Building a Vendor Inventory: The Foundation for Third-Party Incident Response
Description
Join Bob Wilkinson, CEO of Cyber Marathon Solutions and former CISO at Citigroup, as he guides you through efficiently building a vendor inventory as a foundation for your third-party incident response plan.
Interested in how Prevalent can help you? Request a demo and a strategy call to discuss your project with one of our experts.
Speakers
Bob Wilkinson
CEO of Cyber Marathon Solutions and former CISO at Citigroup
Transcript
Ashley: Hello everybody. Happy Wednesday. We are stoked to have you all. Hope you’re having a great day so far. I’m going to give everyone a minute to get situated and dialed in. And in the meantime, I’m going to go ahead and launch our first poll. We’re just curious to see what’s bringing you to today’s webinar. Is it educational? Are you in the beginning stages of your TPRM journey? A current customer? Do you just love Bob and Scott? Either way, let us know. And I can’t forget about some introductions. My name is Ashley. I work in business development here at Prevalent. And we are joined by some very special aforementioned guests: CEO of Cyber Marathon Solutions, Bob Wilkinson. How’s it going, Bob?
Bob: Going great, Ashley.
Ashley: And our very own VP of product marketing, Scott Lang. How’s it going, Scott?
Scott: Hey, Ashley. Doing great today.
Ashley: Excellent. Just a little bit of housekeeping. This webinar is being recorded and we will be sending out a copy along with the presentation slides shortly after the webinar. You’re all currently muted, but we love participation. So please put any questions in our Q&A box, and we’ll get to them at the end of the webinar. So today, Bob will be sharing his insights into efficiently building a vendor inventory. And with that said, Bob, I’ll pitch things over to you.
Bob: Okay. Thanks a lot, Ashley. Welcome everyone. We’re going to talk about vendor inventory and the role it plays in helping us when we come across third-party incidents. As someone once said, “There are companies that know that they’ve been hacked and then there are companies that just haven’t figured it out yet.” So it’s a real challenge that we need to be prepared for. And one of the key things that helps us prepare for managing an incident is having a good handle on our vendor inventory. And that extends not just to the third parties, but to all of the subcontractors, the fourth and fifth parties. It extends into the third-party software that our organizations might use. There are a number of ways to slice and dice that. Where is it that our data resides? Is it onshore? Is it offshore? And do we really understand all those things? So today we’re going to start off by talking about some recent incidents and highlighting the trend that what were once called black swan incidents, because of the rarity of them happening, are becoming all too common these days, and how that’s putting a lot of stress on organizations. From there, we’re going to move into an incident management overview and then we’ll talk about incident management for extended supply chains. From there, we’ll talk about techniques for creating a comprehensive supply chain inventory, what some of the risks are as you try to create that inventory, and some things to keep in mind. From there, we’ll talk about event triggers that can result in incidents, that you should be aware of and factor into your program. And then, who are the key third-party stakeholders who can help us be more effective in the building of our inventory and who should not be neglected in the process as we go about building that inventory?
Bob: From there, I’m going to move on and discuss the value of categorizing our third parties into what I refer to as risk domains, and how that is a valuable aspect of helping limit risk to the organization and of focusing on the really important controls in specific types of vendor relationships.
Bob: Whenever we talk about inventory management, it’s important to talk about the criticality of the third parties that we’re working with. What is it that we need to focus on to determine what the criticality of those third parties is? From there, we’ll talk about the third-party onboarding process and how that is so important in helping us have an accurate inventory. From there, we’ll move into continuous monitoring and also talk about some things we should be aware of in continuous monitoring, and the recognition that relationships that we have with third parties change over time and how we need to have a process that will allow us to go back periodically and ensure that we really do have a clear understanding of the nature of the relationship, because relationships do change over time. And then we’ll wrap up with some key takeaways from the conversation. So moving into it, what do the following recent incidents have in common? And the important thing about this list is the list keeps growing, and they’re significant events. So we’ve had several incidents in the Suez Canal where ships have blocked the canal and it has choked off the global supply chain. We recently had a terrible accident in Baltimore where a ship crashed into a bridge and blocked the port, which had significant knock-on effects not just to commerce but to the people who lived in the area. We all know about COVID-19, but memo to those of you who might not follow this: H5N1 bird flu is now a problem in the United States, and if we don’t take sufficient action to address it now, that could be our next co. I lived through a bird flu outbreak in Mexico 15 years ago and it was absolutely terrible, and people I know died as a result. So these are serious things.
