Description
Effectively managing third-party risks is essential for protecting data, safeguarding operations, and maintaining regulatory compliance. However, with a variety of information security frameworks available to choose from – such as NIST, ISO, and others – it can be challenging to select the one that best aligns with your organization’s needs.
In this webinar, compliance expert Thomas Humphreys explores key considerations for choosing the right third-party risk management (TPRM) framework.
Join Thomas as he:
- Examines the strengths and limitations of several leading information security frameworks.
- Reviews how to evaluate common frameworks based on your industry and risk profile.
- Discusses steps for aligning TPRM practices with broader organizational goals.
Whether you’re building a TPRM program from scratch or enhancing an existing one, this session will equip you with practical insights to strengthen your approach to third-party risk. Register now!
Speakers

Thomas Humphreys
Compliance Expert
Transcript
Melissa: And a few intros here. My name is Melissa. I work here as an account manager. And today we have a few special guests, some returning guests. We have compliance expert Thomas Humphreys. Welcome back, Thomas.
Thomas: Good to be here.
Melissa: And we also have Matt Delman. He is our product marketing manager. So, hey, Matt.
Matt: Hi, Melissa.
Melissa: Matt will come in at the end and speak to how Metate, the platform with Meteor, can help mature some of your existing programs, and see what else is out there. A little bit of housekeeping: this webinar is being recorded, so you’ll get a copy of it shortly after the webinar concludes. You’re all muted, so just use that Q&A box for the questions that you have during the webinar. We can get through those either during or after the webinar. And then, without further ado, I will pass the baton over to Thomas as he explores some key considerations for choosing the right third-party risk management framework. So, the floor is yours, Thomas.
Thomas: Thank you very much, Melissa. And yes, good morning, good afternoon, good evening, ladies and gentlemen. Welcome to this webinar. For those who haven’t met me before, my name is Tom Humphreys. I am the content manager at Prevalent, and my main focus is building assessments and frameworks within our platform. I have coming up to 15 years now from an auditing perspective. My background was in auditing various standards, not least around the ISO domains, both in the UK, Singapore and more globally for various organizations. And yes, today we’re exploring different third-party risk management frameworks, different information and cyber security frameworks, and how we can make informed decisions to make sure we’re using the right assessment as part of our TPRM engagement and the wider TPRM journey as well. As Melissa indicated, we always reserve time for Q&A, so you should find a Q&A box within the necessary tools. So please go ahead and upload any questions that you have, and we always reserve time at the end to answer them. So, without further ado, let’s get started. I just want to break it down from an agenda perspective. We’re going to take a look at some of the more common, perhaps the more widely used, cyber security frameworks, before doing a deeper dive into some of the strengths and limitations of these and other more general frameworks that are used in the TPRM space, and particularly talking a bit more about how these strengths and limitations, if we use them in the most positive sense, can help us to improve and make informed decisions in terms of how we engage with our third parties and what the key control areas are that we want to be looking for and asking them about.
Thomas: We’ll take a look at evaluating some of the common frameworks at industry level, and generally how we can use our own internal risk profiles and risk assessment approaches, and again how that impacts some of our decision-making when it comes to what’s the right framework that works for us. And then finally, we’ll go through some steps that align practices with our own organizational goals as far as understanding and using the right frameworks at the right time for the right types of third parties. So, some key cyber security frameworks. I think it’s fair to say that standards and frameworks in information and cyber security come in all shapes and sizes and all different complexities. There are certain names that we can see on the screen that I think many people hopefully will be very familiar with. Certainly those such as ISO 27001 and NIST CSF, or the Cybersecurity Framework, are examples of, I guess, top standards that we consider to be industry agnostic. They’re typically used by any type of organization across any industry and sector. Particularly a standard such as 27001, which still remains one of the most widely used frameworks when it comes to managing information security, and particularly where we see organizations taking 27001 controls and using them to drive third-party risk and third-party risk management. There’s a lot of, and a growing number of, sector-specific frameworks as well. I’ve given a couple of examples on the screen. HIPAA, from a US healthcare perspective, develops security and privacy based rules for organizations that manage PHI, public health information, or ePHI as they sometimes call it. And perhaps one of the more well-known from a security and privacy perspective is from New York: the NYDFS 23 NYCRR 500 framework, which is used for, and we’ll go into a bit more depth later on, this is used for financial organizations who operate within New York State and the New York financial space as it exists today as well. Outside of those more wide-reaching frameworks such as ISO, there are many NIST standards as well, 800-53 for NIST, and SIG in the US as well.
