Five TPRM Trends to Watch for the Second Half of 2022
As originally appeared at Fintech Nexus News
Geopolitical unrest, extreme weather events, inflation and the global energy crisis… there is growing recognition that we have entered a new phase of risk, a post-lockdown era in which there will be no more black swans because black swans are everywhere – the unexpected is now the expected. In response to this increasingly complex risk environment, the financial services industry’s approach to third-party risk management (TPRM) is changing. Here are five notable TPRM trends happening now:
ESG (Environmental/Social/Governance) is an increasingly important part of TPRM
Environmental, social, and governance (ESG) and its role in third-party risk management is finally getting its due, thanks to customers driving the trend. ESG is not just about compliance, it is also about being competitive. Consumers are choosing which companies to purchase from based on the values they represent. There is also growing recognition that diversity is an indicator of a team’s ability to handle crisis and risk-related events.
At the same time, global ESG policies are evolving rapidly, with Europe leading the way by putting a regime for sustainable finance at the forefront of its agenda. The U.S. is also taking its own steps towards setting ESG priorities, with the SEC recently issuing regulations for companies to make climate-related disclosures. With global attention now focused on ESG issues, it is more important than ever that organizations understand their vendors’ practices.
Ransomware attacks will continue to rise
Ransomware attacks represent the most potent cyber threat of the future. Key third parties, as well as your own organization, will continue to get hacked. There was a 300% increase in supply chain attacks in 2021; ransomware attacks specifically increased by over 140% in Q3 of 2021 alone, and the research firm Forrester projects that 60% of this year’s security events will stem from third parties.
Immediate notification is critical: one must ask how long it takes for a third party to learn of a breach, because a vendor might be compromised for weeks or even months before anyone knows it (one example is the recent Okta attack). The SEC is proposing 48 hours for incident reporting, while the FDIC and OCC require 36 hours. Banks and other companies must keep up with these regulatory requirements and ensure that their third parties do as well.
Compounding the challenge for TPRM practitioners is the fact that cybersecurity insurance, which is the last resort of mitigation to cover a company’s bottom line, is becoming too expensive to purchase, so a mature cyber program needs to be in place. Nonetheless, ransomware attacks can be avoided if the proper controls and training are put in place, and effective resiliency programs can keep an organization safe.
Operational resiliency is critical
Supply chain disruptions are impossible to predict, but organizations can protect against downside risks by increasing their visibility into their supply chain. The first place to start is by understanding third parties’ business continuity programs. Vendors often have minimal formal resiliency or business continuity management programs in place, focusing solely on IT disaster recovery and life safety. One way to assess a vendor’s resiliency is to look at past experience, which reveals much about its ability to maintain continuity of service. Another important step is to enhance ongoing third-party monitoring capabilities to ensure that there is immediate visibility into any risk development (especially concentration risk).
The COVID pandemic has proven to be a valuable test of operational resilience, and so far, financial institutions have passed it. Banks have remained operational throughout the pandemic, but today they face aftershocks that they must deal with. For example, TPRM staffing is a problem and it’s getting worse; it’s harder than ever to find TPRM talent. On top of that, the post-Covid economy and the war in Ukraine are driving up inflation, which is making TPRM operations more expensive.
Cloud vendors require special attention
Cloud vendors have become a major focus of financial industry regulators in the U.S., Europe and Asia PAC. Contrary to what one might think, cloud environments are often more secure than older, alternative solutions, and they are generally much more resilient. However, it’s challenging to migrate on-premises solution contracts to the cloud because it’s much harder to agree on the limitation of liability, ownership issues, and technical challenges. The regulations are not clear yet on this front, and it is critical to have the right team to assess cloud third parties.
Since cloud vendors have become mission-critical elements of the supply chain, it’s key to have the right controls in place. More sensitive types of information or data might require stronger controls around access or encryption. Information and data that is critical for business purposes might require that the provider demonstrate heightened levels of resiliency after an outage. It’s also important to understand what data might be flowing to fourth parties or can be accessed through open code, as this forms the basis of the risk rating for that vendor.
Artificial Intelligence (AI) is the future
There is widespread agreement that AI is the future of TPRM. Where AI is specifically needed is to fill the gap between the organization’s annual budget and the ever-growing number of third-party vendors they rely on and the ever-increasing risk environment. TPRM remains seriously understaffed and underfunded in most organizations and involves the accumulation of unstructured data documents and evidence from multiple platforms and sources, and the correlation of this data. AI-based solutions can help by automating these enormous tasks, replacing the repetitive and administrative manual work associated with risk management, freeing up practitioners to engage in more high-value work and enabling the program to scale.
There is no question that the pace and impact of risk facing today’s companies are unprecedented and unrelenting. This means we need to rethink how we approach TPRM and implement new strategies and technologies that will enable us to intelligently manage risk, compliance, performance and vulnerabilities. The tools and tactics are out there, and they have been tried and tested in other industries: they now need to be adopted for TPRM.