Description
This panel-style webinar features third-party risk experts from BNY Mellon and Seyfarth Shaw as they discuss strategies for expanding the scope of assessment to address compliance, ethics, and diversity.
This webinar addresses:
- Risk mitigation strategies considering limited regulatory guidance specifically tailored to ESG disclosures
- The specific role that boards play in risk mitigation strategies
- How to treat Nth parties in the ESG risk assessment strategy
- Specific processes and technologies to improve governance
- The relationship between cybersecurity and ESG
Watch this webinar to gain expert guidance on how to add important context to cybersecurity risks in your third-party risk management program.
Speakers
Alba Imodar
Head of third party governance advisory group at BNY Mellon
Tracy Davis
Partner in Seyfarth's New York office in the firm's commercial litigation department and global privacy and cybersecurity team
Brenda Ferraro
VP of third-party risk at Prevalent
Transcript
Amanda: Hello everybody. I’m gonna give it a second to let you guys all trickle in. Welcome, welcome, welcome, welcome everyone to our second webinar of the year here at Prevalent. We have a really exciting one today with an incredible panel and we’re going to focus on ethics, compliance, and diversity. Uh there’s going to be no presentation. It’s going to be a panel only video discussion and we’re going to all chitchat about obviously ethics, compliance, and diversity. And I’d like to just go over a couple of housekeeping items for everybody. We are um muting everyone. We can’t see you either, but we also are recording the session. I want you guys to also please do the Q&A in the bottom. We want this to be interactive. Ask as many questions as you possibly can or want for the panel. Um As far as the recording, you’ll get it in your inbox tomorrow. Uh, that’s it from me. I’m going to go over the list of panelists and walk you through who’s going to be joining. Oh, this is Amanda, by the way, for Prevalent. I’m the host. Forgot to mention that. So, we have Alba Imodar. She’s the head of third party governance advisory group at BNY Mellon. Alba is responsible for strategic planning, organizational restructuring, client relationship management, compliance and risk. She oversees the strategy and execution of cross-functional transition plans for new business opportunities and high-profile complex initiatives for existing clients. Over her career tenure, she has a successful track record as a leader in managing complex client relationships, risk management, and transformation. Welcome, Alpa. Thanks for joining us.
Alba: So much Amanda.
Amanda: Of course. And we also have Tracy Davis. She is a partner in Seyfarth’s New York office in the firm’s commercial litigation department and global privacy and cybersecurity team. A highly seasoned litigator, she represents corporate clients in breach of fiduciary duty, deceptive business practices and complex contract disputes both in and out of court and arbitration and mediation. This is a mouthful. Okay. She is also a Certified Information Privacy Professional who is experienced in creating legal frameworks and advising emerging market stakeholders, board directors and C-suite executives on regulatory compliance and litigation risk mitigation and navigating the ever-changing landscape of fintech, AI and ESG. Welcome Tracy Davis. Thanks so much for joining us.
Tracy: Thank you for having me.
Amanda: Of course. Sorry if I butchered a couple of those words but we know.
Tracy: No worries.
Amanda: And last but not least, of course, the one and only Brenda Ferraro, our VP of third-party risk at Prevalent. She will be our moderator and asking these fierce ladies important questions for you guys to listen in and pay attention to. So with that said, Brenda, all you.
Brenda: Thank you so much, Amanda. That was great. You did a good job.
Amanda: Thank you.
Brenda: So Tracy and Ala, I am so happy to have you here today. We’re going to be talking about a very hot important topic that seems to be bubbling into everyone’s email inbox and forthright future to talk about where it’s ESG for environmental, social, and governance along with ethics and diversity and compliance. And how does that really relate to third party? You know, we’ve been working so very hard to make sure that we’re collecting information on our third parties, maybe even into the nth party on cyber security or business or financial. But now the scope has totally increased. We are now looking at so much more. So, I have some questions that I’m going to be bouncing off the two of you and we’ll be talking about strategies and and any information. But before we do that, I have a legal disclaimer because we do have a legal resource on the line. So, I’m going to read that real quick before we get started for another housekeeping item. So, and then we’ll come back to the questions. So, as far as our discussion today, our disclaimer is that the participants are speaking in their personal capacities only, and not on the behalf of their employer or clients. The content of this presentation is intended for general information purposes only and should not be construed as legal advice or a legal opinion on any specific facts or circumstances. So now, with that, back to our regular program. I feel like I should have said that a lot faster. You know how the radio shows are. All right, so the first question that I have I’m going to focus on um towards Tracy, so with the increased focus that we were talking about on diversity and inclusion driven by the market’s attention to ESG factors, what is the current state of the legal environment that public and private corporations and their boards now face when it comes to ESG generally and more specifically diversity and inclusion?