Thomas: We do find, of course, that you’ll always have some topic-specific frameworks that are very much geared towards particular technologies or particular use cases. ISO 42001 is one such example that ISO/IEC have developed for managing AI systems, so the design, the development and the application of AI systems, and these typically offer guidance and requirements for defining and implementing controls for those specific technology systems, and industries in some cases as well. And let’s not forget the ever-increasing volume of regulatory-based requirements as well. So whether it’s areas such as the PRA, or Prudential, in the UK, who have developed frameworks to deal with outsourcing arrangements and the wider supply chain and some of the areas that they’re imposing for financial bodies that operate within the UK and wider, or the EU NIS 2 framework, which is for EU organizations and sets out wider cyber security practices and expectations, again not too dissimilar to what we see with other frameworks. So there are a lot of different frameworks coming in all different sizes and complexities, some imposing stricter requirements than others. And certainly those around the ISO and NIST frameworks, I’d say SIG, CIS and other key terms or acronyms you may be familiar with, are more wide-reaching in terms of end-to-end cyber security governance, risk and compliance based controls as well. So there are a lot of different frameworks out there, which of course is quite concerning; well, it can certainly be a conundrum if you’re first starting out looking at and determining which security framework is best for us. What framework should we be using when we want to engage with our third parties and to assess our third parties and our wider supply chain as well? So let’s take a quick look at three examples of frameworks briefly, and we’ll go into a bit more detail in terms of how they’re broken down and their use cases as well.
Thomas: So firstly, as I say, one of the most widely used frameworks globally is still ISO 27001’s framework for defining, implementing and managing an information security management system. Not too dissimilar to other ISO standards, these are structured in a way that gives clear guidance from a governance perspective, so setting out leadership and its role, and identifying and managing risk with a structured risk management framework, before expanding on sets of controls that companies can select from to help manage those risks as well. As I say, it’s internationally recognized, and it really does vary across the different types of businesses, sizes and complexities of businesses, whether it’s a software house, a large software firm in the US for example, or an advertising agency in Japan, or a manufacturing plant in the UK. So many organizations adopt 27001 as a recognized best practice for good security and security management as well. And of course within this there have always remained, from the older to the current 2022 version, very clear controls around managing third parties, managing suppliers and the supply chain. So when we’re thinking about contract management, when we think about identifying controls for your immediate third parties, and management through monitoring and performance and auditing capabilities as well. So quite a wide-reaching and, as I say, very widely adopted framework. And it’s obviously important to note that it is a certifiable standard. There are many standards and frameworks out there that companies can use that are not certifiable, but they are still used as recognized best practices. 27K is one example of a certifiable standard, through independent auditing and some validation and verification as well. Perhaps more recent is NIST CSF. Version two of this framework came out at the beginning of this year, I think end of January, beginning of February 2024. Not too dissimilar from ISO in that it is an in-depth cyber framework that provides a structured baseline of identifying controls, which they split across what they call their five core functions.
Thomas: So govern, which is a new area that they’ve included in version two, and then you have identify, protect, detect, respond and recover based controls. So five core functions, which are then categorized further into governance and then what we might consider to be organizational and technical or technological based controls. So everything from managing people and physical security to logical and physical access, continuity, recovery, incident response and more as well. And again, in a similar vein to ISO 27001, controls at a governance level that focus on third parties and awareness of third parties and third-party risk as well. There’s quite a broad-brush approach, but it does allow for applicability across many technology environments, and that’s also quite important to highlight as well. So when these frameworks are released, such as ISO and NIST CSF, one thing that makes them so attractive, but that can also pose some potential problems as well, is that the language they use and some of the detail in many of the controls are designed so that many different organizations can use them. So again, going back to if we have a manufacturing firm versus a software developer versus an advertising agency, of course they’re going to approach cyber security and risk and engagement with their third parties in a very different manner, and what they consider to be true risk, and these frameworks give them that capability to adapt them for their own use cases. And then finally, a very different example in SOC 2. So there’s a widely adopted framework for assessing organizations against five key control groups, those five that we see at the bottom of the screen. So controls around security, protecting confidentiality, integrity and availability of information, data and systems. And there are privacy elements as well. Again, it provides a detailed assessment of an organization’s overall operational and system capability and their effectiveness. There are some slight differences, however, between say ISO and SOC 2. I’d say both of them offer a level of certification; both of them can be independently assessed by auditing firms.
