
Third Party Due Diligence: Be a Good Example, Not a Horrible Warning


Melinda Burrows, VP and Corporate Compliance Lead at Outerwall
It’s midnight. Do you know where your customers’ data is? Have you shared that data with a third party? If you have, are you comfortable with the third party’s approach to data security, and do they take it as seriously as you do?
As consumers feel the fallout from data breaches more directly, they are becoming more interested in, and more concerned about, how much data they are willing to share, what companies do with the data they collect and how that data is secured. According to the 2016 TRUSTe/National Cyber Security Alliance (NCSA) Consumer Privacy Index, American consumers are more concerned about the privacy of their data than about the loss of their personal income.
It’s a Risky Business
According to the Ponemon Institute’s 2015 Cost of Data Breach Global Study, the average total cost of a data breach is $3.8 million. The damage to brand reputation is harder to quantify: it can be felt for years after the breach, because shifting negative perceptions takes time.
Consider this: the NCSA Consumer Privacy Index report showed that 89 percent of American consumers say they avoid companies that do not protect their privacy. It only takes one mistake to fracture trust with your customers, and that mistake may be sharing sensitive information with a third party. According to PricewaterhouseCoopers’ 2016 Global State of Information Security Survey, “[security] incidents attributed to business partners climbed 22 percent” from 2014 to 2015.
“Third-party due diligence must be robust, thorough, impeccably documented and preserved.”
Mark Mendelsohn, former Deputy Chief, U.S. Department of Justice Fraud Section (2005–2010)
Unfortunately, many organizations do not:
• Know which suppliers have access to sensitive data,
• Require suppliers to comply with security policies, or
• Assess data security compliance of suppliers.
Regardless of your company’s size or industry, a multi-phase, risk-based approach is recommended to develop or to shore up your third party due diligence program. This approach should assess the type(s) of data provided to outside organizations and the way in which those organizations use and protect the data, in order to determine the level of diligence and monitoring required.
Margaret Chrzanowska, Director of Information Security at Outerwall
Phase I: Establish a Governance Model, Policies and Procedures
The first phase aims to establish the program strategy and governance, as well as to set the policies, processes, standards and guidelines to be followed. It will likely be the lengthiest phase, as it requires a great deal of research, analysis and development of recommendations.
At the inception of the project you should engage your company’s executive leadership and secure their support. And don’t overlook your company’s Board of Directors: given the risk levels and the impact when something goes awry, Boards are increasingly involved. PricewaterhouseCoopers’ 2016 Global State of Information Security Survey found that 45 percent of respondents said their Board is involved in the overall security strategy.
After obtaining leadership support, you should determine your level of risk, beginning with identifying existing third parties with access to your company’s data, as well as the type of data being shared. This can be done internally with existing, capable team members, or externally by a third party.
In conducting the risk assessment, be sure to engage your technology organization, business owners who collect and manage customer and employee data, and personnel involved in developing and managing contracts such as your legal and supply chain organizations.
Once you have identified the types of data shared with third parties, design a vendor vetting and monitoring process that is stratified based on identified risk tiers. As an example, your model may include the following tiers (Tier 1 is highest risk requiring highest level of assessment and monitoring):
• Tier 1: Suppliers who manage both personally-identifiable information (PII) and critical systems, such as Human Resources Information Systems (HRIS) or credit card processors.
• Tier 2: Suppliers who manage either PII or critical systems, but not both, such as third party customer service or customer analytics providers.
• Tier 3: This tier comprises suppliers who manage non-PII or other sensitive data.
Once the tier levels and corresponding assessment and monitoring standards have been determined, requirements should be documented in policies and procedures that are clear, concise and accessible to all involved in the contracting process.
Following this work, you’re ready to move into the next phase.
Phase II: Transform Your Vendor Risk Management Profile
The second phase aims to operationalize your program, build awareness of it and deliver training to those who will be key players in vendor compliance and management. In this phase you’ll begin to see the operational process running and be able to identify issues or gaps and correct them.
This phase may also include retroactive work to bring existing third-party relationships into compliance with your new standards. The organization should make risk-based determinations about whether and when to close security and compliance gaps with existing vendors, weighing the vendor’s risk tier along with the scope, materiality and remaining term of the existing contract.
While Phase I was the lengthiest, Phase II may be the most challenging, as you work to build awareness, improve security and drive compliance. People are often averse to change, particularly when the change may disrupt existing, long-term vendor relationships. Shifting behaviors takes time and patience; it will be important to draw on the leadership support secured during Phase I to drive the necessary change.
Phase III: Sustain the Momentum
Ideally, in this phase your program should begin to function like a well-oiled machine. With processes, systems and technology in place, you should be able to shift to programmatic monitoring and oversight, while reporting regularly against pre-defined metrics.
Your goal in this phase of the program is continuous improvement.
Manage the Risks
As the Internet of Things (IoT) continues to grow, so do the data security risks, both internally, for the data your company manages, and externally, for your company’s data managed by third parties.
Don’t become a horrible warning to other companies. Get your third party due diligence program in place now, using best practices from those who have gone before you. Above all, ensure you have a program that flexes with your company’s needs and its shifting risk profile.