Bob: We’ve all probably heard of the recent casino ransomware attacks that occurred. In the case of one casino, they paid the ransom and sent a note to all their members saying, “We paid the ransomware, your data is okay.” Perhaps not. And the other company that didn’t pay the ransom ended up expending four times the amount of money to address the results of that ransomware attack. Climate change.
Bob: Well, if you’re in the United States this week, odds are you’ll have 90° days for the next several days as the heat dome kicks in. We’ve seen recently attacks on third-party software, in many cases software which is critical to the infrastructure of the internet: SolarWinds, Log4j, MOVEit. And when those incidents occur, we struggle to figure out whether we’re using any of that software and we don’t have good visibility into it, which elongates the time to respond to the incident and puts all of our organizations at greater risk. So the bottom line is things are getting worse, and what we used to refer to as black swan incidents are becoming all too common. So let’s start off and talk about incident management. When we think about it, having a process within our organization that we developed, that we’ve documented, that we’ve shared, and that we’ve tested becomes critical in our ability to respond to an incident, and it has many dimensions when we talk about it. But if we don’t have that process well defined and we don’t test the process in advance, when we need it, odds are the process will fail us. So by having a good incident management process, we increase the likelihood that we’ll be operationally resilient and be able to deal with an incident with a minimal bit of business disruption. So when an incident occurs, the first thing that we have to do, after the incident is reported, is triage it. So the language that we usually use is we say we have an event; we don’t know what that event is. So we do our triage and we determine that it is an incident, and then what its likely impact and urgency are, and then we know how to prioritize it. So every anomalous event that happens isn’t necessarily an incident, and we need to go through that process to determine whether or not it is.
Bob: So, we’ve prepared, we’ve documented our process, we’ve tested, we’ve done tabletop exercises with our businesses so that everyone who would be involved in an incident understands how to respond. Next, we detect the incident.
Bob: And here, it’s critical that we have effective detection and monitoring mechanisms in our environment so we’re aware that an incident has occurred. We’ll triage and do an analysis of that incident to decide its criticality and what its impact and urgency are. Then we’ll go on to contain the incident and work on recovering from the incident and restoring our services to our customers. And then finally, in some respects the most important part of this process is the post-incident follow-up. What lessons did we learn? I have seen numerous occasions where companies have been affected by incidents. They haven’t learned from them. They haven’t gone back and made corrections to their systems, and they get hit by the same incident again. So, taking the time after you recover from an incident to follow up and benefit from the lessons that you learned in that incident is critical. So, when it comes to third-party incident management, the need for an accurate and readily available third-party inventory is critical to how effectively you manage the incident, respond to it, and keep your company’s services available. Now, when we talk about extended supply chains, it’s important to understand where most incidents originate. And when we talk about where they originate, one of the things that is important to understand is that most incidents originate with third parties. What is less well known, discussed, and recognized is that often those third-party incidents start at a fourth or a fifth party. So one of the things that I am an advocate of is, once you identify what your critical business processes are, spend your time focusing on understanding all of the relationships that are involved in that critical business process. So your critical third party may be using fourth and fifth parties.
Bob: Go deeper on understanding who those fourth and fifth parties are, as opposed to going more broadly in the sense that you want to cover all of your third parties. You have to start somewhere. If you’re going to start with your critical third parties, make sure you understand who those fourth and fifth parties are that are involved in that relationship.
Bob: Because odds are when you have an incident, not if, there’s going to be a third, fourth or fifth party involved in that incident. It’s also important to keep in mind the contracts that you have with your third parties, the terms of those contracts, including three key elements, which are: the right to audit, which gives you the right to perform a risk assessment; the need for the third party to commit to remediate any issues that are identified; and third, that they’ll notify you as soon as they become aware of an incident that may have occurred. That is also binding on the third party’s subcontractors, the fourth and fifth parties, and they need to follow that same process and those same terms that are in the contract between your company and the third party. And then, with the increase in attacks on third-party software, organizations have an inventory of who their third-party software providers are. And usually within your software development organizations, your security or your software architecture functions, they may have an inventory of all third-party software. If they do, that becomes a critical element for you. And if you can link that into your third-party inventory, you have the ability to much more quickly respond in the event that there is a third-party software incident, and in determining where that third-party software might be used in your business and whether the incident may affect you. So what are some of the key third-party inventory risks that we face? Oops. I think I skipped a slide there. Sorry. When you’re creating your supply chain inventory, how do you create it?
Bob: Most people go out and query their different business units and say, “Hey, can you send me a list of all the third parties that you’re using?” And that process, which is manual, often results in incomplete reporting, and therefore your third-party inventory isn’t complete. One of the things that I like to do when I work with an organization is to go to the accounts payable people and ask them, give me a list of all the vendors, all the third parties that you’ve paid in the last two years.
