Description
A steady stream of new and revised data protection regulations is pushing privacy, information security and compliance obligations to converge. Privacy and data governance now extend to fourth and Nth parties, which will force many organizations to refine their risk management and supply chain processes.
Join this webinar with Linnea Solem, founder of Solem Risk Partners, to:
- Learn the key privacy and data protection regulatory trends affecting third-party risk
- Get an overview of how the EU Standard Contractual Clauses (SCCs) affect due diligence, third-party assessments and risk monitoring
- Evaluate review and remediation strategies for reducing data protection risk in the supply chain
- Review the implications for executive leadership, from both the outsourcer and the service provider perspective
- Discuss reporting requirements and data protection frameworks
- Get step-by-step guidance on using the European Data Protection Board's six-step process to simplify and align processes across enterprise teams
Register for the webinar for best-practice guidance on managing data protection risk across your third-party ecosystem.
Speaker
Linnea Solem
Founder, Solem Risk Partners
Transcript
Amy Tweet: Okay, we're live. Welcome everyone, we're very glad you could join us today. If you're watching live, thank you for taking the time to be with us. While you get settled in, I'm going to launch a quick poll; we're genuinely curious what brought you to this event. So, while we wait: maybe you're here to learn and want to know more. I'm very much looking forward to the experts I'll be introducing shortly. Or maybe you're doing early research for an upcoming third-party risk management project. Or maybe you're not yet sure exactly what you need, in which case this webinar, "Six Ways Data Protection Impacts Third-Party Risk," is right for you. Perhaps you want to stay engaged, or you may be an existing Prevalent customer who wants to keep up with what's happening in the industry. Give me a moment and I'll go over some housekeeping. I'm Amy Tweet, Business Development Manager at Prevalent. My job today is to make sure every question you have for Linnea or Alistair gets answered. You can use the chat or the Q&A feature below to ask questions, and I'll make sure they get passed along. Now let's get right to it and introduce today's expert guest. We're honored to have Linnea Solem with us. She is a former Chief Privacy Officer with more than 30 years of experience with regulated service providers and in the risk industry, and she is the founder of Solem Risk Partners. Linnea, how are you today?
Linnea Solem: I'm doing well.
Amy Tweet: Great. Glad to have you with us. We also have Alistair Parr joining us; you can see his face below. He is Vice President of Global Products and Risk at Prevalent, and you'll hear from him toward the end of the webinar. If you have any questions about Prevalent, feel free to ask those as well and we'll help you out. A reminder that this event is meant to be interactive, so please do use the chat and Q&A features. The webinar is being recorded, so if you have to leave early or can't stay for the whole session, we'll send the recording to your inbox first thing tomorrow morning. So let's get started, and I'll hand it over to you. Okay. If you have any other questions, please use the chat. Go ahead.
Linnea Solem: Okay. Excellent. Thank you so much. Well, welcome everybody. We're going to have quite a bit of good discussion today. There we go. So, as Amy introduced, this is a bit of my background. I have been in the outsourcers. I have also been on the service provider end. So I'm really going to weave together today data privacy, data protection and third-party risk, and there's a lot of hot topics. So let's right now get into our discussion.

So, converging topics. As I outlined, why are these topics important? We all know that you have to follow the data. The data starts the conversation in terms of any dialogue between an outsourcer and a third party. But managing data is much more challenging in today's environment. Even technology like online meetings creates new data challenges, right? So data protection and third-party risk are really converging, and as we talk through these topics today, I've listed quite a few terms that will be woven into the dialogue and the narrative, but what I'm going to focus on is less how you build these things, but spotlight some of the challenges and opportunities and things that are shifting. We've got a lot of divergent topics and quite a significant amount of change that's occurring today that is going to impact almost every element of not only a privacy program but a third-party risk management program. So I'll try and connect the dots where appropriate, and hopefully we can learn through this session and through the Q&A where some of the other pain points are.

So let's dive into that road map for today's dialogue. I'm going to highlight six key topics that are all related, and we're going to start with what's changing in the regulatory landscape, how that impacts contracts, what you then need to do around data protection and safeguards and assessments, but put a little bit of that magnifying glass on data governance, because that's the hottest topic.
