Prevalent - Third-Party Risk Management

Software Development

Phoenix, Arizona 13,207 followers

Eliminate security and compliance exposures traced to vendors and suppliers.

About us

Prevalent takes the pain out of third-party risk management (TPRM). Companies use our software and services to eliminate the security and compliance exposures that come from working with vendors, suppliers and other third parties. Our customers benefit from a flexible, hybrid approach to TPRM, where they not only gain solutions tailored to their needs, but also realize a rapid return on investment. Regardless of where they start, we help our customers stop the pain, make informed decisions, and adapt and mature their TPRM programs over time.

Website: http://www.prevalent.net
Industry: Software Development
Company size: 51-200 employees
Headquarters: Phoenix, Arizona
Type: Privately Held
Founded: 2004
Specialties: Third-Party Vendor Risk Management, Risk Assessment, Third-Party Vendor Threat Monitoring, and Software Development

Locations

  • Primary

    11811 N Tatum Blvd

    Phoenix, Arizona 85028, US

  • 436 Hazeldean Rd

    Unit 202

    Ottawa, ON K2L 1T9, CA

  • 10/11 Cedarwood, Chineham Business Park

    Crockford Lane, Chineham

    Basingstoke, RG24 8WD, GB


Updates

  • 💼 Organizational changes such as mergers, acquisitions, and divestitures introduce complexity and fragmentation into corporate structures. These transformations often involve onboarding and offboarding vast networks of third-party vendors, subcontractors, suppliers, and other parties, each bringing potential unknown risks that could adversely impact business operations. TPRM acts as a critical source of intelligence in these scenarios. A robust TPRM program helps identify and assess risks associated with third parties and implements strategies to mitigate those risks during transitional processes, safeguarding your organization's business operations. https://buff.ly/4d0H4ua Understanding the context of a business transition is key to addressing third-party risk appropriately and setting your team up for success. This enables teams to train for and anticipate different scenarios that may arise. It also provides insights amidst heightened uncertainty, helping teams understand potential impacts on operational processes. There are three universal best practices to consider when creating a TPRM process tailored to your team's needs. These recommendations serve as the foundation for managing and mitigating potential risks during all types of business transitions: 1. Establish key stakeholder relationships 🤝 2. Maintain a holistic view of third-party risk 🔭 3. Build an extended supply chain inventory 📇 A proactive approach helps spot potential risks and facilitates more effective management of future business transitions. This creates a more resilient supply chain capable of adapting to new business scenarios, ensuring your supply chain supports rather than hinders your strategic goals. #TPRM #VendorRisk #RiskManagement

    • Third-Party Risk Management for Mergers, Acquisitions, and Divestitures | Blog
  • Every mature TPRM program relies on risk assessment questionnaires to collect information on vendor controls and spotlight potential exposures. 📋 When building your TPRM program, one of the most significant decisions you'll make is determining which questionnaire(s) to use and when to use them. Third-party risk assessors and risk managers share the common goal of reducing risk – and that starts with information gathering. https://buff.ly/3WfDEwC Risk assessment questionnaires are a great way to get an inside-out, trust-based view of a vendor's security, privacy, and compliance controls. They address a plethora of TPRM concerns, such as: 🤨 Is risk control acceptable? 🪛 Does a risk need remediation? 🎚️ For an identified risk, is a compensating control in place? ⚡ In areas where there isn't a risk identified, what is the effectiveness of the control? While questionnaires are just a part of the third-party risk management equation, they're the best mechanism for getting a detailed, internal perspective of vendor risk. #TPRM #VendorRisk #RiskManagement

    • How to Select a Vendor Risk Assessment Questionnaire | Blog
  • In response to increasing numbers of cyber-attacks, the EU parliament passed the Digital Operational Resilience Act to improve IT security and ensure financial institutions can operate during disruptions. With compliance expected by January 17, 2025, we examined the key articles in DORA Chapter V: Managing of ICT Third-Party Risk. Our comprehensive checklist provides guidance for understanding which DORA articles call for third-party risk assessments, monitoring and other TPRM activities. It also maps key TPRM capabilities to applicable DORA principles and framework components. https://buff.ly/3WDImWk The DORA Third-Party Compliance Checklist is ideal for any security, compliance, or risk management professional in the financial sector who needs to ensure compliance with this critical piece of EU legislation. #TPRM #VendorRisk #RiskManagement #DORA

    • The DORA Third-Party Compliance Checklist: Ensure Your TPRM Program Meets the Requirements | White Paper
  • How well are you able to collaborate within your TPRM program? 🤔 Many organizations face scattered silos and decentralization of third-party risk activities, along with fragmented processes and a lack of a single source of truth, preventing sufficient risk remediation throughout the third-party lifecycle. With those barriers, how do you align multiple departments around unified TPRM processes? Join Bryan Littlefair, CEO of Cambridge Cyber Advisors and former CISO of Vodafone Group and Aviva, on August 7 as he explores how to improve cross-functional collaboration and enhance third-party risk management. https://buff.ly/4flBR1G In this webinar, Bryan will share: ⚡ Strategies to break down silos and centralize third-party risk activities ⚡ Methods to unify fragmented third-party risk processes ⚡ Ways to establish a single source of truth for third-party risk ⚡ Best practices for increasing visibility into third-party risk intelligence ⚡ Tips for aligning multiple departments around a single set of TPRM processes and data Enhanced cross-team collaboration means your organization will more effectively mitigate risks, make informed decisions at every stage of third-party relationships, and foster a stronger TPRM program. Register now! #TPRM #VendorRisk #RiskManagement

