6 façons dont la protection des données influe sur les risques liés aux tiers

Amy Tweet: Bon, nous sommes en direct. Bienvenue à tous. Nous sommes ravis que vous puissiez vous joindre à nous aujourd'hui. Si vous nous regardez en direct, merci de passer un peu de votre temps avec nous. Pendant que vous vous installez confortablement, je vais vous poser une petite question, car nous sommes très curieux de savoir ce qui vous a incité à vous joindre à nous. Donc, pendant que vous attendez, cela pourrait être instructif et vous permettre d'en apprendre un peu plus. Je suis ravie d'accueillir nos experts, que je vous présenterai dans un instant. Il pourrait s'agir d'une recherche pour un projet à venir sur la gestion des risques liés aux tiers. Vous ne savez peut-être pas où vous en êtes. Dans ce cas, ce webinaire s'intitule « Six façons dont la protection des données influe sur les risques liés aux tiers ». Vous souhaitez peut-être rester ou vous êtes peut-être déjà un client de Prevalent et vous souhaitez vous tenir au courant de l'actualité. Prenez donc un moment pour écouter quelques règles de base. Je m'appelle Amy Tweet. Je travaille au développement commercial chez Prevalent. Mon rôle aujourd'hui est de m'assurer que toutes vos questions destinées à Len ou Alistar leur parviennent. Vous pouvez utiliser la fonction de chat ci-dessous ou la fonction Q&A. Je m'assurerai de leur transmettre vos questions. Sans plus attendre, je vais vous présenter nos experts qui participent à cette conférence téléphonique. Nous sommes en compagnie de Len Solom. Elle est ancienne responsable de la protection de la vie privée et travaille dans le secteur des services réglementés et de la gestion des risques depuis plus de 30 ans. Elle est également fondatrice de Solom Risk Partners. Len, comment allez-vous aujourd'hui ?

Len Solom: Je vais très bien.

Amy Tweet: Bien. Nous sommes ravis de vous accueillir. Alistair Par se joint également à nous. Vous pouvez voir son visage ci-dessous. Il est vice-président des produits mondiaux et des risques chez Prevalent, et vous pourrez l'entendre et le voir vers la fin du webinaire. Si vous avez des questions concernant Prevalent, vous pouvez également les poser et nous vous aiderons à y répondre. Pour rappel, nous souhaitons que cette session soit interactive, alors n'hésitez pas à utiliser la fonction de chat et la fonction de question. Nous enregistrons également cette session, donc si vous devez partir ou si vous ne pouvez pas rester jusqu'à la fin, nous vous l'enverrons demain matin à votre adresse e-mail. Très bien, nous allons commencer. Je vous passe la parole. D'accord. Si vous avez d'autres questions, veuillez utiliser la fonction de chat. Allez-y.

