Why transparency in third party relationships is essential
25 July 2016
By David Woerndl and Will Hogan
“500k customer records lost” … “major data breach” … “significant cyber attack”
Headlines such as these seem to have become commonplace. Everywhere we look there is a new cyber security incident, with a company left sitting in the dust trying to figure out what happened. The risks cybercrime has brought cannot be overstated, but they are especially acute for large corporations processing financial transactions and storing sensitive data, because there is so much at stake. Just recently, the world witnessed the biggest online bank robbery in history.
In recent years, financial services (FS) companies have been concentrating on regulatory risks and are now moving their focus to their cyber and data risk strategy. When preventing cyber risks, it can be easy for companies to maintain an inward-looking approach. But in today’s working environment, outsourcing plays an integral part. Outsourcing relationships involve huge volumes of sensitive transactions, with data flowing between suppliers. This makes trust and transparency in third party relationships essential: even minor missteps can have detrimental consequences.
It is often arduous and expensive to properly understand your suppliers’ processes and coordinate your supplier risk, but the potential financial cost and reputational damage to your business if something goes wrong at a supplier, especially one holding sensitive data, can be huge. Smaller companies, with lower security investment, can often be the ‘weak link’, so cyber criminals may target your supply chain as an easy way into your organisation. Even if your own security posture is strong, are you really confident that the same is true of your thousands of suppliers?
In last year’s Global State of Information Survey, nearly 16% of global respondents reported suppliers/business partners as their estimated likely source of security incidents, yet only 52% had security standards/baselines in place for third parties.
With these types of questions and costs on the line, how can trust and transparency be built and relationships maximised?
Trust, comfort and security
We use these questions to test transparency levels in organisations:
Supplier:
- Do our customers understand how our systems and their systems connect (interface/interact)?
- Do we have a control environment in place that protects our customers from cyber-attacks and confidential data losses?
- How do we convey and demonstrate to our (prospective) customers our value proposition over our competitors as it relates to cyber risks?
- What is the time and cost we are expending to manage due diligence requests from our customers?
Customer:
- Do you have a comprehensive understanding of all suppliers that have access to your network and/or sensitive data?
- Do our suppliers maintain a robust internal control environment to the level which you would expect of your own company?
- Are you comfortable that your suppliers comply with your internal policies and applicable regulatory requirements?
SOC 2 is a relatively new example of a framework that allows a formal assessment of supplier performance across key domains: security, confidentiality, availability, processing integrity and privacy. This detailed assessment can help to satisfy an ever increasing demand for transparency. It will also encourage trust, strengthen existing relationships and help build new ones.
If one thing is for sure, it is that risks related to technology, cyber security and data are increasing every day. You need to assess your (and your suppliers’) ability to cope with cyber-attacks or data loss, as well as your adherence to regulatory requirements (e.g. the General Data Protection Regulation). As a result, expectations throughout the supply chain are changing: the supply chain must become seamless. Whether it is a cyber-attack or a confidential data loss, the damage to reputation if you get it wrong is very real.