Thomas: But with SOC 2 there’s a lot of free rein for organizations to scope how much of the control groups they would like to include as part of their SOC assessment. So we find some companies only want to focus on security and very much ring-fence based on a particular product and service or organizational capabilities. Others look at all five key control groups. And of course this provides varying levels of depth and understanding of how much best practice this organization is using. But this is again another example where, if you look at ISO, NIST CSF and SOC 2, all three of them have very similar controls or types of controls, whether it’s around access control, training, personnel security, data security and integrity for example, or continuity. And so despite these being just three of many different frameworks out there, there is, I guess, some comfort also in knowing that there’s a lot of commonality in terms of some of the best practices and control requirements that these frameworks set out. So going into a bit more detail, let’s have a look at some of the strengths and limitations of frameworks such as those that we’ve just discussed, and particularly thinking about when we’re going on that journey of making the decision of what’s the right third-party framework for us as a business. So where may we come unstuck when selecting the right standard or framework? There are obviously a lot of potential pitfalls that could cause us some concern. We’ve already talked about the large volume of standards, whether topic specific, sector specific or more agnostic. Of course, each assessment and framework out there will have their own methods and interpretations of how a control is identified or should be implemented. You can certainly see slightly different methods of risk, or how it captures risk assessments.
Thomas: So, thinking of ISO for example, 27001 has a very clearly structured approach for how you identify, manage, own, respond to and deal with information security risk, and they have their own set of risk frameworks such as ISO 31000, whereas NIST has its own framework called NIST RMF, or the Risk Management Framework. And even thinking of topic-specific frameworks, so the NIST AI Risk Management Framework or ISO 42001, again they’ll have slight tweaks that are important to consider if you’re trying to choose a framework and align it to your current approach in terms of how you manage, identify and call out risk. And of course the terminology is always going to be a potential area to really look out for, particularly where there are subtle differences between how one organization calls different subject matters and there are slight tweaks in terms of the terms used. So what does this mean, or what could this mean? Well, of course, if we go quite gung-ho and we perhaps select a framework without doing the necessary due diligence and really getting to grips with what this framework is trying to achieve, it can lead to some unfamiliarity in some of the domain areas. There are some frameworks out there, such as NIST 800-53, that are widely adopted and are in many ways celebrated for the depth and complexity that they go down to. When you consider there are over 900 controls in 800-53 versus the 93 to 95 security controls that are captured in 27001, you can really see how much depth a standard such as 800-53 can go down to. But of course, what that can result in is some unfamiliarity, both internally as a business, but certainly externally when you’re going out to vendors and asking them key questions based on these frameworks. And of course, if you go down that route of a very in-depth assessment, you may be looking at not 20, 30, 40 questions but maybe 200, 300 questions; maybe it’s too much information and it fails to capture the right depth in those control requirements that are important to you as a business.
Thomas: So learning how to understand what these frameworks are getting at, what their requirements are, but also how you can tailor them to what you’re trying to look out for when engaging with your third parties. And of course, this could lead to insufficient coverage where there are critical risk areas that you’re keen to explore, but perhaps due to unfamiliarity in the domain or the complexity of what the surveys or the assessments are asking, it could lead to potential misinterpretation from a vendor perspective. So what should we be asking when it comes to understanding how our framework can meet our demands? I guess the first question is, well, does the framework allow for assessment across all our tiers? More often than not now, so many organizations obviously have multiple third parties, but third parties at the extremes, whether they’re very large global operations or mom-and-pop shops, as they’re called in the United States, small and medium enterprises, very small organizations, maybe five people operating on the work-from-home model; that’s very different from, say, a large data center provider as well. So we want to make sure that the framework that we do have is going to allow us to tailor those assessments based on the different tiers and the way we’ve profiled and tiered our individual third parties. Is it going to give us the capability to say, for those tier one or critical vendors or third parties, we may need to give you the full end-to-end requirement? But also, if we’re looking at a single assessment or using multiple frameworks, can we do so in a way that allows us to give the right volume and complexity of questions based on the right tier? Of course, will the framework fit with a scalable TPRM? Now of course TPRM isn’t a one-time-only thing. It is a regular process that should be looked at on a weekly basis in some cases, certainly monthly, and so on a bi-annual and annual basis as well.
Thomas: And of course what this means is, obviously over time, when we look at new and emerging technologies and expansions within our own business and operations, it may mean that we need to expand what these frameworks are looking at and the type of third parties we’re engaged with, particularly if it comes down to looking at new requirements, new regulations for example, based on where the business is going. And of course, following on from that, is the framework up to date? Is it designed in such a way that when there are new and emerging trends, threats, new technologies, the assessment is set up to be able to handle that, or do we need to look at other areas? If, for example, we’re going down the route of looking at artificial intelligence, looking at quantum computing, looking at other operational technology, and the framework we’ve been using does not fulfill those needs, where else can we look? Can we map anything into our existing framework, or do we need to look at expanding to adjust and adapt to these new trends or threats or any other areas that we see as risks? So, what else can we think about that can help us make an informed decision about what the best framework or standard is to help us evaluate our third parties? Let’s take a step back and look at what the typical drivers of TPRM are as it stands today. So certainly, and not least, regulators and legislation, and we’re seeing more and more industries and sectors where this is becoming a priority. So I mentioned the PRA in the UK earlier; the financial sector, whether it’s in the US, Canada, UK or Europe, is one such example where there’s been a steady increase in the expectation of how organizations respond to and manage suppliers and the supply chain and outsourced practices. So whether it comes to types of reporting back to regulators, or of course as your own customers get more savvy and wary of some of the threats and issues posed throughout the wider supply chain. And we only have to look over the last two to three years at the volume of ransomware incidents and other incidents that have affected small parts or large-scale supply chains.
