Redefining CyberSecurity

From Regulations to Relationships: Navigating the Maze of Third-Party Risk Management | A Conversation with Branan Cooper | Redefining CyberSecurity with Sean Martin

Episode Summary

Dive into the complexities and evolving landscape of third-party risk management with Branan Cooper, a seasoned professional with over three decades in financial services, in conversation with host Sean Martin. This episode explores strategies, regulatory landmarks, and the importance of a holistic approach to managing third-party risks, providing valuable insights for professionals across the business spectrum.

Episode Notes

Guest: Branan Cooper, Financial Services exec

On LinkedIn | https://www.linkedin.com/in/brananc/

____________________________

Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]

On ITSPmagazine | https://www.itspmagazine.com/sean-martin

___________________________

In this episode of the Redefining Cybersecurity Podcast, hosted by Sean Martin, we dive into the intricate world of third-party risk management with the insightful Branan Cooper, boasting an impressive three-and-a-half decades of experience in financial services. Throughout this discussion, Cooper and Martin explore the evolution and critical aspects of managing third-party risk within businesses, emphasizing the ever-increasing interconnectivity and dependencies in the digital age.

Branan Cooper draws on his vast experience, touching on the regulatory milestones that have shaped third-party risk management practices, from early quality assurance efforts in the '90s to the recent comprehensive interagency guidance. Highlighting the intertwined nature of third-party risk with operational, cybersecurity, and compliance aspects, the episode sheds light on the need for a holistic approach encompassing due diligence, ongoing monitoring, and a lifecycle approach to vendor relationships.

Significantly, the conversation delves into practical strategies for mitigating third-party risk, the importance of fostering a culture of communication and collaboration across departments, and the pivotal role of documentation in managing and mitigating risks effectively.

Cooper also shares invaluable insights into the nuances of vendor relationships, from assessing and prioritizing risks to the crucial aspect of planning for potential exit strategies. This episode not only serves as a primer on the complexities of third-party risk management but also as a guide for navigating these challenges proactively, offering listeners actionable advice and best practices drawn from decades of experience.

Whether you're a business leader, IT professional, or risk management practitioner, this episode provides a wealth of knowledge on safeguarding your organization in an interconnected business ecosystem.

Key Questions Addressed

___________________________

Watch this and other videos on ITSPmagazine's YouTube Channel

Redefining CyberSecurity Podcast with Sean Martin, CISSP playlist:

📺 https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq

ITSPmagazine YouTube Channel:

📺 https://www.youtube.com/@itspmagazine

Be sure to share and subscribe!

___________________________

Resources

Third Party Risk Management 101: Learning the Fundamentals of Third-Party Risk Management (Venminder)

The interagency guidance on third-party risk management: Federal Register, Interagency Guidance on Third-Party Relationships: Risk Management

What is a third party? What Is a Third Party? How Their Role Works and Examples (Investopedia)

Why is third-party risk management important? Why is Third-Party Risk Management Important? (UpGuard)

Although no longer in force, the following guidance documents were so fundamental in defining industry terms, and such watershed moments, that they remain valuable reference material for the terms and procedures commonly followed in TPRM:

FDIC Financial Institution Letter FIL-44-2008 (inactive): Guidance for Managing Third-Party Risk

OCC Bulletin 2013-29: Third-Party Relationships: Risk Management Guidance (PDF)

Understanding UDAP and UDAAP: The Differences Between UDAP & UDAAP (McCune Law Group)

___________________________

To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit: 

https://www.itspmagazine.com/redefining-cybersecurity-podcast

Are you interested in sponsoring this show with an ad placement in the podcast?

Learn More 👉 https://itspm.ag/podadplc

Episode Transcription

From Regulations to Relationships: Navigating the Maze of Third-Party Risk Management | A Conversation with Branan Cooper | Redefining CyberSecurity with Sean Martin

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

Sean Martin: [00:00:00] Hello, everybody. You're very welcome to a new episode of the Redefining CyberSecurity Podcast here on the ITSPmagazine Podcast Network. This is Sean Martin, your host, where I get to chat about all kinds of things, cybersecurity and operationalizing programs within the business. And when I say within, that's, uh, maybe not the right perspective, uh, because there's a lot of stuff around the business as well that makes it happen.
 

Obviously, it's all connected in some fashion, uh, but there's supply chain and, uh, bill of materials and certainly bespoke applications, commercial applications. A combination of all of that stuff, and the common thread when, and perhaps, I don't know, even if you look at your own internal teams, is third party risk.
 

What are the vectors into an organization, uh, that you have to pay attention to? And [00:01:00] perhaps, yes, uh, open source plays a role here as well if you're building your own stuff. So I guess at the end, it's all connected. Uh, and it's an area that I've spent quite a bit of time looking at and, uh, discussing. So I'm thrilled to dig in and get an update on where things kind of sit from my guest, Branan Cooper. 
 

Thanks for being on.  
 

Branan Cooper: Sure. Thanks for having me, Sean. I'm eager to talk about third party risk. It's obviously one of my favorite topics and certainly one, I agree, winds its way through pretty much any other discipline of risk management or IT cybersecurity. It has touch points with all of them.  
 

Sean Martin: Exactly. 
 