Tracy: So, uh it’s a good question to jump this conversation off with because of just the sheer breadth of ESG which stands for environmental, social and governance. Um, and it includes a whole array of various factors that looks to target stakeholders within an entity as well as within the market. Um, and why it’s so important to now understand what the landscape looks like is because that landscape is very young and there aren’t many regulations and rules particularly here in the US. Um much like in the uh uh early stages of cyber um currently the stages in privacy um it’s an ad hoc approach that the US has elected to take where um it’s a hands-off as far as specific regulations that govern um ESG. Well, what drives ESG what drives it is data. What drives it is metrics. What drives it is goals and targets. And right now where we presently stand there are no uniform um targets. There are no uniform goals. Um and so we’re playing somewhat of a game of catch-up whereas um just recently the EU which has historically had a knee-deep um uh framework for measuring uh and utilizing the data when it comes to environmental issues has been you know almost at the forefront of adopting the UN sustainability standards um whereas the US has taken somewhat of a hands-off approach but it cannot be a hands-off approach any longer um and we’re seeing that by regulations of for example the SEC just recently um made uh uh uh made uh proposals on um uh human capital and what needs to be disclosed as far as a listed company’s human resources. Um while that sounds like not much because really it’s taken um a less prescriptive approach and just said whatever is material to a company’s functioning is the benchmark. Um That’s that’s a head and shoulders from where we were once at one point in time. With respect specifically to diversity in that area, NASDAQ has just recently proposed a rule that says any company listed on its exchange has to have a diverse board. Um you know that the hopefully and it’s likely that that rule is going to be implemented because various states around the US have adopted comparable uh benchmarks. Um it says that by um the first year after implementation, you have to have at least one woman on the board. Um and by year two, you have to have at least two diverse um people, one woman and one diverse. And depending upon the size, the one woman, it may be sufficient to meet that threshold. But um again, it’s with those kinds of standards that we’re looking to get at least some goals that are uniformly established in this space. Um we were before jumping on we talked about uh BlackRock and Larry Fink just recently uh making it a mandate that any companies that uh BlackRock does business with has to meet the uh sustainability metrics that have been voluntarily um proliferated. Um and we’ll talk a little later on about what that proliferation of a voluntary standard means in a legal context. But just suffice it to say for now that um we’re talking about an environment where it is slowly evolving. Um and we’ll also talk about the risks because where you don’t necessarily have um a a specific set of regulations or laws, it expands the possibility for exposure and risks. Um, we uh in the compliance space, we like set laws. We like regulations. As a litigator, I can tell you the law certainly knows how to make up for those areas where there are no prescriptive standards. But hopefully that answers your question, Brenda.
Brenda: It does. It does. Thank you so much. Very well said. And I like how you put that it’s young and being that it’s going to possibly be a Ian event, Alpa, what what are you doing at BNY Mellon, or in your expert opinion, what should be should be looked at in order to address what we’re facing?
Alba: Yeah. So I mean look I’ll agree with what Tracy just said right I mean we don’t have specific regulations and laws uh we’re still as we call evolving um some industry more than others but I can talk about financial industry right I think now the board is making the organization accountable from a strategic perspective right so we are now looking at the company culture and saying as we bring in these suppliers or vendors are we making sure that vendors and the chain management are having the diverse either it’s 100% women-owned either it’s small businesses either it’s different ethnicity um either it’s you know looking at Modern Slavery Act so I think now we have specific metrics again each industry we don’t have a standard as of yet as Tracy talked about but in the financial industry I think we are getting more and more evolved in a sense of measuring against some of these criteria, either it’s environmental, either it’s climate, um either CO2 emissions, all of these criteria we’re now evolving and we want to do business based on these data sets where we’re saying we’ll only operate and we have to be 360 on our suppliers, right? It can’t be I’ve had relationship with Xender for 50 years and not really doing our due diligence and making sure that they meet the ESG and the ethic compliance and diversity criteria.
Brenda: Very well said. So I think I’m going to jump. It’s it may feel like it’s a little off-kilter from what we just talked about, but it’s still connected in my mind. So Ala, I’ll pose this question to you first. Where does continuous monitoring fit into ethics and compliance and diversity and ESG everything that we just talked about?
