Third Party Due Diligence: Be a Good Example, Not a Horrible Warning
It’s midnight. Do you know where your customer’s data is? Have you shared that data with a third party? If you have, are you comfortable with the third party’s approach to data security, and do they take it as seriously as you do?
As consumers more directly feel the brunt of data security fallout, they’re becoming more interested in, and concerned about, how much data they’re willing to share, what companies do with the data they collect and how that data is secured. According to a new 2016 report from the TRUSTe/National Cyber Security Alliance (NCSA) Consumer Privacy Index, American consumers feel more concerned about the privacy of their data than about the loss of their personal income.
It’s a Risky Business
According to the Ponemon Institute’s 2015 Cost of Data Breach Global Study, the total cost of a data breach is $3.8 million. The brand reputation impact is unquantifiable, as the impact can be felt for years to come after the breach because shifting negative perceptions takes time.
Consider this: the NCSA Consumer Privacy Index report showed that 89 percent of American consumers say they avoid companies that do not protect their privacy. It only takes one mistake to fracture trust with your customers. And that mistake may be sharing sensitive information with a third party. According to PricewaterhouseCoopers’ 2016 Global State of Information Security Survey, “[security] incidents attributed to business partners climbed 22 percent” from 2014 to 2015.
“Third-party due diligence must be robust, thorough, impeccably documented and preserved.” — Former U.S. Department of Justice Fraud Section Deputy Chief Mark Mendelsohn (2005–2010)
Unfortunately, many organizations do not:
• Know which suppliers have access to sensitive data,
• Require suppliers to comply with security policies, or
• Assess data security compliance of suppliers.
Regardless of your company’s size or industry, a multi-phase, risk-based approach is recommended to develop or to shore up your third party due diligence program. This approach should assess the type(s) of data provided to outside organizations and the way in which these organizations use and protect the data to determine the level of diligence and monitoring required.
Phase I: Establish a Governance Model, Policies and Procedures
The first phase aims to establish the program strategy and governance, as well as to set the policies, processes, standards and guidelines to be followed. It will likely be the lengthiest phase, as it requires a great deal of research, analysis and development of recommendations.
At the inception of the project you should engage your company’s executive leadership and secure their support. And don’t overlook your company’s Board of Directors. Given the risk levels and the impact when something goes awry, it is notable that PricewaterhouseCoopers’ 2016 Global State of Information Security Survey showed that 45 percent of respondents said their Board is involved in the overall security strategy.
After obtaining leadership support, you should determine your level of risk, beginning with identifying existing third parties with access to your company’s data, as well as the type of data being shared. This can be done internally with existing, capable team members, or externally by a third party.
In conducting the risk assessment, be sure to engage your technology organization, business owners who collect and manage customer and employee data, and personnel involved in developing and managing contracts such as your legal and supply chain organizations.
Once you have identified the types of data shared with third parties, design a vendor vetting and monitoring process that is stratified based on the identified risk tiers. As an example, your model may include the following tiers (Tier 1 is the highest risk, requiring the highest level of assessment and monitoring):
• Tier 1: Suppliers who manage both personally identifiable information (PII) and critical systems, such as Human Resources Information Systems (HRIS) or credit card processors.
• Tier 2: Suppliers who manage either PII or critical systems, but not both, such as third party customer service or customer analytics providers.
• Tier 3: Suppliers who manage non-PII or other sensitive data.
Once the tier levels and corresponding assessment and monitoring standards have been determined, requirements should be documented in policies and procedures that are clear, concise and accessible to all involved in the contracting process.
Following this work, you’re ready to move into the next phase.
Phase II: Transform Your Vendor Risk Management Profile
The second phase aims to operationalize your program, build awareness of the new program and deliver training to those who will be key players in the vendor compliance and management program. In this phase you’ll begin to see the operational process running and be able to identify issues or gaps and correct them.
This phase may also include retroactive work to bring existing third-party relationships into compliance with your new standards. The organization should make risk-based determinations regarding whether and when to close security and compliance gaps with existing vendors by reviewing the vendor’s risk tier along with the scope, materiality and remaining term of the existing contract.
While Phase I was the lengthiest, Phase II may be the most challenging as you work to build awareness, improve security and drive compliance. People are often averse to change, particularly when the change may disrupt existing and long-term vendor relationships. Shifting behaviors takes time and patience; it will be important to leverage the leadership support secured during Phase I to drive the necessary change.
Phase III: Sustain the Momentum
Ideally, in this phase your program should begin to function like a well-oiled machine. With processes, systems and technology in place, you should be able to shift to programmatic monitoring and oversight, while reporting regularly against pre-defined metrics.
Your goal in this phase of the program is continuous improvement.
Manage the Risks
As the Internet of Things (IoT) continues to grow, so do the data security risks, both internally, for the data your company manages, and externally, for your company’s data managed by third parties.
Don’t serve as a horrible warning to other companies; instead, work to get your third party due diligence program in place now, using best practices from those who have gone before you. Above all, ensure you have a program that flexes sufficiently with your company’s needs and shifting risk profile.