Managing the Risk of External Relationships…3rd and 4th Party…! October 2017

1

Agenda

2

Best Practices

Building a 4th Party Risk Management Program

Issues

4th Party Risk

Issues

• Naming convention… 3rd party, 4th party, 5th party and so on

• Misconception – applying the same due diligence to all YOUR 3rd parties AND every 4th party and subcontractor

• Lack of direct contractual relationship with the 4th party or subcontractor.

• Let’s talk – 3rd party relationship life cycle – Do YOU have issues?

• Planning - Do you know the inherent risk of your critical vendors?

• Due diligence – Do your critical vendors have sufficient resilience?

• Contracting – Board approval required before contracting for 3rd party critical activities?

• Ongoing monitoring – Senior management able to assess 3rd party for critical activities?

• Termination – Is “termination” (Exit Strategy) part of your vendor life cycle?

3

4th Party Risk

• Who are they?

• What products and services are they providing to your vendor to be classified as critical to their operation?

• What due diligence has your vendor performed on these vendors?

• What critical data you share with your 3rd party is passed along to their service provider with poor security practices?

4

How to mitigate 4th Party (subcontractor) Risk

• Third Party contract term “Must Haves” • Regular independent audits of 3rd parties and important

subcontractors

• Use of bank information restrictions by 3rd and 4th parties

• Use of a subcontractor – when, how, and origin location

• Document activities that cannot be subcontracted or to particular locations or specific subcontractors

• Document subcontractor’s performance and 3rd party’s liability for activities and actions of subcontractor

5

How to mitigate 4th Party (subcontractor) Risk

• Due diligence • Volume and type of subcontracted activities – subcontractors’

physical locations

• 3rd parties ability to access, monitor, and mitigate risk from use of subcontractors

• Level of quality and controls where subcontractors’ reside

• Concentration risk - 3rd party’s reliance on subcontractors

• Due diligence on 3rd party’s critical subcontractors

6

Best Practices - Methods and techniques that provide optimal results

• Right to audit 4th parties: mitigate data breach risk if 3rd party experiences a breach

• Establish risk-based program, implement appropriate governance and oversight programs for 3rd parties, and develop approaches to assess and manage 4th party risk

• Focus how YOUR 3rd party has structured its program for oversight of their providers

• Inspect YOUR 3rd party provider’s program

• Documented policy & procedures to manage and assess risk of their 3rd parties

• Risk assessment, onboarding, termination and periodic assessments

• Use External Assurance tools

• SSAE 18 – Adequacy of controls and testing of controls

• Agreed Upon Procedures (AUP) – Shared Assessments Program tool

• On-site assessment of a 3rd party

• Trust but Verify approach – Vendor uses outside assessment firm to conduct an AUP engagement for all clients to use

• Provide risk reporting to senior management regarding program oversight

7

Building a 4th Party Risk Management Program

• Identify YOUR most risk-critical vendors

• List YOUR vendor’s 3rd parties:

• What services do they provide?

• Do they have access to YOUR sensitive data? YOUR vendor’s sensitive data?

• If they are breached, how vulnerable is YOUR data?

• Is there network segmentation between YOU and YOUR 4th party?

• Where are YOUR 4th parties located? Are they offshore?

• Educating YOUR 3rd parties on what they NEED to do monitor their 3rd parties

• Understand the security monitoring capabilities of YOUR vendor

• Utilize the POWER of YOUR Contracts to protect against “high-risk” 4th parties

8

4th party monitoring is a collaborative effort with your vendors

9

Contract Management related to 4th parties

“Services” only your vendor can provide with specific terms and requirements

Mitigate increased risk caused by 4th parties and subcontractors, especially for critical services

Define Services

Add notice and approval provisions prior to use of a 4th parties and subcontractors

Approval requirement ensures you are in control of your own 3rd and 4th parties

Prior Notice

Required

Offshore Risks

Know the standards, risks, and controls with offshore 4th parties

Companies in the EU have different data sharing policies than companies in the US

Summary

• Issues with 3rd and 4th parties

• Naming convention

• Lack of contractual relationship with 4th party

• 4th Party Risks

• Contract “Must Haves”

• Due diligence necessary

• Best Practices

• Right to audit

• YOUR 3rd party provider’s oversight program

• Use of eternal assurance tools

• Building a 4th Party Risk Management Program

• Vendor identification

• Security monitoring capabilities of YOUR vendor

• Contract Management

10

Q & A

THANK YOU

Contact Information:

Mary Kay Merkt

mmerkt@johnsonbank.com

11

BAI

12

Who We Are BAI delivers:

so you can make smart decisions with clarity and confidence.

In-depth

Data Analysis

Unbiased

Perspectives

Industry

Expertise

13