Len Solom: Okay. Excellent. Thank you so much. Well, welcome everybody. We’re going to have uh quite a bit of good um discussion today. There we go. So, as Amy introduced, uh this is a bit of my background. Um I have been in the outsourcers. I have also been on the service provider end. So, I’m really going to weave together today data privacy, data protection and thirdparty risk and there’s a lot of hot topics. So let’s right now get into our discussion. So converging topics as I outlined why are these topics important? Um we all know that you have to follow the data. The data starts the conversation in terms of any dialogue between an outsourcer and a third party. But managing data is much more challenging in today’s environment. Even technology like you know online meetings creates new data challenges right so data protection and third party risk are really converging and as we talk through these these topics today I’ve listed quite a few terms that will be woven into the dialogue and the narrative but what I’m going to focus on is less how you build these things but spotlight some of the challenges and opportunities and things that are shifting. Um we’ve got a lot of divergent topics and uh quite a significant amount of change that’s occurring today that are going to impact almost every element of not only a privacy program but a third party riskmanagement program. So I’ll try and connect the dots where appropriate and hopefully we can learn through this session and through the Q&A uh where some of the other pain points are. So let’s dive in to kind of that road mapap for today’s dialogue. I’m going to highlight kind of six key topics that all are related and we’re going to start with what’s changing in the regulatory landscape, how that impacts contracts, what you then need to do around data protection and safeguards and assessments. Uh but put a little bit of that magnifying glass on data governance because that’s the hottest topic. And we’ll end with kind of where does this road map now affect your thirdparty risk management program where would you maybe need to do some maturity or process enhancements. So this is kind of our road map for today’s dialogue. So let’s dive into the first topic. Uh it might be August and hot and humid where you are but right now it’s raining regulations for data protection and thirdparty risk management. Um our journey really got aggressive when GDPR really accelerated the expectations for sur service providers. And when you think of the regulatory changes that have happened since GDPR became effective only three years ago, um we’re getting the point where 65% of the world’s population is now covered by data protection rags and the US is getting even more aggressive at the state level. Um but it’s not just a regulatory landscape. We are seeing uh focus areas from different regulators, from agencies, um new proposed guidance and we’ll dig into that. Uh, but it’s not just an an industry challenge. Privacy risk is now top of mind for public companies in the United States. I thought it was very interesting that over 60% of companies are citing privacy risk or data protection risk in their SEC reports. And when we first started to think about that, everybody assumes it’s about cyber security and breach. But no, it seems to be more about privacy. ethics, privacy, permissions and data practices, corporate governance, ESG. The topics are broadening um and really bringing privacy, security and compliance together into a better focus on data governance and data protection. So, as we look at this, let me highlight a couple of of key things in terms of developments um in terms of that raining uh regulation. uh for those that do business in the EU, we’re still dealing with shredd and Brexit in terms of the UK and the EU adding a complexity. You’ll see on the right I listed just kind of a visual that talks about how enforcement is accelerating. Uh but now I need a new chart because even though I put this out there towards the end of July, uh the EU regulators issued a fine uh the largest in history of 8 $87 million. Uh and as you look at that, part of the focus is on data practices. So, everyone’s now looking at their frameworks and making changes. Uh Canada’s getting involved with a new update to modernize their privacy framework. Uh many international companies are following suit. E privacy is still happening within the uh EU. Um but there are updated industry frameworks from and ISO that are really putting a spotlight on data governance, data protection, data protection safeguards and really bringing privacy engineering and security engineering together. In fact, for those of you on the call that might work within the financial services sector, the three agencies have come together to propose a new framework and modernize guidance on thirdparty risk management programs. The joint guidance from the three regulators is out for industry comment right now. So, we don’t see these developments slowing down uh because of the new frameworks and regulations and enforcement. It’s it’s going to get even more challenging. Um just to show you a little bit of the checkerboard of what’s happening at the state level, you’ll see that the International Association of Privacy Professionals publishes on a monthly basis um a state privacy uh legislation tracker and you can see the ers of what’s been introduced, what’s in committee, what’s in chambers, and what’s across uh being developed or passed or signed. Why this is important is because when a state like California or now Colorado put out new guidance, uh we’re a global economy. We’re a national economy and a regulation in a particular state starts to impact other states. It’s kind of like the years when we first had breach notification and now we have a checkerboard of 48 states with a law. We’re kind of going down that path from a US state privacy tracking. Um, but we’re starting to see some key themes. Consumer information, disclosures of data to third parties, the sharing of data, and an increased litigation or brand risk. So, it’s less about just protecting the data. It’s really about what does the vendor have the authorized use of the data. What are they allowed to do and what are they not allowed to do. So again, the privacy dialogue I believe is actually evolving as you look at uh the different topics that are that are happening. So let me provide a quick recap of a topic that you might have heard about called Shrems 2. Uh basically uh privacy shield was invalidated about a year ago as a data transfer authorization method for data going from the EU to the United States or to other geographic or non-EU areas. Uh the regulators after this litigation in a court decision um identified gaps in this in the existing standard contractual clauses uh that were in place to address GDPR compliance. Why this is important is that for those organizations that need to manage compliance between outsourcers and vendors or controllers and processors in the EU that standard language was the primary way to address processing in thirdparty risk. So let’s fast forward the after comment period updated new templates. These new templates aren’t just about contract changes. They will impact controls, due diligence, vendor classification, and most thirdparty riskmanagement operational processes. And because we’re talking about a key change that’s uh That’s important. Let’s really think about the business model in today’s environment between an outsourcer and a vendor. Vendor compliance is multi-dimensional. And while the standard contractual clauses apply specifically to address GDPR, they actually represent what’s happening in our ecosystem. When you think of internet of things, the digital environment, cloud hosting, we’re more connected than ever before. And the new requirements that are being um you know put out by the EU tend to be a model that other states and countries tend to follow. We saw that with GDPR. So I don’t think that will u this will not be the only a GDPR type of solution but their agreements really are anticipating that you have to put in place very specific guidelines between all parties in a relationship. So whether it’s the out sourcer to the vendor, the vendor to their vendors, the fourth parties, the subcontractors. Uh it really gets down to the end parties when you start to look at processor to processor relationships. But