Alba: Sure. Well, you know, I’ll take a second and talk about continuous monitoring first and then we can kind of deep dive into the ethics and compliance diversity. Um, pre-COVID, if you think about how the third party governance was managing or the risk was when we would onboard a client we would do our due diligence based on the risk assessments right so if they were high moderate low based on that criticality we would do an ev you know we will do an assessment either every year every other year every three years right now given the COVID everything kind of accelerated that path so what you knew a year ago or two years ago isn’t good enough to do the business because of the company either depending where the concentration their location was um their financial viability their operational risk. So continuous monitoring played an amazing or very critical role in understanding risk which means we wanted to see real time alerts right we had to monitor these vendors not periodically not when we are onboarding but continuously now we take the subset and the question you asked Brenda is how do we do continuous monitoring with ethics compliance and diversity so now we started really auditing and looking at all the inventory of our vendors really looked at start looking at the criminal conduct right started thinking about you know what are the transactions that we are occurring and are we reviewing those transactions and do they meet the criteria for ethics compliance and diversity so I think it’s now starting to put specific metrics measuring those metrics and then being consistent because I think that’s one of the biggest challenges especially in the financial industry is and there you know Bank of New York Mellon 233 years old legacy systems infrastructure how do we make sure we have consistency so I think those are some of the things we’re looking at continuous monitoring again ideally if I were to look at it future state is you would have proper regulations and laws and metrics that we get measured but right now I think each company is kind of trying to evolve and think what actually is their risk appetite and then coming up with the metrics that affiliate with that industry Tracy I don’t know I mean do you agree with some know that or
Tracy: I I agree 100% with you Alpa. Um it the monitoring piece is what helps to protect against exposure from liability when the um issues come up much much later down the road. Um you’ll find that right now there are uh at least eight lawsuits that are pending against corporations um for their diversity and inclusion. Um inactivity. Okay. And while they have standards and practices and policies and programs um that range from you know uh pay equity to you know anti-discrimination to you know uh how they vet third party vendors. Um having those policies doesn’t do much unless they are actually implemented and practiced. And it’s the monitoring and what that data provides you with that is the guard rail between um exposure to liability if in the event there is a similar kind of claim brought and not being um and we’ll we’ll talk about the levels of liability that exists on the back end but you’re absolutely right Alpa it is through that monitoring um and the expectation of the market the market now has the capacity to do real time data analyses and they’re doing it um through the rating and ranking agencies. We you know there there are corporate profiles out there that are being utilized not only to assess shareholder value but also to assess risk. So when you’re looking at what kinds of third party vendors you want to engage in um it is worthwhile doing that kind of due diligence that would involve um uh analytics.
Brenda: So speaking of litigation the next question actually is about that I don’t know how you teed me up because I it was great. Um, so with so little regulatory and legal guidance specifically tailored to ESG disclosures, what type of risk mitigation strategies and litigation avoidance tactics can be used by the corporations in the audience which want to remain competitive in the ESG space?
Tracy: So it starts with an overall assessment um You have to look at your overall through the 360. Look at the overall structure of the corporation itself from starting from the board through um senior management all the way down to workers as well as third-party vendors um to see exactly where you presently stand with respect to diversity. How what kinds of um uh diverse individuals are occupying those senior roles right now? Now the focus is only on boards, but I can tell you that um uh I attended uh the World Economic Forum last year and um Jamie Dimon, hate to mention a competitor at this point, but was specific in saying that his intention was to look not only top down but uh vertical vertical as well to see who in the supply chain was meeting the standards and commitments and that’s critically important. Um it’s important that you know you do that 360 so that you know your organization you know where your organization stands not only vis-à-vis its suppliers but vis-à-vis your competitors. It’s not a one-size-fits-all. So it does require this broad deep analysis to see where you stand with respect to um the industry that you’re in the um the uh the the your competition your size Obviously that will factor into any analysis as to what um efforts are being undertaken as far as diversity and inclusion. Um your employee practices um how you handle claims of discrimination. Um doing that 360 is the first step. The second step is for you then to look at your policies and practices. Um do they need to be modified? How are they being implemented? Who’s responsible for the implementation? Um you will see that um more and more there’s chief sustainability officers. Why? Because that means that the responsibility for accountability is housed in one person. Those factors are critical when it comes to making certain that you uh guard the institution from these claims. Uh the monitoring which we already talked about um you know looking and being knowledgeable about the industry standards where there is no law those industry standards become even more critical. Those are just some of the factors and mechanisms that can be employed to protect document document document um you know documentation data is your friend um as long as you’re keeping that mindful eye on that data and you don’t have any inconsistencies between what you’re what you say you’re doing and what the numbers prove you’re actually doing. So, those are just some areas, but it it’s a full panoply of techniques that can be utilized and must because I don’t think that there is any company or industry that’s not susceptible now um given the prevalence and BlackRock.
Brenda: So, I like the way that you put the one, two, three together. Alpa, do you have some to add or do Um
Alba: yeah no I do I mean just one I think quick um data set right ESG in 2018 I think was 30 trillion okay and it’s going to get the revenue that we grow from it and it’s going to be 50 trillion over next 20 years so as what Tracy was stating right this is going to be critical for any industry uh by ESG is going to be how we monitor how we analyze and how we participate um the other thing what I’ve noticed what Tracy was talking about is our investors our clients and even my employees are asking how is our organization being part of ESG it’s not just good enough to be able to voluntarily or giving right it’s about investing properly so are we investing in ETFs that are ESG focused um and that’s where I think the mindset is changing towards right because companies when they’re hiring for employees they’re asking how are you giving back what are you doing on ESG space which is very different 10 years ago so I think it’s being able to not just you know do it for your employees but it’s to be able to sustain our society we have to start focusing on ESG and how we manage that process
Brenda: great
Tracy: I just want to add one thing because I think that it’s there’s a mental framework that you can use to sort of think about this topic and it’s important to understand that corporations under the law are viewed as individuals they’re viewed as people. So, you know what’s happening now with ESG? They’re just really elevating them to be responsible members of society. So, it’s really important to just use that as an anchor when you look at some of these factors.
Brenda: Great point made Tracy. Couldn’t agree with you more. I love that what you just said. That’s amazing.
