Description
The pace at which new data protection regulations are adopted and existing ones updated has led to a convergence of privacy, security and compliance obligations. Attention to privacy and data governance now extends to fourth and nth parties, which will force many organizations to improve their risk management and supply chain processes.
Join Linnea Solem, founder of Solem Risk Partners, for a webinar in which she will:
- Highlight the key regulatory trends in privacy and data protection that affect third-party risk.
- Summarize the main implications of the EU Standard Contractual Clauses (SCCs) for due diligence, third-party assessments and risk monitoring.
- Review assessment and remediation strategies for mitigating data protection risks in your supply chain.
- Describe the implications for senior management, from both the customer's and the service provider's perspective.
- Discuss reporting requirements and data protection frameworks.
- Offer steps to simplify and harmonize processes across multiple business teams using the European Data Protection Board's 6-step process.
Register for this webinar for best-practice guidance on addressing data protection risks in your third-party ecosystem.
Speakers
Linnea Solem
Founder of Solem Risk Partners
Transcript
Amy Tweet: All right, we're live. Welcome, everyone. We're very excited that you can join us today. If you're watching the live stream, thank you for giving us a small part of your day. While you settle in and get comfortable, I'm going to run a quick poll, because we're very curious to know what brought you here. So, while you wait, maybe you'll find this educational and want to learn a little more. I'm excited about the experts who have joined us, whom I'll introduce in a moment. This could be research for an upcoming third-party risk management project. You may not know where you stand. In that case, this webinar is titled "Six Ways Data Protection Affects Third-Party Risk." So maybe you'll want to stay, or maybe you're already Prevalent customers and want to keep up with what's happening. Take a moment while I go over some ground rules. My name is Amy Tweet. I work in business development here at Prevalent. My job today is to make sure that any questions you have for Linnea or Alistair get passed along. You can use the chat function below or the Q&A function. I'll make sure they receive those questions. And without further ado, I'm going to introduce our experts on the call. We're joined by Linnea Solem. She is a former Chief Privacy Officer with more than 30 years in the regulated services and risk industry, and she is the founder of Solem Risk Partners. Linnea, how are you today?
Linnea Solem: I'm doing great.
Amy Tweet: Good. I'm glad you're here. We're also joined by Alistair Par. You can see his face down there. He is Vice President of Global Products and Risk at Prevalent, and you'll see and hear from him toward the end of the webinar. So if you have any questions about Prevalent, you can ask those too and we'll help you. As a reminder, we want this to be interactive, so use the chat function and the Q&A function. We're also recording this, so if you have to leave or can't stay until the end, we'll send it to your inbox first thing tomorrow. All right, let's get started. Over to you. Okay. If you have any other questions, use the chat function. Go ahead.
Linnea Solem: Okay. Excellent. Thank you so much. Well, welcome, everybody. We're going to have quite a bit of good discussion today. There we go. So, as Amy introduced, this is a bit of my background. I have been on the outsourcer side. I have also been on the service provider end. So I'm really going to weave together today data privacy, data protection and third-party risk, and there are a lot of hot topics. So let's get into our discussion right now. Converging topics, as I outlined: why are these topics important? We all know that you have to follow the data. The data starts the conversation in any dialogue between an outsourcer and a third party. But managing data is much more challenging in today's environment. Even technology like online meetings creates new data challenges, so data protection and third-party risk are really converging. As we talk through these topics today, I've listed quite a few terms that will be woven into the dialogue and the narrative, but what I'm going to focus on is less how you build these things and more a spotlight on some of the challenges and opportunities and things that are shifting. We've got a lot of divergent topics and quite a significant amount of change occurring today that is going to impact almost every element of not only a privacy program but a third-party risk management program. So I'll try to connect the dots where appropriate, and hopefully we can learn through this session and through the Q&A where some of the other pain points are. So let's dive into the road map for today's dialogue. I'm going to highlight six key topics that are all related, and we're going to start with what's changing in the regulatory landscape, how that impacts contracts, and what you then need to do around data protection and safeguards and assessments, but put a bit of a magnifying glass on data governance, because that's the hottest topic.