    • How to Align Multiple Departments for Effective TPRM | August 7 at 12:00 pm ET
  • CIOs need to be aware of operational risks, especially considering that security and data governance is a growing challenge. In fact, 61% of companies reported a third-party data breach or security incident, a 49% increase over the last year. CIO Online spoke with several experts, including Prevalent's Brad Hibbert, about the IT risks that CIOs need to be worried about. See what Brad had to say about third-party risks! https://lnkd.in/d4sjebr2 #TPRM #VendorRisk #RiskManagement #Cybersecurity

    5 IT risks CIOs should be paranoid about

    cio.com

  • The CCPA – and CPRA – have four key TPRM requirements that apply to vendors handling data on California residents. The CCPA requires companies to inform California residents about data being collected prior to collecting the data. It allows consumers to access all personal data held by a company and receive information about individuals or organizations with whom that data has been shared. It also allows consumers to opt-out and prevent their personal data from being sold or shared with a third party. Specific to TPRM, Section 1798.100 of the CCPA states that a business that collects a consumer's personal information and sells or shares it with a third party must enter into an agreement with that third party that "obligates the third party, service provider, or contractor to comply" with the CCPA's privacy regulations. Organizations should, therefore, ensure that their third-party partners and service providers are well-prepared to protect consumer information. https://buff.ly/3WIQSnf The first step in any security program is identifying and prioritizing existing risks via a thorough security assessment. CCPA Section 1798.185 (15) speaks to, "requiring businesses whose processing of consumers' personal information presents significant risk to consumers' privacy or security" to conduct annual cybersecurity audits and submit to the California Privacy Protection Agency a risk assessment. While the CCPA is technically California state law, its reach is felt far beyond the borders of the Golden State. CCPA oversight is not limited to businesses headquartered in California or even businesses physically operating in California – the CCPA applies to consumer data collected from any resident of California. Given that California is home to about 40 million people and would be the 5th largest economy in the world if it were its own country, the odds are good that if your business is collecting consumer data, you have collected the data of a California resident. 
    In fact, many businesses opt to treat every consumer as if they were a California resident, and therefore prepare for CCPA compliance across their businesses. #TPRM #VendorRisk #RiskManagement #CCPA

    • A CCPA and CPRA Compliance Checklist for Third-Party Risk Management | Blog
  • How can you ensure your TPRM efforts are in sync with your organization's GRC program for a complete picture of your risks? In this on-demand webinar, Michael Rasmussen, The GRC Pundit & Analyst at GRC 20/20 Research, discusses how you can reunite GRC and TPRM to identify, monitor, and mitigate risk throughout your extended enterprise. https://buff.ly/3WvjZJp #TPRM #VendorRisk #RiskManagement #GRC

  • ⚠️ In the early hours of Friday, July 19, an update to the CrowdStrike Falcon Sensor product triggered a worldwide outage on Windows machines. The incident was not a cyberattack or malicious in any way. It was faulty code in a regular product update. This is a perfect example of why you need to continually assess the business resilience practices of your third parties and understand the third-party risk exposure in your vendor universe when widespread outages like this one occur. CrowdStrike regularly publishes content updates to its Falcon Sensor products to ensure that they're protecting against the newest cyberattacks. All reports point to the update being part of that deployment cycle. The update, however, included some faulty code that triggered the dreaded Blue Screen of Death on Windows machines. Affected equipment suddenly displayed the dreaded "Blue Screen of Death," grinding thousands of companies to a halt worldwide and disrupting operations at banks, airlines, hospitals, and other organizations. Regardless of the cause, a high-impact incident is the wrong time to ensure you have a third-party incident response plan. https://buff.ly/3WbAppV Instead, start preparing for the next incident by implementing a proactive approach now. Start with these 4 best practices: 1. Develop a centralized inventory of all third parties 📇 2. Build a map of third parties to determine technology concentration risk 🗺️ 3. Assess third parties' business resilience and continuity plans 📋 4. Continuously monitor impacted vendors and suppliers for issues 📡 The CrowdStrike issue was thankfully not from a malicious source, but risk monitoring remains a key component in understanding your exposure to a third-party incident. However, over the next few weeks, companies affected by the CrowdStrike outage will likely spend significant time recovering their systems. 
    Vendors, large and small, will contend with the business slowdown and potentially bring many thousands of end-user machines back into service. #TPRM #VendorRisk #RiskManagement #Cybersecurity

  • Forty-nine percent of companies experienced a significant third-party data breach in the last 12 months, according to the Prevalent 2024 TPRM Study. ⚠️ As third-party risks become more complex, information security teams increasingly take the lead in TPRM efforts. Achieving a mature TPRM program is essential to staying ahead of these challenges, but the path to maturity can seem overwhelming. Join TPRM and compliance expert Alastair Parr in this comprehensive webinar on July 31, where he'll explain and simplify the process of maturing your TPRM program. https://buff.ly/4684Lyg In this webinar, you'll learn: ⚡ The various types of third-party risks addressed by a mature TPRM program ⚡ How to use the Capability Maturity Model to define and achieve TPRM maturity ⚡ The 5 essential pillars for a successful TPRM program ⚡ The different levels of TPRM maturity ⚡ Key steps to elevate your program to the next level By enhancing your TPRM program maturity, your organization will more effectively mitigate risks and make informed decisions at every stage of third-party relationships. Register, and you'll also gain instant access to our white paper, Improving Third-Party Risk Management Program Maturity: How to Use the Capability Maturity Model! #TPRM #VendorRisk #RiskManagement

    • Your Step-By-Step Guide to a Mature TPRM Program | Wednesday, July 31 at 12:00 pm ET