Brenda: It is. All right. So, we’re going to talk about the broader scope of you, you know, you talked about the individual and being accountable. Well, we’ve got this supply chain that just is expanding. We used to just have to look at suppliers that were providing cyber security type handling and hosting and now in some of our organizations and industries we’re branching out. And so with that supply chain expanding past cyber security into nth party assessments where it’s I’ve I’m working with a vendor, that vendor is working with another vendor on the same engagement, that vendor is now working with another one. It’s like a domino effect. What since that has become the the hot topic and we’re really looking at resiliency and stabilization factors and what are those risk components drivers that will give us the clear visibility into those partnerships and that long chain of support or that landscape. How are you Alba handling the increase or contractual nature of both of those when it comes to something so stringently assessed or even have to discover of what was been doing what we’ve been doing in the past versus what we need to be doing now.
Alba: Yeah. Look, I think the whole landscape like you said has changed and I will say a lot of it has accelerated because of COVID right and we have actually been impacted either it’s something basic as toilet paper right how you know what the supply chain and the impact it had to everybody so I think look as an organization now it’s not good enough just to know your third party but like you said the nth party because there’s a significant impact because like you said it’s a domino a ripple effect. So one of the things we’ve started looking at is you know to really just changing our policies, our contracts, right? Where now in the past we never have asked who are your fourth parties or your fifth parties but now one step further where are those fourth parties and fifth parties based out of right because the location does make a difference then we’re going one step further within those parties uh what’s the diversity mix right because now we are being accountable I will say EMEA um has as you know because of the regulations they’re now asking us tell us what your nth party is showcase out of those how many are based out of cloud right so I think I will say EMEA is a little bit advanced compared to us but being a global organization I think what we’re doing is rather than waiting for the regulators we are globally changing this process so I think is look we’re doing extra due diligence um we’re changing our contractual process we’re also changing the way how we do due diligence in general right so it’s not just good enough to saying, “Hey, I know my vendor and long as they can provide an ex service, it’s good enough.” It’s are the vendors following the code of conduct that you agree with, right? And are they then trickling down to their fourth and fifth and sixth parties and are they doing that same due diligence? Because in the past, I can honestly say saying, “Well, listen, I only know my third parties. I don’t know what they do with fourth, so I’m out of that mix and I’m not accountable.” Now, the accountability lies in with these nth party. So, look, I think we’re being very stringent. We are now being again doing extra due diligence, understanding the risk that it can pose based on where we do our performance of that service and then understand it because I will tell you when COVID hit when we had to send out surveys we had no idea where the concentration risk was lying because this is the first time it affected all countries and regions it wasn’t New York centric like 9/11 it wasn’t centric on a hurricane that happened either in Philippines or in US or somewhere else it affected us all so I think it has accelerated the path and now we are being more and more accountable for the parties that we actually provide services to us.
Brenda: That’s really well said and and Tracy the one thing that I think about that you might be able to apply a little bit from a legal perspective is what I used to hear when I was doing assessments in the back in the day they would say well we’re not liable for those vendors that you know they do their own assessments they so how how do we address that?
Tracy: So it’s a it’s a really good question Brenda because um you know uh Alpa’s focus on contracts that’s really where the protection lies. If you don’t have a really strong uh contract management um and look at those standard provisions that usually you often just gloss over. Um it is where uh you find either protection or exposure to liability. So you know what do you do? Um not only do you take a look at you know indemnification clauses But you look at the strength of your third party vendors, your nth vendors, because you know, when it comes to a a lawsuit, they’re just looking for whoever has the deepest pocket. So, you’ll get swept up. Um, indemnification provisions, uh, knowing your doing that due diligence. Um, I, you know, right now the ESG has not bubbled up, but I can tell you that the FTC looked to hold a purchaser of a third-party vendor liable for their failure to have met the privacy statements that that purchaser had adopted. And um you know where you’re those third-party vendors are relying on artificial intelligence which has a whole host of other risks embedded in and of themselves. They’re not going to they are going to look to the supply the to the purchaser to determine whether or not that purchaser has done the due diligence that’s required that has done the constant monitoring and assessment of that tool to see whether or not that tool is violative of of the end users’ rights and entitlements. So it it means just as Alpa said that the due diligence is critically important knowing who they are and what they’re doing and whether or not they meet your own code of ethics. All of those are critically important in this type in this environment. More laws will come, believe me. Um it’s just that until then, there’s still exposure. There’s still risk of liability. And what has to happen is going back to the very basics.
Brenda: That’s one of our marketing phrases that they love is go back to the basics.
Tracy: Yeah. It’s the truth.
Brenda: So, so speaking of the increase of the vendor population into the nth tier. Um, and with the increase of that, there comes the increase of AI in the human resource space. So, as well as a multitude of other places that you were talking about, what’s the current state of the law in the US and what are the legal risks and risk mitigation strategies that the companies on the line could impose or or start to use?
