Third-Party Risk Management


  • Brian Levine

    Cybersecurity & Data Privacy Leader • Founder & Executive Director of Former Gov • Speaker • Former DOJ Cybercrime Prosecutor • NYAG Regulator • Civil Litigator • Posts reflect my own views.

    13,881 followers

    After an AI company terminated an employee, it allegedly learned the employee had been transcribing work meetings using an automated transcription service which sent all of the transcribed information to the employee. See https://lnkd.in/eUFV2Ur4. The employer promptly brought a federal trade secret theft case and the Court issued a preliminary injunction requiring the former employee to return what he had allegedly taken, including the meeting minutes. https://lnkd.in/e4vS457g.

    It is important for organizations to minimize the use of "Shadow Vendors"--vendors that are not being centrally managed by the organization. Why? It's hard enough to do effective third-party risk management (TPRM) with respect to the vendors you know about. It's not realistic to do TPRM on "shadow vendors" that you don't know about. Unapproved technology and vendors may be insecure and may lead to breaches, trade secret theft, and other cyber or compliance incidents. Here are five tips for minimizing the use of "shadow vendors":

    1. PROHIBIT THE USE OF SHADOW VENDORS: Consider having a clear written policy precluding the use of unapproved technology. Train employees on the policy upon onboarding and at least annually thereafter.

    2. MINIMIZE ADMINISTRATIVE RIGHTS: If an employee's job function does not actually require the employee to have administrative rights over the employee's laptop or desktop, do not grant such rights. This will prevent employees from downloading unauthorized and unmanaged software.

    3. SEARCH FOR THE BIGGEST OFFENDERS: If you are particularly concerned about employee use of particular tools, consider forensic monitoring or searching for evidence that employees may be using these tools. For example, employees may be using a transcribing tool on a personal device, but they may store some of the transcripts on a work computer. Thus, even if you cannot detect the use of the tool directly, you may be able to detect indicia of the use on a personal device.

    4. VET YOUR BIGGEST OFFENDERS: Consider conducting TPRM on your biggest offenders in this area. You may determine that a particular vendor is not as risky as you thought and you may decide to make it permissible (perhaps with certain use limitations). Alternatively, you might find that you become better able to understand and/or articulate the risk of using these vendors, which may help you convince employees to stay away.

    5. PROVIDE FLEXIBLE SOLUTIONS: Today employees are very tech savvy, so if they are aware of a helpful technology solution for doing their job and the organization prohibits them from using it, they may just use it on a personal device, which may be equally problematic but harder for the organization to detect. Thus, create a simple channel for employees to openly request access to certain technology. This will give the organization the opportunity to either fully vet potentially new and helpful technology or to offer employees acceptable alternative solutions.

  • Shea Brown

    AI & Algorithm Auditing | Founder & CEO, BABL AI Inc. | ForHumanity Fellow & Certified Auditor (FHCA)

    21,155 followers

    New York State DFS is looking for comments on a proposed circular letter that outlines proper risk management for AI systems and external data used in insurance underwriting. The "Proposed Insurance Circular Letter" addresses the use of Artificial Intelligence Systems (AIS) and External Consumer Data and Information Sources (ECDIS) in insurance underwriting and pricing. The key points include:

    💡 Purpose and Background: The DFS aims to foster innovation and responsible technology use in the insurance sector. It acknowledges the benefits of AIS and ECDIS, but also highlights potential risks such as reinforcing systemic biases, leading to unfair or discriminatory outcomes.

    💡 Definitions and Scope: AIS refers to machine-based systems that perform functions akin to human intelligence, such as reasoning and learning, used in insurance underwriting or pricing. ECDIS includes data used to supplement or proxy traditional underwriting and pricing but excludes specific traditional data sources like MIB Group exchanges, motor vehicle reports, or criminal history searches.

    💡 Management and Use: Insurers are expected to develop and manage their use of ECDIS and AIS in a manner that is reasonable and aligns with their business model.

    💡 Fairness Principles: Insurers must ensure that ECDIS and AIS do not use or are not based on protected class information, do not result in unfair discrimination, and comply with all applicable laws and regulations.

    💡 Data Actuarial Validity: The data used must adhere to generally accepted actuarial practices, demonstrating a significant, rational, and non-discriminatory relationship between the variables used and the risk insured.

