Expert Insight : IT Regulation and Risk in Financial Services
Mitigating Threats from Third Party Providers
This Q&A with Tom Garrubba of the Shared Assessments Program discusses the broad themes of increasing regulation and scrutiny, both global and local, as we enter the GDPR era. While GDPR has high visibility, it’s not just GDPR that drives this discussion.
In the emerging landscape, risk executives are under pressure to deliver and must closely consider the full extent of external parties’ influence across the supply chain.
Q. How has the scale and scrutiny of regulators in FS changed over the last few years? What have been the key drivers?
The regulators – regardless of industry – have made it very clear that they’re taking Third Party risk seriously. Taking appropriate measures to reduce Third Party risk has been expected since long before GDPR, and that approach shouldn’t even be viewed as a “best practice” anymore, but rather as something that’s mandatory.
I’m seeing the regulators – particularly in the financial services space – really focusing on a few key points. First, if you haven’t already, you must identify who your critical suppliers are; and I’m surprised at how many companies still cannot document who their key suppliers are. Mind you, this doesn’t necessarily equate to annual spend with each service provider; rather, it’s an understanding of which key suppliers can seriously impact operations and affect customers, which ultimately falls back to impacting the outsourcer’s revenue.
This leads into my second point – cyber and business resiliency. The regulators are looking to see if you’re participating in cyber and recovery efforts with critical Third Parties. You will need to provide evidence to regulators and auditors of table-top activities, testing, etc., to satisfy their inquiries. Furthermore, these tests need to be ‘plausible and realistic’ with testing complexity focusing on the adequacy of both the outsourcer and the Third Party’s incident response plan and crisis management.
Thirdly, regulatory examiners are asking questions about how you are continuously monitoring not just these critical Third Parties, but your critical subcontractors – which are your Fourth Parties – to ensure their performance, financials, and risk tolerances are in alignment with your tolerances and overall contractual expectations.
There are other considerations, but this short list of three key points is a good start in the financial services space.
Q. What have been the consequences?
In the financial sector here in the US, such matters are documented as an MRA or “Matter Requiring Attention”, which communicates specific supervisory concerns in writing to the boards of directors and management. When an MRA is issued, the organisation must perform timely and effective corrective action and follow-up with the regulator.
The same applies with the positions taken by the Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) in the UK. Irrespective of GDPR, UK regulators have high expectations of organisations to perform effective due diligence on their internal and Third Parties’ controls and have effective measures in place whenever an issue arises. This is applying a greater level of pressure and scrutiny on organisations and individuals with responsibility increasingly shared throughout the data supply chain.
This certainly doesn’t bode well for the entity or for the management of the organisation! But what can be worse is if the organisation suffers a breach or outage through a critical Third Party and the outsourcer then has no evidence to support their Third Party risk due diligence. In my opinion, that would be deemed unforgivable by a regulator.
Q. How and why are risk and compliance converging?
I’ve told many organisations that when it comes to developing or even enhancing your Third Party risk management programs, you need to develop strategic partnerships within your organisation. This is akin to flying an airplane: you are not flying the plane alone; you have a pilot and co-pilot, navigator, flight attendants, ground crew, maintenance, baggage handlers, and other critical staff and partners. In Third Party risk management, you need to have relationships with legal, privacy, information security, procurement, business continuity, and other enterprise support functions. They all work with you to make sure the organisation is performing in accordance with the policies and procedures that govern the program.
In my opinion and experience, compliance is very black and white: either you have it or you don’t – there is not a lot of grey. There are some regulators who might throw in a touch of grey – that’s more along the lines of “conformity” rather than compliance. In other words, the regulators may find some satisfaction in your organisation at least adhering to the spirit of the law if you’re struggling to adhere to the letter of the law. However, to be certain, please be sure to work with your legal counsel, audit, and the regulator to remain on target when addressing matters that are required by the regulator.
Q. Are we seeing any standardisation or best-practices applied when building risk and compliance programs to mitigate Third Party risk in Financial Services?
The Shared Assessments Program – which is a member driven program – has been documenting best practices in risk assessment and management for more than a dozen years. The Program was founded by the financial services industry and is recognised as the trusted source on Third Party risk management across all verticals. Most risk professionals are familiar with their Program Tools, such as the SIG, the Standardised Information Gathering questionnaire, which is widely recognised as the standard for performing Third Party due diligence.