Exactly. And there's also another, another, uh, element there that is up for debate, which is "third party," because this is Nth parties, perhaps, uh, which I'm sure we'll touch on today. Uh, before we get into it though, um, a few words about what you're up to and [00:02:00] why this is, uh, an area of, you said you like to talk about it.
 

Why, why is that?  
 

Branan Cooper: So I've spent about 36 years in financial services altogether. Um, first three big banks and then more recently at a couple of the big third party service providers. Um, in that time, I've just gravitated more and more toward the risk management side of the business. Obviously, it's a hot topic, and it's one that you really can't manage your business without considering. In terms of, uh, sort of how I come to this,
 

I really go all the way back to the mid nineties, when we talked about third party risk management, really, in the context of something like quality assurance, when we were first beginning to outsource stuff and we realized there's this inherent need to understand who we're handing off our customers to and how we expect the customers to be handled in that case.
 

So a lot of what we did then in quality assurance really looks a lot like what we do in ongoing monitoring or due diligence in the third party space today. Today, I'm currently not working. I'm out dealing with a little medical [00:03:00] issue, or a big medical issue, but even as I'm doing that, I think, if anything, I'm more engaged than ever, because I've got the benefit of some extra time, and I've been involved with a lot of organizations talking about, where are we sitting?
 

Third party risk. There's been a lot of developments over the past couple of years. Um, not only interagency guidance, I'm sure we'll get to, but also, as we've seen things around ESG, GDPR, and any other acronym you can name out there, DORA. Um, they all have third party implications. On their face, you think, okay, yeah.
 

Sustainability that has nothing to do with third party. Well, yes, it does, because you're counting on your third parties to maintain the same standards you do at your financial institution, manufacturing firm, healthcare organization, whatever it might be.  
 

Sean Martin: Yeah. And, uh, I'm thrilled to have you on. It's a, it's a pleasure to have you be, be part of this and I'm excited to dig into it. 
 

Um, you, you said that things have changed quite a bit [00:04:00] in the past couple years. So I think you mentioned a couple just different ways of looking at it. Um, I come purely, not purely, but primarily from a cybersecurity perspective and risk management perspective, which connects IT and data and systems.
 

That's just one view. And of course, the more mature organizations that sit in the financial sector, uh, often have a broader perspective. Can you touch on that and kind of how things have progressed over time? ESG is a good example of that.
 

Branan Cooper: Sure, absolutely. Let's kind of take a little history lesson first. 
 

Maybe back in 2008, uh, the FDIC introduced what was known as FIL, Financial Institution Letter 44 of 2008. That really was the first time anybody in financial services regulation sought to codify third party risk management as a term, and it laid out some very ambitious milestones, or very ambitious parameters, what they're looking for [00:05:00] in selecting a new third party, doing the appropriate due diligence, doing the appropriate level of risk assessment,
 

conducting ongoing monitoring, having contract standards, and also keeping your board informed and having the right reporting around all that. So that was really kind of the first stroke that caught everybody's attention and said, wow, we need to be doing something more on third party risk than we're doing today. Flash forward a few years,
 

and as we're going through, obviously, the financial crisis as well, and the creation of the CFPB, all of a sudden broader powers are coming into play. The Consumer Financial Protection Bureau has authority over what's called UDAAP, or Unfair, Deceptive, or Abusive Acts or Practices, which really says anything that could cause a consumer harm.
 

That's been around for a long time with one less A; the abusive standard didn't exist, but it always belonged to the Federal Trade Commission, the FTC, under Section 5, I believe it was, of the FTC Act. With the CFPB coming into existence, they said, we really need to look at things [00:06:00] that could cause confusion for the consumer or could cause outright harm.
 

You know, they're unable to cancel a product and more fees are piling on. So that became one of their broadswords for enforcement actions. And as we began to see those enforcement actions, we realized that a lot of those were rooted in third party risk management. So, for example, a financial institution might outsource their marketing to a third party, somebody they've contracted with to do third party risk networks, to do marketing activities.
 

That marketing firm has access to the customer's data, first of all, which obviously would concern us from a cybersecurity standpoint and a privacy standpoint. Second, it may have some control over what is marketed to the customers, and the timing and frequency of that. So you can imagine, if you're not keeping a close eye on that, sometimes marketing firms, either intentionally or unintentionally, may take the customer's data down paths you never wanted to go to.
 

You touched on fourth parties, and you're right, the party never ends in this [00:07:00] realm of the world. Uh, we'll come back to that later, I'm sure, but as you imagine with a marketing firm, as they reach out for data sources and that sort of thing, fourth parties quickly come into the equation. Going back to our history lesson for a moment, let's move forward from the, you know, 2008 to 2010 timeframe, on forward to 2013. 
 

And at that time, the OCC, or the Office of the Comptroller of the Currency, which controls the national banks, issued out what was called OCC Bulletin 29 of 2013 that really galvanized third party risk management. I'll give you a quick story on this one. We were right in the middle of our exam at the bank that I was working for at the time when this came out. Came out on the day before Halloween.
 