    💡 Unfair and Unlawful Discrimination: Insurers must establish that their underwriting or pricing guidelines derived from ECDIS and AIS do not result in unfair or unlawful discrimination, including performing comprehensive assessments and regular testing.

    💡 Governance and Risk Management: Insurers are required to have a corporate governance framework that provides oversight. This includes board and senior management oversight, formal policies and procedures, documentation, and internal control mechanisms.

    💡 Third-Party Vendors: Insurers remain responsible for ensuring that tools, ECDIS, or AIS developed or deployed by third-party vendors comply with all applicable laws and regulations.

    💡 Transparency and Disclosure: Insurers must disclose their use of ECDIS and AIS in underwriting and pricing.

    📣 Feedback Request: The Department is seeking feedback on the circular letter by March 17, 2024, encouraging stakeholders to contribute to the proposed guidance.

    #ai #insurance #aigovernance #airiskmanagement Jeffery Recker, Dr. Benjamin Lange, Borhane Blili-Hamelin, PhD, Kenneth Cherrier

  • Sarah Beth Felix

    Palmera Consulting; Co-Founder & Chief AML Officer at Acceleron Bank; Co-Founder at Hyper-S Research

    13,437 followers

    The Office of the Comptroller of the Currency dropped Blue Ridge Bank's C&D today. And it is laser specific on the issues. A few comments, lessons learned, and questions below -

    1) I'll say it on repeat for BaaS banks - if your #fintechs can't tell you how a criminal will exploit their rails for ML/TF (not just fraud), then you will have problems managing their transference of risk.

    2) Pg. 7 the OCC states - "an assessment of BSA risk for each third-party relationship... money laundering, terrorist financing and sanctions risk, as well as each third-party relationship’s processes for mitigating such risks and complying with applicable laws and regulations...". Keyword being here - APPLICABLE. Most fintechs are unregulated or partially regulated. BaaS banks must lead with that.

    3) The Board will now have to review and approve every new fintech relationship. That means that the Board must understand - or rather - the AMLO must make them understand the various threats within each fintech.

    4) BaaS banks must have an exit strategy - that outlines the escalation of risks and the decision. (pg. 7)

    5) Again - MSAs must be customized to your bank and your threats within the BaaS partner. If your attorneys are using standard MSAs, your bank will be exposed. Pg. 8.

    6) KYCC or CCDD is here - that has always been implied. But it is actually written out - pg. 9 - "OCC the criteria it is using for end user accounts to be approved for each third-party fintech relationship, including fintech subpartners". And it doesn't delineate between direct and indirect BaaS clients.

    7) Sanctions is found throughout - for the #fintechs out there... you need to be screening, blocking, etc. for sanctions. You cannot just rely on your bank partner.

    8) Would be interesting to see a revised OCC MLR focused on BaaS/fintech customers and transactions.

    9) #AML audits - I've said it many times before - a clean audit is NOT A GOOD AUDIT. Full stop.

    10) As a recovering auditor, if audits are 'risk-based' then they must actually audit/test the Risk Assessment for effectiveness prior to scoping the 'risk-based audit'. Audit firms cannot pitch/price a 'risk-based audit' if they don't know what the risks are yet.

    11) Staffing is a big item yet again. People. The right people. With the right authority. It will continue to be a theme in #consentorders until Boards get with it. AML and #sanctions compliance is not cheap. Either you pay now or pay a lot more later.

    12) "Executive authority" - Yep. Executive. We've seen this a few times. If your AMLO is buried under a chief, then an SVP, they do not have executive authority.

    13) An interesting statement on pg. 13 - it appears to be a warning shot to all those #communitybanks that have the AML Officer wear many hats. Cut it out. "Board shall ensure the responsibilities...be limited to...BSA" Wow!

    Several more comments I'll post below and the pdf is attached. #ifollowdirtymoney

  • Vishal Chawla

    Cybersecurity Strategist & CEO @ BluOcean

    10,014 followers

    Home Depot's Third-Party SaaS Slip-Up - A Cybersecurity Wake-Up Call for Everyone

    In today's day and age, third-party SaaS vendors are like the proverbial banana peel, and mighty companies like #Microsoft, #Okta are all slipping over them, despite stringent cybersecurity controls. Earlier this month, Intel Broker published online the personal information of 10,000 #HomeDepot employees. This data leak included names, work emails, and User IDs — enough to set the stage for a ripple effect.

