And I think you rightly touched on the contract and due diligence clause reconciliation piece up front, which is generally pretty on point for a lot of organizations, but that doesn’t necessarily carry over to the rest of the workflow. Things start to dwindle until contract renewals and so on. So we like to spend a bit of time focusing on post-selection, how can we apply that through the life cycle. So tracking the regulations, the obligations associated to that, making sure that the C-suite, the legal counsel, etc., feed into us to let us know really what we need to deal with, whether that’s the data protection officers of the business or whoever’s owning that. It all feeds into how we interact and govern and take accountability of the third-party program and the risks that they present to us. So we like to see through that life cycle that degree of ownership. We like some maturity, and expanding that maturity past procurement and contracting into the life cycle and tracking those contractual clauses from the outset. So what we often tend to do is build workflows around that, where we see customers, or visionaries really in the space, starting to collect the data, look at it cohesively, drive remediation on targeted focus points, and then really try and drive their programs iteratively and improve and optimize them over time. So establishing that best practice internally and driving it through steering committees, etc., is really something that we’re seeing as well.
So, I’m glad to see that nothing seems to contradict really what, hopefully, you’ve been seeing.
Linnea Solem: Absolutely. I mean, it is a life cycle, and I think that, you know, is a common concept, but the life cycles are shorter and even more complex today.
Alistair Par: Definitely agree with that. Lovely. So we can move on to the Q&A section.
Amy Tweet: Yeah, I’ll give you guys both a moment to grab a sip of water and take a breath. So thank you so much for the information. So a couple questions have popped in. I’m going to throw up our last poll question from the Prevalent side here. Before you head out today, are you looking to either augment or establish a third-party risk program in 2021, or maybe even looking into next year as we’re approaching the end of the year? We would love an answer. Yes, no, I’m not sure. We are here to help, as Alistair mentioned. So, you know, let us know. And these last couple questions here, I think, can go for either Linnea or Alistair. The first one is, could you please recommend additional KPIs or KRIs to help better track data risk?
Alistair Par: Sure. I’m happy to go first. And by all means, yeah, thanks. So yes, certainly on our side, the KPIs and KRIs that we need to see. So data risk of course is a subset of the broader risk piece on the whole, and we would see similar outputs, which is how can we make sure that when we’re looking at our scoping and triaging process that we are adding context to the risk criteria. So I appreciate context is quite hard to qualify when it comes to KPIs and KRIs, but if we can at least apportion the tier ones, the criticals, the in scope for the regulatory obligation vendors, and key data risks, at least we can focus on those and then start focusing our efforts and prioritizing the efforts on that subset, that percentage. So from a KPI and KRI standpoint I would very much say segment the data risks that have regulatory obligations or framework obligations and then look at progress against those. What about yourself?
Linnea Solem: Yeah, so just to add on to that, just a couple of things to think about is that when you look at a particular vendor relationship and you establish your risk rating or what you’re measuring, you know, high risk, tier one, tier two, tier three, tell the rest of that story. What is the risk of the vendor in resilience? They might be a high-risk vendor because they’re critical for resilience, but they’re a low-risk vendor for consumer protection because they really don’t interact with your end customers. So add some context to your risk rating and your vendor classification. And when you look at metrics, a lot of organizations may overlook the power of tracking complaints. So a complaint is different than an issue or a fix, but complaints are about context. So if there are complaints or things that are happening, usually that’s a symptom of something else going on. So have a good escalation process for those non-IT key areas, because you can learn about something that’s happening even faster.
Amy Tweet: Awesome. Great question. We have one more from the audience and we have a few more minutes. So if you do think of anything else you want to ask Linnea or Alistair, please take a moment to write out your question. This last one’s really good. So if you don’t have a direct relationship with a fourth party, how can you better handle and remediate any issues that you see with them?
Linnea Solem: Great question, and I would start with, you know, the challenge with fourth parties is that lack of control, right? You don’t have the direct relationship, either financially or by contract. But what you need to do is hold your third party accountable. So instead of just inspecting your vendor, you need to inspect and audit their third-party risk management program. And it is good for you to audit their program, require them to provide the evidence of the controls. And if you’re on the service provider side, don’t just push back at the client. Figure out how to tailor your documentation in a way that provides your client base sufficient documentation to feel confident that you’re doing a good job of managing those fourth-party and Nth-party risks. Because if you’re a service provider, if you do a good job with that, that can enable client value. So it’s really to drive maturity in it, but inspect the third-party program.