Bob: Because if your business is paying someone, there’s your real list of who your vendors are. And you have to remember that in some organizations, because they may be either federated or more decentralized, you might have multiple accounts payable departments that you need to go ask that question of. And then from there, there are a lot of tools that are emerging which help you identify business relationships that may exist between your company, a third party, and some of their fourth and fifth parties. And by leveraging that type of software, it allows you to discover relationships that you never knew you had. It also allows you to understand ripple effects when you realize that your inventory may have overlap between different functions. So your third party might only be providing a service to you, but there may be multiple third parties who are relying on a fourth party, whether that’s for web hosting, whether it’s for call center activity, whether it’s for a number of things. You find that there are ripple effects where you have geographic concentration risk further down into your supply chain. So if you take the time up front to make sure that you capture this data and that you leverage some of the tools that are available to you, you can discover third-party and extended supplier relationships that you wouldn’t be aware of otherwise. Now, what are some of the inventory risks that you run into which can cause you problems in incident response and in other areas? The most obvious one is an incomplete inventory. And when you’re building your inventory, you have to make sure that you’re capturing all of the relevant fields that are important to that relationship. One of the things that sometimes gets overlooked is it’s not just the name of the company, it’s where that company is providing the service from.
Bob: So for example, if you’re using data processing services and you say I’m using IBM at IBM’s corporate headquarters in Armonk, New York, and you list that in your inventory, those data processing services are not being provided in Armonk, New York. They’re probably being provided in Mumbai or Singapore or some other location around the world.
Bob: And what you need to know is where that service is being delivered from, because that has all kinds of implications, including when you’re in an incident situation where local rules and regulations can act as an impediment to getting something resolved. Having current contact information for your third, fourth, and fifth parties in the event that there is an incident, and being able to reach out to them and get information when you need it, is absolutely critical. And that means that you need to periodically, whether it’s every 3, 6 or 12 months, check back with your third party and fourth party and make sure that that person still works there, that they’re still the correct contact in the event of an incident. And that’s why periodic testing of your incident management and response processes is important, because you find breakage over time. So identifying their criticality and capturing that in your inventory, understanding the volume of confidential information that your third party may have access to, understanding how that third party connects into your network and potentially creates exposure, are important aspects of inventory management. Now, another aspect of this is that over time vendor relationships change. So you should have a process in place, at a minimum for your critical third parties, to go back on at least an annual basis and check to make sure that there haven’t been significant changes in the relationship with your third party. Some of the areas where you see that manifested is a pilot program where there’s minimal sharing of data occurring. That pilot program over the last year has moved to implementation, and where originally only 100 customer records were being shared, now 10 million records are being shared. A third party which may have been doing minimal processing for you, now they’re processing confidential information.
Bob: So if you don’t go back and check on what’s changed in those vendor relationships over time, you can have a real exposure. Another aspect in maintaining the inventory is: don’t do it in Excel spreadsheets. Automation is key to scalability in any third-party risk management program, and not having a centralized automated inventory leads to gaps, and from gaps we get incidents. Another risk that you run into is having an incomplete extended supply chain for critical vendors. You need to understand who those fourth and fifth parties are, particularly for your critical business processes. Some of the things that might trigger an event that could lead to an incident: it’s important to keep them in mind, and when they occur, it’s worth checking back with your third party to understand what changes have been associated with these triggers. So obviously in the case of a data breach, you’re going to want to go back and understand how this happened at the third party, whether the third party has taken corrective action, or whether there still continues to be an exposure. Changes in ownership, either through merger, acquisition, divestiture, whatever the case might be, often mean that functions and systems will be consolidated. Where processing occurs may be migrated, and whenever moves like that happen, they pose substantial risk of disruption to your business. Always keep in mind that regulatory changes are often the source of problems within organizations and that you need to be aware of how they change; with the recent FFIEC changes in third-party risk management that were published in the last few months, understanding what those impacts to your organization are is important. Moving a data center, whether you’re moving it to another physical location, offshore, or more commonly these days to the cloud, can result in the exposure of information and lead to incidents. You need to make sure in your inventory you capture where things are being processed. And while it gets tricky in the cloud, and a cloud service provider will say, well, we’re processing it for you, you need to push them to understand where your data is actually residing and being processed in the cloud.
Bob: There have been several high-profile outages with AWS and Azure where you find out that you have a redundant data center in the cloud, but they’re both located on the east coast, and when Amazon’s east coast services go out, you’re completely off the air. So you need to be aware of that and understand it.