Perfect timing for something like this. Talk about something scary, a scary new regulation coming up on Halloween. Perfect for me, right in the middle of my exam. Even better. You know, it's just great timing. Our FDIC examiner came in and sat down with me and wanted to understand my take on this brand new guidance that had just come out.[00:08:00]
 

Of course, I'm saying, why does an FDIC regulator care about OCC guidance? And it's because they, just like we look at our competitors, they look at each other as competitors a little bit. They also share best demonstrated practices at the FFIEC, the Federal Financial Institutions Examination Council. So what is a gold standard for a national bank who's under the OCC purview
 

should be taken into account when you're writing a policy or a program, uh, for, you know, any other financial institution out there. This one really set a lot of standards, not only in terms of board and senior management involvement, which I think woke up a lot of boards to say, wow, we got to pay attention to this,
 

and then second, it really laid out this life cycle approach to third party risk management. If you were to look at the, uh, at the bulletin itself, it has this famous wheel inside of a triangle, uh, that we all think about in the industry. And what that really implies is you've got this ongoing commitment to third party risk management.[00:09:00]
 

It's not a one and done activity. It's not like you're doing due diligence at the beginning of the relationship and then never worrying about it again. It gives you this commitment that you need to keep refreshing that due diligence. From time to time, it also emphasized a need for a risk based approach to third party risk management. 
 

And what that means is not all third parties are created equal. I don't need to take the same level of interrogation of my landscaping person as I do of my core processor, as the probably easiest, most hyperbolic example. But you do want to make sure you are asking appropriate questions depending on the level of risk.
 

And if you discover something is introducing more risks than you first realized, that's when you really want to dig into things, make sure that your, your interests are protected. Now, all of the regulators sort of came into the same fold at that point, but they were all using different language, and that became problematic over the years.
 

As you might imagine, if you have somebody who's answering [00:10:00] to a couple of different regulators, you're having to speak a couple of different regulatory languages. I know for me, in trying to sit in front of examiners, I'm always having to think, okay, is it a service provider, is it a vendor, is it a third party?
 

With whom am I speaking right now? Uh, or with whom am I speaking? What am I speaking about? Last year, fortunately, after inviting a lot of commentary, they issued out the interagency guidance in July, which really got everybody on the same level playing field of, here are the expectations. For the OCC banks, it was no big deal, because pretty much they just forklifted all the other regulations to look a lot like the OCC standards.
 

It did introduce a few new nuances that those of us who are really deep in the weeds of third party, uh, can get ourselves concerned with. But for the day to day practitioner, what you need to know is now we're sort of all on the same level playing field and we're all expected to do the same things. 
 

When it comes to third party risk, it's not an exhaustive read by any stretch of the imagination. It doesn't [00:11:00] even, you know, really require you to have done third party risk for a long time. So it's a pretty good idea to go in and make sure you're familiar with it, at least at the surface level. Uh, one way I do that, and one thing I talk a lot about when I'm doing webinars or when I'm teaching sessions, is there's a great way of, instead of trying to dive into the third party document, or another piece that might come out that's 900 pages long,
 

wait for the legal analysis to come out and then go read what the law firms have interpreted as the hot points and say, okay, where does that affect my business? And where it does, obviously you need to drill a little deeper, but you don't have to waste your time trying to wade through all the details.
 

So what I would tell you, I think, out of all of this, is we're all finally at a place where we think we understand what we need to do from a third party risk perspective. I do anticipate that some of the smaller banks and credit unions are going to have a real wake up call when it comes exam time, because naturally, as a compliance officer, I wasn't paying as [00:12:00] much attention to third party risk as I was to ECOA, the Equal Credit Opportunity Act, which most people know as Reg B.
 

I wouldn't pay as much attention to it, but now it's going to come up in your exams because all of them are saying this is a priority for us. And again, as you were touching on earlier, since it winds its way through all practical aspects of the business, it's something that we all need to be attuned to because third party risk comes up and bites us, uh, at every turn. 
 

Sean Martin: And I want to, I want to get in here with, uh, the concept of. I mean, there's a ton of stuff rolling in my head just from, from years of looking at this. Where do you start? How often do you do it? How do you prioritize? It's time to circle back again. Yeah, you haven't reached the end. Start, it's time to start again. 
 

Um, so you mentioned something interesting, looking at the analysis, uh, from a legal firm, to determine the impact on the business, [00:13:00] and I don't know if I know of any organization that does that as a first step of a program to really connect it back to what's important. So maybe that's connected to kind of defining scope of what's important.
 

Branan Cooper: Absolutely. So first, I would really start and you think about some of the milestones of a successful program. And really, what are the desired outcomes? First, what am I trying to accomplish here? And that's what you want to lay out first, just at a very broad level, you know, high level. What do I need to do? 
 

And obviously, one of them is address regulatory concerns. Two is to protect the consumer and ensure there's no harm to the consumer or to my own organization. And typically the way you do that is in the form of a policy statement. It really says the intention of the board is to comply with the following federal regulations. 
 

And then you kind of lay out in broad strokes what you're hoping to do. That really is sort of the tone from the top that you're hoping to set. You want to make sure it's in compliance with the [00:14:00] regulatory standards. And again, I think if you turn and look at some of the legal guidance that's out there, and I will name a couple names here, like Ballard Spahr or WilmerHale or Bryan Cave, or JD Supra, those come out with some terrific analysis very, very quickly after any sort of regulation is passed. And it only takes you five minutes, really, to read the, uh, the legal analysis of it in a lot of cases, but it will give you a pause to say, wow, I had not thought of that in particular.
 

