
Third-Party Risk Management: How to Approach New Guidance

In April 2023, Harvard Pilgrim Healthcare (HPHC), a large Massachusetts-based health insurance provider, disclosed that it had been the subject of a ransomware attack. Over 2.5 million patient records were exfiltrated from its systems. During this time, some clinics could not see patients because their insurance information could not be verified. Eventually, HPHC was able to restore its systems, but it had to provide credit monitoring and identity theft protection services to safeguard individuals impacted by the incident.

A few months later, Progress Software, the publisher of the MOVEit application, announced it was the subject of a ransomware attack. The implications were far-reaching across multiple industries, including government agencies. Organizations use the MOVEit file transfer utility to move large amounts of data containing sensitive information. Even though the ransomware gang Clop stated it did not want to disclose the data, the event caused companies to scramble to understand how it affected them and their third parties.

These are just two examples of the hundreds of thousands of cyberattacks that occur each year. The fallout from these attacks will cost businesses over $10 trillion just this year.

It goes without saying that security officers must keep up with the vulnerabilities and threats that emerge every day. But what about vendor managers? How does it affect them?

Vendor managers know that they cannot prevent cyberattacks at their third parties. What vendor managers need to do, more than ever, is to know their third parties. New threats emerge all the time, perhaps even faster today than five years ago. As a vendor manager, do you know how well your third parties are protecting the safety and privacy of the data you entrust them to store, process, and transmit? Do you know where the data lives? Are the controls the third party has in place effective?

For some, vendor management has always been thought of as a “check the box” activity. In other words, collect the due diligence, file it away, check the box that you did it, and hope no one asks about it during an exam or audit. Organizations that think that way will not be prepared for the next cyberattack, which is just over the horizon.

In response to the rising threat of cyberattacks, the Federal Reserve Board (FRB), along with the Federal Deposit Insurance Corporation (FDIC) and the Office of the Comptroller of the Currency (OCC), released updated third-party risk management guidance in June 2023. Although this guidance formally applies to financial institutions, it is relevant to anyone who manages third-party relationships, whether they are regulated or not.

Any guidance issued by these agencies can be dry reading, so I’ve highlighted some of the key points of the guidance in this article.

Risk-Based Approach to Third-Party Management

This concept is not new. I’ve always advised clients to look at their mix of third parties by risk and base their due diligence procedures on the level of risk. If the organization has limited resources to manage its third parties, it should focus on the high-risk third parties at a minimum. The FRB recognizes that and has streamlined the guidance in some areas to reflect it. The agencies also stress that the long lists of items to consider for due diligence, contracts, and risk are illustrative, not prescriptive. In other words, use your best judgement and don’t feel you have to perform exhaustive reviews on every third party in your organization.

Fintech Challenges

A fintech is a company that uses technology to modify, enhance or automate financial services. Organizations in the financial industry use fintechs to perform many key functions such as core banking activities. Although fintechs have been around for a long time, start-up fintechs pose a challenge to traditional vendor managers at financial institutions.

If you collect due diligence information from an established fintech today, you can expect a well-defined package complete with a SOC 2, financials, cyber security policies, etc. However, start-ups typically will not have this documentation for the first 18-24 months of their existence. These companies are focused on getting their product to market, building their expertise, and trying to make a profit. Hiring an auditor to produce a SOC 2 isn’t a top priority.

The agencies recognize that issue. Although they did not specifically revise the guidance for it, they noted in their summary that organizations should work closely with these types of fintechs to understand the threats and controls and to ensure data is safe. Organizations should be flexible in their approach and partner with the fintech to resolve any concerns.

Foreign Third Parties

In the global economy it’s almost impossible to do business only with US-based companies. Even third parties that you think are local may be owned and headquartered outside the US. When evaluating new third parties or reviewing existing relationships, ask the following questions:

  • Where is my data hosted? If outside the US, are you comfortable the third party has the proper controls to ensure the safety and privacy of sensitive information?
  • Is the country stable enough to provide uninterrupted services?
  • Which choice-of-law and jurisdiction provisions govern the adjudication of contract disputes? Don’t assume that U.S. law prevails. Review the contract and seek legal advice on its enforceability.

Subcontractors

The agencies have been stressing the need to evaluate the risk and controls of subcontractors in third-party relationships. It is not an easy task, and based on the feedback they received, the agencies now advise evaluating subcontractors according to the risk of the third party. High-risk third parties should list their critical subcontractors (also known as fourth parties) and provide either the subcontractor’s SOC 2 or a memo stating that they have reviewed the SOC 2 and noting any concerns they had.

Due Diligence and Collaborative Arrangements

During the comment period for the proposed guidance, the agencies received a lot of feedback regarding the burden of conducting due diligence. The agencies stressed that due diligence can be conducted based on the level of risk, as I noted earlier in this article. However, a new concept was introduced: collaboration with other organizations in the banking industry that share the same third party.

This is an interesting concept and one that may meet resistance from vendors due to regulations, including antitrust laws. A quick glance at any SOC 2 report usually reveals a stern warning against sharing the information. The agencies revised the guidance to acknowledge that such collaboration can be done, but in a cautious tone. Ultimately, it is the responsibility of each organization to draw its own conclusions from the due diligence information obtained through collaboration.

We will have to see how this plays out in the real world.

Final Thoughts

My overall assessment is that the guidance was updated to reflect our new reality and to recognize that not everyone has the capacity to perform exhaustive due diligence. There were no earth-shattering changes, so if you have a solid program, the updated guidance should reinforce what you are doing now. Vendor management does not need to be complicated, but it needs to be performed regardless of the industry.