Vendor Management The Risks to Your Business


1 Vendor Management The Risks to Your Business
By Gerard Joyce 6th March 2019

2 Agenda
Data Processing Relationships
Controller / Processor
Processor / Processor
Responsibilities of the Controller
Responsibilities of the Processor
Robust Processing Agreements
Doing Due Diligence

3 Introduction
Experienced Risk & Compliance Professionals
Members of IRM, IOB, ACOI, ACCA, ISI...
Involved in the Development of Standards
We supply a Governance, Risk & Compliance Software Solution called CalQRisk
CalQRisk is used by 170+ regulated firms, including Brokers, Financial Advisors, Fund Management Companies, Fund Administrators, Credit Unions, Solicitors, Hotels, Charities and Local Authorities

4 "Trust but Verify" (Ronald Reagan)
Because you are responsible

5 Vendor Management Programme
Control Costs
Drive Service Excellence
Mitigate Risks
Vendor Risk Management is the ongoing process of ensuring you continue to reap the benefits of outsourcing
You cannot outsource the Responsibility

6 Some Statistics
Over 40% of business leaders said they experienced significant increases in third-party dependence over the past year. (Forrester)
83% of business leaders lack confidence in third-party risk management processes. (Deloitte)
20.6% of business leaders experienced a data breach caused by third parties. (Deloitte)

7 The Relationship
Controller retains ultimate responsibility
Controller – Processor – Processor – Processor
Controller must authorise and be informed about sub-contractors
Controller must follow the chain to confirm compliance: TOMs, Codes of Conduct, Adequacy of the Data Protection Regime
If a Processor is not compliant, the Controller is not compliant
Processor must ensure sub-Processors meet the Controller's requirements

8 Responsibilities of the Controller
See GDPR Articles 24, 25, 26
Implement Technical and Organisational Measures (TOMs), including data protection policies
Adherence to a Code of Conduct, e.g. CISPE
Data Protection by Design in the processing of the data

9 Responsibilities of the Processor
See GDPR Article 28
Guarantee appropriate TOMs are implemented
Not engage another processor without prior authorisation
Only process under a binding contract
Process personal data only on documented instructions
Ensure persons processing data are committed to confidentiality
Adherence to a Code of Conduct (where applicable)

10 The Agreement
To minimise the risk of non-compliance:
In writing
Covers all activities
Preclude sub-processors (without consent)
Changes to sub-processors
Duration of the processing
Nature and purpose
Type of data and categories of data subjects
Rights and obligations

11 Case Study: Ticketmaster
What Happened
April 6: Monzo Bank advised Ticketmaster of suspected hacking.
June 23: News breaks that Ticketmaster suffered a breach. 40,000 affected.
A vulnerable third-party service product sent customer information to hackers.
Ticketmaster said customers who bought tickets from Sept 2017 to June may be affected (9 months!).
Why did it happen?
Sub-contractor (Inbenta) who operates a "Chatbot" on Ticketmaster's website.
Modified code, used on the payments page, exploited by hackers (in Feb).

12 Case Study: Ticketmaster
Mitigating the Risks
Should have discussed use of the modified Chatbot on a payments page
Do Due Diligence on the vendor before giving them access to sensitive data
Was PCI DSS (Payment Card Industry Data Security Standard) adhered to?
Should have done a better job of investigating the suspected breach in April
Did seem to have a "playbook" for this scenario and were quick to issue a statement that they had disabled the Inbenta product on all servers.
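The technical control behind the "modified Chatbot on a payments page" point is worth making concrete. The check below is an added example, not code from the presentation or from Ticketmaster or Inbenta: it statically audits the script tags on a checkout page against the page's Content-Security-Policy and reports every third-party script that the browser is allowed to run next to the card form, and whether it is pinned with Subresource Integrity. The host names, HTML and policy header are constructed for illustration.

```javascript
// Added example, not part of the presentation: a static audit of the
// <script> tags on a checkout page against its Content-Security-Policy.
// It flags the situation behind the Ticketmaster incident: vendor code that
// the browser loads on the payment page and that the vendor (or whoever
// compromises the vendor) can change at any time. Host names, HTML and the
// policy below are constructed for illustration.

const FIRST_PARTY_HOST = "tickets.example"; // assumed first-party origin

// Constructed checkout page: a first-party script, a vendor chatbot widget
// with no Subresource Integrity (SRI) hash, a CDN library pinned by hash
// (placeholder hash value), and an analytics tag the CSP below does not permit.
const CHECKOUT_HTML = `
<html><head>
<script src="/js/checkout.js"></script>
<script src="https://chat.vendor-example.com/widget.js"></script>
<script src="https://cdn.example.net/lib.js"
        integrity="sha384-PLACEHOLDER_HASH" crossorigin="anonymous"></script>
<script src="https://analytics.example.org/tag.js"></script>
</head><body><form id="payment"><input name="card"></form></body></html>`;

// Constructed policy: the chatbot host was allow-listed when the widget was
// added, so CSP alone does nothing if that host starts serving modified code.
const CSP_HEADER =
  "default-src 'self'; " +
  "script-src 'self' https://chat.vendor-example.com https://cdn.example.net; " +
  "connect-src 'self'";

// List external scripts with their host and whether an integrity attribute is set.
function externalScripts(html, firstPartyHost) {
  const scripts = [];
  const tagRe = /<script\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[1];
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (!src) continue; // inline script: out of scope for this check
    const url = new URL(src[1], `https://${firstPartyHost}/`); // resolves relative paths
    scripts.push({
      url: url.href,
      host: url.host,
      thirdParty: url.host !== firstPartyHost,
      hasIntegrity: /\bintegrity\s*=/i.test(attrs),
    });
  }
  return scripts;
}

// Parse a CSP header into { directive: [sources...] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) policy[tokens[0]] = tokens.slice(1);
  }
  return policy;
}

// Would script-src (falling back to default-src) let the browser load this script?
// Only exact-host sources, 'self' and '*' are handled; wildcard hosts such as
// *.example.net and scheme-only sources are treated as non-matching, which
// errs towards reporting a finding rather than hiding one.
function cspAllowsScript(policy, script) {
  const sources = policy["script-src"] || policy["default-src"] || [];
  return sources.some((source) => {
    if (source === "'self'") return !script.thirdParty;
    if (source === "*") return true;
    try {
      return new URL(source).host === script.host;
    } catch {
      return false; // not an absolute URL (keyword, nonce, hash, wildcard)
    }
  });
}

// Classify every third-party script on the page.
//   "blocked-by-csp": the browser will not run it (check the page still works)
//   "pinned":         allowed and hash-pinned, so a vendor-side change breaks
//                     the load instead of silently running new code
//   "unpinned":       allowed and not pinned; the vendor controls what runs
//                     next to the card form, which is the Inbenta scenario
function auditCheckout(html, cspHeader, firstPartyHost = FIRST_PARTY_HOST) {
  const policy = parseCsp(cspHeader);
  return externalScripts(html, firstPartyHost)
    .filter((s) => s.thirdParty)
    .map((s) => {
      let status;
      if (!cspAllowsScript(policy, s)) status = "blocked-by-csp";
      else if (s.hasIntegrity) status = "pinned";
      else status = "unpinned";
      return { url: s.url, host: s.host, status };
    });
}

// Stand-alone run: one line per third-party script on the constructed page.
for (const f of auditCheckout(CHECKOUT_HTML, CSP_HEADER)) {
  console.log(`${f.status.padEnd(15)} ${f.url}`);
}
```

Two caveats follow from the output. Pinning a vendor script with an SRI hash means the vendor's routine updates break the page until you re-pin, so it forces exactly the conversation with the vendor that the slide says should have happened before the chatbot went on a payments page. And `connect-src 'self'` only restricts fetch and XHR; a script that exfiltrates by submitting a form or loading an image needs `form-action` and `img-src` restricted as well. The audit is a snapshot of one page load, so it belongs in the continuous monitoring discussed later in the presentation rather than in a one-off review.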

13 Why do Vendor Due Diligence?
Because you are responsible
The Regulator says you have to
Transparency and accountability
Vendors have access to sensitive information
You can't manage what you don't understand
Manage Risk and Compliance
It's your Brand and Reputation that is at stake

14 Which Vendors?
IT Service Provider
Payroll Processor
Internet Payments Processor
Review your Accounts Payable system for the full list
Tier into groups according to criticality
Do more DD on the more critical vendors

15 When to Conduct Due Diligence
Before Contract Signing
Periodically throughout the year
Before Contract Renewal
Following a significant incident
Change of ownership / restructuring of the vendor

16 Before Contract Signing (Discovery Phase)
Fundamentals: Company Registration, Ownership, Regulated? By whom?
Organisational structure: who will you be dealing with?
Key Contacts: Information Security Officer, DPO
Employment Practices: recruitment, contracts, confidentiality, training
Information Security: Policies, Encryption, Updates, Incident response
Physical Security: Access control, visitors, Business Continuity Plans
Any litigation pending?

17 Periodically Throughout the Year
Audit processes
Training and refresher training of staff
Any incidents? Investigate
Policies reviewed and updated
Systems patched to address critical flaws
Vulnerability Assessments

18 Occasionally
Following an Incident: Cause; Incident handling; Preventative measures put in place
Before Contract Renewal: Review performance; Review incidents
Change of Ownership: Still the same business? Still a good match? Change of contacts?

19 How Should Due Diligence be Done?
Physical Audits
Questionnaires, by key area of interest
Mandatory Reporting: Performance, All incidents
Continuous Monitoring: Maintaining Standards

20 Concluding Comments
If you are the Controller, you are responsible
Put a robust contract in place
Do Due Diligence before you sign up a Processor
Do ongoing Due Diligence to ensure they remain compliant
If they're not compliant, neither are you

21 Thank You