Let me see what the regulation really says about that. And then once you have that, you need to lay out, what is the scope of the third parties that we're going to cover? Who are they? One best practice I would share with you right off the bat is you want to not only define who's in, but also who is out.
 

For example, who's going to be out? I probably don't need to do third party risk management on the power company, as an example. Now, sure, from an ongoing monitoring, from a business continuity perspective, of course I want to make sure I've got them [00:15:00] provided for, but from a true third party risk perspective,
 

even if I were to find something in the due diligence or in the risk assessment, I'm probably not going to meaningfully be able to do something about it. I have seen organizations who've attempted to even classify the postal service, since we all rely on them, from a third party perspective, but again, you're not exactly going to knock on the door of your post office and say, hey, I found this.
 

I have this question about how you manage this, this or that. Good luck with that answer. Um, so again, be very careful about who's out of the program, but then focus, once you have it, on who's in the program. A good way to test that is to go to your accounts payable department once a year, or twice a year if you have the resources, and compare who the big payments are going to versus who you have in your third party inventory. I guarantee you, the first time you do it, you're going to come up with a lot of surprises. In parallel to that, you should be reaching out to your business unit managers.
 

Business unit manager, great acronym, BUM. You reach out to [00:16:00] the BUMs and you say, who do you consider to be a third party? And again, match that back to the accounts payable inventory. You're going to find discrepancies. And that's where you need to spend a little bit of time to say, truly, is this organization what we would consider a third party?
 

Are we outsourcing a product or service that they're doing on behalf of our organization for us? In some cases, you're gonna be able to quickly discount them and say Staples office five. Don't worry about the post office. You know, we're not going to concern ourselves. They're taking the very risk based approach. 
 

We don't care that much. If, you know, if the post office goes away, we all have problems. So it's a systemic issue. If Staples goes away, we go to Office Depot. I mean, there are ways of covering those. Where you really want to focus your time is on the ones that pose a real risk. Go ahead, Sean.
 

Sean Martin: Yeah, no, I on that point there. 
 

Um, some. Mm hmm. Some you can't make an alternate decision on, others you can. Is that one of the objectives of the program, [00:17:00] to say, this is the role they play, this is the risk they bring, we either mitigate it, or we find an alternative, or we change the business to not include that, at the risk of impacting the business in these ways? 
 

Is that an objective of a program or is it purely to accept the risk and not, not look for alternative?  
 

Branan Cooper: No, no, you're absolutely, you definitely want to assess the risk and then, uh, try to identify ways to mitigate that risk or, you know, find an alternative. So if I'm assessing the risk, I really want to go through a very detailed analysis of what sort of risk am I talking about here? 
 

Is it an operational risk where if they fail, we're in trouble and we have to stand in for a while? Is that a credit risk where if our policies have changed, we need to make sure that they're up to speed on those and are changing the program or whatever accordingly? You know, what is the risk? [00:18:00] Assess it, rate it.
 

And then once you've rated that risk and identified what it is, then you can go in and determine the mitigating factors and mitigating controls, as we would call them. And once we've assigned those controls, you need to figure out how effective they are. So at the beginning, you've got this inherent risk, sort of that risk.
 

It hits you in the face the first time you're working with the organization. You've done a great job of assessing it. You've assigned these appropriate controls. You've deemed them to be effective. What's your residual risk? What is that level of risk that you're, that you're left with? And sometimes you're going to have a high risk organization no matter what you, no matter what you think of them. A core processor, for example: no matter how well you control it, at the end of the day, since that's your lifeblood if you're a financial institution, or your key supplier if you're in the manufacturing business, you need to figure out an alternative. So what I would say there is even a two step approach.
 

One, identify who else out there and start doing some of the preliminary due diligence so that you have the bullpen ready should you need to [00:19:00] move. And second, with your critical third party, make sure you're negotiating an exit strategy at the time of the contract. It doesn't need to be confrontational, but I liken it to the same way that, you know, when you hop on an airplane, you don't want to think about worst case scenario, but you do want to know where the exit is just in case. 
 

Same thing is true here in third party risk management. As you go into that relationship, you want to think about what happens if things go screwy. You know, do we have the right to break the contract? Do we have to wait till it's up for renewal? Or, oh my gosh, does it auto renew? And then we're really stuck. 
 

So you really want to give a lot of time and consideration to it. Back to your point, Sean, it is all about identifying that risk up front, assigning the appropriate mitigants, and then being able to execute on those mitigants when needed, even if it leads to an exit of the relationship.
 

Sean Martin: So who's involved in the process?

Um, [00:20:00] maybe the, yeah, I'm trying to think of the, so there's the big program and then there's these individual, this business is impacted. I don't know. And we have to do something about it. Who's involved in those processes typically?
 

Branan Cooper: Sure. So first of  
 

Sean Martin: all, purchasing, whatever.  
 

Branan Cooper: Great question. Um, it really depends on the relationship, obviously, but at the front line, it's gonna be the business unit manager. As a third party risk manager, no matter how good I am, or even as a compliance officer, no matter how good I am, if the business unit manager isn't involved, nothing happens, because they're the one who has the day to day relationship.
 