And we'll end with where this road map now affects your third-party risk management program and where you might need to do some maturity or process enhancements. So this is our road map for today's dialogue. Let's dive into the first topic. It might be August and hot and humid where you are, but right now it's raining regulations for data protection and third-party risk management. Our journey really got aggressive when GDPR accelerated the expectations for service providers. And when you think of the regulatory changes that have happened since GDPR became effective only three years ago, we're getting to the point where 65% of the world's population is now covered by data protection regs, and the US is getting even more aggressive at the state level. But it's not just a regulatory landscape. We are seeing focus areas from different regulators, from agencies, new proposed guidance, and we'll dig into that. But it's not just an industry challenge. Privacy risk is now top of mind for public companies in the United States. I thought it was very interesting that over 60% of companies are citing privacy risk or data protection risk in their SEC reports. And when we first started to think about that, everybody assumed it's about cybersecurity and breach. But no, it seems to be more about privacy: ethics, privacy, permissions and data practices, corporate governance, ESG. The topics are broadening and really bringing privacy, security and compliance together into a better focus on data governance and data protection. So, as we look at this, let me highlight a couple of key developments in terms of that raining regulation. For those that do business in the EU, we're still dealing with Schrems and Brexit in terms of the UK and the EU adding complexity. You'll see on the right I listed a visual that talks about how enforcement is accelerating.
But now I need a new chart, because even though I put this out there toward the end of July, the EU regulators issued a fine, the largest in history, of $887 million. And as you look at that, part of the focus is on data practices. So everyone's now looking at their frameworks and making changes. Canada's getting involved with a new update to modernize their privacy framework. Many international companies are following suit. ePrivacy is still happening within the EU. But there are updated industry frameworks from NIST and ISO that are really putting a spotlight on data governance, data protection, data protection safeguards, and really bringing privacy engineering and security engineering together. In fact, for those of you on the call that might work within the financial services sector, the three agencies have come together to propose a new framework and modernize guidance on third-party risk management programs. The joint guidance from the three regulators is out for industry comment right now. So we don't see these developments slowing down, because of the new frameworks and regulations and enforcement. It's going to get even more challenging. Just to show you a little bit of the checkerboard of what's happening at the state level, you'll see that the International Association of Privacy Professionals publishes on a monthly basis a state privacy legislation tracker, and you can see what's been introduced, what's in committee, what's in chambers, and what's being developed or passed or signed. Why this is important is because when a state like California or now Colorado puts out new guidance, we're a global economy. We're a national economy, and a regulation in a particular state starts to impact other states. It's kind of like the years when we first had breach notification, and now we have a checkerboard of 48 states with a law. We're going down that path from a US state privacy tracking standpoint.
But we're starting to see some key themes: consumer information, disclosures of data to third parties, the sharing of data, and an increased litigation or brand risk. So it's less about just protecting the data. It's really about what authorized use of the data the vendor has. What are they allowed to do and what are they not allowed to do? So again, the privacy dialogue, I believe, is actually evolving as you look at the different topics that are happening. So let me provide a quick recap of a topic that you might have heard about called Schrems II. Basically, Privacy Shield was invalidated about a year ago as a data transfer authorization method for data going from the EU to the United States or to other geographic or non-EU areas. The regulators, after this litigation and a court decision, identified gaps in the existing standard contractual clauses that were in place to address GDPR compliance. Why this is important is that for those organizations that need to manage compliance between outsourcers and vendors, or controllers and processors in the EU, that standard language was the primary way to address processing in third-party risk. So let's fast forward: after the comment period, there are updated new templates. These new templates aren't just about contract changes. They will impact controls, due diligence, vendor classification, and most third-party risk management operational processes. And because we're talking about a key change, that's important. Let's really think about the business model in today's environment between an outsourcer and a vendor. Vendor compliance is multidimensional. And while the standard contractual clauses apply specifically to address GDPR, they actually represent what's happening in our ecosystem. When you think of the Internet of Things, the digital environment, cloud hosting, we're more connected than ever before.
And the new requirements that are being put out by the EU tend to be a model that other states and countries tend to follow. We saw that with GDPR. So I don't think this will be only a GDPR type of solution; their agreements really anticipate that you have to put in place very specific guidelines between all parties in a relationship. So whether it's the outsourcer to the vendor, the vendor to their vendors, the fourth parties, the subcontractors, it really gets down to the end parties when you start to look at processor-to-processor relationships. But the themes that came out about the standard contractual clauses, in the simplest terms: it's not just a contract exercise. It's a warranty of data protection safeguards. It's a maturity in due diligence. It requires more evidence, some proof of controls or proof of ongoing monitoring, and there are some exit clauses so that if the vendors can't comply, there are ways to get out of the contract. So it really will put a spotlight on third-party risk management governance. And the reason that I highlight this as such an important trend is the timeline. And I know you'll get a copy of the slide because the text might be a little bit small, but when you think of what was released in final language on June 4th: new contracts with new vendors, if they need to meet GDPR compliance and use standard contractual clauses, need to be in place by the end of September. So that's a short ramp period. And if you're an existing vendor and you have to think about that, the contracts with that data controller for all of those existing vendors will all have to be updated by the end of 2022. So that's less than 18 months to assess the new language, look at the new data controls, identify the impact to due diligence, update your processes, execute a repapering of contracts and due diligence, and document everything that you did.