Thomas: But there’s a lot more visibility from our own customers and even the wider industry, saying how are we adapting, how are we approaching it, when we provide third parties with systems that may include sensitive information or sensitive data. And then of course, as always, those new and emerging threats and vulnerabilities. So again, if we’re thinking about some of the more notable threats that have occurred over the past two to three years, it’s been some of these threats that have helped drive the push from industry bodies or regulators to say we need more evidence. We need more accountability in how not only third parties but the wider supply chain is being managed, and evidence that if there are single points of failure, for example, or if there are significant areas that may disrupt the wider supply chain, how the company deals with that, whether it’s from a continuity and recovery perspective. Of course, knowledge is quite important as well. We have quite a large breadth of frameworks, but certainly where we have internal use of standards, internal knowledge and a skill base for particular assessment frameworks, that’s obviously going to skew our decision, but also make it a bit easier when understanding which framework works best for us. Obviously, if an organization is already certified to, say, 27001, they already use SOC 2, they’ve already audited themselves, for example, maybe they use NIST 800-53 to drive their own cyber security best practice, then of course if we already have that knowledge and skill and understanding internally in the business, being able to apply those skills and understanding the best way to use those standards, the key controls that we need, and transferring them on to our third parties, or asking third parties questions around those standards, certainly makes it a lot easier, particularly as a starter for just looking at creating a third-party risk framework and approach, and of course taking a look at the wider third-party landscape as well. So again, we mentioned multiple third-party types.
Thomas: You may have consultants, we may have call centers, we may have system developers or software or hardware developers, we may have manufacturers of individual components. Typically we’ll find companies have a lot of different types of third party coming in. And of course this can help shape and understand what depth and complexity of assessment we need to be looking at. Do we need to be focusing on frameworks that have a good strength in system and software development and operational technology, particularly if you’re dealing with a lot of manufacturing companies and capabilities? So thinking about that product and service provision can certainly help make it a bit clearer in terms of the type of assessment that we’re looking at, and of course the criticality of those third parties to the business, particularly as we can see with the wider third-party landscape as it grows as well. So, taking the example of NYDFS, if as part of business operations we’re in the financial sector, we expand our operation and we branch out into New York and New York State, for example, or we start to use vendors who operate in that area, well then NYDFS becomes very critical to what we’re looking at and what type of controls and control assessments we need to give to our third parties as well. So let’s move on to look at common frameworks for industry and wider risk profiles. And I want to pay particular attention to how regulatory or industry-specific requirements can be used either with an existing framework that we may be working with, or they may need to be expanded to adapt to some of these new requirements. So, I’ve mentioned NYDFS. It’s been going for many years now, and every so often the NYDFS themselves update the framework, not too dissimilar to other assessment bodies. But the focus is still on cyber security requirements that protect customer data and information technology systems. There are a lot of controls in there that are similar to the likes of the ISOs and NISTs of the world.
Thomas: So there’s a lot of focus around security policy, managing data security and information privacy, as well as access control, logical access, authorization, authentication. And so again, despite it being a very particular use case for those organizations, financial bodies operating within New York, there still is, as I say, a lot of commonality with other existing best-practice frameworks out there as far as information and cyber security is concerned. Obviously, one of the things that’s notable about industry frameworks, and particularly regulation and legislation, unlike areas such as 27001 or NIST CSF or 800-53, is that violations or failure to implement, either completely or aspects of, a framework can result in penalties and fines, which is something the NYDFS and the NY superintendent have imposed over the last three to four years. And so there needs to be even more attention for organizations to think about, if they’re utilizing a regulation for the first time, what we need to know, particularly if we’re engaging with a third party and we need to know how they’re using this particular regulation: are they doing enough due diligence when it comes to reporting capability, responding to incidents, for example? Certainly on third-party risk, this is an area that NYDFS does capture quite clearly, and they highlight the identification and risk assessment of third-party service providers and minimum security practices required to be met by such third-party service providers. Again, not too dissimilar to the likes of ISO and NIST and CIS and SIG and many others. So getting organizations to think about: have we thought about the risks based on the type of third parties we’re engaged with? What are the minimum requirements that we need to be considering, particularly with regards to some contractual agreements with our third parties, as well as determining the best assessment frameworks to demonstrate regulatory and industry compliance as well.
