Vendor Management The Risks to Your Business

Presentation transcript:

Vendor Management: The Risks to Your Business
By Gerard Joyce, 6th March 2019

Agenda
- Data Processing Relationships
  - Controller / Processor
  - Processor / Processor
- Responsibilities of the Controller
- Responsibilities of the Processor
- Robust Processing Agreements
- Doing Due Diligence

Introduction
- Experienced Risk & Compliance Professionals
- Members of IRM, IOB, ACOI, ACCA, ISI...
- Involved in the Development of Standards
- We supply a Governance, Risk & Compliance Software Solution called CalQRisk
- CalQRisk is used by 170+ regulated firms, including Brokers, Financial Advisors, Fund Management Companies, Fund Administrators, Credit Unions, Solicitors, Hotels, Charities and Local Authorities

"Trust but Verify" (Ronald Reagan)
Because you are responsible

Vendor Management Programme
- Control Costs
- Drive Service Excellence
- Mitigate Risks
Vendor Risk Management is the ongoing process of ensuring you continue to reap the benefits of outsourcing.
You cannot outsource the Responsibility.

Some Statistics
- Over 40% of business leaders said they experienced significant increases in third party dependence over the past year. (Forrester)
- 83% of business leaders lack confidence in 3rd party risk management processes. (Deloitte)
- 20.6% of business leaders experienced a data breach caused by third parties. (Deloitte)

The Relationship
- Controller retains ultimate responsibility
- Controller – Processor – Processor – Processor
- Controller must authorise and be informed about sub-contractors
- Controller must follow the chain to confirm compliance
  - TOMs, Codes of Conduct, Adequacy of Data Protection Regime
- If a Processor is not compliant, the Controller is not compliant
- Processor must ensure sub-Processors meet the Controller's requirements

Responsibilities of the Controller (see Articles 24, 25, 26)
- Implement Technical and Organisational Measures (TOMs), including Data protection policies
- Adherence to Code of Conduct, e.g. CISPE
- Data Protection by Design in the processing of the data

Responsibilities of the Processor (see Article 28)
- Guarantee appropriate TOMs are implemented
- Not engage another processor without prior authorisation
- Only process under a binding contract
- Process personal data only on documented instructions
- Ensure persons processing data are committed to confidentiality
- Adherence to Code of Conduct (where applicable)

The Agreement
- In writing
- Covers all activities, to minimise the risk of non-compliance
- Preclude sub-processors (without consent)
- Changes to sub-processors
- Duration of the processing
- Nature and purpose
- Type of data and categories of subjects
- Rights and obligations

Case Study: Ticketmaster - What Happened
- April 6: Monzo Bank advised Ticketmaster of suspected hacking.
- June 23: News breaks that Ticketmaster suffered a breach. 40,000 affected.
- Vulnerable third party service product sent customer information to hackers.
- Ticketmaster said customers who bought tickets from Sept 2017 – June 2018 may be affected. (9 months!)
Why did it happen?
- Sub-contractor (Inbenta) who operates a "Chatbot" on Ticketmaster's website
- Modified code, used on the payments page, exploited by hackers (in Feb)

Case Study: Ticketmaster - Mitigating the Risks
- Should have discussed use of the modified Chatbot on a payments page
- Do Due Diligence on a vendor before giving them access to sensitive data
- Was the PCI DSS (Payment Card Industry Data Security Standard) adhered to?
- Should have done a better job of investigating the suspected breach in April
- Did seem to have a "playbook" for this scenario and were quick to issue a statement that they had disabled the Inbenta product on all servers.

Why do Vendor Due Diligence?
- Because you are responsible
- Regulator says you have to
- Transparency and accountability
- Access to sensitive information
- Can't manage what you don't understand
- Manage Risk and Compliance
- It's your Brand and Reputation that is at stake

Which Vendors?
- IT Service Provider
- Payroll Processor
- Internet Payments Processor
- Review your Accounts Payable system for the list
- Tier into groups according to criticality
- Do more DD on the more critical vendors

When to Conduct Due Diligence
- Before Contract Signing
- Periodically throughout the year
- Before Contract Renewal
- Following a significant incident
- Change of ownership / restructuring of vendor

Before Contract Signing (Discovery Phase)
- Fundamentals: Co. Registration, Ownership, Regulated? By whom?
- Organisational structure: who will you be dealing with?
- Key Contacts: Information Security Officer, DPO
- Employment Practices: recruitment, contracts, confidentiality, training
- Information Security: Policies, Encryption, Updates, Incident response
- Physical Security: Access control, visitors, Business Continuity Plans
- Any litigation pending?

Periodically Throughout the Year
- Audit processes
- Training, refresher training of staff
- Any incidents? Investigate
- Policies reviewed and updated
- Systems patched to address critical flaws
- Vulnerability Assessments

Occasionally
- Following an Incident
  - Cause
  - Incident handling
  - Preventative measures put in place
- Before Contract Renewal
  - Review performance
  - Review incidents
- Change of Ownership
  - Still the same business?
  - Still a good match?
  - Change of contacts?

How Should Due Diligence be Done?
- Physical Audits
- Questionnaires, by key area of interest
- Mandatory Reporting
  - Performance
  - All incidents
- Continuous Monitoring
- Maintaining Standards

Concluding Comments
- If you are the Controller, you are responsible
- Put a robust contract in place
- Do Due Diligence before you sign up a Processor
- Do ongoing Due Diligence to ensure they remain compliant
- If they're not compliant, neither are you

Thank You
gjoyce@calqrisk.com