the themes that came out about the standard contractual clauses in the simplest terms, it’s not just a contract exercise. It’s it’s a warranty of data protection safeguards. It’s a maturity in due diligence. It requires more evidence. some proof of controls or proof of ongoing monitoring and there are some exit clauses that if the vendors can’t comply uh there’s ways to get out of the contract. So it really will put a spotlight on thirdparty riskmanagement governance. And the reason that I highlight this as such an important trend is the timeline. And I know you’ll get a copy of the slide because the text might be a little bit small but when you think of what was released in final language on June 4th um new contracts with new vendors if they need to meet GDPR compliance and use standard contractual clauses, they need to be in place by the end of September. So that’s a short ramp period. And if you’re an existing vendor and you have to think about that, the contract with that data controller for all of those existing vendors will all have to be updated by the end of 2022. So that’s less than 18 months to assess the new language, look at the new data controls, identify the impact to due diligence, update your processes, and execute a repapering of contracts and due diligence and document everything that you did. So, this is absolutely a key thing on data protection and what’s changing in the environment for thirdparty risk. Um, just to provide a highlight on why this is important is that while most contracts really define the processing relationship, this new proposal really crosses the line into data governance and third party risk management programs because within each contract there’s now three annexes and the first all talks about things that as a privacy professional I’m familiar with but a lot of procurement sourcing and risk teams may not understand that they need to docu ment. Now the business model context, the category of data subject, the data classification of the data, descriptions of the processing, the purpose, the retention, all of that context that’s always been in the privacy world now needs to be brought into the vendor contract. In addition, the they’re getting more detailed in describing the data protection safeguards. So what you put now in the contract is what will be inspected in the third party risk management process or assessment process either with the on-site or virtual assessments or ongoing monitoring. But the contracts also require the list of approved subcontractors. So again, higher expectations, greater focus on governance and compliance, and really a a greater emphasis on keeping track of the different activities that are being performed because you have to prove prove that you’re doing what the contracts say and you’re holding things accountable. So, it’s really driving maturity in a lot of these processes. So, let’s dig into those processes and really what’s changing around data protection safeguards. Um, while regulations may put out guidance, uh, frameworks tend to get out at a control level. So, you really have to assess both drivers to understand how data protection safeguards are evolving the themes that I’m seeing whether it’s coming from the regulators from the frameworks or from an external assurance or audit report but it’s really holding people accountable it requires a deeper concrete description of the control environment evidence of controls is critical maintaining due diligence artifacts u I think we’ve learned through having to do assessments now in a virtual environment, the documentation beyond the policy is even more important to show the evidence of the controls that are in place. So, it’s really driving a maturity in a lot of different areas of data protection. Um, and I think we’re going to see that what’s happened for many organizations due to the pandemic and having to go to the remote environment, there will continue to be a significant footprint of remote workers. So the actual environments changed in the last year and many organizations are seeing the need through resilience or through the migration to cloud hosting the the footprint of their vendors is changing who’s critical uh may also have been impacted by the remote work because obviously online collaboration is pretty critical but these platforms probably weren’t in the high-risisk vendor uh category in a lot of third party risk management. programs. Um, so we’re really seeing a shift in the need to look at controls at a broader area and these focus areas are I think are really bringing privacy and security together. Cyber security will always be important whether you’re focused on technical controls, breach, ransomware. Uh, but what we’re seeing through the frameworks and a driving of a migration to data governance is that it’s more riskbased. It’s more methodology focused. So it’s beyond the yes no of a control is in place or not in place. It’s is the control sufficient to address your risk your risk posture. It’s driving a maturity in the process and instead of just technical controls um it also becomes contextual controls. So minimizing the amount of data that’s collected or used. Ensuring that data has a purpose limitation, working on limiting data retention or data portability from one vendor to another. So you’re seeing a lot of data governance topics that all start with understanding business model type of data and the roles between parties. And each of these controls impacts the third party risk management process. process because you might need to gather additional information. You might need to conduct additional discovery um and you may need to focus on data protection impact assessments in a different way as you look at changes in the environment be it change management or thirdparty risk or the SDLC process because you’re not just looking at the technical security control you’re looking at the use of the data the authorization of the data and what are the expectations of the individual or the data owner. So the safeguards conversation is really broadening into ethics and permissions and not just the technical uh bits and bites of the control environment. So when you look at that evolution uh data governance um and how does that impact thirdparty risk uh it’s a critical element because it becomes one of those foundational building blocks in thirdparty risk management. As I outline the context of authorized use of data, one of the challenges with data governance in thirdparty risk is probably the most common theme I hear from clients is how to maintain vendor and data inventory. It’s a continual battle to you always know who your highest risk vendors are and you have a good idea of the lowest risk, but it’s all of those vendors in between that create the the operational challenges. And when you start to look at disclosures, well, that’s not just to the third party. It’s understanding the ecosystem and the fourth parties and nth parties and all of the people that participate in the delivery of a technology product or service. So, as technology emerges, Whether it’s artificial intelligence, IoT, 5G, the cloud, you’re bringing in more third parties, more technology integrations, more network connectivity between parties and different paths for the data to follow. So managing that environment becomes not only a people resource issue, but it’s technology and its process op processes and optimization. But it’s really taking a look at not just the padlock of securing the data but understanding the path of the data within the organization and outside the organizational boundaries. Those are some of the key areas that we’re seeing really evolve in terms of data governance. So how do you look at data governance in thirdparty risk? So there’s terms that that are discussed whether it’s called data maps, data flows, devices, there’s a data governance explosion happening. So, you really have to really take a look at data and really kind of profile with at a vendor, not just who the vendor is, but what’s the product, service or system that they are delivering. So, from an outsourcer perspective, it’s not enough to know that company ABC is in my vendor portfolio. I really need to know what that company does for my organization. Do they interact with my end customers? Do they have higher sensitive data? Are they critical to my operations? And then what data is used within