But that relationship goes two ways. That business unit manager needs to come back to me and say, I'm seeing this and it just doesn't seem right. Or I'm hearing this, you know, what do we do about it? And at that point you involve a variety of people. If, if it really is getting serious, usually you're going to have to involve your legal team to look back at the contract. 
 

You're going to probably want to involve your compliance officer if there's any chance [00:21:00] that it's touching on one of the consumer protection regulations. You certainly want to involve your IT department from the standpoint of what happens to the data after the relationship ends, or, heaven forbid, if this is a true risk of a data breach of some sort, what do we do right now to make sure it doesn't happen?
 

And then, hopefully, you've got some sort of governance structure sitting over all of this that says, as the third party risk manager, I'm typically going to be reporting either to the audit committee of the board, or maybe directly to the board, or to the CEO. But I need an escalation path to go and say, Houston, we have a problem, and be able to know that they're going to have my back and act on it.
 

I've seen organizations and I've been in an organization where they gave that lip service and that's dangerous. They'll listen to my presentation all day long during their, my required monthly meeting with them. But as soon as I'm out the door, it's like, who the heck was that? What was he talking about? 
 

That's a problem. You need to know that if you go in there and say, I have a legitimate issue, that they're going to back you on it and they're going to [00:22:00] help you get what you need to resolve that problem. If you don't have that, you're swimming upstream the entire time. But again, it really starts from the top and saying, you know, we, we expect this of our third party risk program.
 

I'm empowering this particular person or this particular area to manage third party risk, and then it gets delegated out through the appropriate subject matter experts being the compliance officer or legal or whomever, and also through the business unit manager to actually execute whatever the third party risk manager says. 
 

So, long way of saying, all the levels are involved at some point, but once there is an issue, you need to scream loud. And one thing that I've seen that is a real stumbling block: there's a lot of times you saw the issue, but either you didn't react to it, you swept it under the rug, heaven forbid, or you didn't document it properly. Whatever you do, document it.
 

We have this old saying in the audit and compliance world: if you didn't document it, it didn't happen. And, you know, I've gone in many, many times and heard [00:23:00] people say, well, yeah, I talked to them about this and they agreed they were going to give us this tomorrow. Uh, okay, well, let me see the email. Let me see the memo you sent them.
 

Let me see a record of the conversation. I didn't write anything down. Again, in this business, you really want to make sure everything is buttoned up, particularly in today's environment, where things tend to get escalated and you want evidence of something, some evidence of, of, you know, who knew about the issue and when, and how was it handled?
 

Sean Martin: Excellent points.  
 

Branan Cooper: Let, let's talk about a couple of the challenges that we just started to touch on a little bit that, that really need to be nailed down fairly early on and how you define your policy and your program. 
 

The policy, again, is that board level. The program document is much more expansive and sort of a cookbook of what you expect the senior management and the business units to do, but you really want to make sure you have it clearly defined. I'm going to give you a couple of common challenges. These are things that I've stubbed my toe on a couple of times.
 

By talking about it, maybe you won't do [00:24:00] the same stupid thing that I've done. First, again, it's this work product that's not consistent with what the plan is. Sounds great on paper, but when you look at what you're actually producing from a documentation standpoint, the two look like, you know, English and Latin.
 

I mean, little variations on the same language. Second is the first time you hear about a new third party is when there's a problem. And I've been in that position several times where I'm in front of the risk committee, and a business unit is bringing up, oh, we just had this horrible data breach with XYZ vendor.
 

And I'm going, oh my gosh, this is the first time I've ever heard of that vendor. And of course the audit officer swings toward me and looks and says, so tell me, Branan, what are you doing about XYZ company? And I'm going, I don't know, because I've never heard of them. Saying it hopefully much more professionally than that.
 

And then running out of the room to throw up in some cases. I think it gets that scary. Next is a program that's not scalable, meaning you've got this great idea. And again, I've been very guilty of this. Where you create this grandiose plan that [00:25:00] works great when you're a 2 billion institution. When you're at a 25 billion institution, if you haven't kept it updated and robust, and relevant to the current regulations, you're going to be in trouble. 
 

So again, you really need to make sure your program is scalable. And I have made that problem happen many times. Then you'll have those uncooperative vendors, the ones who truly will not share any information with you. You see this with the core processors in some cases, although I've got to hand it to them, they've gotten a lot better about it, but they know they're the 800 pound gorilla and they can say my way or the highway and you're kind of forced to accept whatever they give you again. 
 

I think they've gotten better mainly because they've gotten pressure also from the regulators. They've gotten their own enforcement actions in a couple of cases. Or matters requiring attention that they have to, uh, satisfy. So I think they've gotten the wake up call there all the way down the line. 
 

You're going to have relationships where the vendor is not willing to give you the information. I parted ways with several [00:26:00] vendors over the years. Who simply said, we don't have this, or we're not willing to get it. I had a great outsourced call center that I absolutely loved their performance, but they wouldn't give me access to like their data information security policies. 
 

They wouldn't give me records of, you know, what, what testing they do on a regular basis, what they do around, you know, patching cadence, those sorts of things, things that I just fundamentally need to know that I need to make a change, or if we become aware of a problem, how quickly is it going into place and can we test that that's happened. 
 

