The following is a guest post from Daniel Ravner, Chief Marketing Officer at Mirato.
Geopolitical unrest, extreme weather events, inflation, and the global energy crisis…there is growing recognition that we have entered a new phase of risk, a post-lockdown era in which there will be no more black swans because black swans are everywhere — the unexpected is now the expected.
The financial services industry’s approach to third-party risk management (TPRM) is changing in response to this increasingly complex risk environment. Here are five notable TPRM trends happening now:
ESG (Environmental/Social/Governance) is an increasingly important part of TPRM
The role of environmental, social, and governance (ESG) factors in third-party risk management is finally getting its due, thanks to customers driving the trend.
ESG is not just about compliance. It is also about being competitive. Consumers are choosing which companies to purchase from based on the values they represent.
There is also growing recognition that diversity indicates a team’s ability to handle crisis and risk-related events.
At the same time, global ESG policies are evolving rapidly, with Europe leading the way by putting a regime for sustainable finance at the forefront of its agenda.
The U.S. is also taking steps towards setting ESG priorities, with the SEC issuing regulations for companies to make climate-related disclosures. With global attention now focused on ESG issues, it is more important than ever that organizations understand their vendors’ practices.
Ransomware attacks will continue to rise
Ransomware attacks represent the most potent cyber threat of the future. Key third parties will continue to get hacked, as will your own organization.
There was a 300% increase in supply chain attacks in 2021. Specifically, ransomware attacks increased by over 140% in Q3 of 2021 alone, and the research firm Forrester projects that 60% of this year’s security events will stem from third parties.
Immediate notification is critical: one must ask how long it takes for a third party to learn of a breach because a vendor might be compromised for weeks or even months before anyone knows it (one example is the recent Okta attack).
The SEC proposes 48 hours for incident reporting, while the FDIC and OCC require 36 hours. Banks and other companies must keep up with these regulatory requirements and ensure that their third parties do so as well.
Compounding the challenge for TPRM practitioners is that cybersecurity insurance, the last resort for protecting a company’s bottom line, is becoming too expensive to purchase.
Hence, a mature cyber program needs to be in place. The good news is that ransomware attacks can be avoided if the proper controls and training are implemented, and effective resiliency programs can keep an organization safe.
Operational resiliency is critical
Supply chain disruptions are impossible to predict, but organizations can protect against downside risks by increasing their visibility into their supply chain.
The first step is understanding third parties’ business continuity programs. Vendors often have minimal formal resiliency or business continuity management programs, focusing solely on IT disaster recovery and life safety.
One way to assess a vendor’s resiliency is to look at its track record, which reveals much about its ability to maintain continuity of service. Another essential step is to enhance ongoing third-party monitoring capabilities to ensure immediate visibility into any emerging risk (especially concentration risk).
The COVID pandemic has proven to be a valuable test of operational resilience, and so far, financial institutions have passed it.
Banks have remained active throughout the pandemic, but they face aftershocks they must deal with today.
For example, TPRM staffing is a problem and getting worse; it’s harder than ever to find TPRM talent. On top of that, the post-Covid economy and the war in Ukraine are driving up inflation, making TPRM operations more expensive.
Cloud vendors require special attention
Cloud vendors have become a significant focus of financial industry regulators in the U.S., Europe, and Asia-Pacific.
Contrary to what one might think, cloud environments are often more secure than older, alternative solutions and are generally much more resilient.
However, migrating on-premises solution contracts to the cloud is challenging because limitation of liability, ownership issues, and technical requirements are much harder to agree on. The regulations are not yet clear on this front, and it is critical to have the right team in place to assess cloud third parties.
Since cloud vendors have become mission-critical elements of the supply chain, it’s vital to have the proper controls in place.
More sensitive information or data types might require stronger access or encryption controls. Information and data critical for business purposes might require the provider to demonstrate heightened levels of resiliency in recovering from an outage.
It’s also important to understand what data might flow to fourth parties or be accessible through open code, since this forms the basis of the vendor’s risk rating.
Artificial Intelligence (AI) is the future
There is widespread agreement that AI is the future of TPRM. AI is specifically needed to fill the gap between the organization’s annual budget, the ever-growing number of third-party vendors they rely on, and the ever-increasing risk environment.
TPRM remains seriously understaffed and underfunded in most organizations, and it involves accumulating unstructured documents and evidence from multiple platforms and sources, and then correlating that data.
AI-based solutions can help by automating these enormous tasks, replacing the repetitive and administrative manual work associated with risk management, freeing up practitioners to engage in more high-value work, and enabling the program to scale.
A recent Deloitte & Touche survey has borne this out.
According to its report, “technological advancements have now made it possible to accelerate the integration of TPM processes and data from supporting systems in case of organizations that have reached the developing stage by smartly applying an ‘engagement layer.’ This leverages user interfaces (UI) and analytics to provide a user experience (UX)-based design that enables interoperability and creates a cogent view of their third-party ecosystem.”
There is no question that the pace and impact of risk facing today’s companies are unprecedented and unrelenting.
This means we must rethink how we approach TPRM and implement new strategies and technologies that will enable us to manage risk, compliance, performance, and vulnerabilities intelligently.
The tools and tactics are out there and have been tried and tested in other industries: they now need to be adopted for TPRM.