that relationship? And then let’s follow the data. Where is it located? Where is the data backed up? So it’s it’s become a broader conversation in terms of location management because it’s not just about physical addresses. in physical buildings, right? We now have remote workers. That means we have remote vendors and how you’re connecting can be through multiple devices. So that mapping exercise really becomes a critical pillar within your third party risk management program to understand how often and how frequently you have to update your vendor and data inventories and be able to connect the dots between the vendor, the data, and then your due diligence process based on what contractual obligations or regs apply to that relationship. So, as we look at these changes, we kind of started with the reigning regulations and then what’s happening, spotlighted a few highlights, and then we’ve talked a little bit about data governance. But let’s think about things from a a third party resp. management program in and of itself. And we, if I look at the last 18 months, um, I really started to look at kind of three big drivers that are starting to trigger the the need to modernize third party risk management programs. And obviously the first column is the pandemic factor because we as an industry, as a global world, we had to evolve. We had to quickly figure out remote workers. That means We might have had to shortcut some security controls or build new bridges or new paths. Now we need to go back and correct those areas. We had to start to bring the concept of zero trust. We had to start to do our assessments for thirdparty risk virtually. So that changed the skill set of the assessor. It might have actually changed how we document the workpapers or document what works been performed. And if you’re a service provider and you have to and you go through an annual attestation or audit report. Well, now you’re doing that virtually with your audit firms. So, resilience, cloud, remote technology, all of those things that are critical to enable business operations also impacted how vendors deliver their services. So, looking at thirdparty risk through the pandemic lens, not only do you have to look at how the existing vendor relationship works within your contract or your due diligence, standard, but you have to understand how did they adapt? What changes did they implement now due to the pandemic and remote work because those factors might require additional due diligence on your side? But I think the conversation is also evolving a bit into nonIT risks because of what’s been the focus on so many different areas. Um it’s not just about data security and cyber security. you look at thirdparty relationships uh environmental social governance ESG are top of mind um in the boardroom uh but also in the shareholder or the consumer the buyer there’s a greater focus on geopolitical human rights diversity the supply chain and that’s not just a United States factor I’m seeing these nonIT risks and guidance driving maturity of across the board. And I really think when you start to look at the nonIT risks, it almost requires a different level of viewpoint into your vendor risk rating system, the way you classify vendors. Um, it’s it’s less just about the company. It becomes a broader conversation and that may actually require different types of assessments. So instead of one large vendor assessment, I’m seeing Party risk management programs obviously need to do a deep dive on the onboarding, but then they might be doing very topic specific assessments for a particular vendor. They might have to dig deep into resilience uh and remote access and securing data. Or depending on the nature of the product, if they’re helping you with marketing, sales, or advertising, you might need to do a deeper dive on consumer protection and fraud authentication. and privacy. Um, or if they’re in the supply chain, you might have to focus on a a broader environmental factor. Um, so these topic specific assessments are layered into your overall program. So, organizations need to modernize and understand their staffing levels. How do they rightsize assessments and manage multiple assessments? Um, in one of my prior roles, um, at a service provider for certain clients, I I would have to undergo at least seven to 10 assessments on an annual basis because they were tailored at the product or service. So, not only are thirdparty risk management programs evolving in terms of the requirements, but it also starts to impact workflow and really having to take that that riskmanagement approach as to what’s sufficient. And I think the the the drivers that I’m highlighting here are actually very similar to the FAQs in the questions that the three primary regulators in the financial services sector have put out for comment as they’re looking at the original OC guidance that was for national banks in terms of thirdparty risk management. How do they bring that type of guidance across the board to community banks, regional and other areas within financial services? You know, even last week, FINRA just announced in the financial services sector uh they’re seeing audit issues on lack of maturity in thirdparty risk management programs and and that’s a concern. So I think we’re starting to see the drive for modernization come from a lot of different areas and that really is going to require some investment in making some changes to your third party risk management program. Um it might be a project to address regulator changes if you have to address GDPR and standard contractual clauses, you’re going to start with what you have today and where you need to be by the end of 22. Uh, but you also might be adopting a framework, whether it’s NIST or ISO, to help mature your information security and your cyber footprint and bring privacy into that conversation. But anytime you’re looking at changes to your program, um, it really starts from that outside in perspective. What are the external drivers? Then the internal what’s changing within your organization sometimes it could be M&A activity it could be new products and services consolidation efficiency but all of those things now require that review. Do we need to change the definition of vendor criticality in today’s landscape? Do you have a commonly understood definition within your organization of who is critical and as thirdparty risk management programs broaden in scope to include ESG and these others you’ll really see that it becomes an integral part of an organization’s enterprise riskmanagement program. So while the project teams may understand what they need to do to operationalize changes to thirdparty risk management programs actually doing that changes the story also though in terms of how you gain you know management approval of all of these changes or if it has to go up to the board or executive reporting. I think the other key thing that I think that is really evolving obviously thirdparty assessments have evolved from on-site to kind of a virtual environment. Uh the old kick the tires type of approach uh of a site visit is not going to come back because people have realized the cost. of the travel and the level of of value that they get. There will certainly be high-risk suppliers or vendors that need that deep dive or physical inspection. Um, but I think people will be starting to use a combination of different techniques. But I think the key factor that I think you know puts a wrinkle into existing thirdparty risk management programs is really the contract and due diligence synchronization. So I use the example of standard contractual clauses. The legal team and the privacy people are all over this. But now that work product has to be implemented by the third party risk management teams and they don’t have a clue what all these privacy terms mean. So we all of a sudden have to build a bridge even within one company to figure out how do I sync up what I have to put out into a legal contract that impacts how I audit the vendor and now my audit of the vendor can be viewed by the regulator and they’re actually saying you need to have very good workp papers to document what you’ve done. You’ve got to build a really strong dialogue and collaboration between very different and divergent teams and a lot of that may start with education or doing a gap analysis or figuring out how do we sync up due