Thomas: And so one of the areas we also need to consider, particularly when we are seeing a greater increase in industry-led or regulator requirements and guidelines for information and cyber security and supply chain management as well, is where they call out particular control requirements but there is a strong correlation to what we may be doing already. So we’ve got an example on the page here. So OSFI, who are based in Canada, and again not too dissimilar from NYDFS, are a regulator who are focused on the financial services and financial industry within Canada, and in 2023 they developed a guideline called B-13 focusing on technology and cyber risk management. And we’ve given a couple of examples here where, as part of those requirements, they call for businesses to establish standards and procedures to manage technology assets, and that they should also maintain a current and comprehensive asset management system, or an inventory, that catalogs technology assets throughout their life cycle. So the need to have good asset management programs, asset management systems, asset inventories. So obviously, if again we’re being asked to adopt an industry or regulatory or legislative practice for information and cyber security, and if we’re already using a framework such as ISO or NIST CSF, even SOC 2, SIG and others, well, all of these cover the same expectations and requirements. They all have requirements that a company should develop an asset inventory that covers hardware and software and data assets, as well as any other form of information asset, and that they should monitor them throughout the asset’s life cycle, whether it’s onboarding the asset through to disposal of the asset. So, of course, if we already have an established framework in place such as 27001 that we’re now going out to vendors and asking them pertinent questions about, do we need to now scrap it because there’s this new B-13 guideline or regulation that’s coming into force? Well, actually, no.
Thomas: Because we know there is already a close relationship between many of the controls that, in this instance, B-13 is asking about and what standards such as 27001 will also capture, through standards mapping. If we can map the controls that B-13 requires into our 27001 framework or CSF framework, that can enable us to demonstrate, whether it’s to our customers or other key stakeholders, that actually we’re still meeting the requirements and still asking the same set of requirements of our vendors, related in this case to asset management and asset inventory management as well. However, of course, there do come times when the type of controls being required are very specific to that guideline or regulation or industry standard as well. So again, thinking about OSFI, they also have a second guideline called B-10, which is about third-party risk management, and one of the asks that they require companies to do is that they should assess concentration risk, both prior to entering into a contracting agreement and on an ongoing basis with their third parties. So we’ve already mentioned that, whether it’s the ISOs or NISTs or SIGs of the world, they all have expectations around supply chain management, supply chain risk management and third-party risk management, and they all have requirements to establish and identify risks that are appropriate to the third parties, or that will be concerning, and that the company needs to enforce controls and policies to mitigate those risks. But it doesn’t go down to the level of saying concentration risk should be a key risk that the company should be assessing, thinking about 27001 or NIST CSF. So this is an example of where some of these guidelines may go above and beyond what your existing risk management framework or supplier assessment covers. Similarly, if you look at NYDFS, there are controls that are specific to the way companies report incidents and cyber security events, not too dissimilar to GDPR, where there are data privacy breaches and companies are expected to report to their appropriate privacy authorities as well.
Thomas: And then within the NIDFS, we also see examples of control wider control groups that ask for particular in this case particular types of authentication. There’s a whole section that deals with multi back to authentication and again if you look back at the likes of ISO and NIST there are many controls out there that talk about incident response and incident response management and that also touch on um authenticating users whether it’s internal users contractors external users of your networks and information systems but they don’t always go down to the same level of specifically asking you should also have multiffactor authentication but more widely reaching again going back back to ISO saying that authentication and appropriate authentication techniques need to be implemented. So if we’re thinking we have a very clearly structured framework out there that we’re assessing our our third parties on, how do we adopt and implement these additional controls that are unique to these industry regulatory or legislative uh requirements? In some cases, it may be we need to add additional questions to make sure we’ve got 100% coverage. It may be If we already have and are asking third parties around how they deal with cyber security events and incident response um and continuity events that we also tease out through through notes, through document uploads, um through other means specifically how they would report those events to the appropriate authorities such as the NYDFS superintendent or if they’re managing and identifying uh third party risk, do they consider and do they do they consider and plan for concentration risk where there are single source suppliers for example and so there’s different techniques we can do before we get to the stage of saying we need to create a brand new framework. Of course it may be in some cases if it is very unique that we do need to add additional questions to make sure we have complete coverage. 
But this is obviously where the importance of having the ability to gap assess and map these standards together can make things a lot easier.
