Webinar recap: Third-Party Risk Management Trends & Predictions
We recently brought together some of the leading practitioners of third-party risk management to share their views on what the future holds. Our luminaries include Linda Tuck Chapman, CEO and President of Ontala Performance Solutions; Kelly White, CEO and Founder of RiskRecon; and Shawn Malone, CEO and Founder of Security Diligence. You can watch the webinar discussion here.
Here are some of the highlights from our panel discussion on third-party risk management trends and predictions. The net takeaway can be summed up in one word—more. More third parties. More regulations. More innovations. More risk. More of everything.
More third parties
Early in the webinar, Tuck Chapman makes the point that the definition of a third party is expanding to include other types like resellers and agents. She defines third parties as “…any company you do business with that is not a customer relationship.”
Another reason third-party risk is on the rise is the increasing reliance on third parties. Tuck Chapman shares the example of an insurance company that has 8,000 employees but relies on 100,000 third parties to conduct its insurance business.
More regulations
Current and emerging regulations are driving change within third-party risk management circles. On the horizon is the California Consumer Privacy Act, which takes effect on January 1, 2020. White advises focusing on what the regulation requires and extending it across third parties and the digital supply chain. Malone recommends building systems and applications that restrict access, so that third parties access this type of data only on an as-needed basis.
White refers to more regulations as an awakening. Regulations are shifting from a principles-based approach to a more prescriptive one, which is forcing organizations to be more responsive to them.
More innovations
Innovations like IoT, AI, continuous monitoring platforms, and threat intelligence are impacting third-party risk management. Malone speaks about the heightened focus on IoT. White advises studying the venture capital industry as they have insights on what’s coming. Tuck Chapman discusses the emergence of robotic process automation that uses technology to accelerate and improve the accuracy of rules-based processing.
According to White, continuous monitoring and threat intelligence offer the promise of greater accountability. “You can send out questionnaires, but it says nothing about how they implement and operate.” These new tools objectively verify information attested to and dive deeper into a third party’s operations.
More risk
It stands to reason that a greater reliance on third parties by organizations translates into higher risk. However, there are other reasons that third-party risk is on the rise. Malone sees it coming from the growing risk posed by fourth parties.
There is also a conflict between what the business demands and what procurement or third-party risk management can deliver. Tuck Chapman points out that the demand for speed is causing risk. For example, the business needs a third party approved in two weeks and can’t afford to wait two months for due diligence. Her advice? Select the right third party in the first place. If risk identification is less time-consuming with a new third party, it’s faster to get them approved. It’s a win-win for business and risk management.
These latest trends point to more of everything: more third parties, more regulations, more innovations and more risk this year and into 2020. Watch the webinar for additional insights on third-party risk trends and predictions from our distinguished guests.