Third Party Risk Management (TPRM) has always been a compliance hurdle that seems to be a 9-headed monster, due to the ever-evolving headaches associated with vendor onboarding/off boarding, due diligence, the RFP process, legal obligations, contractual requirements, compliance requirements, performance requirements and continuous monitoring.
Additionally, third party relationships carry numerous hidden risk factors including strategic risk, reputation risk, operational risk, transaction risk, credit risk and compliance risks (our main area of focus today).
Fortunately for our readers, our team at Schneider Downs have developed a cheat-sheet to help you and your organization better understand the regulatory and compliance landscape, and how it fits into your third party risk management program.
Our Compliance and Third Party Risk Management Guide is outlined below and also available as a PDF.
1. Understand your enterprise’s compliance concerns through an enterprise risk assessment.
An enterprise-wide risk assessment can help you better understand the interworking third party relationships that your company relies on to perform daily business operations. A few things to consider when embarking on an enterprise risk assessment is to first identify critical/high risk suppliers/third parties. For example, if you are a company positioned in the financial sector, understanding a supplier’s risk for potential bribery can be a great starting point. Additionally, other raw attributes such as time in business, degree of marketplace activity, location, severe financial risk indicators and changes in circumstances can help fuel your risk-assessment model. In assessing risk, businesses should consider leveraging third party data, insights and proprietary predictive scores, which can greatly strengthen client controls, risk triggers and defensible position pillars. Various third party “insight” tools exist, such as BitSight, RiskRecon, SecurityScorecard and RiskLens. These insights help strengthen compliance programs by enhancing depth of due diligence and moving beyond sole reliance on self-disclosed information from a questionnaire.
2. Perform necessary due diligence related to the business sector and risk of the third party.
A simple employee screening/background check is not enough information to comprehensively assess a potential vendor to determine whether that third party is viable to work with your organization. We recommend seeking a depth of diligence that includes leveraging global data assets on entities, including legal name, organizational structure, parent companies, names of all principals/officers/beneficial owners, and industry. This allows your company to understand the holistic structure behind a specific vendor/supplier and understand their risk at an even better level than through the enterprise risk assessment.
3. Establish a comprehensive Third Party Management Program
Your firm/company should leverage a third party/vendor management program that includes all the necessary steps to performing a full end-to-end third party/vendor management review. This program should include all the necessary touchpoints your firm believes are necessary to properly assess and onboard a potential vendor or supplier. Schneider Downs suggests that a third party/vendor management program should include the following requirements:
Vendor Selection Process
Vendor Risk Assessment Process
Due Diligence Process
Contractual / Regulatory Review Process
Ongoing Monitoring Procedure
Although a third party/vendor management program should include the items listed above, a program is not limited to this list. It is helpful to note that the process’ noted above are “living and breathing” meaning that these process’ will need tuned in order to assist your organization in assessing third parties and vendors properly.
4. Create a process for company-wide monitoring and an approach to risk management
Having the right governance and internal controls in place helps companies benefit from complete visibility into third party transactions. By managing internal regulatory requirements, incoming third party compliance requirements can seem less daunting as your firm may already have a process established on how to deal with evolving compliance hurdles. Additional risks you should also consider monitoring for are financial, human rights, data privacy and cybersecurity risks.
Although the listing above provides a great summary of an efficient TPRM program, we would like to direct you to the listing below that identifies the most relevant TPRM-specific compliance requirements. The following regulatory/certification standards all include requirements that your organization (if working with third parties) must maintain the following:
A listing of your critical third parties as it relates to your business operations (a company that provides your daily kitchen supplies is not a critical third party)
Assess your critical third parties on an annual basis through an agreed upon methodology and determine whether your third parties are adhering to the same regulatory/certification standards
Establish an ongoing monitoring program to ensure all your critical third parties are aligning to regulatory, legal and contractual standards.
Regulatory / Certification Standards
System and Organization Controls (SOC) are a series of standards designed to help measure how well a given service organization conducts and regulates its information. A SOC 1 report is designed to address internal controls over financial reporting while a SOC 2 report addresses a service organization's controls that are relevant to their operations and compliance. One or both could be right for your organization. Controls in scope of TPRM
CC2.3: The entity communicates with external parties regarding matters affecting the functioning of internal control.
CC9.2: The entity assesses and manages risks associated with vendors and business partners.
Payment card industry (PCI) compliance is mandated by credit card companies to help ensure the security of credit card transactions in the payments industry. The Payment Card Industry Security Standards Council was originally formed in September 2006 by American Express, Discover Financial Services, JCB International, MasterCard and Visa Inc. with the goal of managing the ongoing evolution of the Payment Card Industry Data Security Standard. Controls in scope related to TPRM:
8.3: Is two-factor authentication incorporated for remote network access originating from outside the network by personnel (including users and administrators) and all third parties (including vendor access for support or maintenance)?
9.9.3: Are personnel (including third party employees) trained to be aware of attempted tampering or replacement of devices?
12.3.9: Activation of remote-access technologies for vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use?
12.3.10: For personnel accessing cardholder data via remote-access technologies, does the policy specify the prohibition of copying, moving, and storage of cardholder data onto local hard drives and removable electronic media, unless explicitly authorized for a defined business need?
12.8: Are policies and procedures maintained and implemented to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data?
12.8.1: Is a list of service providers maintained?