And we'll end with where this road map now affects your third-party risk management program, where you would maybe need to do some maturity or process enhancements. So this is our road map for today's dialogue. So let's dive into the first topic. It might be August and hot and humid where you are, but right now it's raining regulations for data protection and third-party risk management. Our journey really got aggressive when GDPR accelerated the expectations for service providers. And when you think of the regulatory changes that have happened since GDPR became effective only three years ago, we're getting to the point where 65% of the world's population is now covered by data protection regs, and the US is getting even more aggressive at the state level. But it's not just a regulatory landscape. We are seeing focus areas from different regulators, from agencies, new proposed guidance, and we'll dig into that. But it's not just an industry challenge. Privacy risk is now top of mind for public companies in the United States. I thought it was very interesting that over 60% of companies are citing privacy risk or data protection risk in their SEC reports. And when we first started to think about that, everybody assumes it's about cyber security and breach. But no, it seems to be more about privacy: ethics, privacy, permissions and data practices, corporate governance, ESG. The topics are broadening and really bringing privacy, security and compliance together into a better focus on data governance and data protection. So, as we look at this, let me highlight a couple of key things in terms of developments, in terms of that raining regulation. For those that do business in the EU, we're still dealing with Schrems and Brexit, in terms of the UK and the EU adding complexity. You'll see on the right I listed a visual that talks about how enforcement is accelerating.
But now I need a new chart, because even though I put this out there towards the end of July, the EU regulators issued a fine, the largest in history, of $887 million. And as you look at that, part of the focus is on data practices. So everyone's now looking at their frameworks and making changes. Canada's getting involved with a new update to modernize their privacy framework. Many international companies are following suit. ePrivacy is still happening within the EU. But there are updated industry frameworks from NIST and ISO that are really putting a spotlight on data governance, data protection, data protection safeguards, and really bringing privacy engineering and security engineering together. In fact, for those of you on the call that might work within the financial services sector, the three agencies have come together to propose a new framework and modernize guidance on third-party risk management programs. The joint guidance from the three regulators is out for industry comment right now. So we don't see these developments slowing down, because of the new frameworks and regulations and enforcement. It's going to get even more challenging. Just to show you a little bit of the checkerboard of what's happening at the state level, you'll see that the International Association of Privacy Professionals publishes on a monthly basis a state privacy legislation tracker, and you can see what's been introduced, what's in committee, what's in chambers, and what's being developed or passed or signed. Why this is important is because when a state like California or now Colorado puts out new guidance, we're a global economy, we're a national economy, and a regulation in a particular state starts to impact other states. It's kind of like the years when we first had breach notification, and now we have a checkerboard of 48 states with a law. We're kind of going down that path with US state privacy tracking.
But we're starting to see some key themes: consumer information, disclosures of data to third parties, the sharing of data, and an increased litigation or brand risk. So it's less about just protecting the data. It's really about what the vendor has authorized use of the data for. What are they allowed to do and what are they not allowed to do? So again, the privacy dialogue I believe is actually evolving as you look at the different topics that are happening.

So let me provide a quick recap of a topic that you might have heard about called Schrems II. Basically, Privacy Shield was invalidated about a year ago as a data transfer authorization method for data going from the EU to the United States or to other geographic or non-EU areas. The regulators, after this litigation and a court decision, identified gaps in the existing standard contractual clauses that were in place to address GDPR compliance. Why this is important is that for those organizations that need to manage compliance between outsourcers and vendors, or controllers and processors in the EU, that standard language was the primary way to address processing in third-party risk. So let's fast forward: after the comment period, updated new templates. These new templates aren't just about contract changes. They will impact controls, due diligence, vendor classification, and most third-party risk management operational processes. And because we're talking about a key change, that's important. Let's really think about the business model in today's environment between an outsourcer and a vendor. Vendor compliance is multi-dimensional. And while the standard contractual clauses apply specifically to address GDPR, they actually represent what's happening in our ecosystem. When you think of the internet of things, the digital environment, cloud hosting, we're more connected than ever before.
And the new requirements that are being put out by the EU tend to be a model that other states and countries tend to follow. We saw that with GDPR. So I don't think this will be the only GDPR type of solution, but their agreements really are anticipating that you have to put in place very specific guidelines between all parties in a relationship. So whether it's the outsourcer to the vendor, the vendor to their vendors, the fourth parties, the subcontractors, it really gets down to the end parties when you start to look at processor-to-processor relationships. But the themes that came out about the standard contractual clauses, in the simplest terms: it's not just a contract exercise. It's a warranty of data protection safeguards. It's a maturity in due diligence. It requires more evidence, some proof of controls or proof of ongoing monitoring, and there are some exit clauses so that if the vendors can't comply, there are ways to get out of the contract. So it really will put a spotlight on third-party risk management governance. And the reason that I highlight this as such an important trend is the timeline. And I know you'll get a copy of the slide, because the text might be a little bit small, but when you think of what was released in final language on June 4th: new contracts with new vendors, if they need to meet GDPR compliance and use standard contractual clauses, need to be in place by the end of September. So that's a short ramp period. And if you're an existing vendor and you have to think about that, the contract with that data controller for all of those existing vendors will have to be updated by the end of 2022. So that's less than 18 months to assess the new language, look at the new data controls, identify the impact to due diligence, update your processes, execute a repapering of contracts and due diligence, and document everything that you did.