Bob: The expansion, which we just talked about, of new business functionality or significant changes in volume is a trigger, and you need to understand the implications of what that might do in your organization. And then finally, deterioration of a third party’s financial situation is a definite trigger. It could be anything from the third party going out of business and you lose the functionality. Usually you have pretty good advance warning that they’re in trouble, particularly if you’re monitoring the financials of your third parties, but when they start running into financial difficulties, the first thing they do is cut back. When organizations cut back, the first thing that goes is controls. So, being aware of these event triggers could be helpful to you in helping you to be aware of where incidents might originate and taking steps proactively to prevent them from happening. Your TPRM inventory stakeholders. One of the things that I think is essential to an effective TPRM program is building relationships across your organization with other key stakeholders that you have and that you need to work with. So for example, too many times I’ve seen third-party programs that try to operate in a vacuum. Organizations are large, they may be bureaucratic, but by taking the time to reach out, and I always suggest starting with your procurement and sourcing organizations because they’re the ones who are usually contacted by business units to establish relationships and get a contract in place with a new third party, that can give you a heads up on who the new third parties are that are being onboarded by your company. Too many times we’ve seen third-party programs get contacted the day after the contract is signed and it’s going live the following Monday, and they say, “Oh, go do a third-party risk assessment.” Well, that’s perhaps the most uncomfortable position to be in.
Bob: So, by having that relationship with your procurement people, that helps with avoiding those types of scenarios. Reaching out to your business units, understanding what their key business initiatives are and understanding whether they plan to make use of any third parties as part of those business initiatives, allows you to partner up front with those business units and address any concerns early on in the relationship, which will keep the project on track and allow the business unit to leverage the third party’s capabilities sooner. Your operations and technology functions, particularly as it relates to things like business continuity and disaster recovery: if you’re starting out and trying to figure out who your critical third parties are, one of the best places to start is to talk to the people who work in your business continuity and disaster recovery teams. They’re going to know who the critical third parties for your company are. Again, finance and accounts payable: they pay the bills. They know where the money’s going. Your legal and compliance people, just like procurement and your business units: many third parties come into the organization through the legal and compliance function, and any third parties that come in need to be compliant with both law and regulation. So having a relationship with your legal and compliance people is very helpful. And then finally, you have enterprise risk management. Now, in the case of enterprise risk management, by telling your story, what you’re doing in your program, the things you’re focusing on, and including sharing some of the challenges that you have, you can leverage your enterprise risk management organization to help highlight those changes to increase visibility with your senior management and your organization,
Bob: and also to help the board of directors understand what’s going on in the company as well. So for me, in all of this, if you want to have a successful third-party risk management program, knowing who your stakeholders are, establishing relationships with them, and working with them is one of the most effective ways to do that. Risk domain categorization.
Bob: So what I’m getting at here is, when you onboard your third parties, do you have a methodology for categorizing them based on the functions or the services that they’re delivering, or other criteria such as: do they have access to PII or PHI? Other things that you might look at: where’s the service or product being delivered from? Is it onshore or offshore? By doing this, you are identifying the services that are being provided to your business, so that when a business comes along and says I need a third party to do X, and where this is particularly helpful is also working and sharing this with your procurement and sourcing people, so that when a business says I need a third party that does X, you can look at your inventory and see that you already have three or four third parties who are providing exactly that service. One of the best ways to mitigate risk and to lower the cost of your third-party risk management program is by avoiding the duplication of endlessly bringing on new third parties who do a function that’s already provided by another third party to your organization. That’s not to say you want only one, because you need redundancy, but you don’t need five doing the same service. When you leverage those companies that are already providing a service to your company instead of bringing on a new third party, you decrease risk because you’re decreasing the amount of information you’re sharing and the access to your infrastructure that you’re sharing. You have a proven relationship with the existing third party. That relationship can move from tactical to strategic and be expanded, and you don’t have to go back and constantly do new risk assessments or additional monitoring because you’ve already done that and you have these things in place. For me, that is an absolutely essential part of the conversation.
Bob: Organizations are experiencing rapid growth in the number of third parties they’re using. Anecdotally, that might be 10% a year. Nobody’s giving you 10% more budget or 10% more resources to manage all those new third parties who are coming into your third-party risk management program.