Tracy: So, it’s about it there. Let me just start off with the landscape. Um unlike uh ESG in the US there really is no guard rails. I mean you know you look to data privacy policies and provisions you um whether it’s on a state level or an industry specific level. You look to cyber regulations that many states now have adopted as well as you know uh uh federal as well as state regulatory agencies have adopted um and you look to see whether or not there’s compliance on those fronts. So how is the data being stored? How is the data being used? But you know even there with how that data is being used there is a huge risk of exposure on um just the efficacy of the AI software that’s being used. So um for example um study after study and it’s widely known that um there uh is a high risk of biased outcomes um and of artificial intelligence particularly where you’re doing risk assessments um or you’re having um you know predictive analytics and making um u automated decisions in that space. It’s it’s it’s almost like a it’s a it’s a trifecta for a a a good class action lawsuit because if if it can be established that the um the uh the software does in fact have biases and has biased outcomes and that you know it’s making critical decisions about lending for the end user a consumer um that’s where the exposure lies there and that consumer is denied or deprived of an economic benefit or an opportunity. That’s the classic deceptive practices class-action lawsuit. And it doesn’t matter that you know the purchaser of that software, the user of AI is unfamiliar with the application or its mechanics or um how the data was populated. They are going to be held responsible for utilizing that service. So what can be done you know There are now all sorts of um uh there’s all sorts of technology out there that does allow for the testing of that um of that uh algorithm. There’s a whole host of uh standards that require transparency for how that system operates. Testing, you know, testing is critically important in this space. Um is it being routinely tested for um disparate outcomes? Is it being monitored for what kinds of data is populating it? You know, um garbage in garbage out sort of principle. And if you don’t take precautionary measures to see well, how is that data being populated? Who’s populating it? How is it being tested? You’re all of those it goes it goes right back to due diligence. And so if you fail to take those proactive steps and you just blindly utilize AI, you’re on the hook. You’re exposed.
Brenda: Yep, I agree. What do you think, Alpa?
Alba: No, I mean, look, I agree with Tracy. Uh, look, AI is making significant inroads, right? And especially in lots of different sections, either it’s in human resource side, um, either it’s on the supply chain management side. Um, but one of the things like you said, the critical is really understanding the data and the algorithms, right? Because if you don’t do those accurately, there will be a significant impact from a legal perspective, reputational perspective, uh and then operation. Uh one of the things that we we are using AI and most companies are right but again we’re using that for significant amount of volume of data but still having human touch actually looking at that and analyzing it right so you have the second pair of eyes really understanding to make sure that what we’ve actually programmed and the algorithms and the rules that are set up that are working efficiently. Um I also think you know we’re using them a lot on the HR space where in the past we forgot to notify the applicant significant issue right from a legal perspective Tracy that you would get all these people coming in saying I wasn’t notified that there was an AI approach um and I was selected um once the AI has been used from the video perspective on the interview did you get the right consent from the applicant and then more important even after the applicant is did you destroy that once that process was done and a lot of times the you know industry is like well we have the data we didn’t destroy it or we couldn’t evidence the destroy um aspect and how many days is that 30 days 60 days so I think you know look this is a great space um I think like I said it’ll transform technology but we have to be extremely cautious like Tracy is saying right because if we don’t use this information accurately there could be significant impact to the organization and industry so again as great as these technologies are let’s be very mindful how we use them make sure you understand the data the algorithms and the process Um, and it can’t be fully automated, right? You still need to have people analyze that information and give people enough, as I called, enough information and notification so people are aware what kind of data they’re using.
Brenda: Yeah. If you take it back to like the the back to basics on third party risk, you have sometimes platforms that can put configurations in and put some tags on and and make adjustments and send out assessments for relevance, but you still have to have that human in touch to make sure that you’re applying the right ethics and you’re not making decisions based on just responses coming back or continuous monitoring threat analysis that says, “Oh, this particular vendor is going to be risky because they’ve got all of this stuff that’s happening in the wild.” You pretty much have to say from an ethical perspective, we’re here to help you secure your security space. We know that this is out there. How can we fix it with you?
Alba: Like I said, it’s connecting the dots, too, right? Because in isolation, that event could trigger something, but if you think about the holistic enterprise relationship with that vendor, it might not be, right? So I think it’s also, like you said, how do you analyze that information? You take one snapshot and think it’s a huge issue, or it could be vice versa, it might not be, and you have to come in with the human lens saying this is our bread and butter of core businesses and this could significantly put us in jeopardy. So I think it’s being able to have that. So, you know, I agree with you, Brenda.
Tracy: I want to just add one other thing that is critically important. And it just ties into Alba’s recognition that providing notification is critical. That notification needs to be in plain English. Okay? It’s not going to afford you the protection that you’re looking for if it’s incomprehensible. We’ve already been through this before with consumer financing and, you know, the disclosure requirements there. We’ve already been through statutes that have been on the books for quite some time that talk about the need for notifications to consumers generally to be in plain English.
Brenda: Agreed. And with that being said, there are some situations that we’ve had to deal with with regards to COVID, work from home being one of them. How does ethics, diversity, and compliance, or ESG, come in, or what kind of techniques have we had to look out for based on that shift in the risk vector? So, for work from home, what would you have to say, Alba, about what we could be doing a little bit better, or even for the first time?
