Third Party Risk Management 12 April 2012

Transcription

1 Third Party Risk Management 12 April 2012

2 Agenda 1. Introductions 2. Drivers of Increased Focus on Third Parties 3. Governance 4. Third Party Risks and Scope 5. Third Party Risk Profiling 6. Third Party Monitoring 7. Technology Enablers 8. Service Organization Reports and Standards

3 Globalization and business partnerships are increasingly being leveraged as strategic enablers According to s 14 th Annual Global CEO Survey: Companies are reshaping strategies and operating models focusing on innovation, collaboration, and talent to find new sources of revenue growth and competitive advantage Partnerships will be key - 40% of CEOs expect the majority of innovations over the next three years to be co-developed with partners - 50% said their companies will enter into a strategic alliance or JV in the coming year Roughly a third of CEOs indicated their companies plan to complete a cross-border merger or acquisition, or outsource a business process or function in the next year As organizational models shift and risk profiles evolve, executives and Boards seek greater transparency and increased assurance that the company s most significant risks are appropriately mitigated Slide 3

4 Some additional data points on third-parties and security 39% have established security baselines for partners/customers/vendors. Taking this one step further, only 23.6% of respondents stated they have security procedures partners/suppliers must comply with. 69% of respondents said somewhat to very confident when asked how confident they are in partners'/suppliers' information security. 35% of the time, respondents state their organizations were informed of security breaches by customers or suppliers, government officials, the media or perpetrator. What is the greatest security risk to your cloud computing strategy? Uncertain ability to enforce provider site security policies % Questionable privileged access control at provider site % Proximity of your data to someone else's % Uncertain ability to recover data - 9.0% Uncertain continued existence of provider - 3.7% Uncertain provider regulatory compliance - 3.5% Uncertain ability to audit provider - 2.8% Access across an untrusted network - 4.1% Slide 4

5 Managing security-related risks associated with business partners has always been an issue; however, it s getting worse Over the past 24 months, the number of security incidents attributed to customers, partners, and suppliers has nearly doubled. Customer 10% 12% 17% 2009 Partner or supplier 8% 11% 15% % 5% 10% 15% 20% Source: 2012 Global State of Information Security Survey. Question 22: Estimated likely source of incident. (Not all factors shown. Totals do not add up to 100%.) Slide 5

6 While risks associated with third parties continue to increase, many companies are less prepared to defend their data Over the past two years, organizations have allowed data privacy safeguards to degrade, exposing the enterprise to potential compromise. (Source: 2012 Global Information Security Survey) GISS Survey results Due diligence of third parties handling personal data 35% 32% 29% Inventory of all third parties handling personal data Require third parties to comply with our policies 29% 28% 24% 29% 34% 39% Incident response process to report and handle breaches 30% 27% 35% 0% 10% 20% 30% 40% 50% 60% Question 15: Which data privacy safeguards does your organization have in place? Question 16: What information security safeguards related to people does your organization currently have in place? Not all factors shown. Totals do not add up to 100%. Slide 6

7 Level-setting: definitions Third-party defined: For our purposes, we define a third-party as any entity not under direct business control of a given organization. Many people equate thirdparties with vendors, but that s not always the case; consider: Vendors / suppliers of products or services Business partners (JV partners, alliances, etc.) Marketing partners Strategic consultants Government agencies Regulatory bodies Customers Third-party risk management encompasses vendor risk management, but is more broadly focused on gaining a understanding of organizational risks and understanding which of those risks may be either positively or negatively affected by third-parties that the company does business with. Third-party risk assessment is the process determining the risk associated to a specific third party. Results of risk assessment are used to determine if a review is required. Third-party review is the process of evaluating third parties control environment. These may be performed on-site or remotely. How do you define third-party risk? Slide 7

8 Example third party risk management governance Enterprise Risk Committee Governance Critical Third Party Oversight Committee Third Party Management Office Third Party Relationship Officer Management & Oversight Business Unit Operational Risk Oversight Third Party Risk Manager (High & Critical Risk Services) Procurement Sourcing Contracts Management InfoSec TBD Subject Matter Specialists PhySec TBD Financial Due Diligence Reputational Due Diligence BCM TBD Legal & Compliance Internal Audit Vendors Slide 8

9 Governance Organization 1. Who leads IT control assessments of third-parties at your organization? 2. How does internal audit play a role? 3. How formal is your third-party security assessment function? Slide 9

