Vendor Management: The Risks to Your Business
By Gerard Joyce, 6th March 2019
Agenda
- Data Processing Relationships
  - Controller / Processor
  - Processor / Processor
- Responsibilities of the Controller
- Responsibilities of the Processor
- Robust Processing Agreements
- Doing Due Diligence
Introduction
- Experienced Risk & Compliance Professionals
- Members of IRM, IOB, ACOI, ACCA, ISI...
- Involved in the Development of Standards
- We supply a Governance, Risk & Compliance Software Solution called CalQRisk
- CalQRisk is used by 170+ regulated firms, including Brokers, Financial Advisors, Fund Management Companies, Fund Administrators, Credit Unions, Solicitors, Hotels, Charities and Local Authorities
"Trust but Verify" (Ronald Reagan)
Because you are responsible
Vendor Management Programme
- Control Costs
- Drive Service Excellence
- Mitigate Risks
Vendor Risk Management is the ongoing process of ensuring you continue to reap the benefits of outsourcing.
You cannot outsource the Responsibility.
Some Statistics
- Over 40% of business leaders said they experienced significant increases in third party dependence over the past year. (Forrester)
- 83% of business leaders lack confidence in 3rd party risk management processes. (Deloitte)
- 20.6% of business leaders experienced a data breach caused by third parties. (Deloitte)
The Relationship
- Controller retains ultimate responsibility
- Controller – Processor – Processor – Processor
- Controller must authorise and be informed about sub-contractors
- Controller must follow the chain to confirm compliance: TOMs, Codes of Conduct, Adequacy of Data Protection Regime
- If a Processor is not compliant, the Controller is not compliant
- Processor must ensure sub-Processors meet the Controller's requirements
Responsibilities of the Controller (see Articles 24, 25, 26)
- Implement Technical and Organisational Measures (TOMs), including Data protection policies
- Adherence to a Code of Conduct, e.g. CISPE
- Data Protection by Design in the processing of the data
Responsibilities of the Processor (see Article 28)
- Guarantee appropriate TOMs are implemented
- Not engage another processor without prior authorisation
- Only process under a binding contract
- Process personal data only on documented instructions
- Ensure persons processing data are committed to confidentiality
- Adherence to a Code of Conduct (where applicable)
The Agreement
To minimise the risk of non-compliance, the agreement should be:
- In writing
- Covering all activities
- Precluding sub-processors (without consent)
- Covering changes to sub-processors
- Stating the duration of the processing
- Stating the nature and purpose
- Stating the type of data and categories of subjects
- Setting out rights and obligations
Case Study: Ticketmaster – What Happened
- April 6: Monzo Bank advised Ticketmaster of suspected hacking.
- June 23: News breaks that Ticketmaster suffered a breach. 40,000 affected.
- A vulnerable third-party service product sent customer information to hackers.
- Ticketmaster said customers who bought tickets from Sept 2017 – June 2018 may be affected. (9 months!)
Why did it happen?
- Sub-contractor (Inbenta) operated a "Chatbot" on Ticketmaster's website.
- Modified code, used on the payments page, was exploited by hackers (in Feb).
Case Study: Ticketmaster – Mitigating the Risks
- Should have discussed use of the modified Chatbot on a payments page
- Do Due Diligence on a vendor before giving them access to sensitive data
- Was the PCI DSS (Payment Card Industry Data Security Standard) adhered to?
- Should have done a better job of investigating the suspected breach in April
- Did seem to have a "playbook" for this scenario and were quick to issue a statement that they had disabled the Inbenta product on all servers
Why do Vendor Due Diligence?
- Because you are responsible
- Regulator says you have to
- Transparency and accountability
- Access to sensitive information
- Can't manage what you don't understand
- Manage Risk and Compliance
- It's your Brand and Reputation that is at stake
Which Vendors?
- IT Service Provider
- Payroll Processor
- Internet Payments Processor
- Review your Accounts Payable system for the list
- Tier into groups according to criticality
- Do more DD on the more critical vendors
When to Conduct Due Diligence
- Before Contract Signing
- Periodically throughout the year
- Before Contract Renewal
- Following a significant incident
- Change of ownership / restructuring of vendor
Before Contract Signing (Discovery Phase)
- Fundamentals: Co. Registration, Ownership, Regulated? By whom?
- Organisational structure: Who will you be dealing with?
- Key Contacts: Information Security Officer, DPO
- Employment Practices: recruitment, contracts, confidentiality, training
- Information Security: Policies, Encryption, Updates, Incident response
- Physical Security: Access control, visitors, Business Continuity Plans
- Any litigation pending?
Periodically Throughout the Year
- Audit processes
- Training, refresher training of staff
- Any incidents? Investigate
- Policies reviewed and updated
- Systems patched to address critical flaws
- Vulnerability Assessments
Occasionally
- Following an Incident
  - Cause
  - Incident handling
  - Preventative measures put in place
- Before Contract Renewal
  - Review performance
  - Review incidents
- Change of Ownership
  - Still the same business?
  - Still a good match?
  - Change of contacts?
How Should Due Diligence be Done?
- Physical Audits
- Questionnaires, by key area of interest
- Mandatory Reporting: Performance, All incidents
- Continuous Monitoring: Maintaining Standards
Concluding Comments
- If you are the Controller you are responsible
- Put a robust contract in place
- Do Due Diligence before you sign up a Processor
- Do ongoing Due Diligence to ensure they remain compliant
- If they're not compliant, neither are you
Thank You
gjoyce@calqrisk.com