diligence and thirdparty risk assessments with contract expectations. and how you manage the gaps is even more critical. So I think all of these factors are really driving um organizations to really start to take a look holistically at their processes. And I think connecting the dots across different processes is an area that is sometimes very under um undervalued or under reppresented in terms of the the need for clarity of roles and responsibilities between within and across teams. So let’s think of some examples today when you have all of these changes that are happening in the internal and external environment right technology transformation migration to the cloud new regulations you know fines and enforcement and obviously we always have the threats and vulnerabilities in terms of the bad actors all of these things teams are coming at a third party riskmanagement team, but they’re also coming across the newswire of the CEO and the boards of directors. So, organizations need to really be able to tell their story. Here’s what’s changing. Here’s what we’re doing about those changes. Here’s what’s important. And here’s what I need from the organization. So, if you need to modernize your program, it’s about that business It’s about explaining here’s the role that these teams play today. Here’s what the new expectations are. Whether that’s by the reggg, by a framework, by a customer driving language in the contract. All of these things can now change what you need to do on your policies for thirdparty risk, your due diligence standards, your assessment process. And so there’s almost that layered education not only to keep everyone on the same page with the changes but also make sure that folks understand uh that the with the heightened expectations there’s now a a a better level of what I call uh change management maturity we know in thirdparty risk we always think about change management purely from the IT coder you know the developers point of view and IT operations uh but now you have the pandemic and you have security DevOps. But now when you look at privacy and data protection, it’s a whole different conversation to be managing regulatory change around devices, privacy permissions, settings on a smartphone, use of a web application. So what I’m seeing emerge around data protection is really broadened conversations around change management and process integration, but It’s really bringing these teams together and bringing these processes together because that’s what’s critical to be able to demonstrate here’s how I am managing expectations not only to manage and mitigate risk but also ensure that my risk management process is in alignment with really the expectations coming from the market clients regulators or investors even. And I think what we’re going to see as we look at, you know, the challenge with connecting the compliance dots is that it’s it it’s not just a volume issue with staff. It could be skill sets of staff. People have to adapt to a new way of doing work or some of the changes that we’re seeing around data governance or even things like the standard contractual clauses may require organizations to assess how many vendors do I have? Do I need to do some consolidation of vendors? So, I think we’re going to see some evolution of even KPIs and metrics in terms of managing the third party risk management program. Um, scorecards I could see uh becoming, you know, even more important in terms of process maturity in terms of not just the status of the vendor, red, yellow, green number of findings, red, yellow, and green. Um, but it starts to look at the risks across vendors, not just within a particular vendor relationship, because you’re managing different touch points, and you’re managing different types of risk that different organizations and different stakeholders are going to say that are important. So, I always like to, you know, think about, we talked about a lot of topics, but when we look at some of that, the guidance that’s coming out, you know, there’s some simple steps to do to kind of get your arms around these environmental changes, uh, the six-step process, uh, putting guidance into action. U, what I liked about these messages, even though they originated in the EU guidance, I think they apply across the board to any organization that’s really trying to modernize or update their third party risk management program. First up, update your data maps and inventory. Know where the data is located. How what what the purpose is, what they’re authorized for. Verify and understand any transfers or disclosures between third parties, whether that’s financially by contract, a trade, or any type of benefit, any data transfer or access between parties. I think it’s also critical to conduct due diligence not just of the third party but understand is this transfer or disclosure to a third party allowed by law by contract is is there are restrictions are there hoops I have to jump through to enable that disclosure so there’s more maturity happening in the regulations getting more complex that changes your processes on your side for how you even trigger the d diligence activity and I think you’ll start to see the evolution of due diligence beyond just the technical controls and really get into organizational and contractual measures. Um I think another key area for modernizing programs is really focusing on that uh fourth and party relationships because at the end of the day uh everyone has multiple third party relationships. No one is very few organizations are hosting their own data in the cloud or hosting their own applications. They’re all using technology service providers to enable their footprint. And all of those providers have their own vendors. So it’s not just critical to understand who they are, but really understand what the contract says in terms of who owns which controls. I’ve done quite a few gap analysises and assessments and I I will hear from a client, well, you know, they had a stock report, so I didn’t think I had to do anything else. Well, if you read the report, it says, “These are all the controls that the vendor owns, and these are the controls that you own.” At the end of the day, you can’t outsource accountability. So, it’s really important that your third party risk management teams not only understand their process, um, but the standards and the requirements and kind of how you maintain your evidence across your entire program because how the program in and of itself um comes under a greater you know inspection and oversight. So as we look at this I know in one hour we’re covering a ton of information um and I think it’s always important to be aware of privacy fatigue and you could use the word privacy fatigue or you could put in that replace that with cyber security fatigue. Regulations are emerging faster It’s happening all at once. You’ve got to build a road map. Find some quick wins. Do the quick hits. Make it manageable. Break the work up into manageable parts so it’s not feeling so overwhelming. It requires prioritization. Uh but I think data protection and third party risk the number one thing is that it should be a strategic conversation and not an operational tactic. Ensure that the board board the seauite understands the linkage to revenue so that the third party risk management program is not just looked at as an administrative burden or it’s table stakes you know it actually can drive and enable the business to succeed because you need the vendors to run and and help you grow your business so really make sure that the board and the seauite understand their role in ensuring that the thirdparty risk management programs have the business case and the investment and the resources they need to manage the risk because the regulators don’t give you new budget when they change the rules. So each organization has to adopt their program or have that conversation to say this is what’s changed, these are our gaps and we can either fix the gap or accept the risk. So you’ve really got to have that conversation um and really then look at your processes to say what can we do better to really drive process efficiency um you know into those recommendations. And with that, I’m going to turn it over to uh to the prevalent team to cover a few topics and then we’ll jump into the Q&A which I can see some things that uh Amy’s probably monitoring in the chat.