Thomas: And that’s something we often find is the case for many businesses, where they start off with a single framework such as an ISO or a NIST or a SIG, but then they add on further mappings to make sure that they’ve got complete coverage across particular regulations or other key requirements coming from stakeholders. So as well as reviewing one or multiple frameworks, we need to be mindful, obviously, of how they compare to areas of risk and vulnerabilities that are important to us and that we’ve identified as critical, and certainly where there are notable expansions, changes or new threats as well. So obviously we mentioned new and expanding technologies; AI has been growing for many years now, and it’s getting to the stage where we’re seeing more and more companies want to ask third parties about their use of AI technology, whether it’s open-source AI platforms or they’re developing some level of AI capability as part of their product and service. And so, of course, going back to those standard frameworks, we need to start considering how this is impacting what we’re doing now. Are we using a framework that already captures this capability around new and emerging technologies, or consideration for these technologies? Certainly, as we mentioned from a legal and regulatory perspective, there’s more and more oversight in terms of how companies are managing their third parties, managing the supply chain and supply chain capability. So that oversight through risk and third party profiling is important, and really getting to grips with how we are managing our third parties, how we are profiling and identifying them, and what are the minimum requirements that these laws such as the OCB10 or P SS221 are asking about, and again how that is impacting the framework that we’re using.
Thomas: Obviously there’s identification of critical controls through contracts and agreements, and it’s all very well asking for, I guess, some standard set of controls around, say, incident management, business continuity and recovery, reporting, access control, but we also need to pay attention to where we’ve identified risks and vulnerabilities that are critical to us as an organization when it comes to asking questions around those areas. How are we reviewing those? How are we monitoring them? How are we managing the remediation process if those critical controls do come through as risks when a third party completes that assessment? And of course, there’s this further expectation from legal and regulatory around ongoing review, whether it’s on-site or virtual audits, demonstration that the success of our third party program is there and can be demonstrated. So having said all that, and we’ve explored the different types of frameworks and where some frameworks are driven more through regulation or industry, and obviously the more questions we ask around what we want out of the assessment, what we want out of our framework, is it scalable, can it adapt to new and emerging threats and technologies, does it offer everything that we need in terms of the key control areas or the depth and complexity based on our third parties: how can we bring all this together in terms of our wider TPRM program and wider life cycle? Well, certainly if we have got to the stage where we’ve been able to identify which frameworks are best suited to our business, based on our own industry knowledge and based on other key criteria, when we look at the full process there are key questions that we can use that can enhance and draw on critical control areas.
So thinking about the assessment identification, and it’s important to note this is obviously a repetitive process as well, we’re always asking about the assessment that we’re sending out to our tier one and our tier two and tier three vendors. Is the criteria always fit for purpose? Are we asking the right questions?
Thomas: Are we covering the right areas based on what our third parties do? And certainly leaning into that is the concept of how we profile and tier our third parties. So getting to that stage where we’ve established what type of third parties we have, how critical they are to the business. Are they single source supply? Are they delivering critical or sensitive components or services? With that context, can we shape our assessment based on the quality of that profiling and that tiering? Obviously response management is important. So once we’ve identified what framework we’re using, or if you’re using a blended framework, where we’re taking best practices from multiple frameworks, how are we engaging that third party? It’s going to make it obviously easier if we have a very clear, structured approach of what framework, what assessment we’re using, the frequency of assessment, so we can then communicate that to the third party to make sure they’re as engaged as possible throughout the whole process. And of course, where we’ve identified the framework, we’ve hopefully then got to a stage where we can identify what the critical controls are to us. Are there mandatory control requirements we expect? Is there a minimum expectation over the type of encryption, for example, that we’d expect these third parties to deal with? How do they establish contractual agreements with their suppliers, or our fourth parties or fifth parties? So obviously, once we’ve identified that framework and we know those critical control areas or mandatory controls, when it comes to managing at a risk level, when risks do present themselves and when risks do come back as a result of completing that framework, it can make that process and that part of the TPRM so much easier in knowing what to prioritize.
And then finally, from a reporting capability, again, if we’re using a consistent framework across all of our third parties, maybe different volumes and sizes of the framework, but still the same framework.
Thomas: When it comes to reporting back across the business and up to senior management, being able to demonstrate and explain levels of compliance to that particular framework or standard can certainly make it easier, particularly when we start to see trends and trend analysis based on the type of risks coming out from our respective third parties. So what do these standards, regulations and guidelines actually say with regards to third parties in the supply chain? So obviously each standard, regulation and guide, as we know, has its own agenda in the way it structures clauses. There are a lot of commonalities when we’re looking at third party, and we’re seeing it not just, again, whether it’s ISO and NIST and SIGs of the world, but even in some of these legislations. So we mentioned stay around OVI and P and many in the financial sector. We’re seeing it in the healthcare sector as well that when it comes to requirements for asking third parties about the wider supply chain, there’s a lot of expectation of how companies identify and know who their suppliers are. So that initial start of the acquisition process for the supply chain, as well as identifying supply chain risk and having a process to capture that risk as well. So formal supply chain risk management approaches, contracts and terms of agreement are very common as well; we see these across all of these frameworks. So how third-party contracts or supply chain contracts are identified, and controls that are captured within those contracts, and even at the control level we’re finding there’s a lot of consistency.