So this is absolutely a key thing on data protection and what's changing in the environment for third-party risk. Just to provide a highlight on why this is important: while most contracts really define the processing relationship, this new proposal really crosses the line into data governance and third-party risk management programs, because within each contract there are now three annexes, and the first one talks about things that as a privacy professional I'm familiar with, but a lot of procurement, sourcing and risk teams may not understand that they need to document. Now the business model context, the category of data subject, the data classification of the data, descriptions of the processing, the purpose, the retention, all of that context that's always been in the privacy world now needs to be brought into the vendor contract. In addition, they're getting more detailed in describing the data protection safeguards. So what you put now in the contract is what will be inspected in the third-party risk management process or assessment process, either with the on-site or virtual assessments or ongoing monitoring. But the contracts also require the list of approved subcontractors. So again, higher expectations, greater focus on governance and compliance, and really a greater emphasis on keeping track of the different activities that are being performed, because you have to prove that you're doing what the contracts say and you're holding things accountable. So it's really driving maturity in a lot of these processes. So let's dig into those processes and really what's changing around data protection safeguards. While regulations may put out guidance, frameworks tend to get down to a control level.
So you really have to assess both drivers to understand how data protection safeguards are evolving. The themes that I'm seeing, whether it's coming from the regulators, from the frameworks or from an external assurance or audit report: it's really holding people accountable. It requires a deeper, concrete description of the control environment. Evidence of controls is critical. Maintaining due diligence artifacts. I think we've learned through having to do assessments now in a virtual environment that the documentation beyond the policy is even more important to show the evidence of the controls that are in place. So it's really driving a maturity in a lot of different areas of data protection. And I think we're going to see that, with what's happened for many organizations due to the pandemic and having to go to the remote environment, there will continue to be a significant footprint of remote workers. So the actual environment changed in the last year, and many organizations are seeing the need, through resilience or through the migration to cloud hosting; the footprint of their vendors is changing. Who's critical may also have been impacted by the remote work, because obviously online collaboration is pretty critical, but these platforms probably weren't in the high-risk vendor category in a lot of third-party risk management programs. So we're really seeing a shift in the need to look at controls in a broader area, and these focus areas, I think, are really bringing privacy and security together. Cyber security will always be important, whether you're focused on technical controls, breach, ransomware. But what we're seeing through the frameworks and a driving of a migration to data governance is that it's more risk-based. It's more methodology focused. So it's beyond the yes/no of a control is in place or not in place. It's: is the control sufficient to address your risk posture?
It's driving a maturity in the process, and instead of just technical controls, it also becomes contextual controls. So minimizing the amount of data that's collected or used. Ensuring that data has a purpose limitation. Working on limiting data retention or data portability from one vendor to another. So you're seeing a lot of data governance topics that all start with understanding business model, type of data and the roles between parties. And each of these controls impacts the third-party risk management process, because you might need to gather additional information. You might need to conduct additional discovery, and you may need to focus on data protection impact assessments in a different way as you look at changes in the environment, be it change management or third-party risk or the SDLC process, because you're not just looking at the technical security control, you're looking at the use of the data, the authorization of the data, and what the expectations of the individual or the data owner are. So the safeguards conversation is really broadening into ethics and permissions and not just the technical bits and bytes of the control environment.

So when you look at that evolution, data governance and how it impacts third-party risk: it's a critical element because it becomes one of those foundational building blocks in third-party risk management. As I outline the context of authorized use of data, one of the challenges with data governance in third-party risk, probably the most common theme I hear from clients, is how to maintain vendor and data inventory. It's a continual battle. You always know who your highest risk vendors are and you have a good idea of the lowest risk, but it's all of those vendors in between that create the operational challenges. And when you start to look at disclosures, well, that's not just to the third party.
It's understanding the ecosystem and the fourth parties and Nth parties and all of the people that participate in the delivery of a technology product or service. So as technology emerges, whether it's artificial intelligence, IoT, 5G, the cloud, you're bringing in more third parties, more technology integrations, more network connectivity between parties, and different paths for the data to follow. So managing that environment becomes not only a people resource issue, but it's technology and it's processes and optimization. But it's really taking a look at not just the padlock of securing the data but understanding the path of the data within the organization and outside the organizational boundaries. Those are some of the key areas that we're seeing really evolve in terms of data governance. So how do you look at data governance in third-party risk? So there are terms that are discussed, whether it's called data maps, data flows, devices; there's a data governance explosion happening. So you really have to take a look at data and kind of profile, at a vendor, not just who the vendor is, but what's the product, service or system that they are delivering. So from an outsourcer perspective, it's not enough to know that company ABC is in my vendor portfolio. I really need to know what that company does for my organization. Do they interact with my end customers? Do they have highly sensitive data? Are they critical to my operations? And then what data is used within that relationship? And then let's follow the data. Where is it located? Where is the data backed up? So it's become a broader conversation in terms of location management, because it's not just about physical addresses in physical buildings, right? We now have remote workers. That means we have remote vendors, and how you're connecting can be through multiple devices.
