Webinar Recap: Who Owns Third-Party Risk? … and other questions!

Imagine a financial services company that handles payment processing for a cancer center. At first glance, one might think that the financial services company only possesses the cancer center’s cardholder data. In reality, the company also possesses protected health information (PHI), because it is more than likely that individuals sending payment to the cancer center have cancer, and that fact is health information covered by HIPAA privacy rules.

In situations like this, organizations often struggle to answer the question “who owns third-party risk?”, according to Tom Garrubba, Senior Director of Shared Assessments. Garrubba recently presented the webinar “Who Owns Third-Party Risk? … and other questions!” in conjunction with LockPath.

According to Garrubba, third-party risk management must be owned by everyone in an organization. Oftentimes, a business unit may fail to report a new vendor or might purposefully keep the vendor off the procurement radar by falling just under a certain annual spend threshold. This is why risk managers, or rather anyone tasked with third-party risk management, must look further than the vendor list provided by procurement.

Here are five strategies Garrubba provided for establishing a solid third-party risk management program:

  1. Develop and Maintain a Vendor Inventory
    • Garrubba said it’s important to identify vendors that may fly under procurement’s radar. When building the vendor inventory, consult with the following departments:
      • Procurement
      • Vendor Management
      • Accounts Payable
      • Other key business units
  2. Identify and Rank Key Data Attributes
    • Develop an exposure rating/ranking for all of your vendors. Key attributes include, but are not limited to:
      • What types of data are involved?
      • Where is the data being stored?
      • Where is the data being accessed?
      • How many records are impacted?
      • What is the contracted or annual spend with this vendor?
      • What is/are the process(es) they’re doing for us?
    • It’s important to note that regulators frown upon organizations that build up a high quantity of assessments but administer them all to low-risk vendors. You’ll get a more favorable response when you start by assessing higher-risk vendors.
  3. Identify and Risk-Rate Key Data
    • Identify not only personally identifiable information (PII), PHI and cardholder data, but also information that is valuable to the company and may be possessed by your vendors — confidential data, intellectual property and sensitive data (CIPS). CIPS may include:
      • Human resources data (executive compensation, etc.)
      • Financial data
      • Partner data
      • Customer data
      • Board data
      • Key process data (marketing strategies, etc.)
  4. Review the Scopes of Work
    • Any vendors that perform the following to your data should be assessed:
      • Collect
      • Destroy
      • Store
      • Transmit or transport
      • Interface
      • Process
      • Use
  5. Assess and Re-assess
    1. When do we assess and re-assess?
      • Assess when you are notified of:
        • A new vendor
        • An existing vendor with a modification of their current scope of work (example: going from possessing solely PII to PII and PHI)
        • An existing vendor with a new/different scope of work
      • Re-assess when you are notified of:
        • A scheduled point in time for the reassessment to begin, based on predetermined data (often helps you determine a new scope of work)
    2. What are we to assess?
      • Determine the scope of the assessment, based on:
        • Vendor risk rating
        • Standard corporate agreements
        • Type of services provided
        • Type of data
        • Periodic or event-triggered
      • Determine appropriate assessment questionnaire to be utilized (like the Shared Assessments’ SIG)
      • Provide instructions to the vendor
    3. Where do we assess them?
      • State-side:
        • Any place handling your sensitive information where, if a breach occurs, it could incur significant or unnecessary costs to your organization
        • Per discussion, schedule an onsite review as appropriate
      • Offshore:
        • Any country, but certainly one that is not bound by a safe-harbor agreement
        • Per discussion, schedule an onsite review as appropriate
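The five strategies above describe a procedure: build the inventory from more than one department, rate each vendor's exposure from its data attributes, keep only vendors whose scope of work touches your data, and decide whether an event or a scheduled date triggers an assessment. The following Python script is an added example that models that procedure; it is not code from the webinar, from Shared Assessments or from LockPath. The data weights, record thresholds and sample vendors are constructed for illustration, and annual spend is deliberately left out of the score so that a vendor kept under a spend threshold (the situation Garrubba warns about) still ranks on the data it holds.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Data categories from strategies 2 and 3. The weights are constructed for
# this example; they are not a Shared Assessments or LockPath scheme.
DATA_WEIGHTS = {"PII": 3, "PHI": 5, "CARDHOLDER": 4, "CIPS": 3}

# Scope-of-work activities from strategy 4: a vendor doing any of these
# with your data is in scope for assessment.
SCOPE_ACTIVITIES = frozenset({"collect", "destroy", "store", "transmit",
                              "interface", "process", "use"})


@dataclass(frozen=True)
class Vendor:
    name: str
    source: str                 # department that surfaced the vendor (strategy 1)
    data_types: frozenset       # key data attributes (strategies 2 and 3)
    activities: frozenset       # what the vendor does with the data (strategy 4)
    records: int
    offshore: bool
    annual_spend: float         # recorded, but not part of the exposure score
    last_assessed: Optional[date] = None


def in_scope(v: Vendor) -> bool:
    """Strategy 4: only vendors that actually handle your data are assessed."""
    return bool(v.activities & SCOPE_ACTIVITIES)


def exposure_score(v: Vendor) -> int:
    """Strategy 2: exposure rating built from data type, volume and location."""
    if not in_scope(v):
        return 0
    score = sum(DATA_WEIGHTS.get(d, 0) for d in v.data_types)
    if v.records >= 100_000:      # constructed volume thresholds
        score += 3
    elif v.records >= 10_000:
        score += 1
    if v.offshore:                # strategy 5.3: offshore handling raises exposure
        score += 2
    return score


def rank_vendors(vendors: List[Vendor]) -> List[Vendor]:
    """Highest exposure first, so assessments start with higher-risk vendors."""
    return sorted((v for v in vendors if in_scope(v)),
                  key=exposure_score, reverse=True)


def assessment_trigger(previous: Optional[Vendor], current: Vendor, today: date,
                       interval: timedelta = timedelta(days=365)) -> Optional[str]:
    """Strategy 5.1: the reason, if any, that this vendor needs assessing now."""
    if not in_scope(current):
        return None
    if previous is None:
        return "new vendor"
    if current.data_types - previous.data_types:
        return "scope change: additional data types"
    if current.activities - previous.activities:
        return "scope change: additional activities"
    if current.last_assessed is None or today - current.last_assessed >= interval:
        return "scheduled reassessment"
    return None


def triage(inventory: List[Vendor], previous: Dict[str, Vendor],
           today: date) -> List[Tuple[str, int, Optional[str]]]:
    """Ranked (name, exposure, trigger) rows for every in-scope vendor."""
    return [(v.name, exposure_score(v), assessment_trigger(previous.get(v.name), v, today))
            for v in rank_vendors(inventory)]


# Constructed sample inventory; none of these are real vendors.
TODAY = date(2024, 6, 1)
INVENTORY = [
    # The payment processor from the opening example: cardholder data plus PHI.
    Vendor("PayProc", "Procurement", frozenset({"CARDHOLDER", "PHI"}),
           frozenset({"collect", "process", "store"}), 250_000, False, 400_000.0,
           date(2023, 1, 15)),
    # Surfaced by Accounts Payable, under any plausible spend threshold, offshore.
    Vendor("OffshoreDev", "Accounts Payable", frozenset({"PII", "CIPS"}),
           frozenset({"use", "transmit"}), 5_000, True, 9_500.0, None),
    # Touches no company data, so it never enters the assessment queue.
    Vendor("Caterer", "Other business unit", frozenset(),
           frozenset({"deliver"}), 0, False, 12_000.0, None),
]

# Last recorded scope for already-known vendors: PayProc previously held only cardholder data.
PREVIOUS = {
    "PayProc": Vendor("PayProc", "Procurement", frozenset({"CARDHOLDER"}),
                      frozenset({"collect", "process", "store"}), 250_000, False,
                      400_000.0, date(2023, 1, 15)),
}

if __name__ == "__main__":
    for name, score, reason in triage(INVENTORY, PREVIOUS, TODAY):
        print(f"{name:12s} exposure={score:2d} trigger={reason}")
```

Running the script lists PayProc first, flagged for a scope change because PHI was added to its previously cardholder-only scope, followed by OffshoreDev as a new vendor; the caterer does not appear at all. Swapping in your own weights and thresholds is the point of the exercise: the structure (inventory from several sources, data-driven rating, scope filter, event or schedule trigger) is what the webinar prescribes, the numbers are yours to set.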