Alba: With regards to that, I mean, we all had to adapt very quickly due to COVID, right? Everybody had to be working from home, right? It didn’t matter if you were a trader or you were an analyst. So I think one is, you know, quickly adapting: do you have the right infrastructure to be able to do that? I think the second thing was just pure supply and demand. So I will tell you, in some of our locations we just didn’t have enough laptops at the beginning of COVID, right? And we were literally, I mean, shipping desktops to different places just to be able for people to work from home. But once we got the hardware, I think it’s being able to monitor the software and the people behind it, right? And, you know, it’s very, very challenging, and one of the things that I find is we’ve now invested a lot more in some of these vendors that are looking at our IP addresses, that are actually looking at, you know, your day-to-day access. Are you touching sensitive data, and do we have the right protocols or additional security measurements, not just the RSA token? But should Alba really look at the data of all the trade settlements that occur today, given the fact she’s actually in third-party governance, right? Well, because Alba used to be in the business, she had that access, but now she’s in third-party governance. So, I think it’s really re-evaluating from ground zero, looking at each of your individual employees, looking at their accesses and what they’re actually utilizing. So I think that’s back to the basics, as we talked about. The second thing I think we learned about is, you know, a lot of people use their personal laptops. Are these virus software updates, have they kept that on track? Because organizations now are putting themselves more at risk when people are using their personal laptops and, let’s say, they didn’t buy the antivirus software or the anti-malware. So I think we need to be extra cautious in how we operate that.
So I think one of the things we’re doing is we’re saying you cannot use your personal laptops. Everybody has to be on a company device. I think now the additional monitoring has kicked in, right? So we’re now not just monitoring your VPN access but all the software. In the past, you know, when you were in the offices, it was very hard for people to take the data and share it. Now, because you’re in your household, people have a little bit less reluctance. It’s very easy for somebody to take that information over the phone and talk to them. They can take a picture from their iPhones and be able to share it. So how do we make sure that the data that we’re presenting has additional screen filters, so when you are trying to take pictures it will not allow you to take that information? So look, as an organization we had to adapt very quickly in order to make sure that we protect the data we have and the risk affiliated with it. Are we there 100%? No, we’re not. But the fact is we are all learning this very quickly. So, as I call it, you know, drinking from the fire hose. But we are trying to utilize as much as possible: what are some of the technologies that we can use in order to prevent the risk that could potentially impact us as an organization?
Brenda: How about you, Tracy, from a legal
Tracy: So, I’ll go back to the basics.
Brenda: Yeah.
Tracy: Back to the basics again. You know, send out reminders of what good protocol, good information governance practices are. Also do training, have top-down training. I know that within my organization we all have mandatory training that has to happen by a date certain, recognizing that, you know, there are some third parties who have protocols on exchanging information vis-à-vis personal devices. Knowing what those protocols are, you know, when we work with financial institutions they don’t even want data sent by us utilizing our personal devices. So, being mindful, as an attorney obviously we handle confidential information, being mindful of who’s present when you’re utilizing and accessing that information. Make sure that that data, to the extent that it is printed out, is kept with some sense of security, and destruction of it when it’s no longer needed. So we recommend just going right back to the basics, but it’s encouraging to hear that assessments are being done. You know, we are in a different environment. So that does call for doing another 360 to see exactly where things stand organization-wise.
Alba: And like you said, the training is so critical, right? Because now we have more opportunity for hackers, right? So even the basic phishing emails, right? You have a package order, you open the email and then they get your IP addresses. So being able to train the employees differently based on the current environment, because everybody’s working from home. How do we make sure that you are secure, and how do we train them? So I think, like you said, Tracy, training is key, critical, and you have to change that training, right? What you had a couple of years ago, you can’t just reinstitute that. You need to change those processes, saying, you know, what are some of the different ways people can attack your mainframe systems, or even, like you said, the software?
Tracy: And let me just say it, we’re under extraordinary circumstances right now, and that will be factored in. But if, for example, a problem comes to the attention of an organization and it’s left unaddressed for an extended period of time, that’s when there is liability and exposure, because it’s through knowledge and inaction that culpability and liability are often assessed.
Brenda: So, we have time probably for one more question and I have two. So, I’m going to combine them together because I want to give the panel the opportunity to answer questions from the audience. So, I’m going to address it to Tracy first. What specific role do the boards play in the risk mitigation strategies, and then what claims can be asserted against those corporate boards?
Tracy: So, the corporate board and its structure are critical to our entire conversation because that’s where the buck stops. They are the ultimate body that is held accountable for the acts of a corporation. I said that a corporation is really a fictitious person. So who’s responsible for that fiction? It’s the board of directors. All of it resides in them. They are going to be responsible for having the knowledge, the expertise, the undivided loyalty that’s built into their panoply of fiduciary duties that they owe to the entity itself as well as to the shareholders. The exercise of those duties is going to dictate exactly what approach, what kind of mission the corporation is going to take. I mean, with ESG and what are called non-economic factors, there’s a whole debate going on whether or not it’s incongruent with the corporate mission to be profit-driven to even adopt some of these factors. Well, you know, with a publicly listed company you’re almost forced to do an analysis to see exactly how the bottom line is driven by diversity and inclusion, for instance. So why is it critical? Because it is the board that has to make certain that management has devised and developed an overarching strategy, that where that strategy has been adopted there are policies and procedures to implement the strategy, and to see to it that those in management who are responsible are held accountable. So what’s the incentive? Because if the board members individually fail to meet these duties, these fiduciary obligations of being knowledgeable, of being loyal, of overseeing what management is doing, if they fail in any way they can be sued for breach of their fiduciary obligations. It sounds scary because it is scary. When I say they can be sued, I mean personally liable, where, you know, their own personal assets are at stake.