Alistair Par: Absolutely agree with you, Linnea, on that. So it very much starts, as we’re saying as well, with that procurement-layer exercise up front when you’re doing that contractual obligation. So establishing what their obligations are on them with the third parties and Nth parties that they manage is really key. And unfortunately, I think it’s a good question, and I think you touched on that as well, which is that most organizations don’t have that maturity and agreement up front to be able to govern their third party to make sure they’re managing it effectively. It’s sort of a reactive ask to make sure that they’re dealing with it. So, you know, we are seeing more organizations get more mature in establishing some contractual clauses up front to make sure that they are governing the fourth parties, but again, you’re not going to be able to completely outsource accountability there. It’s not going to work. There is an expectation that you will be working with them to identify and track those issues.
Linnea Solem: Well, and I think it’s also important not just to rely solely on a certification or an audit report. You know, I’ve worked in third-party risk long enough; back in the olden days you had the SAS 70 certified, and I kind of went, what? But now you’ve got different levels of external audit reports, but you have to peel back and look at it, especially in the cloud environment or in the other environment, to know what control does the vendor own, what control does the client own, and it’s almost that configuration, and you need to require evidence that they’re actually looking at the reports and doing a risk-based analysis of what they’ve learned and seen in the report. So it’s not just requiring the SOC 2 by contract; it’s what do you do with the SOC 2 once you receive it?
Alistair Par: And I second that by saying always check the scope as well, if their scope happens to be their broom closet somewhere.
Linnea Solem: Absolutely. Because it’s at product or service level. And I think that’s also where the data governance comes into play, because physical locations sometimes become less important in today’s digital environment. You know, in certain industries the physical location for manufacturing is very critical, but it’s really do that analysis in the vendor profile to know that you’re getting the assurance that you’re looking for, or where you need to supplement assurance on a particular topic that’s critical to your organization or to your customer base.
Amy Tweet: All right, thank you. That’s a great question. We’re going to move on to this one other one that just popped in. I think this has a lot to do with the times in COVID. So a lot of vendors don’t allow physical visits. Should this be a problem, or what alternative procedures would suffice?
Linnea Solem: That’s a great question, and it’s almost like we sometimes need webinars just for clarification on the service provider side. I think the key is to recognize that certain vendors aren’t going to be equipped to have you come on site, but then the vendor needs to have that collaborative conversation with their client base to say, “Okay, but here’s what we can provide in lieu of that.” Here’s additional evidence. Here’s additional documentation. Here’s additional proof of controls, or how can you use virtual or web technology in different ways. It shouldn’t be a yes/no. It’s just we need to perform the same function differently. So how do we do it? And it really starts with that conversation and being flexible on both sides, just to recognize the challenges that organizations are facing.
Alistair Par: Absolutely agree. And we’re seeing virtual validation being a real driver over the last, as you’d expect, over the last 18 months as well. And the key that we’ve seen to that is being concise and concentrated, which is you’ve only got a limited amount of time, because people get fatigue in Zoom as much as anything else. So we’ve seen success generally in giving them the rough criteria of the evidence that you’d want to validate. You’d litmus test certain controls that are critical to you, but wouldn’t give them necessarily the aspects of that control you’d want to be looking at, so they can’t necessarily game the system up front, but have time to prepare the relevant materials. So that concentrated validation exercise, that litmus test, of checking certain controls at least gives assurance, as seems to be a common theme over the last 18 months for us.
Linnea Solem: Right, and last year we had the virtual assessment webinar series, and we even saw shifts from the first time that Prevalent hosted that event, you know, early in Q2, to how people’s perspectives on virtual assessments and virtual validation had changed by the end of the year, because they’re having to deal with a virtual internal audit team. They’re having to deal with a virtual external audit team and virtual vendors and virtual third-party risk assessments. So a lot of processes have changed in the last 18 months, and I think that’s going to continue to evolve.
Amy Tweet: I love that term, virtual validation. That’s great. That’s a really great question. We’re here at the top of the hour. Want to make sure everyone gets, you know, the rest of their day in, and if you have any last questions, you can reach out to Linnea Solem. I think LinkedIn is a good place to reach out to you.
Linnea Solem: Yep, that’s fine. And I’ve also listed my…
Amy Tweet: There you are. I see you. I had to move the poll question out of the way. But in terms of Prevalent, if you have any questions for us, you can email us at info@prevalent.net. Follow us on LinkedIn or Twitter. Again, we really appreciate you spending this last 60 minutes with us, and I hope you learned some best practices on how to address data protection risk in your third-party ecosystem. Thank you everyone. Thanks, Alistair. Thanks, Linnea. I hope you have a great rest of your day, and everyone else have a good one.
Linnea Solem: Excellent.
Amy Tweet: Bye everyone.
Linnea Solem: Bye. Thanks.

©2025 Mitratech, Inc. All rights reserved.