Alistair Par: Thank you very much. Really insightful and it’s it’s interesting because we we very much agree with what we’re seeing. So the whole privacy privacy angle of course is symbiotic to the broader third party program and we appreciate and totally agree with you when it comes to right sizing and making sure that that program is proportionate whether it’s riskcentric from an infosc standpoint whether it’s looking at uh contract due diligence clauses or privacy as well. So it completely resonates with what we’re hearing and seeing as well. So what really what we’re looking at in front of us is is something that we tend to focus on as part of the analysis and interpretation of the program because invariably we find and I’m sure you do the same that Most people have some some semblance of a program whatever it may be. It might be a couple of spreadsheets sitting on someone’s laptop somewhere or they might be involving the seauite and they might be getting steering committees involved etc. But it’s that taking that moment to passively review what you’re actually doing and considering uh before applying changes and proportionate changes to to right size demonstrate return on investment. And some of the key things we’ve seen on that is is some of the insights you see in front of you now. So the maturity assessment up front this applies to the entire pro program uh from a privacy standpoint and beyond which is understanding well really what are we trying to achieve where are we where do we stand against our peers is that actually good or not and are we investing the right amount in order to achieve these obligations whether that’s regulatory in nature or based on a framework or just internal risk appetite so we often see people using a CMM model carne capability maturity model to grade themselves and compare themselves to the peers and then that beats the the metrics the KPIs KIS as to what the steering committee the sea level really want to try and focus on and then that drives that uh that scoping and that perception up front and completely agree with you and you can’t outsource accountability is at this point where we help to define well what does accountable look like you know what can we bring in house and and effectively managing governance and u you know it sounds sounds very much similar to what you’re seeing in your expertise in the field. and when we start looking at the sort of the rest of the circle per say in it’s about that comprehensive profiling I know We agree you start looking at the end of parties and understanding the data points and elements that that we can build this sort of holistic profile of them on whether that’s data processing activities uh whether it’s their security controls and governance uh it’s it’s multifaceted. So we we look at it from a comprehensive profiling lens which is you know how can we amalgamate all these data sets and end parties into something that’s actually coherent that we can action against and then benchmark everybody uh against one another. So these being the third parties themselves. Uh then of course we can compare that to to the regulative obligations and frameworks that we need to consider. Uh and then factor in well what can we actually do about it and how engaged is the business. So the human effect of remediation planning. Now it’s it’s interesting hearing you talk and correlate to seuite so much because it’s a challenge we always see which is that human factors and how can we get the business involved and multiple people to participate. Uh and that’s always an ongoing challenge that that we also try and pay attention to and and advise on. So it’s it really resonates. So on to the next slide, if I may. We talked about that holistic profile and and again I think you’ve you’ve really hammered home and touched very well on some of these points, but some of the things we like to see working quite well is building up this vendor profile and that’s multiple f factors and facets and you understanding the data processing, understanding the context around what they do and why they do it is is really really foundational. You know, context is really key and to address privacy, all of these other symbiotic factors, understanding what articles there there may be relating to them in in the world, broadly speaking, are they expanding territories, are they processing data in other areas, have they had any data breaches that we need to be mindful of that they haven’t reported back to us? Uh, and then of course, even things like financial stability feed into that, being aware of any changes, M&A, that may impact them in the next 12 months. That that perception on how your data is being managed and how you’re adhering to any regulations is is going to be very much dependent on pretty much everything that you see in front of you. We do find it quite challenging for people to spend the time to be able to aggregate these data points as best they can and react particularly when you’re dealing with it at scale. So on the final slide before I pass back to you and go to general Q&A just something that we’re we wanted to share because again I think it resonates quite well with what you’ve been talking about is some of the processes that we see and we consider which is the life cycle of third party management. You know, I’ve obviously spoken and you’ve spoken about that comprehensive profile, but beyond that, it’s the broader life cycle and and I think you rightly touched on the contract and due diligence clause reconciliation piece up front is is generally pretty on point for a lot of organizations that doesn’t necessarily carry over to the rest of the workflow. Things start to to dwindle until contract renewals and so on. So, we like to spend a bit of time focusing on post selection, how can we apply that through life cycle. So tracking the regul the regulations the obligations associated to that making sure that the seauite uh the legal councils etc feed into us to let us know really what do we need to deal with you whether that’s the data protection officers of the business uh or whoever’s owning that. It all feeds into how we interact and govern and take accountability of uh of the third party program and and the risks that they present to us. So we like to see through that life cycle that degree of ownership. You we like some maturity and expanding that maturity past procurement and contracting into the life cycle and tracking those contractual clauses through the outset. So what we often tend to do is build workflows around that where we see customers or visionaries really in the space starting to collect the data look at it cohesively uh drive remediation on targeted focus points and then really try and drive their programs iteratively and improve and optimize them over time. So establishing that best practice internally and driving it through steering committees etc is is really something that we we’re seeing as well. So, I’m glad to see that nothing seems to contradict really what um hopefully you’ve been seeing.