So this is absolutely a key thing on data protection and what's changing in the environment for third-party risk. Just to provide a highlight on why this is important: while most contracts really define the processing relationship, this new proposal really crosses the line into data governance and third-party risk management programs, because within each contract there are now three annexes, and the first talks about things that, as a privacy professional, I'm familiar with, but a lot of procurement, sourcing and risk teams may not understand that they need to document. Now the business model context, the category of data subject, the data classification of the data, descriptions of the processing, the purpose, the retention, all of that context that's always been in the privacy world now needs to be brought into the vendor contract. In addition, they're getting more detailed in describing the data protection safeguards. So what you put now in the contract is what will be inspected in the third-party risk management process or assessment process, either with on-site or virtual assessments or ongoing monitoring. But the contracts also require the list of approved subcontractors. So again, higher expectations, greater focus on governance and compliance, and really a greater emphasis on keeping track of the different activities that are being performed, because you have to prove that you're doing what the contracts say and you're holding things accountable. So it's really driving maturity in a lot of these processes. So let's dig into those processes and really what's changing around data protection safeguards. While regulations may put out guidance, frameworks tend to get down to a control level.
So you really have to assess both drivers to understand how data protection safeguards are evolving. The themes that I'm seeing, whether it's coming from the regulators, from the frameworks, or from an external assurance or audit report: it's really holding people accountable; it requires a deeper, concrete description of the control environment; evidence of controls is critical; maintaining due diligence artifacts. I think we've learned through having to do assessments now in a virtual environment that the documentation beyond the policy is even more important to show the evidence of the controls that are in place. So it's really driving a maturity in a lot of different areas of data protection. And I think we're going to see that, with what's happened for many organizations due to the pandemic and having to go to the remote environment, there will continue to be a significant footprint of remote workers. So the actual environment changed in the last year, and many organizations are seeing the need, through resilience or through the migration to cloud hosting, as the footprint of their vendors is changing. Who's critical may also have been impacted by the remote work, because obviously online collaboration is pretty critical, but these platforms probably weren't in the high-risk vendor category in a lot of third-party risk management programs. So we're really seeing a shift in the need to look at controls across a broader area, and these focus areas, I think, are really bringing privacy and security together. Cybersecurity will always be important, whether you're focused on technical controls, breach, ransomware. But what we're seeing through the frameworks and the drive toward data governance is that it's more risk-based. It's more methodology-focused. So it's beyond the yes/no of a control is in place or not in place. It's: is the control sufficient to address your risk posture?
It's driving a maturity in the process, and instead of just technical controls, it also becomes contextual controls: minimizing the amount of data that's collected or used, ensuring that data has a purpose limitation, working on limiting data retention or data portability from one vendor to another. So you're seeing a lot of data governance topics that all start with understanding the business model, the type of data, and the roles between parties. And each of these controls impacts the third-party risk management process, because you might need to gather additional information. You might need to conduct additional discovery, and you may need to focus on data protection impact assessments in a different way as you look at changes in the environment, be it change management or third-party risk or the SDLC process, because you're not just looking at the technical security control; you're looking at the use of the data, the authorization of the data, and what the expectations of the individual or the data owner are. So the safeguards conversation is really broadening into ethics and permissions and not just the technical bits and bytes of the control environment. So when you look at that evolution of data governance and how it impacts third-party risk, it's a critical element, because it becomes one of those foundational building blocks in third-party risk management. As I outline the context of authorized use of data, one of the challenges with data governance in third-party risk, probably the most common theme I hear from clients, is how to maintain the vendor and data inventory. It's a continual battle. You always know who your highest-risk vendors are, and you have a good idea of the lowest risk, but it's all of those vendors in between that create the operational challenges. And when you start to look at disclosures, well, that's not just to the third party.
It's understanding the ecosystem and the fourth parties and nth parties and all of the people that participate in the delivery of a technology product or service. So, as technology emerges, whether it's artificial intelligence, IoT, 5G, the cloud, you're bringing in more third parties, more technology integrations, more network connectivity between parties, and different paths for the data to follow. So managing that environment becomes not only a people resource issue but a matter of technology, processes and optimization. It's really taking a look at not just the padlock of securing the data but understanding the path of the data within the organization and outside the organizational boundaries. Those are some of the key areas that we're seeing really evolve in terms of data governance. So how do you look at data governance in third-party risk? There are terms that are discussed, whether it's called data maps, data flows, devices; there's a data governance explosion happening. So you really have to take a look at data and profile a vendor: not just who the vendor is, but what's the product, service or system that they are delivering. So, from an outsourcer perspective, it's not enough to know that company ABC is in my vendor portfolio. I really need to know what that company does for my organization. Do they interact with my end customers? Do they have highly sensitive data? Are they critical to my operations? And then, what data is used within that relationship? And then let's follow the data. Where is it located? Where is the data backed up? So it's become a broader conversation in terms of location management, because it's not just about physical addresses and physical buildings, right? We now have remote workers. That means we have remote vendors, and how you're connecting can be through multiple devices.