Bob: So, the best thing you can do to limit risk and be effective in managing it is to challenge the addition of new third parties when you already have third parties who are providing a service. So this risk domain categorization really helps you to more effectively manage overall risk in your program, and that definitely cuts down on the number of incidents you have. If you have fewer third parties you’re working with, the likelihood of an incident goes lower, and at the same time the total cost of ownership for your program goes down. Criticality of third-party services. Establishing and capturing that in your inventory is absolutely critical. Haha. Criticality of third-party services drives your focus for where you apply your scarce resources in order to more effectively manage risk to your organization. So I use a straightforward definition when I’m trying to determine the criticality of a third party. What are your key business processes? If it’s a key business process, odds are that third party is critical. The function that they provide, especially when they’re providing key internal control functions; organizations sometimes outsource these. You can think of vendors like Okta for single sign-on and things like that. What information is the third party handling, and what volume of information? If it’s confidential or restricted information, odds are that’s a critical third party. And then depending on the access to your infrastructure that you’ve granted, that may be sufficient reason to categorize a third party as critical. But remember, you can’t just focus on your critical third parties. You need to understand a full inventory of all third parties, and by classifying them into risk domains and understanding the service they deliver, you can more effectively manage them.
Bob: And I’ve seen, and I’ve been victim of, excluding certain third parties from active monitoring and found out later that in fact they were critical and I made a significant oversight. So third-party onboarding is a key control point where you can capture this information. If you have a third-party relationship manager in your business unit who is responsible for managing that third-party relationship, they can help.
Bob: They are a great source of information for interacting with and overseeing that third-party relationship, and also to help you be made aware of when new third parties are being brought on. So you should leverage that relationship with third-party relationship managers. It is important to remember, and this is a problem that happens with third-party programs all the time, that the third-party program ends up being somehow responsible for managing the relationship with the third party. The person who is responsible for managing the relationship with the third party is the person whose name is on the contract between your company and that third party. And while they can outsource to the third party, they cannot outsource their responsibility or accountability. They sign for it. They own it. It’s theirs. And when something goes wrong, it is their business unit that will have to deal with the direct consequences of it. So again, does my business need another third party to provide the service or product? It’s the first question you always want to ask the business. But you also have to have access to an inventory where you can propose alternative solutions with third parties that you already have in place. Another aspect of this, particularly in larger companies that are prone to doing acquisitions: when an acquisition is made, you’re not just acquiring a new company, but you’re acquiring all the third parties that supplied some service or product to that acquisition. You need to understand with acquisitions which of the third parties that acquisition used are critical to them. And then secondly, you need to decide whether they’re necessary or duplicative of other third parties that you already have providing that service to your company.
Bob: This is an area which is generally neglected and which results in the growth of third parties and the failure to capture those third parties in your inventory, and that leads to incomplete inventories and it leads to incidents. So the onboarding process is a key checkpoint to understand where new third parties are coming from. Continuous monitoring.
Bob: Continuous monitoring offers us the ability to see what’s going on, on an ongoing basis, with our third parties. And we don’t live in a world where doing a periodic assessment or an initial assessment of a third party is any longer sufficient for managing risk in the third-party space. When we complete an assessment, it’s only good for the day we completed it. The next day, we could have a security incident, and you run the risk of exposure for the next 364 days of the year. So you have to have a continuous monitoring program in place to monitor the ongoing health of your third party, and that continuous monitoring has three aspects to it. The first one is understanding the tiers, the subcontractors, the fourth, fifth and nth parties that exist within that relationship. The second piece of that is making sure that your third-party risk management program is actually managing the risks that exist. And it’s not just cyber risk or business continuity risk. It’s financial risk. It’s geographic risk: what’s going on in the countries where your data is being processed. It’s operations risk: degradation in performance, key people leaving. Reputational risk: negative news about one of your suppliers, unethical labor practices or environmental exposures that may exist, or violations of regulatory compliance, human trafficking, anti-bribery, all of these things. You cannot just monitor for cyber or business continuity risk. If you’re not monitoring for all these risks, and monitoring on an ongoing basis, you’re exposed, and that leads to incidents. And then continuous inventory discovery, because just like your company is constantly adding new third parties and new business relationships, so are your third parties, and you need to understand what those relationships are as they pertain to the relationship that third party has with your company.
Bob: One thing to keep in mind is that a continuous monitoring program requires skills and knowledge that are different from those used by your third-party risk assessment people, and you need to make sure that you have a good match of skills in your continuous monitoring program.
Bob: But even more importantly, operationally, if you’re going to do continuous monitoring, you have to have incorporated that continuous monitoring into your ongoing business operational process workflows, because I’ve seen many times with continuous monitoring that the monitoring begins, and when alerts are generated or when there are events that action should be taken on, nobody’s looking at the information that’s generated and nobody does anything. So if you’re going to implement or enhance your continuous monitoring, make sure you take an end-to-end look at the process. Understand where the monitoring alerts are going to go, who’s going to take action in what time frame, and that you’ve documented the process. So here’s a list to help you with continuous monitoring and some of the points that are useful to keep in mind as you go about doing it. You need quality third-party information. If you have gaps or there are data quality issues, your continuous monitoring program is not going to be as effective as it could be. Have you implemented those operational processes that I just talked about to manage and respond to the alerts and potential incidents that get generated through continuous monitoring? Is your third-party inventory complete? It’s not a one-and-done. It’s constantly evolving, and how do you keep up with the changes and start to drill down, starting with your critical third parties, on who your fourth, fifth, and sixth parties are? It doesn’t take much to add the fourth, fifth, and nth parties to your continuous monitoring platform so that you have deeper visibility into your critical business processes on an ongoing basis.