Len Solom: Absolument. Je veux dire, c'est un cycle de vie et je pense que, vous savez, c'est un concept courant, mais les cycles de vie sont plus courts et encore plus complexes aujourd'hui.

Alistair Par: Je suis tout à fait d'accord. Super. Bon, on peut passer à la section questions-réponses.

Amy Tweet: Oui, je vais vous laisser un moment pour boire un verre d'eau et reprendre votre souffle. Merci beaucoup pour ces informations. Oui. Hum, j'ai quelques questions à vous poser. Hum, je vais vous poser notre dernière question du sondage, qui concerne le côté prévalent ici. Hum, avant de partir aujourd'hui, envisagez-vous d'augmenter ou de mettre en place un programme de gestion des risques liés aux tiers en 2021, ou peut-être même d'envisager l'année prochaine, alors que nous approchons de la fin de l'année ? Hum, nous aimerions avoir une réponse. Oui, non, je ne sais pas. Comme l'a mentionné Alistister, nous sommes là pour vous aider. Faites-nous savoir. Et ces deux dernières questions, je pense qu'elles peuvent être posées à Len ou à Alistar. La première est la suivante : pourriez-vous recommander des KPI ou des KRIS supplémentaires pour aider à mieux suivre les risques liés aux données ?

Alistair Par: Bien sûr. Je suis ravi de commencer. Et bien sûr, Wayne, merci. Donc oui, de notre côté, les KPI et KIS que nous devons examiner. Les risques liés aux données font bien sûr partie intégrante des risques plus généraux dans leur ensemble, et nous obtiendrions des résultats similaires, à savoir comment nous assurer que, lorsque nous examinons notre processus de cadrage et de triage, nous ajoutons du contexte aux critères de risque. Je comprends que le contexte soit assez difficile à qualifier lorsqu'il s'agit d'indicateurs clés de performance et d'indicateurs clés de sécurité, mais si nous pouvons au moins répartir les niveaux 1, les éléments critiques, le champ d'application de la réglementation, les fournisseurs soumis à des obligations réglementaires et les principaux risques liés aux données, nous pouvons au moins nous concentrer sur ceux-ci, puis commencer à concentrer nos efforts et à hiérarchiser les efforts sur ce sous-ensemble, ce pourcentage. Du point de vue des KPI et des KIS, je dirais donc qu'il faut segmenter les risques liés aux données qui font l'objet d'obligations réglementaires ou d'obligations cadres, puis examiner les progrès réalisés par rapport à ceux-ci.

Len Solom: Et vous, qu'en pensez-vous ? Oui, j'aimerais juste ajouter quelques éléments à prendre en considération. Lorsque vous examinez la relation avec un fournisseur particulier et que vous établissez votre cote de risque ou ce que vous évaluez, vous savez, risque élevé, niveau 1, niveau 2, niveau 3. Racontez la suite de l'histoire. Quel est le risque lié à la résilience du fournisseur ? Il peut s'agir d'un fournisseur à haut risque parce qu'il est essentiel à la résilience, mais d'un fournisseur à faible risque pour la protection des consommateurs, car il n'interagit pas vraiment avec vos clients finaux. Ajoutez donc un peu de contexte à votre évaluation des risques et à votre classification des fournisseurs. Et lorsque vous examinez les indicateurs, beaucoup d'organisations peuvent négliger l'importance du suivi des plaintes. Une plainte est différente d'un problème ou d'une correction, mais les plaintes concernent le contexte. Ainsi, s'il y a des plaintes ou des incidents, c'est généralement le symptôme d'un autre problème. Disposez donc d'un bon processus d'escalade pour ces domaines non informatiques clés, car vous pouvez ainsi être informé plus rapidement de ce qui se passe.

Amy Tweet: Super. Excellente question. Nous avons encore une question du public et il nous reste quelques minutes. Si vous avez d'autres questions à poser à Len ou Alistar, prenez un moment pour les écrire. La dernière question est vraiment intéressante. Si vous n'avez pas de relation directe avec une quatrième partie, comment pouvez-vous mieux gérer et résoudre les problèmes que vous constatez avec elle ?

Len Solom: Excellente question. Je commencerais par dire que le défi avec les quatrièmes parties réside dans le manque de contrôle, n'est-ce pas ? Vous n'avez pas de relation directe, ni financière ni contractuelle. Mais ce que vous devez faire, c'est tenir votre tiers responsable. Ainsi, au lieu de simplement inspecter votre fournisseur, vous devez inspecter et auditer son programme de gestion des risques liés aux tiers. Il est bon pour vous d'auditer leur programme et de leur demander de fournir la preuve des contrôles effectués. Et si vous êtes du côté du prestataire de services, ne vous contentez pas de renvoyer la balle au client. Trouvez comment adapter votre documentation de manière à fournir à votre clientèle suffisamment d'informations pour qu'elle ait confiance en votre capacité à gérer efficacement les risques liés aux quatrièmes parties et aux parties finales. Car si vous êtes un prestataire de services, si vous faites du bon travail dans ce domaine, cela peut créer de la valeur pour le client. Il s'agit donc vraiment de favoriser la maturité dans ce domaine, mais aussi d'inspecter le programme du tiers.

Alistair Par: Je suis tout à fait d'accord avec vous, Len. Cela correspond tout à fait à ce que nous disons, à savoir qu'il faut commencer par cet exercice de mise en place des achats dès le départ, lorsque vous vous engagez dans cette obligation contractuelle. Il est donc essentiel de déterminer quelles sont leurs obligations envers les tiers et les parties qu'ils gèrent. Et malheureusement, je pense que c'est une bonne question. Je pense que vous avez également abordé ce point, à savoir que la plupart des organisations n'ont pas la maturité et l'accord nécessaires pour pouvoir contrôler leurs tiers et s'assurer qu'ils gèrent efficacement leurs activités. Il s'agit en quelque sorte d'une demande réactive visant à s'assurer qu'ils s'en occupent. Nous constatons donc que de plus en plus d'organisations gagnent en maturité en établissant dès le départ certaines clauses contractuelles afin de s'assurer qu'elles gèrent les quatrièmes parties, mais là encore, vous ne pourrez pas externaliser complètement la responsabilité dans ce domaine. Cela ne fonctionnera pas. On s'attend à ce que vous travailliez avec eux pour identifier et suivre ces problèmes.