So that mapping exercise really becomes a critical pillar within your third-party risk management program, to understand how often and how frequently you have to update your vendor and data inventories and be able to connect the dots between the vendor, the data, and then your due diligence process, based on what contractual obligations or regs apply to that relationship. So as we look at these changes, we kind of started with the raining regulations and then what's happening, spotlighted a few highlights, and then we've talked a little bit about data governance. But let's think about things from a third-party risk management program in and of itself. And if I look at the last 18 months, I really started to look at three big drivers that are starting to trigger the need to modernize third-party risk management programs. And obviously the first column is the pandemic factor, because we as an industry, as a global world, we had to evolve. We had to quickly figure out remote workers. That means we might have had to shortcut some security controls or build new bridges or new paths. Now we need to go back and correct those areas. We had to start to bring in the concept of zero trust. We had to start to do our assessments for third-party risk virtually. So that changed the skill set of the assessor. It might have actually changed how we document the workpapers or document what work's been performed. And if you're a service provider and you go through an annual attestation or audit report, well, now you're doing that virtually with your audit firms. So resilience, cloud, remote technology, all of those things that are critical to enable business operations also impacted how vendors deliver their services. So, looking at third-party risk through the pandemic lens, not only do you have to look at how the existing vendor relationship works within your contract or your due diligence standard, but you have to understand how did they adapt?
What changes did they implement now due to the pandemic and remote work? Because those factors might require additional due diligence on your side. But I think the conversation is also evolving a bit into non-IT risks, because of what's been the focus in so many different areas. It's not just about data security and cyber security. When you look at third-party relationships, environmental, social and governance, ESG, are top of mind in the boardroom, but also for the shareholder or the consumer, the buyer. There's a greater focus on geopolitical, human rights, diversity, the supply chain, and that's not just a United States factor. I'm seeing these non-IT risks and guidance driving maturity across the board. And I really think when you start to look at the non-IT risks, it almost requires a different level of viewpoint into your vendor risk rating system, the way you classify vendors. It's less just about the company. It becomes a broader conversation, and that may actually require different types of assessments. So instead of one large vendor assessment, I'm seeing third-party risk management programs obviously need to do a deep dive on the onboarding, but then they might be doing very topic-specific assessments for a particular vendor. They might have to dig deep into resilience and remote access and securing data. Or depending on the nature of the product, if they're helping you with marketing, sales, or advertising, you might need to do a deeper dive on consumer protection and fraud, authentication and privacy. Or if they're in the supply chain, you might have to focus on a broader environmental factor. So these topic-specific assessments are layered into your overall program. So organizations need to modernize and understand their staffing levels. How do they right-size assessments and manage multiple assessments?
In one of my prior roles, at a service provider, for certain clients I would have to undergo at least seven to 10 assessments on an annual basis, because they were tailored to the product or service. So not only are third-party risk management programs evolving in terms of the requirements, but it also starts to impact workflow, and really having to take that risk management approach as to what's sufficient. And I think the drivers that I'm highlighting here are actually very similar to the FAQs and the questions that the three primary regulators in the financial services sector have put out for comment, as they're looking at the original OCC guidance that was for national banks in terms of third-party risk management. How do they bring that type of guidance across the board to community banks, regional and other areas within financial services? You know, even last week, FINRA just announced that in the financial services sector they're seeing audit issues on lack of maturity in third-party risk management programs, and that's a concern. So I think we're starting to see the drive for modernization come from a lot of different areas, and that really is going to require some investment in making some changes to your third-party risk management program. It might be a project to address regulator changes; if you have to address GDPR and standard contractual clauses, you're going to start with what you have today and where you need to be by the end of 2022. But you also might be adopting a framework, whether it's NIST or ISO, to help mature your information security and your cyber footprint and bring privacy into that conversation. But anytime you're looking at changes to your program, it really starts from that outside-in perspective. What are the external drivers?
Then the internal: what's changing within your organization? Sometimes it could be M&A activity, it could be new products and services, consolidation, efficiency, but all of those things now require that review. Do we need to change the definition of vendor criticality in today's landscape? Do you have a commonly understood definition within your organization of who is critical? And as third-party risk management programs broaden in scope to include ESG and these others, you'll really see that it becomes an integral part of an organization's enterprise risk management program. So while the project teams may understand what they need to do to operationalize changes to third-party risk management programs, actually doing that changes the story also, though, in terms of how you gain management approval of all of these changes, or if it has to go up to the board or executive reporting. I think the other key thing that is really evolving: obviously third-party assessments have evolved from on-site to a virtual environment. The old kick-the-tires type of approach of a site visit is not going to come back, because people have realized the cost of the travel and the level of value that they get. There will certainly be high-risk suppliers or vendors that need that deep dive or physical inspection. But I think people will be starting to use a combination of different techniques. But I think the key factor that puts a wrinkle into existing third-party risk management programs is really the contract and due diligence synchronization. So I use the example of standard contractual clauses. The legal team and the privacy people are all over this. But now that work product has to be implemented by the third-party risk management teams, and they don't have a clue what all these privacy terms mean.