They weren't willing. So I had to go to my risk committee and say, look, guys, you know, this is an unacceptable level of risk. If the business unit wants to sign off on it. You know, I can't say no, but I really don't think it'd be in our best interest. Fortunately, in that particular case, they said, Absolutely. 
 

We don't want to be doing business with them. And another one that you'll find, and I think this is gonna get a lot easier with some of the recent Securities and Exchange Commission and the Treasury Department's, um, uh, regulations around beneficial ownership, is not knowing who's in charge of the [00:27:00] organization you're doing business with again. 
 

Now we require people to disclose all the way down to 10 percent ownership. Who's involved in your organization? Who are the key, you know, executive members of the leadership team? Who are the actual owners of the corporation? You want to know that, so you make sure you're not suddenly involved with a foreign entity you weren't aware of. 
 

All of a sudden, you're going to have OFAC problems if that's the case, or all of a sudden you're going to be running afoul of all sorts of treasury regulations. So you want to make sure that you stay abreast of those. That's easy to do at the start. It's very difficult to do on an ongoing basis, unless you use one of those big monitoring tools like LexisNexis or something like that, where you can constantly refresh your data. 
 

But that brings me back to a point you had mentioned earlier, Sean, you need to keep things updated. So if you're high risk groups, you probably want to be looking at them at least on an annual basis, perhaps even more frequently, depending for your medium risk third parties. Maybe you look at them once every two years, once every three years. 
 

Again, codify it in your [00:28:00] policy or your program however you want to. And then for your low risk ones, you maybe want to look at them six months before the contract renews, just to make sure nothing has gone haywire. But with all that said, now that we have the sophisticated monitoring that you can do, I would be out there looking for them on a regular basis to make sure they're not appearing in the headlines. 
 

For example, the target breach, as we all know, was caused by somebody compromising, uh, the credentials of an HVAC contractor. So this HVAC company that we never really thought about, didn't even know existed, all of a sudden caused one of the most notorious data breaches of all times. So again, that, I think, gave a lot of the impetus to some of the revisions that were made in third party risk management, and really forced us to go down that rabbit hole that you were talking about of nth party management. 
 

You know, you got to really keep following your customer data as far as you possibly can, wherever there's an exposure point. Sometimes it's going to take you to just the third party, but often it's going to take you to that fourth party or fifth party. And let me give you [00:29:00] one other one that most people don't think about that, uh, a lot of people leave out of their programs and that's people who have unfettered access to your, uh, facility after hours. 
 

So whether it's the cleaning crew or your landlord or whomever else it may be, if they're going to be coming in there after hours, that leads to think about, okay, what are their hiring practices? What are their information security practices? And I know you're going to get laughed out of the room. The first time you ask that question. 
 

But all that needs to happen is for somebody to go dumpster diving, as we used to call it, and grabbing customer information out of your waste can because you didn't have a good internal shred policy. And they exacerbated that problem by stealing it and doing something. In the case of foreign entities, that meant I went to a lot of places and went and did a lot of clean desk audits to make sure that U.S. customer data was not walking out the door. 
 

We required a lot of our foreign entities to have a clean desk policy. Just right out of the gate, price of doing business with us, because again, if you can do [00:30:00] anything to truncate the U.S. customer data while it's still on shore, the better off you are. 
 

Obviously, in today's world, where pretty much everything gets outsourced to a variety of overseas partners, it's not as easy to do that, but if you put the right standards in place and have ways of sampling or identifying or testing into it, you're gonna be a lot better off than just kind of leaving it to chance. 
 

I'm waiting for the problem to happen.  
 

Sean Martin: So I remembered my, my point that I want to make, and you're, you're making a lot of, a lot of supporting points, but I want to dig in deeper. A lot of times, it's funny. I couldn't think of it a lot of times on the show. I talk about, um, moving stuff from right of boom to the left of boom. 
 

And to me in this instance, it's not just, Hey, we signed an agreement or we're, we're days away from completing this agreement with a new, new provider, a new, new vendor, um, how do we, how do we ensure that they meet [00:31:00] the level of posture that we expect in the program and operations, whatever else that we want them to have, my view is that security has a role to say, let's help the business actually define. 
 

What they're trying to accomplish, whereby there's a different vendor, maybe a different workflow, maybe, maybe this warrants a little build, buy, partner, uh, thing where it may make better sense to build this thing that we need. I don't know. Um, have you had any experience in that? And is that just a moonshot? 
 

It's not all this guy or any stories to share there?  
 

Branan Cooper: Sure. Absolutely. A couple of different things I would, I would offer up on that one, as far as, you know, making sure that you've evaluated whether it should be done in house or outsourced. That's absolutely fundamental to everything we talked about in third party risk management. 
 

And it's a question I frequently asked, wouldn't we be better [00:32:00] off keeping this in house? And particularly during the pandemic, we asked ourselves that a lot because all of a sudden, overnight, we're sending out this data and all these different directions to all these people who are working remotely. So I want to control as much in house as I possibly can still at that point, you know, anything I can hang on to the old way of doing things I want to do, um, but realizing you have to outsource more and more, you do need to think about it is the right thing to do. 
 