Bob: Do you have reliable and regularly updated information about the classification and volume of data that’s being shared with your third parties? Periodically checking back with the business, starting with your critical third parties, to understand how relationships with third parties have changed helps you focus on those areas where the greatest risk exists. Do you understand what access your third parties have to your corporate network, systems, data, etc.?
Bob: Do you know the physical locations where the management of your information is occurring, where the data processing is actually happening, where the data resides at rest? What fourth, fifth, and nth parties have access to your sensitive information or your corporate networks? Third parties are notorious for taking access to information or access to systems that you may have granted them and granting it to fourth and fifth parties without ever telling you. You need to be aware of those kinds of things. Do you have updated and current contacts with your third parties so that when events and incidents occur, you reach out to the right people in a timely fashion and you don’t have to go hunting for who to call? And have your resources been trained on effective log monitoring, review, and escalation processes so that when an event occurs and it’s determined it is an incident, you can take the proper steps? And have you done tabletop exercises with your business people so that in the event of an incident, everybody knows what their role is and how to respond? So to recap, key takeaways: understand and leverage the key resources and stakeholders you have at your disposal in your organization. For every one of those stakeholders that I talked about, take them to lunch. Pay for the lunch. It’ll be the best investment you ever made for your third-party risk program. You need to continuously validate your inventory because it’s constantly changing. And that means at least annual reviews of vendor risk classification and the key factors in the relationship. Ensure that vendor criticality is understood before onboarding. What do they have access to? What information? What infrastructure? Are they performing a critical control process for you? What business process are they associated with?
Bob: Vendor inventory extends to software and is optimally cross-referenced to the critical third parties and business processes that you have in your inventory. Work with your software development and software architecture organizations to see if they have that third-party software inventory. And if they don’t, work with them and figure out how to get it. Leverage automation.
Bob: The only way that you get scalability and you’re effective is by automating your program. No more Excel spreadsheets and one-offs and maintaining a list of inventory that way; you need to have it centralized if you’re going to scale it. Ensure you have effective, up-to-date incident response programs, as we talked about right at the beginning of this. Make sure you have the contacts defined, the phone numbers work, the emails work, and that periodically, when you do tabletop exercises, for those critical third parties that participate, you might have them as part of that tabletop exercise as well. And if you implement these third-party inventory management practices, your incident management will be more effective. Your operational resilience will be improved. You’ll avoid potential negative reputation, financial, and regulatory impacts. And in closing, that’s my contact information. If any of you want to reach out to me, if you have any questions about what we discussed here, if anybody wants to talk about the problems that you’re having in your business and how to go about solving them, the phone call is free and the advice is free and I’m here, and I encourage you to take me up on it. So that’s what I have for today. Scott, over to you.