10 Third Party Risk Management Information Technology Contracts Management Legal Information Security Business & Operations Privacy Business Continuity Compliance Vendor Risk Assessment Risk Prioritized Planning Process Determine risk factors Survey relationships Leverage internal stakeholder knowledge Develop prioritized assessment schedule Pre-visit activities Communicate review process, goals, and methodologies to third-party Prepare/process paperwork Survey third-party Arrange site visit schedule Reporting Document reviews Communicate findings with internal stakeholders Develop plan of action to address significant deficiencies Plan re-testing Site visit Meet third-party Review survey responses Physical walkthrough Contracts, policy, configuration examination Solution Delivery Foundation Risk-prioritized selection approach Third-Party Surveys Physical Security Walkthrough Policy & procedure Reviews Technical configuration validation Third-Party Sub-contract Review Reporting and Ranking Follow-up with Internal Customers Slide 10

11 Landscape of third party risk Focus on third parties that: Perform functions on behalf of the Company Provide products and services that the Company does not originate Franchise the Company s attributes (Brand) Risks to be managed when using third parties Reputation Technology Strategic Supply Chain Security Credit Compliance Privacy Other (liquidity, price, Fx, country) Transactional Operations Due Diligence Experience Audited financial statements Reputation, complaints, litigation Qualifications Internal controls Adequacy of MIS BCP/DR Cost of development, implementation and support Use of third parties Supply Chain Transparency Insurance Risk Assessment Integration with strategic objectives Expertise to oversee and manage activity Cost/Benefit Customer expectations Contract Scope of arrangement Performance measures Responsibility for management information reports Right to audit Cost and compensation Ownership and license Confidentiality and security Business resumption Indemnification Insurance Dispute resolution Limits on liability Default and termination Customer complaints Ongoing Oversight Financial condition Financial statements Supplier s obligations to sub-suppliers Insurance coverage Monitor controls Audit reports Supplier policies On-site visits Compliance risks BC/DR plans and test results Quality of service and support SLA reporting Problem management Alignment with organization s strategy Customer complaints Customer satisfaction survey Periodic performance meetings Expected documentation List of suppliers - valid, current and complete contracts Business plans identifying management s planning process, decisions and due diligence Evidence the firm evaluated supplier s controls and monitors supplier s performance Regular reports to board, or delegated committee, of the results of ongoing oversight activity Slide 11

12 Types of risk to consider Operational Risk Risk that arises from the potential that inadequate internal controls, operational problems, breaches in internal controls, unforeseen catastrophes, or decentralized operations could result in unexpected losses, the inability to maintain a competitive position, or the inability to maintain a well controlled IT processing environment. Associated with: Business locations Business units Business process Transaction processing Unauthorized activities Cost efficiencies Intellectual property Functionality Security Business continuity IT change management Compliance & Regulatory Risk Risk arising from the potential that unenforceable contracts, lawsuits, or adverse judgments can disrupt or otherwise negatively affect the operations of client and adverse consequences from nonconformance with rules and regulations. Associated with: HIPAA HITECH PCI Sarbanes-Oxley Litigation Human resource regulation Contracts Privacy laws and regulations Developing e-business laws and regulations (local, state, national, international) State laws Financial Risk Technology Risk Strategic Risk Risk arising from the potential that incomplete, inaccurate, or unauthorized transactions, fraud, or inadequate internal controls could affect the integrity of information regarding the financial condition of client. Associated with: Sarbanes-Oxley Transaction processing Unauthorized activities SEC and accounting governance standards Fair disclosure IT change management Security Interface Consolidations Data integrity Data sensitivity Risk arising from the potential that new systems, technologies, inter- and intra -connectivity, third-party connectivity, changes, and security threats could adversely affect the integrity and confidentially of client data and transactions, as well as the efficiency, effectiveness, and availability of the IT processing environment. Associated with: IT change management Operating platforms Databases Web-based applications Network connectivity Electronic communications and data transfers Security IT outsourcing / cloud Risk arising from the potential for negative publicity around client s business practices, adverse business decisions, or lack of responsiveness to changed business conditions that will cause a decline in the customer base, costly litigation, or revenue reductions. Associated with: Security or internal control breaches Intellectual property Fraud Competition Business development New products and markets Alliances Brand value Ethics and governance Third-party connections Slide 12