This goes back even, you know, 20 years ago when my first bank that I worked for, one of the largest projects I ever worked on and actually helped me gravitate toward the risk management side of the spectrum was I was managing a huge, huge, um, I would call them a lending platform that had done just a great job of building out this very robust set of capabilities that we as a big bank thought, Hey, we can do this better by building it in house. 
 

Well, guess what? That nimble little lender out here was able to run circles around us. Every time we would introduce this new feature, a new product, they're like, Hey, we're one [00:33:00] step beyond that. Look at what we're doing now. So it made sense for us to outsource more and more of it. It became a real push and pull tug of war between the IT department, who loved this new thing we're building in house, versus the marketing folks who want to take advantage of every little bell and whistle they had. 
 

So you've got to have a committee that gets together and talks about that sort of stuff. At my prior bank, we had this thing called initial risk committee, where we sat down on a weekly basis, and we would tee up topics just like that. 
 

Let's talk about this new technology out there. If we have somebody coming to the table tomorrow, offering us something like this. What do we want to know about them? What would we expect them to have from a risk management standpoint? What sort of compliance rigor or what sort of documentation? And let's do that way upstream of ever getting into that line of business. 
 

Again, the reason being that if I can identify some of those standards up front, I know that the business unit manager or the IT manager in going out and talking to a potential third party is going to know what questions to ask. Know [00:34:00] what I'm going to be looking for from a third party standpoint, more importantly, if we're going out with an RFP and going to, you know, half dozen different people and saying, give me your best ideas, you're going to get a lot of stuff back and you've got to have an easy way of comparing it. 
 

And if you've gone ahead and bucketed that on the front end, and then kind of go in and set up what I always call a scorecard approach and say, okay, who looks the best of all of these? And again, in the background, still, are we going to still plan on being able to do this in the house? Or if they fail, are we prepared to do it in house? 
 

Again, a big consideration there. But if you put those guardrails in place up front, it becomes a lot easier. Again, the biggest horror story that I can have is finding out about a new third party right as we're getting ready to sign them. And I've had that happen where you walk into risk committee and the marketing manager slides it across the table and says, Hey, we're signing these guys tomorrow. 
 

What can you find out about them for me? Okay, well, uh, you know, so we set a standard out there. We wanted 90 days advance notice. Of a new third party. Was that always reasonable? [00:35:00] No, but for the majority of relationships, particularly the more critical ones, it's going to take you that long to negotiate the contract anyway, so let's go ahead and build that 90 day standard in there. 
 

Does it create some wasted time on my side from a third party standpoint? Yeah, but I'd rather waste that time now than be answering the questions on the back end of why didn't we know about this going into this relationship? So did we always adhere to it? We weren't perfect, but we really got a lot better at it. 
 

Um, and I got a lot less of those late night calls from business manager going. Uh, I know I should have told you about this when we're going to risk committee tomorrow with this, and we're hoping you'll support it. Oh, I've never heard of them. Who are they? Where are they? What are we? What sort of, you know, due diligence have we done on them? 
 

None. Okay, this can be a fun meeting tomorrow. Another sleepless night. Reach for the Ambien. Um, so, you know, there are some real hard stories, but the more you can do to be defined about it up front, the better off. Another real key takeaway for all of this, I think, is educate as many people as you can. 
 

With the board, it's [00:36:00] tough because you're only going to get 15 minutes, if you're lucky, once a quarter to talk to them, but I put it on that same education schedule as I did Truth in Lending or Equal Credit Opportunity Act, where we're going to require them to go either complete a self paced module or sit through education with us once a year. 
 

I got invited six years ago out of South Dakota. I got invited in February, which I got to tell you, the best time to visit South Dakota is not February. One of my companies had a subsidiary there. And, uh, I was out there frequently and I learned to try to avoid the winter months out there. Well, lo and behold, I get hired as a contractor to come out and teach third party risk management at a particular company in South Dakota. 
 

Nice February weather, just loved it. In any case, uh, once I was there, once I was warmed up and not talking like I was still frozen, I discovered that in the audience was the president of the bank. So they clearly got the message. That bank clearly got the message. They needed to be front and center on third party issues. 
 

So you better believe that [00:37:00] everybody and their brother, from the business unit, from compliance, from information technology, information security, everybody was at the table and paying attention. Uh, to my education session, some of the webinars we've done out there, they use as training materials at various banks and credit unions, and I think that helps and other organizations. 
 

Well, health care insurance. Other financial service entities. Um, so again, I think the more that you can do to educate everybody of what the role in the process is, the less likely you are to come up and find out that you have an error. The problem also is sometimes again, as a junior business manager, I'm sure I must have inadvertently made this mistake, but seeing something and not doing something about it is a common flaw. 
 

I don't think anybody goes in meaning to do that or sweep something under the rug. But they just don't recognize the red flag when they see it. Or they take that kind of checklist mentality. Okay, great. I finally got their business continuity planning. Shove that in the shared drive file, check it off the list and we're good to go. 
 

Nobody's looked at it. Nobody's seen [00:38:00] it until something happens. And then you're digging back and you go, wow, we had the smoking gun all along and we could have prevented this whole problem if we'd only addressed it earlier on. So that's a lot of how I see ways of proactively, you know, transferring the risk or anticipating the risk and then being able to mitigate it on the front end rather than having this. 
 

You know, retroactive approach to things where you're in trouble.  
 