So that mapping exercise really becomes a critical pillar within your third-party risk management program: to understand how often and how frequently you have to update your vendor and data inventories, and to be able to connect the dots between the vendor, the data, and then your due diligence process based on what contractual obligations or regs apply to that relationship. So, as we look at these changes, we started with the raining regulations and what's happening, spotlighted a few highlights, and then we've talked a little bit about data governance. But let's think about things from a third-party risk management program in and of itself. If I look at the last 18 months, I really started to look at three big drivers that are starting to trigger the need to modernize third-party risk management programs. And obviously the first column is the pandemic factor, because as an industry, as a global world, we had to evolve. We had to quickly figure out remote workers. That means we might have had to shortcut some security controls or build new bridges or new paths. Now we need to go back and correct those areas. We had to start to bring in the concept of zero trust. We had to start to do our assessments for third-party risk virtually. So that changed the skill set of the assessor. It might have actually changed how we document the workpapers or document what work's been performed. And if you're a service provider and you go through an annual attestation or audit report, well, now you're doing that virtually with your audit firms. So resilience, cloud, remote technology, all of those things that are critical to enable business operations also impacted how vendors deliver their services. So, looking at third-party risk through the pandemic lens, not only do you have to look at how the existing vendor relationship works within your contract or your due diligence standard, but you have to understand how they adapted.
What changes did they implement due to the pandemic and remote work? Because those factors might require additional due diligence on your side. But I think the conversation is also evolving a bit into non-IT risks because of the focus on so many different areas. It's not just about data security and cybersecurity. When you look at third-party relationships, environmental, social and governance (ESG) is top of mind in the boardroom, but also for the shareholder or the consumer, the buyer. There's a greater focus on geopolitical risk, human rights, diversity, the supply chain, and that's not just a United States factor. I'm seeing these non-IT risks and guidance driving maturity across the board. And I really think when you start to look at the non-IT risks, it almost requires a different viewpoint into your vendor risk rating system, the way you classify vendors. It's less just about the company. It becomes a broader conversation, and that may actually require different types of assessments. So instead of one large vendor assessment, I'm seeing third-party risk management programs obviously need to do a deep dive on the onboarding, but then they might be doing very topic-specific assessments for a particular vendor. They might have to dig deep into resilience and remote access and securing data. Or, depending on the nature of the product, if they're helping you with marketing, sales, or advertising, you might need to do a deeper dive on consumer protection, fraud, authentication and privacy. Or if they're in the supply chain, you might have to focus on a broader environmental factor. So these topic-specific assessments are layered into your overall program. So organizations need to modernize and understand their staffing levels. How do they right-size assessments and manage multiple assessments?
In one of my prior roles at a service provider, for certain clients I would have to undergo at least seven to 10 assessments on an annual basis, because they were tailored to the product or service. So not only are third-party risk management programs evolving in terms of the requirements, but it also starts to impact workflow and really having to take that risk management approach as to what's sufficient. And I think the drivers that I'm highlighting here are actually very similar to the FAQs and the questions that the three primary regulators in the financial services sector have put out for comment as they're looking at the original OCC guidance that was for national banks in terms of third-party risk management. How do they bring that type of guidance across the board to community banks, regional banks and other areas within financial services? You know, even last week, FINRA announced in the financial services sector that they're seeing audit issues on lack of maturity in third-party risk management programs, and that's a concern. So I think we're starting to see the drive for modernization come from a lot of different areas, and that really is going to require some investment in making changes to your third-party risk management program. It might be a project to address regulatory changes: if you have to address GDPR and standard contractual clauses, you're going to start with what you have today and where you need to be by the end of '22. But you also might be adopting a framework, whether it's NIST or ISO, to help mature your information security and your cyber footprint and bring privacy into that conversation. But anytime you're looking at changes to your program, it really starts from that outside-in perspective. What are the external drivers?
Then the internal: what's changing within your organization? Sometimes it could be M&A activity; it could be new products and services, consolidation, efficiency. But all of those things now require that review. Do we need to change the definition of vendor criticality in today's landscape? Do you have a commonly understood definition within your organization of who is critical? And as third-party risk management programs broaden in scope to include ESG and these others, you'll really see that it becomes an integral part of an organization's enterprise risk management program. So while the project teams may understand what they need to do to operationalize changes to third-party risk management programs, actually doing that also changes the story in terms of how you gain management approval of all of these changes, or whether it has to go up to the board or executive reporting. The other key thing that is really evolving: obviously third-party assessments have evolved from on-site to a virtual environment. The old kick-the-tires approach of a site visit is not going to come back, because people have realized the cost of the travel and the level of value that they get. There will certainly be high-risk suppliers or vendors that need that deep dive or physical inspection. But I think people will be starting to use a combination of different techniques. But the key factor that puts a wrinkle into existing third-party risk management programs is really the contract and due diligence synchronization. So I use the example of standard contractual clauses. The legal team and the privacy people are all over this. But now that work product has to be implemented by the third-party risk management teams, and they don't have a clue what all these privacy terms mean.