Now there are mitigating factors. You know, if you’ve ever heard of the business judgment rule, that’s a rule that says if you take reasonable care to meet these fiduciary obligations, then even if you mess up and the decision turns out to be wrong, the court’s not going to hold you liable because you were acting in the best interest of the corporation. However, it’s always a gray area. You know, did you act with undivided loyalty to the corporation? Did you ask the right questions? Did you do enough due diligence? Did you make certain that you hired and retained the right management? Was the board composed of enough of the expertise that’s needed to make informed decisions? And so it’s critically important that the board not only assess the organization but assess itself, to make certain that it has the wherewithal to meet those fiduciary obligations. D&O coverage is out there, obviously; it provides some protection, but not all, there are exclusions there as well. So why do I say the board’s role and involvement are important? Because they are ultimately going to be held responsible. There are some day-to-day decisions that the board of directors never even needs to be involved in, because they’re not responsible for the day-to-day. But I can tell you, when it comes to ESG, when it comes to cybersecurity, data privacy, these are so critically important that they are now looking at having chief sustainability officers and making certain that they get periodic reporting on these factors and where the company stands in meeting those benchmarks.
Brenda: Alba, back to you.
Alba: Yeah. No, look, I couldn’t agree with Tracy more, right? I think one of the things I’m seeing is now there are many more board positions for an ethics committee, right? I think it’s having more CISOs come in, because, like you said, now the board owns that accountability, and do they have the right talent, the people who can evaluate some of the cybersecurity risk or operational or compliance risk? So I think the board composition is changing because, like you said, they’re accountable and they’re saying, wait a minute, I need somebody who can really understand the ethics, the cyber element of it, environmental risk, and who can guide us to make sure that the company is following those processes. So I think, like you said, you’ll see more and more board opportunities for all of risk and third party, and especially on ethics and diversity, because they’re going to be accountable.
Brenda: Great. And I see Amanda has popped on because it’s time for Q&A, but before she does, sometimes I don’t get the opportunity to say thank you to both of you for your wealth of knowledge. It has been a pleasure and an honor, and I can’t wait to see what questions we have. So, over to you, Amanda.
Amanda: Thank you. Thank you both so much. This was incredible. We do have a poll question prior to the Q&A. I’m just going to throw it up for everybody to participate in if possible, and it’s going to say: are you looking to augment or establish a third-party risk program in 2021? You heard here first the criticality of even continuously monitoring your vendors. So we even think about that when we’re asking that kind of question as well. So I’ll leave it up for a little while. The first question I had was from the beginning of the session. So it might sound a little like she’s talking to you guys from the beginning, but this was from Dorothy Rodriguez. So Dorothy, if you’re listening and if you want me to ask it a different way, please chime in. But she said, “10 years ago, I worked in third-party risk management for a manufacturing company where these were our primary concerns. However, all of the manufacturing was done offshore. Is this discussing what is required for vendors in the US now, or moving to also now encompass service industries as well?” I don’t know if anyone can get an idea of what she’s asking, that, you know, manufacturing might be a little bit ahead of the game, I assume. Is that what they’re going towards?
Alba: It might be, right? Because look, each industry, if you think about the healthcare industry versus the financial industry versus the automobile industry, we all have a very different trajectory and impact, right? So manufacturing could have, I mean, again, I don’t have the question clarification, what they’re going towards, but look, it is changing the journey and we see that now more than ever.
So I think, look, it depends on the industry, but at the end of the day we are all accountable. It doesn’t matter, it’s industry agnostic. You need to understand what business you’re operating, what location, and do you feel comfortable with the ethics, compliance and diversity of how they run that business. That’s how I would answer it based on the question that was portrayed.
Amanda: Well, hopefully that helped, Dorothy.
Tracy: Go ahead. I would just add to Alba’s remarks that, look to your industry. I mean, that’s the guide. So I may not have been able to mention it during our talk, but those industry standards will be infused in the lawsuit. So, you know, don’t think that it’s just voluntary. It’s an aside. I can do it if I want to. You know, where there is no law and the court is looking to see whether or not you’ve somehow or another created a risky situation for the defendant such that it caused the defendant harm, they’re going to look at the industry standard. So, you know, while we may not be able to say here and now with definitiveness whether or not manufacturers are being impacted by, you know, ESG and diversity, look at your competitors, look at the industry standards, go to your industry associations, and they will all have a position on this, you know, in some form or another. And if it doesn’t break down under ESG, look for discrimination, look for diversity. Those key words are critical under the ESG umbrella when we’re talking about this topic.