12.8.2: Is a written agreement maintained that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess or otherwise store, process, or transmit on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment?
12.8.3: Is there an established process for engaging service providers, including proper due diligence prior to engagement?
12.8.4: Is a program maintained to monitor service providers’ PCI DSS compliance status at least annually?
12.8.5: Is information maintained about which PCI DSS requirements are managed by each service provider, and which are managed by the entity?
The Office of the Comptroller of the Currency (OCC) is a federal agency that oversees the execution of laws relating to national banks. The OCC charters, regulates, and supervises all national banks and federal savings associations as well as federal branches and agencies of foreign banks. Controls in scope of TPRM:
OCC Bulletin 2013-29:
A bank should adopt risk management processes commensurate with the level of risk and complexity of its third-party relationships.
A bank should ensure comprehensive risk management and oversight of third-party relationships involving critical activities.
An effective risk management process throughout the life cycle of the relationship.
Plans that outline the bank's strategy, identify the inherent risks of the activity, and detail how the bank selects, assesses, and oversees the third party.
Proper due diligence in selecting a third party.
Written contracts that outline the rights and responsibilities of all parties.
ISO/IEC 27001 specifies a management system that is intended to bring information security under management control and gives specific requirements. Organizations that meet the requirements may be certified by an accredited certification body following successful completion of an audit. Controls in Scope related to TPRM:
15.1: Information Security in supplier relationships
15.2: Supplier service delivery management
Sarbanes-Oxley Compliance (SOX) The United States Congress passed the Sarbanes-Oxley Act in 2002 and established rules to protect the public from fraudulent or erroneous practices by corporations and other business entities. The goal of the legislation is to increase transparency in the financial reporting by corporations and to require a formalized system of checks and balances in each company. Controls in Scope of TPRM:
APO10.01/APO10.02: Selection of vendors for outsourced services is performed in accordance with the enterprise’s vendor management policy and process.
APO10.03: A designated individual is responsible for regular monitoring and reporting on the achievement of the third-party service level performance criteria.
APO10.04: Third-party service contracts address the risk, security controls and procedures for information systems and networks in the contract between the parties.
HITRUST CSF is a security framework that aggregates relevant information security controls from the standards and regulations incorporated into HIPAA. Thus, it creates a single framework that healthcare providers and their business associates can use to meet the technology requirements embedded in HIPAA. Controls in Scope of TPRM:
5.02 External Parties: To ensure that the security of the organization’s information and information assets, are not reduced by the introduction of external party products or services.
05.i Identification of Risks Related to External Parties: The risks to the organization’s information and information assets from business processes involving external parties shall be identified, and appropriate controls implemented before granting access.
Federal Risk and Authorization Management Program (FedRAMP) is a US government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. This approach uses a “do once, use many times” framework that saves cost, time, and staff required to conduct redundant Agency security assessments. Requirements to be considered related to TPRM:
3rd Party Assessment Organizations (3PAOS) play a critical role in the FedRAMP security assessment process, as they are the independent assessment organizations that verify cloud providers’ security implementations and provide the overall risk posture of a cloud environment for a security authorization decision. These assessment organizations must demonstrate independence and the technical competence required to test security implementations and collect representative evidence. 3PAOs must:
Plan and perform security assessments of CSP systems
Review security package artifacts in accordance with FedRAMP requirements
The Gramm-Leach-Bliley Act (GLB Act or GLBA) is also known as the Financial Modernization Act of 1999, is a United States federal law that requires financial institutions to explain how they share and protect their customers' private information. Requirements to be considered related to TPRM:
A financial institution must provide notice of its privacy policies and practices, and allow the consumer to opt out of the disclosure of the consumer’s nonpublic personal information to a nonaffiliated third party if the disclosure is outside of the exceptions in sections 13, 14, or 15 of the regulation.
General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area. It also addresses the transfer of personal data outside the EU and EEA areas. Requirements to be considered related to TPRM:
Sign a data processing agreement between your organization and any third parties that process personal data on your behalf.
The right to know about the personal information a business collects about them and how it is used and shared;
The right to delete personal information collected from them (with some exceptions);
The right to opt-out of the sale of their personal information; and
The right to non-discrimination for exercising their CCPA rights.
The New York SHIELD Act requires any person or business owning or licensing computerized data that includes the private information of a resident of New York (“covered business”) to implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information. Requirements to be considered related to TPRM:
Is the organization conducting internal controls-based assessments of third-parties based on the requirements in applicable laws such as GLBA, HIPAA, or NYCRR Part 500?
Is the organization monitoring external third-party networks and utilizing business risk intelligence such as news events, financials, layoffs, leadership changes, lawsuits, etc. that can serve as predictors of future vulnerabilities?
Is there a defined process in place to identify, categorize, prioritize, and manage risks to an acceptable level?
Does the organization have a defined workflow process in place to escalate identified risks for remediation?
This article is part of a series exploring the importance of third-party risk management programs, you can view additional articles below.
View our entire Third Party Risk Management article library here.
About Schneider Downs Third-Party Risk Management
Schneider Downs is a registered assessment firm with the Shared Assessments Group, the clear leader in third-party risk management guidance. Our personnel are experienced in all facets of vendor risk management, and have the credentials necessary (CTPRP, CISA, CISSP, etc.) to achieve meaningful results to help your organization effectively achieve new vendor risk management heights.
You’ve heard our thoughts… We’d like to hear yours
The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].
Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.