13 Profiling third party risk 1. Profile Third Party Data Collection Business Sponsor Previous Assessments Third party contacts Contracts Preliminary Entity Profiling Preliminary Service Profiling Preliminary Third Party Rating Output: Assessment Type Assessment Scope 2. Assess Technical Security Assessment Third Party Processes and Controls Periodic Review 3. Review and Decide Residual Risk Rating and Score Business Action: Accept Share / Transfer Reduce Remediation and Reassessment Assessment Report Third Party Report Risk Rating and Score Slide 13

14 Components of the third party risk profile Third Party Risk Profile Entity Profile (Max Score 100) Service Profile Experience & size etc. (10%) Familiarity to Company (Includes contract status) (35%) Prior Reviews (55%) Service Operation Data & Information Regulatory & Legal Depicts Category Weighting Service Scope (15%) Service Type (25%) Data Access (5%) Data Sensitivity (25%) Availability Impact (5%) Uptime Req. (5%) SOX GxP PCI PII HIPAA (2o%) Slide 14

15 Profile output (example) Slide 15 Slide 15

16 GRC & Third Party Risk Management Governance, Risk and Compliance (GRC) is an organization s response to integrated risk management Risk is managed throughout the business to better prepare the organization to be aware of and respond to risks should they materialize Common components of an operational GRC program are provided in the graphic below 3 rd party management is a key element in any formal GRC program Threat & Vulnerability Management Risk & Compliance Management Incident Management & Business Continuity Governance Third Party Management 3 rd party management is the active monitoring and evaluation of risk that pertains to the population of vendors that an organization chooses to conduct business with Risk elements specific to 3 rd party management can include such topics as: Data exchange, processing, sharing and storing A vendor s ability to recover from an incident or a disastrous event Types of data a 3 rd party manages on behalf of a company they do business with Slide 16

17 Using Technology to Improve Processes Technology solutions exist to support vendor management and the corresponding risks associated with contracted vendors Vendor management solutions can provide numerous features that allow an organization strategic advantages, as well as process efficiencies. Some of these key features include: Automated workflow routing processes such as review and approval using integrated functionality Central repository for all vendor management data a single repository containing all vendor management data allowing for consistency of data captured as well as a single data store for reports to query Ad-hoc, dashboard and schedule reporting multiple types of reports providing flexibility to look at specific vendor data details by different internal audiences Access control capabilities to control who can see what types of data and how can create, read, update or delete content records Vendor assessment the ability to create tailored questionnaires based on specific risk profiles allows an organization to gather the information they need to actively manage vendor relationships Offshoring Centers of Excellence - This support leverages an offshore model and can offload data entry, data aggregation, initial risk ranking/scoring exercises, and desktop reviews to lower costs amongst over services. Slide 17

18 Assessing third-parties: other forms of assurance Forms of assurance users may receive include: Payment Card Industry (PCI) Report of Compliance (ROC) ISO certification Safe Harbor Certification Opinions issued by CPAs under AT101 Organizations that operate information systems and provide services often provide assurance on the design and operating effectiveness via reporting under AICPA Attestation Standard No These providers typically collect, process, transmit, store, organize, maintain, or dispose of information for other entities. The AICPA recently clarified guidance under AT101 by describing three types of Service Organization Controls (SOC) reporting that may be relevant to user needs. Slide 18

19 Summary of Service Organization Control Reports SOC1 Reports SSAE No. 16, Reporting on Controls at a Service Organization establishes the requirements and guidance for a CPA examining and reporting on a service organization's description of its system and its controls that are likely to be relevant to user entities' internal control over financial reporting. SOC1 reports are needed by the auditors of the user entities' financial statements to obtain information about controls at the service organization that may affect assertions in the user entities' financial statements. SOC 1 reports are intended solely for the information and use of existing user entities, their financial statement auditors and management of the service organization. SOC 2 Reports Under AT 101 and the AICPA Guide Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy An examination engagement to report on controls at a service organization intended to mitigate risks related to security, availability, processing integrity, confidentiality, or privacy (trust services principles). Contains a detailed description of the service auditor's tests of the operating effectiveness of controls and the results of those tests, which may be necessary for a particular user to determine how it is affected by those controls. SOC 3 Reports Under AT101 following Trust Services Principles for Security, Availability, Processing Integrity, Confidentiality, or Privacy A practitioner may report on one or more of the five trust services principles. In the examination report, the opinion concludes whether the service organization maintained effective controls over its system, based on relevant TSP criteria. Slide 19

20 Questions? Rob Stouder (317) All rights reserved. In this document, "" refers to PricewaterhouseCoopers LLP, a Delaware limited liability partnership, which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity. This document is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.