So controls for responding to incidents, for example, or business continuity events are examples of minimum controls we see when we look at the broad spectrum of frameworks, and some form of managing and monitoring suppliers, again, is something that we’re seeing time and time again, not least when it comes to some of these regulatory frameworks as well that are being developed.
Thomas: Whether that’s specifically around auditing and auditing capability, whether it’s on-site or remote, or whether it’s other forms of performance monitoring and reporting between the supplier and yourself or between your third party and their third party, your fourth party and the wider supply chain. So there’s a lot of, as I say, commonality when it comes to how many of these frameworks capture and require supply chain risk management and good best practices as well. So, good practices and success criteria that we can use within our TPRM to help drive the wider third party program, and particularly with regards to frameworks. It starts with obviously setting up clear steering or working groups and working group committees within the business. Obviously, as we know with third party risk management, the more people we can involve within the organization, the more buy-in we can get and the greater the success criteria will be when it comes to handling and dealing with suppliers, dealing with risks that come out of the process and the wider TPRM program. Obviously, as we know, with some companies this could be the same group of people, for those very small businesses; in the large organizations it could be looking at different business unit heads who may be required to engage with the third party.
Thomas: So whether it’s procurement and acquisition through to operations through to IT and many other parts of the business where third parties do have an interaction, obviously scoping out what’s required within how your TPRM program is being run, doing that at the earlier stage, obviously will go a long way to help when you identify that framework and you know how it’s going to be run, the frequency of its being run, as well as the KPIs and KRIs as well: what objectives, what success criteria are we looking at when we’re delivering that framework to our third parties and we’re getting back risks, and particularly looking at long-term trend analysis and whether, through KPIs and KRIs and other performance measures, we can see a decrease in the volume of, say, critical risks. As part of, obviously, the TPRM program, the actual policy itself, and having a wider policy and risk management program in terms of how we’re dealing with our third parties, is a critical first step, and again one where steering committees, working committees, board members need to come together and say this is our formal approach, our strategic approach of how we’re managing our third parties. And then, of course, business education, internal marketing, is equally important here as well. Once you’ve established the framework that we’re going to be using, that we’re sending out, and the frequency of sending out this framework to organizations, we need to make sure we educate those who are going to be involved, who may be on the receiving end of risks and risk requirements as well. And what do they need to do? How is it being managed? Is there a platform or tool they’re going to be using with which to record risk actions and risk tasks as well? And of course, because it’s a cyclical approach, that whole program of continual improvement: how do we improve what we’re doing now?
And again, particularly with a view to where we’re expanding our frameworks and choosing that type of framework and amending that framework to adjust to new and emerging technologies, risks and threats as well. I’d like to turn that over now to Matt. Matt: Thank you, Thomas.
Matt: That was always good. If you could stop sharing, thank you. We will talk through how the Mitratech third-party risk management solution can help you with your third-party risk management. So, you know, the first thing to understand really is that traditional TPRM, a lot of it, is spreadsheet based. We see about 50% of companies are using spreadsheets in some capacity, and they rely solely on these to manage their third party risk auditing and controls. This is assessments, alignment with frameworks and so forth. Only about a third of vendors are being actively managed, and this is across the entire vendor landscape. And ultimately what this results in is that only 29% of companies track risks across the entire third party vendor or supplier life cycle, from intake and onboarding all the way through offboarding and termination. And this is really a problem because without visibility throughout the entire vendor risk life cycle, you risk (how many times can I say risk in the same sentence?) leaving something out. Unfortunately, now ultimately we find that the goals of a TPRM program are getting the data that your team needs to make better risk-based decisions, increasing efficiency, and breaking down silos. Third party risk gets managed through a couple of different stakeholders in the organization. You could have procurement, you could have IT security, you could have the financial team. Really, third party risk management, a proper solution, endeavors to break down those silos and really helps you evolve and scale your TPRM program over time. Now, the way that we do this here with the Mitratech Prevalent third-party risk platform is really a descriptive approach throughout the entire vendor life cycle. You know, starting off with sourcing and selection with automation, intelligence, and RFx processes, streamlining, providing vendor risk assessments.
You know, someone asked about other frameworks with operational, financial, that sort of thing. Really, a lot of those are assessment driven and don’t have the force of law behind them necessarily, but we support multiple different assessments.