Scott: Thanks so much, Bob. I appreciate that. Thanks everybody for listening in to our presentation today, Bob’s presentation on vendor inventory and its critical role in incident response and an overall third-party risk management program. What I’m going to do in the next 5 minutes or so is just explain some ways that Prevalent can help you achieve the objectives that Bob talked about in his presentation today. So I just have a few slides. First off, and by the way, while I’m going through the Prevalent perspective on this, this is a great opportunity for you to think about the questions you’d like to ask, enter them into the Q&A window in Zoom, and then Ashley will triage those questions and elevate those to Bob as soon as I’ve wrapped up my part of the presentation. Okay, so first off, everything that Bob talked about today, I think from a challenge perspective, revolves around one of these three things. Number one, a lot of companies are still using spreadsheets to manage their third-party inventory or to execute their third-party risk assessments. We know this because we survey the industry every year. And earlier this year, we released the results of our annual third-party risk management study showing that 50% of companies still use spreadsheets to manage their third-party risk, their auditing, and their controls. So look, I understand it’s hard to get away from spreadsheets. It might seem easy. There are some benefits to it. It’s free. You’re already paying for it with your IT license of Office, you know, whatever. I get it. But there comes a time when that spreadsheet just can’t scale. It doesn’t have the controls validation. It doesn’t have the reporting and the metrics in it that will really help you dive deep into what an enterprise third-party risk management program should be. Problem number one. Problem number two, not enough coverage. You know, the results of our survey said that organizations are only actively managing about a third of their vendors, which was pretty shocking to me. The average company, you know, 30 to 33% of vendors actively tracked, monitored, risks remediated. The other two-thirds get a glancing blow occasionally, or maybe a little bit of effort during the onboarding phase or maybe a contract renewal, but there really isn’t a whole lot being done to manage that two-thirds of vendors. The third big problem is no life cycle coverage. We find that a lot of companies, you know, roughly 29%, only 29% of companies, are actively tracking risks across the third-party vendor supplier life cycle. Right? So half of you are using spreadsheets, a third of you are only able to manage a third of vendors, and roughly 30% are looking at risk across the life cycle. Look, I get it. It’s a problem. Third-party risk is a challenge and it’s getting worse with more regulations, more third-party breaches, and increasing numbers of third parties you have to manage. Look, what I think the outcomes are for a good third-party risk management program are three-fold. Number one is get the data you need to make better decisions, and that’s where a solution can help, by centrally aggregating into a single vendor profile the information that you need to manage that vendor across the life cycle: basic demographic information, ultimate business owner information, reputation, finances, cybersecurity posture or whatever, all in one place so that everybody is singing from the same hymnal.
Scott: Second, that helps you to increase your efficiency, not just for your team responsible for conducting those assessments, but it breaks down the silos between different teams that also might want to have some sort of a say in third-party risk: procurement, risk management, internal audit, legal, others. And then third, that enables you to evolve and scale your program over time. You know, we know that spreadsheets are a problem. We know that you’re not managing a life cycle because a lot of those spreadsheets just get in the way. A good third-party management solution allows you to evolve and scale your program over time using automation, using analytics, and maybe even using AI to help automate the process. You know, here are our tips on building a comprehensive vendor inventory. From our perspective, it all starts with centralizing your vendors, getting all your vendors under one pane of glass, out of the accounts payable department, out of the procurement department, out of the individual business units, to central management. And that has to happen easily. It can’t be a cumbersome process, as you know. It could be as simple as a spreadsheet upload with automatic mapping of fields into a preset form in a platform, or an API connected into an accounts payable tool, or maybe just a simple questionnaire that’s available to anybody across the enterprise without requiring them to log in, just via an email link, so that you have everybody contributing information and you begin to set that foundation for vendor inventory.
Scott: Second, once that vendor inventory is created, the next best practice is to aggregate intelligence about that vendor so you have that single source of the truth, and that can include demographic info, UBOs, fourth-party technologies that that vendor might have in place, so that you can visualize potentially weak points or concentration risk in your ecosystem. You know, CPI scores, modern slavery statements, ESG scores, things like that that provide a level of information about that third party from which you can then make decisions and build a broader risk assessment strategy around. And that really starts with conducting an inherent risk assessment, which is the third best practice here: asking a set of simple questions and calculating the risk that that particular vendor or supplier introduces to your organization, which then dictates your due diligence strategy going forward. And then as you tier and categorize those vendors based on that inherent risk score, that allows you to go the final mile and prescribe an assessment strategy and a continuous monitoring strategy to bring information in, share it with the rest of the organization, recommend remediations, and ultimately close the loop on third-party risk. That’s our approach to addressing third-party risk management. We look at risk at every stage of the third-party life cycle, from the point where you source or select a vendor to the point where you offboard and terminate them. We deliver our capabilities through a combination of our expertise, the data and the intelligence in the platform, and the platform itself in terms of its reporting, analytics, workflow and compliance mapping.
Scott: And I realize you can’t click on this link because you’re watching the presentation, but watch for the presentation and the recording tomorrow. We have a third-party incident response strategy guide available to you as well that has a lot of the information that Bob covered today in terms of building an inventory and understanding who your vendors are and what risk they pose to the business before you go about determining the best approach for assessing those vendors on an ongoing basis. So that’s what I wanted to share with you today. I will turn it back over to Ashley. Ashley, open it up for questions.
Ashley: Thanks, Scott. You guys might have noticed I went ahead and launched our second poll so we can follow up with you regarding any initiatives or projects that you may have. We’re just curious to see if you’re looking to establish or augment a third-party risk program within the year. And please be honest, because we do follow up with you. But we’ve got a couple minutes left on the clock here. So let’s go ahead and get through some of these questions. Bob, I have one for you. Krishna asks, could you please give an example to relate third, fourth, and fifth parties?