    This fiasco sounds the alarm bells for all corporations utilizing third-party SaaS applications. That's practically everyone! Is the existing cybersecurity strategy enough to ensure employee and customer trust as well? I wouldn’t be so sure. The need is for a full-fledged cybersecurity strategy that leaves no stone—or vendor—unturned.

    ➡️ Rigorous vendor assessments based on SaaS security controls
    ➡️ Third-party SaaS governance and SaaS sanctioning
    ➡️ Proactive monitoring and remediation of third-party SaaS applications,
    ➡️ and an associated incident response playbook

    These aren't just checkboxes; they're the building blocks of a robust defense in depth strategy against the ever-evolving cyber threat landscape.

    Now, let's turn the spotlight to you!

    ❓❓ Do you think traditional Third Party Risk Management programs, anchored in outdated models and reliant on procurement reviews, are sufficient to address the shared responsibility model for the SaaS Ecosystem?
    ❓❓ How do you tackle the evolving third-party threat landscape? Share your war stories and battle-tested strategies. How do you keep your organisation's cybersecurity mojo intact while dodging the digital pitfalls?

    Let's get the conversation buzzing! 💬 #SaaS #ThirdPartyRisks #SharedResponsibility

  • Adam Shapiro

    Co-Founder at Klaros Group | Advisor to Hundreds of Financial Innovators | Led Promontory's FinTech Practice | x Head of Strategy at BBVA Open Platform (BaaS) | Regulatory Partner at Core VC

    6,881 followers

    Regulators can often feel unfair and I’ve certainly seen cases where regulators have reached some truly odd conclusions. However, the smart reaction is to recognize that the primary source of information the regulators have is the bank’s own files. This is all the more important in areas like partner banking with high levels of regulatory scrutiny and limited regulatory understanding of the underlying business. Here are four mistakes I’ve seen banks make:

    1️⃣ Partner due diligence that doesn’t paint the big picture. There are lots of specifics that need to be covered in partner diligence. But the single best starting place is a clear, plain-language description of what the partner’s program will do and what the risks are. Bonus points if this can be done in language that relates the nature of the activity to more traditional banking, helping demystify the business for bank staff and examiners alike.

    2️⃣ Failure to describe roles and responsibilities clearly. Partner documentation needs to be crystal clear about the respective roles and responsibilities of the bank, the partner, and other third parties. Regulators want to see that everything needed to control the program is assigned - and that the bank has effective oversight in place for the things it is not doing.

    3️⃣ Risk assessments that understate partner risk. Calling a BaaS client low risk is one of the easiest ways to get a regulator to dig in and look for issues. And it's hard to justify given the inherent third-party risks in the business. If a bank's customer risk rating habitually rates BaaS clients as low risk, it’s effectively placing a “Kick Me” sign on its rear end.

    4️⃣ Lack of documented evidence for determining partner controls are effective. A policy is just words on a piece of paper, not evidence that controls work. If a bank doesn’t document outcomes-based evidence (e.g. testing results, data analytics) every time it determines a client has effective controls, it risks its regulators thinking it lacks evidence.

    When you have the power to control the narrative, take advantage of it.

  • Craig McDonald

    Protecting Microsoft 365 from AI Email Threats Before User Impact | Endorsed by Microsoft - Satya Nadella | Trusted by Global Brands | 5,500+ clients like Porsche | AI Email Security

    32,385 followers

    Third-party vendors are often the weak link in your data security chain. Cybercriminals exploit their vulnerabilities to access your network and data. To prevent this, you need to perform rigorous due diligence on your vendors.

    Yes, this may seem uncomfortable or inconvenient to do. But a false sense of security will lead to disaster down the road.

    So, what can you do about it? The answer lies in conducting thorough due diligence on third-party vendors. But this isn’t just about checking their credentials and references. It’s about understanding their security practices, policies, and protocols. And ensuring they have robust security measures in place, including firewalls, encryption, and intrusion detection systems.

    You need total visibility into their data security posture before you engage them. Request that they complete in-depth risk assessments and adhere to access limitations and encryption protocols that you define. Then conduct regular audits for compliance and limit data access only on a need-to-know basis.