So all of a sudden we have to build a bridge, even within one company, to figure out how I sync up what I have to put out into a legal contract that impacts how I audit the vendor, and now my audit of the vendor can be viewed by the regulator, and they're actually saying you need to have very good workpapers to document what you've done. You've got to build a really strong dialogue and collaboration between very different and divergent teams, and a lot of that may start with education or doing a gap analysis or figuring out how we sync up due diligence and third-party risk assessments with contract expectations. And how you manage the gaps is even more critical. So I think all of these factors are really driving organizations to start to take a look holistically at their processes. And I think connecting the dots across different processes is an area that is sometimes very undervalued or underrepresented in terms of the need for clarity of roles and responsibilities within and across teams. So let's think of some examples. Today, when you have all of these changes happening in the internal and external environment, right, technology transformation, migration to the cloud, new regulations, fines and enforcement, and obviously we always have the threats and vulnerabilities in terms of the bad actors, all of these things are coming at a third-party risk management team, but they're also coming across the newswire to the CEO and the boards of directors. So organizations need to really be able to tell their story. Here's what's changing. Here's what we're doing about those changes. Here's what's important. And here's what I need from the organization. So if you need to modernize your program, it's about that business case. It's about explaining: here's the role that these teams play today. Here's what the new expectations are, whether that's by the regs, by a framework, by a customer driving language in the contract.
All of these things can now change what you need to do on your policies for third-party risk, your due diligence standards, your assessment process. And so there's almost that layered education, not only to keep everyone on the same page with the changes but also to make sure that folks understand that with the heightened expectations there's now a better level of what I call change management maturity. We know in third-party risk we always think about change management purely from the IT coder's, the developers' point of view, and IT operations, but now you have the pandemic and you have security DevOps. But when you look at privacy and data protection, it's a whole different conversation to be managing regulatory change around devices, privacy permissions, settings on a smartphone, use of a web application. So what I'm seeing emerge around data protection is really broadened conversations around change management and process integration. It's really bringing these teams together and bringing these processes together, because that's what's critical to be able to demonstrate: here's how I am managing expectations, not only to manage and mitigate risk but also to ensure that my risk management process is in alignment with the expectations coming from the market, clients, regulators, or even investors. And I think what we're going to see, as we look at the challenge with connecting the compliance dots, is that it's not just a volume issue with staff. It could be skill sets of staff. People have to adapt to a new way of doing work, or some of the changes that we're seeing around data governance, or even things like the standard contractual clauses, may require organizations to assess: how many vendors do I have? Do I need to do some consolidation of vendors? So I think we're going to see some evolution of even KPIs and metrics in terms of managing the third-party risk management program.
Scorecards I could see becoming even more important in terms of process maturity: not just the status of the vendor (red, yellow, green) or the number of findings (red, yellow, green), but starting to look at the risks across vendors, not just within a particular vendor relationship, because you're managing different touch points and different types of risk that different organizations and different stakeholders are going to say are important. So, we talked about a lot of topics, but when we look at some of the guidance that's coming out, there are some simple steps to kind of get your arms around these environmental changes: the six-step process, putting guidance into action. What I liked about these messages, even though they originated in the EU guidance, is that I think they apply across the board to any organization that's really trying to modernize or update their third-party risk management program. First up, update your data maps and inventory. Know where the data is located, what the purpose is, what they're authorized for. Verify and understand any transfers or disclosures between third parties, whether that's financially by contract, a trade, or any type of benefit: any data transfer or access between parties. I think it's also critical to conduct due diligence not just of the third party but to understand: is this transfer or disclosure to a third party allowed by law, by contract? Are there restrictions? Are there hoops I have to jump through to enable that disclosure? So there's more maturity happening; the regulations are getting more complex, and that changes your processes on your side for how you even trigger the due diligence activity. And I think you'll start to see the evolution of due diligence beyond just the technical controls and really get into organizational and contractual measures.