Len Solom: Eh bien, je pense qu'il est également important de ne pas se fier uniquement à la certification d'un rapport d'audit. Vous savez, j'ai travaillé assez longtemps dans le domaine des risques tiers. À l'époque, il y avait la certification SAS 70, et je me suis dit « mais maintenant, vous avez différents niveaux de rapports d'audit externe, mais vous devez aller plus loin et examiner la situation, en particulier dans l'environnement cloud ou dans un autre environnement, pour savoir quels contrôles sont assurés par le fournisseur, quels contrôles sont assurés par le client et ce qui est presque...disposez de différents niveaux de rapports d'audit externes, mais vous devez les examiner attentivement, en particulier dans l'environnement cloud ou dans d'autres environnements, afin de savoir quels contrôles sont assurés par le fournisseur, quels contrôles sont assurés par le client et quelle est la configuration. Vous devez également exiger la preuve qu'ils examinent réellement les rapports et effectuent une analyse basée sur les risques de ce qu'ils ont appris et vu dans le rapport. Donc, ce n'est pas seulement une exigence contractuelle, c'est ce que vous faites avec le rapport une fois que vous l'avez reçu.

Alistair Par: Et j'ajoute qu'il faut toujours vérifier la portée, au cas où celle-ci se trouverait dans un placard à balais quelque part.

Len Solom: Absolument. Parce que cela se situe au niveau du produit ou du service. Et je pense que c'est là aussi que la gouvernance des données entre en jeu, car les emplacements physiques perdent parfois de leur importance dans l'environnement numérique actuel. Vous savez, dans certains secteurs, l'emplacement physique des sites de production est très important, mais il faut vraiment effectuer cette analyse dans le profil du fournisseur pour savoir si vous obtenez l'assurance que vous recherchez ou si vous devez compléter cette assurance sur un sujet particulier qui est essentiel pour votre organisation ou votre clientèle.

Amy Tweet: Très bien, merci. C'est une excellente question. Passons à une autre question qui vient d'arriver. Je pense que cela a beaucoup à voir avec la période COVID. Beaucoup de fournisseurs n'autorisent pas les visites physiques. Est-ce que cela devrait poser problème ou quelles autres procédures pourraient suffire ?

Len Solom: C'est une excellente question, et c'est presque comme si nous avions parfois besoin de webinaires uniquement pour informer les prestataires de services. Je pense que la clé est de reconnaître que certains fournisseurs ne seront pas en mesure de vous accueillir sur place, mais qu'ils doivent alors avoir une conversation collaborative avec leur clientèle pour leur dire : « D'accord, mais voici ce que nous pouvons vous offrir à la place. » Voici des preuves supplémentaires. Voici des documents supplémentaires. Voici des preuves supplémentaires des contrôles ou comment vous pouvez utiliser la technologie virtuelle ou web de différentes manières. Il ne devrait pas s'agir d'un oui ou d'un non. Il s'agit simplement d'exercer la même fonction différemment. Alors, comment faire ? Tout commence par cette conversation et par une certaine flexibilité de part et d'autre. Il s'agit simplement de reconnaître les défis auxquels les organisations sont confrontées.

Alistair Par: Tout à fait d'accord. Et nous constatons que la validation virtuelle a été un véritable moteur au cours des 18 derniers mois, comme on pouvait s'y attendre. Hum... Et la clé, selon nous, c'est d'être concis et concentré, car le temps est limité, les gens se lassant vite de Zoom comme de tout autre outil. Nous avons donc généralement obtenu de bons résultats en leur donnant les critères généraux des preuves que vous souhaitez valider. Vous testez la pertinence de certains contrôles qui sont essentiels pour vous, mais vous ne leur donnez pas nécessairement les aspects de ce contrôle que vous souhaitez examiner. Ainsi, ils ne peuvent pas nécessairement acquérir le système dès le départ, mais ils ont le temps de préparer les documents pertinents. Cet exercice de validation concentré, ce test de pertinence, qui consiste à vérifier certains contrôles, offre au moins une garantie, ce qui semble être un thème récurrent au cours des 18 derniers mois pour nous.

Len Solom: Exactement, et l'année dernière, nous avons organisé une série de webinaires sur l'évaluation virtuelle. Nous avons même constaté des changements entre la première fois où cet événement a été organisé, au début du deuxième trimestre, et la fin de l'année, car les gens ont dû composer avec une équipe d'audit interne virtuelle. Ils ont dû composer avec une équipe d'audit externe virtuelle, des fournisseurs virtuels et des évaluations de risques virtuelles par des tiers. Donc, euh, beaucoup de processus ont changé au cours des 18 derniers mois et je pense que cela va continuer à évoluer.

Amy Tweet: J'adore cette expression, « validation virtuelle ». C'est génial. C'est vraiment une excellente question. Hum, nous sommes arrivés à la fin de l'heure. Hum, je veux m'assurer que tout le monde puisse profiter du reste de sa journée et si vous avez d'autres questions, vous pouvez contacter Lana Solom. Je pense que LinkedIn est un bon moyen de vous contacter.

Len Solom: Oui, ça me va. Et j'ai aussi listé mon euh...

Amy Tweet: vous voilà. Je vous vois. J'ai dû déplacer la question du sondage. Hum, mais en termes de prévalence, si vous avez des questions à nous poser, vous pouvez nous envoyer un e-mail à info prevalent.net. Suivez-nous sur LinkedIn ou Twitter. Encore une fois, nous vous remercions sincèrement d'avoir passé ces 60 dernières minutes avec nous, et j'espère que vous avez appris quelques bonnes pratiques sur la manière de gérer les risques liés à la protection des données dans votre écosystème tiers. Merci à tous, merci Alistister. Merci Lene. Je vous souhaite une excellente fin de journée à tous.

Len Solom: Excellent.

Amy Tweet: Au revoir tout le monde.

Len Solom: Au revoir. Merci.