So all of a sudden we have to build a bridge, even within one company, to figure out how do I sync up what I have to put out in a legal contract that impacts how I audit the vendor, and now my audit of the vendor can be viewed by the regulator, and they're actually saying you need to have very good workpapers to document what you've done. You've got to build a really strong dialogue and collaboration between very different and divergent teams, and a lot of that may start with education or doing a gap analysis or figuring out how do we sync up due diligence and third-party risk assessments with contract expectations, and how you manage the gaps is even more critical. So I think all of these factors are really driving organizations to start to take a look holistically at their processes. And I think connecting the dots across different processes is an area that is sometimes very undervalued or underrepresented in terms of the need for clarity of roles and responsibilities within and across teams. So let's think of some examples. Today, when you have all of these changes that are happening in the internal and external environment, right, technology transformation, migration to the cloud, new regulations, fines and enforcement, and obviously we always have the threats and vulnerabilities in terms of the bad actors, all of these things are coming at a third-party risk management team, but they're also coming across the newswire of the CEO and the boards of directors. So organizations need to really be able to tell their story. Here's what's changing. Here's what we're doing about those changes. Here's what's important. And here's what I need from the organization. So if you need to modernize your program, it's about that business case. It's about explaining here's the role that these teams play today. Here's what the new expectations are, whether that's by the reg, by a framework, by a customer driving language in the contract.
All of these things can now change what you need to do on your policies for third-party risk, your due diligence standards, your assessment process. And so there's almost that layered education, not only to keep everyone on the same page with the changes but also to make sure that folks understand that with the heightened expectations there's now a better level of what I call change management maturity. We know in third-party risk we always think about change management purely from the IT coder, you know, the developer's point of view, and IT operations, but now you have the pandemic and you have security DevOps. But now when you look at privacy and data protection, it's a whole different conversation to be managing regulatory change around devices, privacy permissions, settings on a smartphone, use of a web application. So what I'm seeing emerge around data protection is really broadened conversations around change management and process integration, but it's really bringing these teams together and bringing these processes together, because that's what's critical to be able to demonstrate here's how I am managing expectations, not only to manage and mitigate risk but also to ensure that my risk management process is in alignment with the expectations coming from the market, clients, regulators or even investors. And I think what we're going to see as we look at the challenge with connecting the compliance dots is that it's not just a volume issue with staff. It could be skill sets of staff. People have to adapt to a new way of doing work, or some of the changes that we're seeing around data governance, or even things like the standard contractual clauses, may require organizations to assess how many vendors do I have. Do I need to do some consolidation of vendors? So I think we're going to see some evolution of even KPIs and metrics in terms of managing the third-party risk management program.
Scorecards I could see becoming even more important in terms of process maturity, in terms of not just the status of the vendor, red, yellow, green, number of findings, red, yellow and green. But it starts to look at the risks across vendors, not just within a particular vendor relationship, because you're managing different touch points, and you're managing different types of risk that different organizations and different stakeholders are going to say are important. So, I always like to think about, and we talked about a lot of topics, but when we look at some of the guidance that's coming out, there are some simple steps to do to kind of get your arms around these environmental changes: the six-step process, putting guidance into action. What I liked about these messages, even though they originated in the EU guidance, I think they apply across the board to any organization that's really trying to modernize or update their third-party risk management program. First up, update your data maps and inventory. Know where the data is located, what the purpose is, what they're authorized for. Verify and understand any transfers or disclosures between third parties, whether that's financially, by contract, a trade, or any type of benefit, any data transfer or access between parties. I think it's also critical to conduct due diligence not just of the third party but to understand is this transfer or disclosure to a third party allowed by law, by contract? Are there restrictions? Are there hoops I have to jump through to enable that disclosure? So there's more maturity happening, with the regulations getting more complex. That changes your processes on your side for how you even trigger the due diligence activity, and I think you'll start to see the evolution of due diligence beyond just the technical controls and really get into organizational and contractual measures.