I think another key area for modernizing programs is really focusing on those fourth- and nth-party relationships, because at the end of the day everyone has multiple third-party relationships. Very few organizations are hosting their own data or hosting their own applications. They're all using technology service providers to enable their footprint. And all of those providers have their own vendors. So it's not just critical to understand who they are, but to really understand what the contract says in terms of who owns which controls. I've done quite a few gap analyses and assessments, and I will hear from a client, "Well, you know, they had a SOC report, so I didn't think I had to do anything else." Well, if you read the report, it says, "These are all the controls that the vendor owns, and these are the controls that you own." At the end of the day, you can't outsource accountability. So it's really important that your third-party risk management teams not only understand their process, but the standards and the requirements, and how you maintain your evidence across your entire program, because the program in and of itself comes under greater inspection and oversight. So as we look at this, I know in one hour we're covering a ton of information, and I think it's always important to be aware of privacy fatigue. You could use the phrase privacy fatigue, or you could replace that with cybersecurity fatigue. Regulations are emerging faster. It's happening all at once. You've got to build a road map. Find some quick wins. Do the quick hits. Make it manageable. Break the work up into manageable parts so it's not feeling so overwhelming. It requires prioritization. But I think with data protection and third-party risk, the number one thing is that it should be a strategic conversation and not an operational tactic.
Ensure that the board and the C-suite understand the linkage to revenue, so that the third-party risk management program is not just looked at as an administrative burden or table stakes; it actually can drive and enable the business to succeed, because you need the vendors to run and help you grow your business. So really make sure that the board and the C-suite understand their role in ensuring that the third-party risk management programs have the business case and the investment and the resources they need to manage the risk, because the regulators don't give you new budget when they change the rules. So each organization has to adapt their program, or have that conversation to say: this is what's changed, these are our gaps, and we can either fix the gap or accept the risk. So you've really got to have that conversation, and then really look at your processes to say what we can do better to drive process efficiency into those recommendations. And with that, I'm going to turn it over to the Prevalent team to cover a few topics, and then we'll jump into the Q&A, where I can see some things that Amy's probably monitoring in the chat.
Alistair Par: Thank you very much. Really insightful, and it's interesting because we very much agree with what we're seeing. So the whole privacy angle, of course, is symbiotic to the broader third-party program, and we appreciate and totally agree with you when it comes to right-sizing and making sure that that program is proportionate, whether it's risk-centric from an infosec standpoint, whether it's looking at contract due diligence clauses, or privacy as well. So it completely resonates with what we're hearing and seeing as well. What we're looking at in front of us is something that we tend to focus on as part of the analysis and interpretation of the program, because invariably we find, and I'm sure you do the same, that most people have some semblance of a program, whatever it may be. It might be a couple of spreadsheets sitting on someone's laptop somewhere, or they might be involving the C-suite and getting steering committees involved, etc. But it's taking that moment to passively review what you're actually doing and considering, before applying changes, and proportionate changes, to right-size and demonstrate return on investment. And some of the key things we've seen on that are some of the insights you see in front of you now.
So the maturity assessment up front applies to the entire program, from a privacy standpoint and beyond, which is understanding: what are we really trying to achieve? Where do we stand against our peers? Is that actually good or not? And are we investing the right amount in order to achieve these obligations, whether that's regulatory in nature, based on a framework, or just internal risk appetite? So we often see people using a CMM, the Carnegie capability maturity model, to grade themselves and compare themselves to their peers, and then that feeds the metrics, the KPIs and KRIs, as to what the steering committee and the C-level really want to try and focus on, and then that drives that scoping and that perception up front. And I completely agree with you that you can't outsource accountability; it's at this point where we help to define what accountable looks like, what we can bring in house, and effectively managing governance. It sounds very similar to what you're seeing in your expertise in the field. And when we start looking at the rest of the circle, per se, it's about that comprehensive profiling. I know we agree: you start looking at the nth parties and understanding the data points and elements so that we can build this sort of holistic profile of them, whether that's data processing activities, whether it's their security controls and governance; it's multifaceted. So we look at it from a comprehensive profiling lens, which is: how can we amalgamate all these data sets and nth parties into something that's actually coherent, that we can action against, and then benchmark everybody against one another? That being the third parties themselves. Then of course we can compare that to the regulatory obligations and frameworks that we need to consider, and then factor in what we can actually do about it and how engaged the business is.
So the human effect of remediation planning. Now, it's interesting hearing you talk and correlate to the C-suite so much, because it's a challenge we always see, which is the human factors: how can we get the business involved and multiple people to participate? And that's always an ongoing challenge that we also try to pay attention to and advise on. So it really resonates. On to the next slide, if I may. We talked about that holistic profile, and again, I think you've really hammered home and touched very well on some of these points, but some of the things we like to see working quite well is building up this vendor profile, and that's multiple factors and facets. Understanding the data processing, understanding the context around what they do and why they do it, is really foundational. Context is really key, and to address privacy and all of these other symbiotic factors: understanding what articles there may be relating to them in the world, broadly speaking; are they expanding territories; are they processing data in other areas; have they had any data breaches that we need to be mindful of that they haven't reported back to us? And then of course even things like financial stability feed into that, being aware of any changes, M&A, that may impact them in the next 12 months. Your perception of how your data is being managed and how you're adhering to any regulations is going to be very much dependent on pretty much everything that you see in front of you. We do find it quite challenging for people to spend the time to aggregate these data points as best they can and react, particularly when you're dealing with it at scale.