    Treat vendor risk assessment with the same intensity as protecting your own infrastructure. Your data deserves nothing less.

  • Aurobindo Sundaram

    CISO | Startup advisor | Board member | VC fund advisor ➕ Photographer | Sharer of financial & life lessons

    7,397 followers

    Quick - name the greatest time suck for the smallest reward in cybersecurity. If you say "third-party risk management", you won't be wrong. Here's the raw truth.

    🔴 We spend way too much time sending 600-question spreadsheets to suppliers. Don't believe me? Go take a look at the Shared Assessments SIG. I'll wait.
    🔴 We will take a SOC2 or ISO certification but turn around and say, "That's nice, but we also need you to complete the spreadsheet."
    🔴 When someone tells us, "I have a shared assessment SIG completed.", we will say, "That's nice, but our company is unique, fill out the questionnaire that our security team created as well."

    It's endemic in the industry. Everybody knows the third-party risk management ("TPRM") process is broken, but we all do more of it every year to keep up with the Joneses; to follow regulator guidance; or to follow legal advice that says, "If we have an incident, we had better have done more TPRM than less."

    There is a better way.

    👉🏽 A few questions to understand the business risk and tier the supplier. This is where documenting the business use case and data flows is critical.
    👉🏽 If the supplier is low risk, send standard contractual terms and move on.
    👉🏽 If the vendor has a third-party report for the services in scope, and that covers the appropriate control areas (e.g., trust principles of security and confidentiality), accept it and move on. (Yes, this requires some reading. That's your job.)
    👉🏽 If you have high-risk suppliers without third-party reports, perhaps that's a flag in itself. But at least use an industry-standard sheet they can complete (e.g., SIG, I recognize the irony) rather than a custom one just for you.
    👉🏽 Recognize that your assessments are a point-in-time, best-case scenario and account for that risk (it's like asking your first date to share his personality flaws. "Oh, people tell me I can be TOO caring.").

    What would YOU do differently in TPRM if you weren't straitjacketed by the status quo?

    -- Interested in more content like this and don't want to miss a post? Connect with me for 3x/week posts on cybersecurity, leadership, photography, life lessons & personal finance (View my profile, click 🔔). #lessonsfromaCISO #cybersecurity #security #infosec #commonsense #leadership #leadershipadvice #cyber #CISO 🔐

  • Jennifer Bisceglie

    Investor / Founder at Interos Inc

    10,131 followers

    🌐 Control the Blast Radius: Navigating Cyber Breaches in Banking 🛡️

    LinkedIn, Adobe, and dozens of other brands are working to control the fallout from what’s being called the “Mother of All Breaches.” Over 100 billion records have been exposed, drawing on a database of previously stolen data. This latest large-scale attack is a reminder that sensitive personal data is everywhere, as is the risk.

    Few targets in today’s interconnected digital landscape are bigger – or more lucrative – than banks. At least 60% of banks are targeted each year via supply chain cyberattacks. Bad actors are getting smarter and targeting insecure third-party software to bypass corporate security.

    The complexity and interdependency of modern supply chains mean the blast radius of a single cyber breach reverberates wider and more deeply than has ever before been possible – especially within the banking sector, where hundreds of thousands of sub-tier vendors power critical operations. A single breach at any one of these entities impacts not just the immediate third-party, but every organization throughout its entire digital supply chain.

    The key to controlling the blast radius is sub-tier supply chain illumination. With business happening at click speed, it’s critical that risk leaders map and monitor third-party connections in real time to develop proactive resilience and ensure a rapid response to disruption. Here are four key principles that strengthen banks and empower organizations:

    1. Multi-tier Visibility: Understanding your 3rd, 4th, and 5th parties is crucial to identifying and mitigating hidden risks and ensuring proper resource deployment.

    2. Real-Time Monitoring: Continuously tracking the health and security posture of your supply chain partners, providing early warnings of potential disruptions.

    3. Predictive Analytics: Leveraging AI to anticipate vulnerabilities and foresee potential breach impacts, allowing for proactive risk management.

    4. Collaborative Risk Management: Creating a shared platform for risk mitigation, where suppliers can work together to fortify their defenses against cyber threats.

