Third-party Risk: Lessons Learned During Global Pandemic

Introduction

January 17, 2022 | Author: Jasen Dill

On March 11, 2020, the World Health Organization declared the novel Coronavirus (COVID-19) a Global Pandemic forcing business enterprises to change their business operating model to overcome the hurdles and minimize the impact on their organization. One of the many hurdles that required the business’s attention and action was ensuring the viability of their Third-Party/Vendor ecosystem.

During these challenging times, it was not only organizations with a less-than-mature Third-Party Risk Management (TPRM) program that struggled to respond to the pandemic. Even organizations with more robust TPRM processes had to scramble as the situation demanded them to expand, enhance, modify, and improve their existing TPRM program.

Key Challenges

As the pandemic raged on, organizations successfully worked out with their vendors on reduced Service Levels and invoice processing requirements as good-faith agreements between strategic partners. However, they faced the challenge of meeting their compliance obligations and the need for protecting and safeguarding sensitive information from increasing cyber-attacks/data breaches.

Given that ISSA identified a 63% increase in cyber security attacks during the Pandemic in their report “The Impact of the COVID-19 Pandemic on Cybersecurity”¹, how do we ensure our business relies on continue to protect our data and our customer’s PII & NPPI?
FINRA issued Regulatory Notice 20-08, reminding member firms to consider Pandemic-related business continuity planning and additionally outlined the limits of their leniency on timely regulatory filings requiring the organization to ask: How can we ensure that our vendors continue to maintain compliance with applicable regulations?
Additionally, organizations were also faced with the question – How can we ensure our vendors are operationally and financially viable to continue to support our ongoing business operations?

Key Lessons Learned

As we leap into 2021 and the pandemic continues to challenge all of us on multiple levels, there are opportunities for business enterprises to use “2020-hindsight” to review the changes made, evaluate those changes, and incorporate them into the new standard processes.

At Templar Shield, we have been supporting our clients on their third-party risk management program journey. Our unique TPRM managed services model provided us an opportunity to work closely with our clients, helping them overcome the challenges posed by the COVID pandemic. We observed that the companies that we’re able to pivot quickly benefitted. Here are some of the key lessons learned.

Changed Third-Party Risk Landscape:

It’s not just internal employees who now work from home. Third-party vendors had to make the same adjustments our clients had to make. And with that, these ‘now remote’ vendor’s employees posed a new challenge. Third-party management programs were required to extend data protection across their enterprise and their vendor’s enterprise.

Program Maturity is the Key:

Organizations that had a matured TPRM program were able to leverage their experience and make swift adjustments.
Having a well-established TPRM program was key to making swift adjustments. On the contrary, the organizations with an undeveloped TPRM program needed more time and assistance.

Extended Program Coverage:

Third-Party Risk Management teams saw an increase in day-to-day responsibilities –

Due diligence reviews had to be extended mid-pandemic to cover situations such as “newly remote” employees/contractors and new VPN & video-conference vendors.
Vendors who were closing or unable to meet the organizations’ needs were being rolled off, and termination assessments, which have traditionally been reserved for the fully mature programs, became invaluable. Our use of the termination assessments ensured our client’s data was verifiably secured without incident.

Revised Assessment Methodology/Approach:

The standard vendor risk assessment questionnaires needed to be updated and enhanced to address the changing risk landscape.
Additionally, new documentation such as Return-to-Work and Shelter-In-Place policies needed to be drafted and reviewed.

Continuous Monitoring:

Continuous monitoring of the operational and financial viability of third parties was a feature that businesses could no longer “push to next quarter.”
Increased visibility into third-party risk needed to be prioritized to eliminate delays in resolving issues that could materialize.

Extended Support/Co-Services Model:

Organizations found themselves needing an extended support model to meet the sudden growth and demand for ad-hoc reviews due to unplanned situations such as the COVID pandemic.

This additional workload strained even the most seasoned organizations as companies scrambled for ways to pivot themselves to the “new norm.”

Conclusion

As we continue to maneuver through life, during a Pandemic or not, managing vendors will not become any less important ever.

What the pandemic has allowed us to do is apply the lessons we learned to mature third-party risk management programs and give our strategic partners the much-needed assistance to manage their third parties, keep data secure, and maintain regulatory compliance.

About Templar Shield

Templar Shield is a premier information security, risk, and compliance technology professional services firm. We provide various service options to meet our client’s specific needs, including advisory, integrated risk transformation consulting, operations, and technical solutions. We have partnered with over 100 Fortune 1000 companies and government entities to implement innovative integrated risk and compliance solutions across organizations.

Our Third-Party Risk Management Services & Solutions

At Templar Shield, we provide end-to-end services and solutions to meet your unique third-party risk management requirements. Our seasoned TRPM domain specialists and technology consultants can help you with –

TPRM current state maturity, strategy, and roadmap
TPRM solution development and deployment
TPRM Assessment Reviews

We leveraged years of rich experience gained from helping organizations build their TPRM programs and developed a unique TPRM managed services model allowing clients to choose from a selection of “a la carte services” to meet their program management requirements.

The TPRM managed services model allows you to spread the workload and segregate at any process step. This, in turn, allows you to focus on addressing bigger core issues and maturing the TPRM program.

About the Author

Jasen is a seasoned GRC Consultant with cross-sector/industry and multi-domain expertise in providing consulting and advisory services. Jasen’s experience includes a diverse portfolio of innovative technology implementations and program transformations to support his clients’ strategic priorities. In this capacity, Jasen leads TPRM Program Managed Services and helps clients design, architect, and implement solutions to automate their TPRM programs, especially on tools such as RSA Archer, ServiceNow, Lockpath, IBM OpenPages, BlackKite, Rapid Rating, RiskRecon, and the like.

He can be reached at jasen.dill@templarshield.com.

Templar Shield – OT Program Maturity Services & Solutions

admin September 28, 2023

Third-Party Risk Management Framework

Narasimha Kumar Dharanallur April 11, 2023

April 11, 2023 | Author: Narayanan Rajendran Today’s third parties require more access to data assets of organizations they do

Exploring Identity Threat Detection and Response (ITDR)

Narasimha Kumar Dharanallur February 24, 2023

February 24, 2023 | Author: David Perrin Incorporate ITDR into your organization’s Identity Governance and Administration (IGA) strategy for improved

Identity and Access Management Implementation – Best Practices To Avoid Failures

Narasimha Kumar Dharanallur February 16, 2023

January 11, 2023 | Author: Kanika Anand Identity management is key to ensure trust, privacy, and security as well as

Interested to Know How Can We Help?

Let’s work together!

Working with experienced professionals can make all the difference!

Contact Us

General Inquiries

1-619-344-2573
info@templarshield.com

Headquarters

350 10th Ave, Suite 1000
San Diego, CA 92101

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.

Necessary

Always Enabled

Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Functional

Performance

Analytics

Others