So on the final slide, before I pass back to you and go to general Q&A, just something that we wanted to share, because again I think it resonates quite well with what you've been talking about: some of the processes that we see and consider, which is the life cycle of third-party management. I've obviously spoken, and you've spoken, about that comprehensive profile, but beyond that it's the broader life cycle, and I think you rightly touched on the contract and due diligence clause reconciliation piece up front. That is generally pretty on point for a lot of organizations, but it doesn't necessarily carry over to the rest of the workflow. Things start to dwindle until contract renewals and so on. So we like to spend a bit of time focusing on post-selection: how can we apply that through the life cycle? So tracking the regulations and the obligations associated with that, making sure that the C-suite, the legal counsel, etc., feed into us to let us know what we really need to deal with, whether that's the data protection officers of the business or whoever's owning that. It all feeds into how we interact and govern and take accountability for the third-party program and the risks that they present to us. So we like to see, through that life cycle, that degree of ownership. We like some maturity, and expanding that maturity past procurement and contracting into the life cycle, and tracking those contractual clauses from the outset. So what we often tend to do is build workflows around that, where we see customers, or visionaries really in the space, starting to collect the data, look at it cohesively, drive remediation on targeted focus points, and then really try to drive their programs iteratively and improve and optimize them over time. So establishing that best practice internally and driving it through steering committees, etc., is really something that we're seeing as well.
So I'm glad to see that nothing seems to contradict what hopefully you've been seeing.
Len Solem: Absolutely. I mean, it's a life cycle, and I think it's a common concept, but life cycles are shorter and even more complex today.
Alistair Par: I completely agree with that. Great. So we can move on to the Q&A section.
Amy Tweet: Yes, I'll give you a moment to take a sip of water and breathe. Thank you so much for the information. A couple of questions have come in. I'm going to launch our last poll question from the Prevalent side here. Before you leave today, are you thinking about expanding or establishing a third-party risk program in 2021, or maybe even thinking about next year, since we're approaching the end of the year? We'd love a response: yes, no, not sure. We're here to help, as Alistair mentioned. So let us know. And these last two questions, I think either Len or Alistair can answer. The first is: could you recommend other KPIs or KRIs to help better track data risk?
Alistair Par: Sure. I'd love to start. And of course, Wayne, yes, thank you. Yes, certainly, from our side, the KPIs and KRIs that we need to see. Of course, data-related risks are a subset of the broader risk as a whole, and we would see similar outcomes, i.e. how we can make sure that, when we analyze our assessment and tiering process, we're adding context to the risk criteria. I recognize that context is quite difficult to score when it comes to KPIs and KRIs, but if we can at least break out the tier ones, the critical ones, the ones that fall within the scope of regulation, the vendors with regulatory obligations and the key data risks, we can at least focus on them and start to concentrate our efforts and prioritize within that subset, that percentage. So, from a KPI and KRI standpoint, I would say segment the data risks that have regulatory or framework obligations and then look at the progress made against them.
Len Solem: And what are your thoughts? Yes, just to add a couple more things to think about: when you analyze the relationship with a particular vendor and set your risk rating, or whatever you're measuring, you know, high risk, tier one, tier two, tier three, tell the rest of the story. What is the vendor's risk in terms of resilience? It may be a high-risk vendor because it's critical for resilience, but a low-risk vendor for consumer protection because it doesn't really interact with your end customers. So add some context to your risk rating and your vendor tiering. And when you look at metrics, many organizations can overlook the power of complaint tracking. A complaint is different from an issue or a remediation, but complaints are about context. So if there are complaints or things that are happening, it's usually a symptom that something else is going on. So have a good escalation process for those non-key areas, because that way you can find out what's going on even faster.
Amy Tweet: Great. Great question. We have one more from the audience and we have a few minutes left. So if anything else comes to mind that you want to ask Len or Alistair, please take a moment to type your question. The last one is a very good one. So, if you don't have a direct relationship with a fourth party, how can you best handle and remediate any issues you see with them?
Len Solem: Excellent question. I would start by saying that the problem with fourth parties is the lack of control, right? You don't have a direct relationship, financial or contractual. But what you have to do is hold your third party accountable. So instead of just inspecting your vendor, you have to inspect and audit their third-party risk management program. And it's good for you to audit their program, to require them to provide evidence of the controls. And if you're on the service provider side, don't just push the customer back. Figure out how to tailor your documentation in a way that gives your customer base enough documentation to feel confident that you're doing a good job of managing fourth- and nth-party risks. Because if you're a service provider, if you do a good job at that, you can generate value for the customer. So it's really about driving maturity in that, but inspect the third-party program.