Bob: Sure. That’s pretty straightforward. So you sign a contract with a call center provider for your business who will answer phones when people call in with questions. And that call center provider has insufficient resources to address spikes in the call volume that may occur. So that call center will sign a contract with another call center to provide overflow capability to them, and they will provide that capability, but it’s a separate company. So the fourth party and the third party are two separate companies, and they’ve established a business relationship together. Another example might be payroll processing. So you outsource your payroll processing to a company, and this is a real case, a real incident that I was involved with. That company outsourced parts of the processing for payroll to a fourth party, who outsourced it to a fifth party, who outsourced it to a sixth party, who outsourced it to a seventh party, and the seventh party really screwed up and it was a hugely embarrassing incident. But companies do not always have the capabilities on their own, and particularly software development companies. So you want them to develop a new app for you, they’ll develop the app. They can’t host the app. They’re going to go to a fourth-party web hosting company to host that app for you. Those are some examples.
Ashley: Thanks, Bob. I have another one for you here from Bradley, who asked, “When you say inventory, are you only referring to documenting data, software, hardware, networks, etc., or do you also mean physical goods in inventory such as customers and manufacturing would think about?”
Bob: Typically, what we talk about in these webinars, because third-party risk is a topic that’s to some extent driven by regulation and financial services companies, we tend to talk about services, but everything we talk about here is absolutely relevant to the product part of the equation. So manufacturing processes, for example: take a company like Procter & Gamble or Campbell Soup; in their case they will use somewhere between 50 and 150,000 third parties to provide different elements of the products and goods that they produce and sell in the marketplace. So everything we talk about here, which is generally services-oriented, is equally true on the product side. And when you get on the product side, you have other, different concerns and controls: industrial control processes. Then you start to talk about OT and IoT a lot more than you would normally talk about here. So those are other examples where it’s relevant. So generally we talk about services, but it’s equally relevant on the products, global supply chain aspect.
Ashley: Thanks, Bob. Scott, I’ve got a couple of questions for you here as we wrap up. Schilpa asked, why quantify inherent risk versus residual risk score?
Scott: Yeah, great question. I would do both. Inherent risk helps give you an initial picture of how to potentially tier and categorize that vendor based on a bunch of criteria like access to protected information, systems access, applicability or criticality to customer processes, things like that. And once you have that inherent risk score calculated based on that criteria, that can help dictate your ongoing due diligence strategy, which ultimately helps to reduce that ongoing residual risk down to a level, an appetite level, that’s good for the business. So do both, but inherent risk is a little bit different of a calculation than residual.
Ashley: Thanks, Scott. Two more for you and then we’ve got to wrap up here. Someone asked, how do you handle the volume of responses to those third-party risk assessment questionnaires?
Scott: How does our solution handle the volume?
Ashley: Correct.
Scott: So a couple of different ways. Because the system is automated, the vendor goes in and completes their risk assessment. All of the answers are then pre-populated into a central risk register, which you as the user can then go into and compare and look for answers that don’t match up with your risk thresholds and preset expectations, and then you can laser in on just those areas to effect some sort of remediation. So the process is very automated. The second approach is AI: we help you by applying AI principles, machine learning, and analytics to consume information, pre-populate assessments, and then help you draw some initial conclusions from the data that you find, while ensuring human governance over the process. We don’t just, you know, put something out. We make sure you approve what comes out of that. And third is managed services. We help you manage the volume of assessments by having you outsource that to us if you choose to do so.
Ashley: Thanks, Scott. And one last question to wrap up. Speaking of AI, what are the parameters to review an AI third-party vendor?
Scott: The parameters to review an AI third-party vendor. I think three-fold. Number one is data security and privacy: the AI function that’s used by that third-party vendor or supplier, is it a closed system? Is it a managed LLM? Or is it an open LLM? And what data is being used to train it? That’s the second one; you know, you don’t want to have data access from outside APIs and whatnot into that data pool. If you’re putting company information, potentially sensitive information, into that, that’s got to have a good security process. Number two is hallucination and bias, and make sure that those systems are trained using real data, not fake data, and data applicable to your set of business processes, so what comes out of the other end is accurate. So a secure system, accurate processing, and then third, that that system is continually evaluated and updated and that there is human governance, as I mentioned before, over what those inputs are and what those outputs are, so you aren’t just simply turning your life over to Skynet.
Ashley: Excellent. Well, thank you so much, Scott, Bob, and everyone for all of your questions. I hope you have some great information to take in today, and I hope to see you all either in your inbox or at a future Prevalent webinar. Cheers, everyone, and have a great rest of your week. Take care.
Bob: Thanks everyone.
Scott: Bye.
Bob: Bye.
©2025 Mitratech, Inc. All rights reserved.