I think another key area for modernizing programs is really focusing on the fourth and Nth party relationships, because at the end of the day everyone has multiple third-party relationships. Very few organizations are hosting their own data in the cloud or hosting their own applications. They're all using technology service providers to enable their footprint. And all of those providers have their own vendors. So it's not just critical to understand who they are, but really understand what the contract says in terms of who owns which controls. I've done quite a few gap analyses and assessments, and I will hear from a client, well, you know, they had a SOC report, so I didn't think I had to do anything else. Well, if you read the report, it says, "These are all the controls that the vendor owns, and these are the controls that you own." At the end of the day, you can't outsource accountability. So it's really important that your third-party risk management teams not only understand their process, but the standards and the requirements and how you maintain your evidence across your entire program, because the program in and of itself comes under greater inspection and oversight. So as we look at this, I know in one hour we're covering a ton of information, and I think it's always important to be aware of privacy fatigue. And you could use the words privacy fatigue or you could replace that with cyber security fatigue. Regulations are emerging faster. It's happening all at once. You've got to build a road map. Find some quick wins. Do the quick hits. Make it manageable. Break the work up into manageable parts so it's not feeling so overwhelming. It requires prioritization. But I think with data protection and third-party risk, the number one thing is that it should be a strategic conversation and not an operational tactic.
Ensure that the board and the C-suite understand the linkage to revenue, so that the third-party risk management program is not just looked at as an administrative burden or table stakes; it actually can drive and enable the business to succeed, because you need the vendors to run and help you grow your business. So really make sure that the board and the C-suite understand their role in ensuring that the third-party risk management programs have the business case and the investment and the resources they need to manage the risk, because the regulators don’t give you new budget when they change the rules. So each organization has to adapt their program, or have that conversation to say this is what’s changed, these are our gaps, and we can either fix the gap or accept the risk. So you’ve really got to have that conversation, and then look at your processes to say what can we do better to really drive process efficiency into those recommendations. And with that, I’m going to turn it over to the Prevalent team to cover a few topics, and then we’ll jump into the Q&A, where I can see some things that Amy’s probably monitoring in the chat.
Alistair Par: Thank you very much. Really insightful, and it’s interesting because we very much agree with what we’re seeing. So the whole privacy angle, of course, is symbiotic to the broader third-party program, and we appreciate and totally agree with you when it comes to right-sizing and making sure that the program is proportionate, whether it’s risk-centric from an infosec standpoint, whether it’s looking at contract due diligence clauses, or privacy as well. So it completely resonates with what we’re hearing and seeing as well. What we’re looking at in front of us is something that we tend to focus on as part of the analysis and interpretation of the program, because invariably we find, and I’m sure you do the same, that most people have some semblance of a program, whatever it may be. It might be a couple of spreadsheets sitting on someone’s laptop somewhere, or they might be involving the C-suite and getting steering committees involved, etc. But it’s taking that moment to passively review what you’re actually doing and considering, before applying changes, proportionate changes, to right-size and demonstrate return on investment. And some of the key things we’ve seen on that are some of the insights you see in front of you now.
So the maturity assessment up front applies to the entire program, from a privacy standpoint and beyond, which is understanding: what are we really trying to achieve, where do we stand against our peers, is that actually good or not, and are we investing the right amount in order to achieve these obligations, whether that’s regulatory in nature or based on a framework or just internal risk appetite? So we often see people using a CMM model, the Carnegie Mellon capability maturity model, to grade themselves and compare themselves to their peers, and then that feeds the metrics, the KPIs and KRIs, as to what the steering committee and the C-level really want to try and focus on, and then that drives the scoping and the perception up front. And I completely agree with you that you can’t outsource accountability; it’s at this point where we help to define what accountable looks like, what we can bring in-house, and effectively managing governance. It sounds very similar to what you’re seeing in your expertise in the field. And when we start looking at the rest of the circle, it’s about that comprehensive profiling. I know we agree that you start looking at the Nth parties and understanding the data points and elements so that we can build this sort of holistic profile of them, whether that’s data processing activities, whether it’s their security controls and governance; it’s multifaceted. So we look at it from a comprehensive profiling lens, which is: how can we amalgamate all these data sets and Nth parties into something that’s actually coherent that we can action against, and then benchmark everybody against one another, these being the third parties themselves. Then of course we can compare that to the regulatory obligations and frameworks that we need to consider, and then factor in what we can actually do about it and how engaged the business is.
So the human effect of remediation planning. It’s interesting hearing you talk and correlate to the C-suite so much, because it’s a challenge we always see: the human factors, and how we can get the business involved and multiple people to participate. That’s always an ongoing challenge that we also try to pay attention to and advise on. So it really resonates. On to the next slide, if I may. We talked about that holistic profile, and again I think you’ve really hammered home and touched very well on some of these points, but some of the things we like to see working quite well is building up this vendor profile. That’s multiple factors and facets, and understanding the data processing, understanding the context around what they do and why they do it, is really foundational. Context is really key, and to address privacy and all of these other symbiotic factors, understanding what articles there may be relating to them in the world, broadly speaking: are they expanding territories, are they processing data in other areas, have they had any data breaches that we need to be mindful of that they haven’t reported back to us? And then of course even things like financial stability feed into that, being aware of any changes, M&A, that may impact them in the next 12 months. That perception of how your data is being managed and how you’re adhering to any regulations is going to be very much dependent on pretty much everything that you see in front of you. We do find it quite challenging for people to spend the time to aggregate these data points as best they can and react, particularly when you’re dealing with it at scale.