Alistair Par: I completely agree with you, Len. So, as we say, it all starts with that initial procurement exercise when you take on the contractual obligation. So it's critical to establish what your obligations are to the third parties and to the parties they manage. And, unfortunately, I think it's a good question. I think you also mentioned that most organizations don't have the initial maturity and agreement to be able to govern their third parties and make sure they manage them effectively. It's kind of a reactive request to make sure they take care of it. So we're seeing more and more organizations mature in establishing some contractual clauses up front to make sure they're managing fourth parties, but again, you're not going to be able to completely outsource accountability in that respect. It's not going to work. You're expected to work with them to identify and track those issues.
Len Solem: Right, and I think it's also important not to rely solely on the certification in an audit report. You know, I've worked in third-party risk for quite some time, and in the old days you had the SAS 70 certification and I'd think, "What?", but now there are different levels of external audit reports. You have to analyze them carefully, especially in the cloud environment or other environments, to know what control the vendor has, what control the customer has and what the configuration is, and you have to require evidence that they're really reviewing the reports and performing a risk-based analysis of what they've learned and seen in the report. So don't just contractually require the SOC 2; ask what is done with the SOC 2 once it's received.
Alistair Par: And I'll second that by saying you always have to check the scope too, just in case their scope turns out to be their broom closet somewhere.
Len Solem: Absolutely. Because it's about the product or service level. And I think that's also where data governance comes into play, since physical locations sometimes lose importance in today's digital environment. Well, you know, in certain sectors the physical location of manufacturing is very important, but what you really need to do is analyze the vendor's profile to know whether you're getting the assurance you're looking for, or whether you need to supplement the assurance on a specific topic that's critical to your organization or your customer base.
Amy Tweet: All right, thank you. That's a great question. Let's move on to another one that just came in. I think it has a lot to do with the COVID era. Many vendors don't allow physical visits. Should this be a problem, or what alternative procedures would be sufficient?
Len Solem: That's a great question, and it's almost as if we sometimes need webinars just for service provider verification. I think the key is recognizing that certain vendors won't be equipped for you to come to their facilities, but then the vendor should have a collaborative conversation with their customer base to say, "OK, but this is what we can offer instead." Here's additional evidence. Here's additional documentation. Here's additional evidence of the controls, or of how virtual or web technology can be used in different ways. It shouldn't be a yes or no. We simply have to perform the same function differently. So how do we do it? And it really starts with that conversation and with flexibility on both sides. You just have to recognize the challenges organizations are facing.
Alistair Par: Completely agree. And we're seeing that virtual validation has been a real driver over the last 18 months, as you'd expect. And the key we've observed is to be concise and focused, as you only have a limited amount of time, because people get Zoom fatigue as much as anything else. So in general, we've had success by giving them the general criteria of the tests you want to validate. You check certain controls that are critical to you, but you don't necessarily give them the aspects of that control that you'd want to see. That way, they can't know the system in advance, but they have time to prepare the relevant materials. So that focused validation exercise, that spot check of certain controls, at least provides assurance, which seems to have been a constant over the last 18 months for us.
Len Solem: Right, and last year we had the virtual assessment webinar series, and we even saw changes from the first time that event was held, at the beginning of the second quarter, to how people's perspective on virtual assessments and virtual validation had changed by the end of the year, because they have to deal with a virtual internal audit team. They have to deal with a virtual external audit team, virtual vendors and virtual third-party risk assessments. So, well, a lot of processes have changed in the last 18 months, and I think that's going to keep evolving.
Amy Tweet: I love that term, "virtual validation." That's great. It's a really great question. Well, we're coming to the end of the hour. I want to make sure everyone can enjoy the rest of their day, and if you have any last questions, you can get in touch with Linnea Solem. I think LinkedIn is a good way to reach her.
Len Solem: Yes, that's fine. And I've also included my...
Amy Tweet: There you are. I see you. I had to remove the poll question. But as for Prevalent, if you have any questions for us, you can email us at info@prevalent.net. Follow us on LinkedIn or Twitter. Once again, thank you very much for spending these last 60 minutes with us, and I hope you've learned some best practices on how to address data protection risk in your third-party ecosystem. Thank you all, thank you Alistair. Thank you Len. I hope you have a good day, and everyone have a good day.
Len Solem: Excellent.
Amy Tweet: Bye, everyone.
Len Solem: Bye. Thank you.
©2026 Mitratech, Inc. All rights reserved.