    Our latest customer case study demonstrates how one of the world’s largest banks puts these practices into effect, helping it put an end to a “needle in a haystack” approach. (https://lnkd.in/dyw5hie9)

    In this digital era, understanding and managing the complexities of your supply chain is not just a competitive advantage – it's a necessity for survival. With the right tools, we can illuminate our supply chains and safeguard our collective futures.

    #CyberSecurity #SupplyChainResilience #Interos #RiskManagement #OperationalResilience #BankingRisk

  • Michael Rasmussen

    GRC Analyst & Pundit at GRC 20/20 Research, LLC

    31,724 followers

    I am having a lot of interactions with organizations looking for #GRC-related solutions or expanding their current implementations (and many RFPs to consolidate as they find they have many different competing solutions in their organizations). There is a lot of focus on #risk #resiliencemanagement #ESG #thirdpartyriskmanagement #compliancemanagement #ITriskmanagement.

    Some of the things that I see organizations are really looking for are:

    Engagement. They want solutions that not only engage and provide the depth for the back-office (2nd and 3rd line) of risk and compliance but can also engage executives, operational management, and front-line employees who are taking risks and making daily risk and compliance decisions.

    Simplicity/Intuitiveness. Organizations are looking for solutions that have a next-generation user experience to engage these employees and provide ways to interact with GRC that make sense with minimal impact.

    Business Case of Value, not Just ROI. I am interacting on many business cases and economic models of solutions (Value Perspectives) that provide a framework for measuring value and building a business case. ROI, what I refer to as efficiency, is one angle (time saved and money saved), but there is also effectiveness (more getting done, fewer things slipping through cracks, reduction in exposure/gaps), resilience in the ability to find and resolve issues before they become big issues, and agility to keep up with changing risks, regulations, and business. Organizations want to measure a risk reduction. Before implementing a solution, they have their inherent risk; after implementing a solution, what is the residual risk and how do you quantify the risk reduction of implementing a GRC-related solution?

    Quantification and visualization. Organizations of all sizes want better risk visualization and intuitive dashboards for all levels of the organization. There is a growing demand for risk quantification in mid to large organizations. Particularly in Europe there is a lot of demand for Monte Carlo analysis and bow-tie risk analysis that I am seeing in RFPs, particularly in the DACH region of Europe.

    Accountability. Tied to many of the points above is the requirement for the solution to help risk and compliance professionals to have the business accountable for risk. The second and third line are not risk owners but risk facilitators, and we need intuitive and engaging solutions that help risk owners in the business understand risk in their context.

    Objective driven. I am seeing a lot of demand, particularly in UK/Europe, for a business focus to GRC that starts with objectives and not risk. ISO 31000 states that risk is the effect of uncertainty on objectives. Risk needs context and that is the organization's objectives: entity, division, department, process, project, product, service, asset, and relationship level objectives. This also applies to ESG. ESG done right starts with objectives and NOT ESG risks.

  • Brian Blakley

    Information Security & Data Privacy Leadership - CISSP, FIP, CIPP/US, CIPP/E, CIPM, CISM, CISA, CRISC, CMMC-CCP & CCA, Certified CISO

    12,386 followers

    Whether your organization is big or small, or somewhere in between… From my experience - most 3rd party risk assessments miss this key component…

    What’s missed? Well… Does the assessment –

    ...omit a bunch of superfluous questions? Nope! They’re all there!
    ...not include an overly burdensome Excel spreadsheet with multiple tabs? Nope! And they’re color coded too!
    ...forget to reference non-applicable frameworks? Nope! All the frameworks are there, commingled and conflated!
    ...not care that I have compliance documents that answer all their questions and include a 3rd party audit? Nope! A very comprehensive list of questions is required regardless!

    -> Then what’s missed?

    Most 3rd party risk assessments focus exclusively on the vendor or supplier. They miss - the use case. They miss - the product or service being consumed.

    When a 3rd party risk assessment is performed, you must assess the supplier AND the use case. So - that means you want to understand the supplier’s org controls AND the controls in place specific to what you are buying. You assess the supplier AND the use case combined. Understand how the data flows to and from that supplier based on the use case. Determine the controls the supplier and you are responsible for implementing to maintain security. Also, the supplier may have multiple offerings and you want to avoid broadly “approving” a supplier when the risk varies across an array of products or services being consumed.

    Use case + supplier = prudent and practical 3rd party risk assessment.

    #ciso #riskmanagement #security #compliance