Matt: I believe at last count we had 750 different questionnaire templates in the platform in some capacity, and we allow continuous validation through continuous monitoring data ingested into the platform, helping you do all sorts of things like measure supplier effectiveness by analyzing KPIs and KRIs, and we also manage the offboarding and termination process if you terminate a contract with a vendor. So these are the risk domains that third party risk management here at Mitratech actually covers. We have six major categories. There’s cyber security, including things like monitoring for the dark web, monitoring for abuse of infrastructure, vulnerabilities and misconfigurations; ESG, like health and safety, modern slavery. There are a number of regulations in the UK and EU and Canada about modern slavery and forced labor, and we do include that data in the platform. There’s also business and operational risks, reputational risk, financial and compliance risk. So the way that we do this is really with a combination of people, data and platform. We have third-party risk management managed services. Our risk operations center, our ROC, is one of the best teams in the world. They are all certified third-party risk management professionals. They will take over the day-to-day work of managing your third party risk program, you know, going out getting assessments, chasing vendors who haven’t filled them out. We will do assessment, remediation, management, the entire thing, fully outsourced. We also have about 500,000 constantly updated vendor profiles with on-demand access to third-party risk intelligence across multiple different risk areas. And our platform really assists you with centralizing all of this work into one place that can be accessible across the business. Now, this is one component of what is really the industry’s leading enterprise risk management platform.
You know, with ESG management, business continuity planning, cyber security policy management, and ethics hotline and compliance training, and really kind of the full boat of GRC, enterprise risk management. I also like to invite all of our customers to Interact Dallas, the big customer conference.
Matt: It’s happening at the Gaylord Austin in April. It really gives you a lot of opportunities to learn and train about GRC and really have a lot of great conversations. So that is it. That’s my section. Now let’s turn it over for questions, and Melissa will triage them.
Melissa: Gotcha. Thank you, Matt. Yeah, like you said, throw a question in the Q&A. I’m going to launch our last poll. I’m curious, you know, are you looking to augment or establish your current TPRM processes? Maybe you’re still in those spreadsheets, ready to get out. I know, 2025, new year, new me. Maybe you want to set up a platform here. You know, we do follow up, so please answer it honestly. And I think we have a couple of questions in a few minutes. So, Thomas, is there one that sticks out to you more than the other? I can read them if you’d like.
Thomas: He’s muted. You’re muted. Oh, sorry. Apologies. I didn’t see I was still muted. Okay. Yes, let’s take a look. So, focusing on cyber security frameworks, but also financial health, operational resiliency, contract, SLA, compliance: these should also be reviewed and monitored for TPRM. What frameworks might include all areas? So, yeah, this is an interesting question, because we do find, although we have focused on cyber today, there are so many other areas that are important to a TPRM program. There are not, I’d say, too many frameworks dedicated to everything. There are some that are trying to adopt a much wider approach to not just information and cyber security but do include areas such as compliance as well as privacy, as well as other perhaps traditional GRC based capability, and some of the resilience pieces as well. SIG is a good example of that, where they do have cyber security and information security, but they have dedicated sections just focusing on the wider supply chain. Legal compliance includes areas such as fraud and anti-bribery, for example, and even the newer topics around artificial intelligence. So you do have a few frameworks that are set up to capture as much as possible. It’s also worth noting that although we’ve touched on particulars here around ISO 27K and NIST CSF, we do find some companies take one and develop an expanded framework that captures as many different components as possible, and that’s something that we’re seeing increasing quite a lot as well. So there are a few out there; I mean, SIG is a good example, I guess perhaps the best example I can give, where there is a lot of expectation and capability.
The second question: how to deal with your own organization adopting a certain security standard, yet your contractual partners are adopting others. Again, that’s something we see time and again. SOC is a good example: the number of organizations who will go out to their vendors with a particular framework such as SIG, and then they get a SOC returned in the end, often with an “is this good enough?” One of the best ways to deal with that is through data and standards mapping. The more we can do to say how much does SOC, for example, align with our SIG criteria or ISO criteria, means that we can very quickly plug the gap, and if there are significant gaps, say the SOC doesn’t have the full coverage that we’re asking for based on our, say, SIG core framework, we now know the delta that we can go back to that vendor on and say there are additional questions and topic areas that we still need you to answer and to go down. But that is something that we do see quite a lot, where there are sort of different documentations and frameworks received from the vendor that don’t fully match up with the framework that yourself and the organization may be implementing.
Melissa: Perfect. Thank you, Thomas. And thanks for all your insights today, both you and Matt. Thank you all for your questions. That was lovely, and it puts us right at the top of the hour. I’m sure I will see a handful of you in your inboxes, maybe at one of our future webinars. And that’s it. I hope you guys have a great rest of your day and your evening, and we’ll see you soon. Take care. Thomas: Thank you. Matt: Thank you all. Thanks.

©2025 Mitratech, Inc. All rights reserved.