Alba: Like what Tracy said, even the regulators, right? Because, like you said, the regulators are also going to say, within your industry peers they’re doing X, are you aligned, or are you complying with something similar? So it’s not like... I think it’s one step further than what Tracy said. It’s, you know, look at your industry peers, look at some of the consortiums, but the regulators are also going to come to you by seeing the best practices within that industry and then making sure that you kind of partner, or you’re aligned, with those overall best practices.
Tracy: Let me just add one thing, and I don’t want to take up the time for other questions, but if you’re regulated by the FTC, if you’re regulated by a local state agency, get on their mailing list. They are pumping out information every single day, okay? About guidelines, their thoughts, remarks from different presentations. Get on the mailing list.
Amanda: That’s a smart move. Agreed. The next question is: how to identify or get notified of the environmental changes pertaining to third-party vendors, to support continuous monitoring?
Alba: So look, there are a lot of services that are out there. You know, there’s SecurityScorecard, there’s Supply Wisdom, there’s, I mean, a bunch of them out there, and I think it’s based on your risk and criteria. It’s also, as an organization, right, how you monitor these. A lot of this information is available through, you know, social media, Google, but you need to be very careful, right? Because some of this information might not be accurate, right? You might have outliers or falsified information, and you do not want to take a decision without, again, proper due diligence and understanding. So one thing I strongly recommend, especially if it’s your critical vendors, is really be in touch with them on a monthly, bi-weekly, whatever cadence you want to set, because the people who will know their businesses are the people who actually do this day in and day out, right? So if you have a proactive approach where you’re constantly in touch with these vendors and understanding their portfolio, their risk appetite and what they’re doing in that space, I think that’s one way of continuous monitoring, because you feel fairly comfortable with those vendors and how they operate. So I think that’s one example I would provide, and then, actually, like I said, there are a bunch of vendors out there that you could utilize that, you know, charge you for continuous monitoring services.
Amanda: Prevalent’s one of them.
Alba: Yep.
Amanda: Prevalent’s one of them. There you go.
Brenda: Shameless plug. Shameless plug.
Alba: Genuinely, credit-wise, look into it.
Brenda: Well earned, well earned. Tracy, anything to add from you for this question?
Tracy: Uh, no. I echo what Alba said about it. It really is about building trusted relationships. I mean, you will hear this word bantered about so much more now than ever. And part of that is because we’re all trying to, I guess, wrangle in the benefits and utilize the resources that technology has to offer. And to monetize the plethora of data that’s available, you just have to be in a trusted relationship with the parties that you do business with.
Brenda: Yeah, I agree.
Amanda: I have one other question that I think is broad enough that it will probably fulfill the rest of our time here, but I want to ask you both to get into your crystal ball for a second and see how you see the role of ethics, compliance, and diversity in third-party risk changing later this year or beyond.
Alba: I said, Tracy, do you want to go first, or...
Tracy: Yeah, I’ll go first. I think we’re going to see a coalescence around standards and goals and metrics. I don’t think that this is a complicated analysis. I think that it’s just new, and it’s a different lens through which we’re all going to be expected to do business, and the market is going through, you know, growing pains. So I think we’re going to see a coalescence of standards. I think we’re going to see increased regulation, particularly in the climate environment. I’m hopeful that we see more in the diversity arena. I think it can’t help but happen because of the business case now, which I think is widely accepted, of the added profitability resulting from increased diversity. So I think that we’re going to just see a more standardized approach in this area.
Alba: And I think you’re going to see, like you said, the regulations are going to be more stringent, the laws, but I think the organizations are going to be very selective who they operate businesses with, and if you do not meet that criteria from ethics, diversity, compliance, I think, you know, you’re not going to be in the game for very long, right? You know, you’re going to be antiquated, or a dinosaur, in fact. So I think most organizations will have to embed this. It is the right thing to do for our society, and especially, like you said, you know, it’s going to be a lot on climate, environmental, but I think it’s going to be more focused even on poverty and human rights, right? Because of the labor laws and the impact of human trafficking, you’ll see a bunch of that impact, and, like you said, earthquakes, heat waves, water, which we know is going to be a precious commodity. So you will see a lot more coming in, and I think people are going to be much more accountable, but they can’t blame the organizations or hide behind, you know, their supply chain management or other processes, right? It’s not going to be just the bottom line; it’s the bottom line plus how are you helping society overall.
Tracy: And let me just add this: with the data available out there, accountability is just so well within reach that, you know, there’s no way out. You know, you can’t just greenwash or whitewash a situation. You have to put your money where your mouth is.
Amanda: Yep. Times are absolutely changing and you’ll need to do that. I agree. Well, thank you all so, so much. That’s all the time we have for today. We’re right at the top of the hour. I do this wrong every time. Um, but Tracy,
Alba: Thank you, Brenda. Thank you, Brenda, who gave me an opportunity to be with this amazing panel. Tracy, it was fabulous. So, thank you so much, and wishing you all to be safe.
Amanda: Yes, we already got feedback of how great this was and people are asking for the recording. So, as a reminder everyone, it is recorded. You’ll get it in your inbox tomorrow. So, thank you all again for joining and we’ll see you next time.
Brenda: Bye.
Tracy: Bye.
Amanda: Bye.
©2026 Mitratech, Inc. All rights reserved.