Other Program Tools include the Standardised Control Assessment or SCA, which is a set of test steps to verify that a control exists and is operating effectively, and the Vendor Risk Management Maturity Model or “VRMMM”, which is a widely adopted self-assessment tool used by organisations to provide evidence to regulators and auditors as to their program’s maturity. The Program also has a GDPR Tool Kit, which provides preliminary guidance for both data controllers and data processors to effectively evaluate and manage Third Party processor risk under the European Union General Data Protection Regulation (GDPR) 2016/679 Article 28 “Processor” directives.
Q. What is “collaboration” and what value can it bring in improving TPRM and compliance processes and outcomes?
Outsourcing organisations share a number of common key industry Third Party services, and while many of the Shared Assessments Tools, such as the SIG and the SCA, have helped streamline assessments, many outsourcers still utilise their own proprietary questionnaires and onsite audit criteria that they feel accurately reflect their unique interpretation of regulations, divisional needs, and risk appetites. The demand for a tailored assessment frequently requires intensive, multiple, and even overlapping information requests from clients to their service providers that often result in grossly inefficient use of resources for both the outsourcer and their Third Parties.
I encourage outsourcers to talk to industry colleagues to see if they can partner in finding a common service provider that they could collectively assess together. They would be able to set the ground rules, the assessment steps and criteria, the documentation to be reviewed, and establish who will conduct the assessment. This process can be complex, so I’d encourage anyone interested in this process to reach out to the Shared Assessments Program, as we’ve assisted many of our members in this in the past and can help identify pitfalls and successes with this process.
Q. What is the board’s role in ensuring success? How critical is support from the top?
The Board’s role is a very important one. An organisation needs to have tone at the top if the message is to get through. Not too long ago I presented on Third Party risk to the Pittsburgh chapter of the National Association of Corporate Directors (NACD), an organisation consisting of company board members from various industries, and surveyed the room as to their familiarity with it and whether they’re keeping tabs on what their organisation is doing. To my surprise, about three-quarters of the hands went up – I honestly expected fewer!
That was a great indicator to me that Third Party risk is now being watched closely by board members. Additional dialogue evidenced that they’re also asking questions of their management and asking for periodic updates on how their company’s Third Party risk is being addressed.
In short: the board gets it!
Q. What do you expect to be the next big shift in regulatory compliance and enforcement?
I agree with the assessment made a few years ago by former US Attorney General John Ashcroft at an annual Securities Industry and Financial Markets Association (SIFMA) Internal Auditors Society conference. He mentioned that organisations should prepare to adopt what he called “anticipatory compliance”, meaning that organisations will need to be prepared to show that they are actively anticipating, studying, and acting on perceived threats.
After heeding such warnings and reviewing the increasing regulatory guidance that is emerging, I’ll add what I’ve termed “participatory compliance”. This means that not only should an organisation adopt and evidence anticipatory compliance, it should also participate – that is, work with its Third Parties in anticipating what the next threats, outages, etc., will be, and actively perform plausible and realistic testing with those Third Parties as well.
About Tom Garrubba
Shared Assessments Senior Director and CISO, Tom Garrubba, is an experienced professional in IT risk and information controls, most recently in developing, maintaining, and consulting on Third Party risk (TPR) programs for Fortune 100 companies. He is an internationally recognised subject matter expert and top-rated speaker on Third Party risk.
Welcome to DVV Solutions
Established in 1999, we have become one of the UK’s leading providers in the design, implementation and management of TPRM solutions and are uniquely positioned to provide a comprehensive suite of Third Party risk management software and automation solutions to support any organisation’s TPRM requirements.
We work with you to:
- Scrutinise your Third Party relationships – service by service, supplier by supplier
- Identify and evaluate real risks and emerging threats
- Develop and manage your risk exposure, cyber strategy and data protection strategies
- Establish and mature your Third Party Risk Management capabilities
- Ensure regulatory compliance with standards including GDPR and PCI, and
- Provide clear and concise guidance that illustrates the impact and value of your IT security investments
We’d be pleased to hear from you and help find the most cost-effective way to develop, maintain or expand your Third Party risk management efforts.
Call Us: +44 (0) 161 476 8700