So on the final slide, before I pass back to you and go to general Q&A, just something that we wanted to share, because again I think it resonates quite well with what you’ve been talking about, is some of the processes that we see and consider, which is the life cycle of third-party management. I’ve obviously spoken, and you’ve spoken, about that comprehensive profile, but beyond that it’s the broader life cycle. I think you rightly touched on the contract and due diligence clause reconciliation piece up front; that is generally pretty on point for a lot of organizations, but it doesn’t necessarily carry over to the rest of the workflow. Things start to dwindle until contract renewals and so on. So we like to spend a bit of time focusing on post-selection: how can we apply that through the life cycle? So tracking the regulations and the obligations associated with them, making sure that the C-suite, the legal counsel, etc. feed into us to let us know what we really need to deal with, whether that’s the data protection officers of the business or whoever’s owning that. It all feeds into how we interact and govern and take accountability for the third-party program and the risks that they present to us. So we like to see through that life cycle that degree of ownership. We like some maturity, and expanding that maturity past procurement and contracting into the life cycle and tracking those contractual clauses from the outset. What we often tend to do is build workflows around that, where we see customers, or visionaries really in the space, starting to collect the data, look at it cohesively, drive remediation on targeted focus points, and then really try to drive their programs iteratively and improve and optimize them over time. So establishing that best practice internally and driving it through steering committees etc. is really something that we’re seeing as well.
So, I’m glad to see that nothing seems to contradict what hopefully you’ve been seeing.
Len Solom: Absolutely. I mean, it really is a life cycle, and I think, you know, it’s a general concept, but these days the life cycle is getting shorter and even more complex.
Alistair Par: Totally agree. Excellent. So, we can move into the Q&A now.
Amy Tweet: Okay, I’ll let everyone catch their breath and take a sip of water. Thank you both very much for the information. Well, a few questions have come up now. I’ll put up our last poll question, from the Prevalent side. Before you leave today, are you planning to expand or build a third-party risk management program in 2021? Or, as the end of the year approaches, are you considering pushing the plan into next year? We’d love to hear your answer: yes, no, not sure. As Alistair said, we’re here to help whenever you need. Just let us know. These last two questions can be answered by Len or Alistair. First, can you recommend additional key performance indicators (KPIs) or key risk indicators (KRIs) to track data risk more effectively?
Alistair Par: Okay. I’m happy to go first. Of course, Len, please jump in too, thank you. Yes, on our side we do need to pay attention to key performance indicators (KPIs) and key risk indicators (KRIs). Data risk, as a subset of the broader risk picture, follows the same output logic as the whole: we need to make sure that during scoping and risk tiering we inject contextual background into the risk assessment criteria. I understand that defining context within a KPI and KRI framework is difficult, but at a minimum you can categorize the tier-one risks (critical risks, vendor risks within the scope of regulatory obligations, and core data risks). That way we can focus on those key areas and prioritize resources on controlling that subset of risks. So from a KPI/KRI perspective, I strongly recommend segmenting data risk by regulatory obligation or framework obligation and then assessing progress against those dimensions.
Len Solom: And you? Well, a few more things to consider: when you assess a particular vendor relationship and build a risk rating scheme, for example classifying high-risk, tier one, tier two and tier three vendors, fully articulate the logic behind it. How does the vendor rate on resilience? They might be a high-risk vendor because they are critical to business resilience, yet at the same time a low-risk vendor because they have almost no contact with end customers from a consumer protection perspective. So add context to the risk ratings and the vendor classification. When looking at metrics, many organizations may overlook the value of complaint tracking. Complaints are different from issues or remediation; complaints are about context. When a complaint or incident occurs, it is usually a symptom of some other problem. So you need a sound escalation process for non-critical areas, so that you can spot underlying problems sooner.
Amy Tweet: Great. Good question. There’s one last question from the audience, and we have a few minutes left. So if anyone still has questions for Len or Alistair, please take a moment to write them down. This last question is a really good one: if you don’t have a direct working relationship with a fourth party, how do you better handle and resolve the issues that are found?
Len Solom: Good question. Let me start with the fourth-party challenge: the problem is the lack of control, right? Whether financially or contractually, you can’t establish a direct relationship with them. But the key is to hold the third party accountable. So you can’t stop at reviewing the vendor; you also need to do a full check of their third-party risk management program. Ask them to provide documentation evidencing their controls; that is necessary for you. If you are on the service provider side, don’t simply push the responsibility onto the customer. Think about how to tailor your documentation to give your customer base enough basis to be confident that you are effectively managing fourth-party and Nth-party risk, because as a service provider, doing that well actually creates customer value. So the core is driving program maturity, but be sure to review the third party’s program.
