Why Third-Party Risk Is Now a Board-Level Concern
Cyber security and regulatory risks are coming at businesses from all angles. Data breaches, compliance failures, bribery, corruption — information security and risk management professionals have their hands full.
And they aren’t the only ones feeling the heat as the pressure ramps up. Boards of directors and C-suite executives are recognizing the need to take a more active role in their organization’s third-party risk management.
Risk Management Starts at the Top
Boards are now being held more accountable for cyber security incidents and compliance lapses within their organizations. These events damage not just the company but the directors’ personal reputations. Media coverage is unforgiving. Worse, a significant misstep can mean a summons to testify before a government panel.
The data leak at Facebook is one example of the consequences for company executives. No CEO, board or C-suite member wants to be called out in public for a breach or compliance failure.
In such a world, it’s no surprise that boards of directors are more invested in their organization’s risk management process. The Ponemon Institute’s Third Party Data Risk Study found that 15% more respondents reported board involvement in their third-party risk management programs in 2017 than in 2016. Third-party business partners are one of the biggest sources of risk: 56% of companies have experienced a third-party data breach. New regulations, like GDPR, and increased enforcement, particularly of FCPA violations, have put the spotlight on the need to follow third-party risk management best practices.
Though boards and CEOs aren’t IT or compliance professionals themselves, they do have an important role to play in protecting their company. Listening to staff is the first step toward a sound risk management program.
There’s been an uptick in the involvement of chief information security officers (CISOs) in board-level planning meetings. When CISOs are involved, they can help their companies fully embrace digital transformation while navigating the security challenges that come with it. When the board understands its company’s biggest risks, it is better able to allocate resources and provide the support needed to manage them.
What Types of Third-Party Risks Are Boards Worried About?
Third-party risk spans everything from bribery and corruption to the banking industry’s complex compliance requirements. These are the biggest challenges facing today’s companies.
Bribery and Corruption
Third parties are the most common conduit for bribery and corruption. According to the OECD, 75% of enforcement actions involved bribes paid through third parties.
Compliance professionals have to navigate both local and global regulations, like the US Foreign Corrupt Practices Act (FCPA) and the UK Bribery Act (UKBA), to protect their company from risk. Yet they often lack the staffing, resources and budget needed. Anti-bribery and anti-corruption (ABAC) regulations are becoming more complex, and enforcement is increasing. To stay compliant, companies need to invest in strong third-party due diligence programs.
Compliance with GDPR
May 25, 2018, ushered in a new era of data protection, with the EU’s General Data Protection Regulation (GDPR) coming into force. Most organizations are aware of how to prepare internally for the sweeping changes, but third parties can’t be overlooked in the process.
Under GDPR, “data controllers” are responsible for engaging only third-party “data processors” that can demonstrate GDPR compliance. A lapse by a data processor can result in regulatory repercussions for the data controller. This has made managing third-party GDPR risk a significant concern.
Companies that understand what information they hold, who has access to it and how it’s used will be well prepared for third-party compliance.
Information Security Risk
Information security risk is top of mind for everyone these days, particularly for the CISOs tasked with managing it. The stress is taking its toll: 69% of CISOs anticipate their roles will be even more stressful in 2018.
Much of that stress relates to third parties: 42% of CISOs worry about experiencing a third-party data breach, and 44% worry that a third party will misuse confidential information or share it with other third parties.
Sharing sensitive data with third parties is always risky, and data breaches at major companies have demonstrated the costs. A strong risk management plan reduces both the odds of a cyber security incident and the operational, financial and reputational damage when one occurs.
Regulations in Financial Services
The Office of the Comptroller of the Currency (OCC) and the Consumer Financial Protection Bureau (CFPB) are explicit on this point for the financial services community: the board of directors and senior management are responsible for ensuring that activities conducted through third parties comply with applicable laws.
From Know Your Customer (KYC) and anti-money laundering compliance to FinCEN’s customer due diligence requirements and the introduction of MiFID II, regulations abound. They have raised the stakes for third-party risk management, with forward-looking banks and financial institutions taking a risk-based approach. Banks are thinking beyond ticking compliance boxes to actually protecting against third-party failures.
How You Can Work with Third Parties with Confidence
Third parties deliver a large share of your company’s revenue and are key drivers of business growth, especially as digital transformation sweeps across industries. Despite the risk, you need third parties to give customers the best experience of your product or service.
Businesses that follow risk management best practices can continue to rely on third-party vendors with confidence. Research shows that companies that frequently review their third-party management policies and programs are 18% less likely to suffer a data breach.
When the push for third-party risk management comes from the top, the odds are even better. Companies with strong board-level oversight and involvement are 10% less likely to suffer a data breach.
High-level collaboration leads to greater understanding of a company’s security needs. That leads to better security programs with the tools and personnel required to manage third party risk.
As businesses rely on more third parties, monitoring their risk effectively and efficiently becomes a greater challenge. Automated, technology-based solutions, like Opus’ Hiperos 3PM, can help. Third-party risk can’t be eliminated, but it can be managed.
Need guidance on third-party risk management best practices for your company? Get in touch.