Sean Martin: Yeah. And you, you gave a couple of good points earlier that, uh, I'll suggest people go back and listen to earlier in the session, uh, where you talked about connecting with the accounts payable, looking at your list of vendors, that kind of thing. 
 

Some really good points there. I want, I want to close with other things CISOs can do to spot that one or two huge red flags that they may not be looking for, right, or may not spot as being red; it might, uh, not look like a flag at [00:39:00] all. So, uh, let's close with that. What, uh, what advice would you give, uh, CISOs to spot 
 

Branan Cooper: the same thing that I, that I routinely did in my last bank. And that was having a very good working relationship between the third party's information security and third party risk management and business continuity, if it's not already part of the IT discipline that's there. 
 

I think that's incredibly important. I think a lot of times. We all tend to operate in silos. I mean, I get into my schedule and I know what I'm doing. If anything interrupts it, I'm kind of thrown off for a while. Same thing's true in business. I mean, you're used to kind of your day doing like this. So if you make it a practice where you're constantly talking to the, to the other folks and asking, what are you seeing? 
 

What's important? What's a hot topic? What's common failure point? That makes it a lot easier when something does happen or with something doesn't quite look right. You know, there's an easy way to escalate and it doesn't seem scary. You know, I'm not going to get hauled in front of the, uh, board for this one little problem. 
 

And sort of also knowing where the [00:40:00] red lines are, you know, if I can't get this from a vendor, is it a big issue? You know, come talk to me ahead of time. That way we can talk about, you know, what are alternatives? Okay, they won't give us their, you know, their data diagram. Okay, well, no surprise there. That's, you know, kind of the keys to the kingdom type thing, but let's see some results of testing. 
 

They've done internal testing or better yet, some sort of independent outside observer that's come in and test them, you know, in the case of PCI payment card industry, PCI compliance, you're going to have a QSA who's gone in there and looked at them to certify them to say they're good at what they're doing. 
 

That's perfectly acceptable to me in terms of saying, you know, do they have the right rigor in place? No, that's that's great. If they've got, uh, the good old SSA reports, those, those are terrific as well. I mean, and again, they're, they're evolutionary parts of it. The other part I would tell you is educate us. 
 

I mean, those of us who are in third party risk management or in compliance. We don't have a clue about IT. You saw that when I'm trying to set up this session. I don't have the first thing [00:41:00] in, in terms of technical knowledge. I am a Luddite. I live here in Amish country, practically, you know, literally right down the road from us. 
 

Um, so I'm in trouble when it comes to IT stuff. So tell us what we need to know. Tell us enough. Ask the right questions so that when we're talking to a third party, we can help IT. We can help cybersecurity get the information they need and not sound like an idiot in the process of doing it. I'm good enough doing that anyway. 
 

So those are the kind of common tools. I do think it goes all back to a couple of key things, though. It's documentation from start to finish. It's keeping your board involved and having everybody in the organization know what their role is and being willing to communicate in both directions. Celebrate the successes as you go along because there are plenty of them where we've avoided a costly contract problem. 
 

We've identified something that could have turned into a regulatory problem. I've had a lot of those on my side. Learn from the mistakes, you know, read what happens either to your own organization [00:42:00] or enforcement actions that are out there and be willing to take action based on those things. And then communicate, just simply communicate, talk to the people around you. 
 

What are you seeing and hearing? What are you doing or what are you seeing out there in the industry even, that may be a concern for us tomorrow? And if you do all that, third party risk management doesn't become easy, but at least it becomes a lot less scary on a day to day basis. Also, I would finally be remiss if I didn't think about this one, and that is kind of that worst case scenario you mentioned earlier. 
 

What if we do have to exit this relationship? Or what if there is a breach? What is the communication strategy within my organization? Who needs to know, and when, and who gets to make decisions in all of this? In a lot of cases, that may be me going to the president of the organization and saying, here's the problem, here's what we've done to attempt to mitigate it. 
 

It's still too high of a risk to, uh, to, you know, uh, to accept. So, how do we move along from this relationship? It's going to be painful. There are going to be times you get to [00:43:00] be the bad guy, but at the end of the day, it's the right thing to do for you. It's the right thing to do for the organization. 
 

It's the right thing to do for the consumer. And that's what the regulators are expecting.  
 

Sean Martin: Yeah. I've, uh, I've spoken to some CISOs, they actually do their IR with some of their core vendors as well. Just to know, uh, what that's going to look like. You can't say, well, that's them when something, something big is happening. 
 

Well, Branan, it's, uh, it's a pleasure chatting with you. It's great to get your perspective, uh, on this topic. Um, Yeah, definitely a different view than I've had. I'm much, much more on the operational end of things and, and looking at spreadsheets and tools and things like that. So to have this view is, is fantastic. 
 

So I really appreciate that. And, uh, perhaps there's some resources you'll want to share with folks. And of course, anybody [00:44:00] listening, encourage you to check in with Branan, uh, as you can. And of course, always here to talk about third party risks. So you're welcome back anytime, Branan, and, and, uh, hope everybody enjoyed this. 
 

Please be sure to share, subscribe and, uh, stay tuned. Thanks, Branan. Talk to you soon.  
 

Branan Cooper: Thanks very much. Appreciate the time.