Alistair Par: Len, I completely agree with you. That really echoes the core of what we discussed earlier: when fulfilling contractual obligations, you have to start with the upfront procurement process. The key is being clear about the company’s own responsibility for third-party vendors and the control obligations towards the parties it manages. Unfortunately, I think this really is a good question. As you said, most organizations lack the forward-looking management capability and the agreement framework to effectively control third-party vendors. It often turns into a reactive request that forces them to deal with the problem. We are indeed seeing more organizations maturing in establishing contractual clauses to ensure control over fourth parties, but it must be emphasized: accountability can’t be fully outsourced. That approach doesn’t work. All parties still need to work together to identify and track issues.
Len Solom: Well, I think the key is not just relying on the attestation of an audit report. You know, I’ve worked in third-party risk for many years; in the early days a SAS 70 attestation was the industry benchmark, but now... Now there are different levels of external audit reports, but you have to dig into them, especially in cloud environments or other scenarios, to make clear which controls the vendor is responsible for and which control responsibilities the customer bears, almost down to the configuration level. You have to ask them to provide evidence that they actually reviewed the report and did a risk-based analysis of the findings in it. So the key is not whether the contract requires a SOC 2 attestation, but once you get the report, how do you use it?
Alistair Par: I agree with that, and I’d also remind everyone: if their office area happens to be a broom closet or something like that, be sure to confirm the scope of work.
Len Solom: Exactly. Because this is at the product or service level. I think this is also where data governance comes into play: in today’s digital environment, the importance of physical location is sometimes reduced. But in certain industries, manufacturing for example, physical location is still crucial. The key is to confirm through the vendor profile analysis: are you getting the assurance you need? Or in which specific areas that matter to the organization or the customers do you need supplementary assurance measures?
Amy Tweet: Okay, thank you. That’s a good question. Next let’s discuss one that just came up. I think it’s largely related to the special circumstances of the pandemic. Many vendors aren’t allowing on-site visits; is that going to be a problem? Or are there alternatives that can satisfy the requirement?
Len Solom: That’s a good question; sometimes it seems we need to hold a webinar specifically for service providers to educate them on this. Well, I think the key is recognizing that certain vendors can’t accommodate on-site work, but the vendor needs to have a collaborative conversation with its customer base saying, “Okay, but we can offer an alternative.” Here is supplementary evidence. Provide supplementary documentation. Show additional evidence of controls, or explore how to make flexible use of virtual or online technology. It shouldn’t be a simple “yes or no” question; the same function needs to be achieved in a different way. How exactly? The key is for both sides to have the conversation and stay flexible, and jointly understand the challenges the organization currently faces.
Alistair Par: Totally agree. As expected, over the past 18 months we’ve seen virtual validation become a real driver. We’ve found the key is to keep it concise and focused; after all, time is limited, and people get tired in Zoom meetings just as easily. So we’ve found that usually you only need to give the other side a rough standard for the evidence required for validation. We ask the customer to test certain key control points, but we don’t detail exactly what will be checked. That avoids the customer having the full picture of the system in advance while still giving them time to prepare the relevant materials. This focused validation, a simple check done by testing specific controls, at least provides assurance, and it’s become our common practice over the past 18 months.
Len Solom: That’s right; last year we ran a webinar series on virtual assessments. From when we first held one of those events at the beginning of the second quarter, we saw a shift in how people view virtual assessments and virtual validation, and by the end of the year that shift was especially noticeable, because they had to deal with virtual internal audit teams, virtual external audit teams, virtual vendors and virtual third-party risk assessments. So a lot of processes have changed over the past 18 months, and I think that evolution will continue.
Amy Tweet: I love that term, virtual validation. Excellent, that was a great question. Well, we’ve just hit the top of the hour. We have to make sure everyone can get on with the rest of their day; if you have a final question, you can reach out to Len Solom. I think LinkedIn is a good platform for reaching you.
Len Solom: Yes, no problem. I’ve also listed my…
Amy Tweet: There you are. I see you. I had to move the poll question out of the way. But if you have any questions about Prevalent, you can send an email to [email protected]. Feel free to follow us on LinkedIn or Twitter. Thank you again very much for joining us over the past 60 minutes; I hope you’ve learned best practices for addressing data protection risk in your third-party ecosystem. Thank you all, thank you Alistair, thank you Len. Enjoy the rest of your day, and I hope everyone has a wonderful day.
Len Solom: Excellent.
Amy Tweet: Goodbye, everyone.
Len Solom: Bye. Thank you.
©2026 Mitratech, Inc. All rights reserved.