November 2020 Vendor Management News

Now that we are in the month of November and 2021 is right around the corner, make sure you're constantly staying updated on vendor management news. To catch up on what you might've missed, check out the expertly compiled list below.

Recently Added Articles as of November 26

Cybersecurity and consumer privacy are topics this week as data hacks affect both hospital systems and court operations alike and some hefty fines are levied against some big names who personal information accessed via third parties for their own profit... tsk, tsk. But, on the brightside, there seems to be some relief in sight for financial institutions. Read on for more juicy details in the headlines this week!

The hidden dangers of privacy laws: The new landscape of privacy law has completely changed how U.S. organizations handle consumer data; and recent laws such as the European Union’s General Data Protection Regulation, or GDPR, and the California Consumer Privacy Act, or CCPA, provide consumers more control over their data and require businesses to track and disclose how they handle personal information. But, there’s a hidden problem: privacy regulations are overlapping each other in a way that makes it hard to comply with one without opening up a whole other can of worms elsewhere... like with the FTC. The FTC is the most active and severe privacy regulator in the United States. The federal agency protects consumers against “unfair or deceptive practices” under section 5 of the Federal Trade Commission Act. So, bottom line is, you need to cover ALL your bases… the shiny, new ones and the old school rules too.

CFPB Finalizes Advisory Opinions Policy. The Consumer Financial Protection Bureau (Bureau) issued its final Advisory Opinions Policy (Policy) to publicly address regulatory uncertainty in the Bureau’s existing regulations and provide guidance to entities on outstanding regulatory uncertainty. Under the final Policy, entities seeking to comply with regulatory requirements can submit a request to the Bureau where uncertainty exists. Regulatory certainty promotes compliance if the law applies and avoids unnecessary compliance costs if the law does not.

OCC assesses penalty against JPMorgan: This week the Office of the Comptroller of the Currency (OCC) reassessed a $250 million civil money penalty against JPMorgan Chase Bank after the bank’s failure to maintain adequate internal controls and internal audit over its fiduciary business.  It was found the JPMorgan deficient and lacking a sufficient framework to avoid conflicts of interest, and so JPMorgan will have to cough it up to the U.S. Treasury.

Louisiana hospitals report breach: We’ve mentioned the vulnerability of hospital systems before, and here’s yet another reminder of how important cybersecurity really is. This time, the data of thousands of patients has been exposed after another attack targeted Louisiana State University medical centers. The type and amount of patient information compromised in the incident varied by location of care and each email message. LSU said that "a few" email messages "contained a patient’s bank account number and health information including a diagnosis." While LSU Health said they had strict policies in place at the time of attack, it unfortunately doesn’t change the fact the attack provided access to patients’ names, medical record numbers, account numbers, dates of birth, Social Security numbers, dates of service, types of services received, phone numbers, addresses and insurance identification numbers.

NYDFS issues new servicer vendor expectations: While originally proposed in 2019, the New York Department of Financial Services is finally updating some major changes to Part 419, which imposes significant vendor management expectations on financial services companies who service New York-based borrowers. The effective date was mid-June of this year, so servicers really need to get a move-on if they’re going to make sure their vendor management programs and processes meet NYDFS expectations.

Blackbaud hit with another lawsuit: Seems Blackbaud is in for some more heartache now that yet another class-action lawsuit has been filed against them following a ransomware attack that breached the data of more than 10 million individuals from well over 100 companies. In fact, in just the last few weeks, the number of healthcare entities affected by the incident has increased by a staggering number — at least 955,000. While several lawsuits are already in progress, this most recent one has only further underscored that this breach resulted in heightened fraud risk, and as such, seeks financial compensation for the time and funds individuals will need to spend to monitor and defend against further personal attacks.

GDPR fines Vodafone $14.5 million: Earlier this month, Vodafone, Italy’s multinational telecommunications company, was hit with a massive fine (the third largest handed down by the Italian Data Protection Authority this year) citing violations of the EU’s landmark privacy legislation — the General Data Protection Regulation. The penalty is the first Vodafone has faced in Italy but far from the first the company has had levied against it under the GDPR. This most recent investigation was triggered by reportedly “hundreds of complaints” of unwanted telephone calls received by Vodafone and its sales network to promote telephone services and internet. Vodafone cited “human error” as the cause; however, that did little to prevent the Italian data protection authority from slapping the company with a massive fine and prohibiting the company from any further processing of personal data acquired from third parties without acquiring “free, specific and informed consent.”

Patch pending for critical VMware Zero-Day bug: The U.S. Cybersecurity and Infrastructure Security Agency sent out a warning this week about a zero-day bug affecting six VMware products, including its Workspace One, Identity Manager and vRealize Suite Lifecycle Manager. While they did not indicate if they were under an active attack, the bug has a CVSS severity rating of 9.1 out of 10. Sounds like it’s time to call the exterminator.

ABA welcomes temporary auditing relief: In a letter to the FDIC, the American Bankers Association welcomed a bit of relief when it received an interim final rule granting a temporary grace period around auditing, internal control and audit committee requirements due to an influx of deposits from the coronavirus pandemic. The rule will freeze asset levels to those recorded as of Dec. 31, 2019, for purposes of determining banks’ obligations.

Cyberattack affects Arizona courts: The bad guys strike again. This time, a ransomware attack on a hosting provider vendor interrupted the Arizona state court system’s webpage for most of this week. The court system sent out a brief notice addressing the attack on the judicial branch’s azcourts.gov homepage, which was sort of a shadow of its former self due to the hack. The court system’s spokesman told the Arizona Republic that the damage appears to be limited to information connected with the azcourts.gov website and does not affect individual court or clerk’s offices. Here’s to small mercies!

Best practices for data destruction: Aside from our time, data is perhaps our most valuable asset, which also makes it a liability. Once, in a not-so-distance past, sensitive data was simply taken to the shredder. But, now that so much of our critical information lives in a digital container, what’s the best way to do that? George Platsis of Security Intelligence suggests a few things. First, encryption (which isn’t necessarily data destruction, but it’s a strong fail-safe); second, overwriting, which helps make access extremely difficult should digital information somehow become resurrected; three, degaussing, which physically destroys magnetic data containers; and finally, physical obliteration… we’re talking Texas Chainsaw Massacre methods: incineration, embossing/knurling, shredding, chopping, pulverizing and wet pulping (yes, you read that right.) Lastly, make sure to purge the cloud and get proof of destruction. Read on for more in-depth, data destruction how-to.

Third-party risk management best practices for pharma: As most of us are already painfully aware of, data breaches are nasty and expensive for businesses. And, pharmaceutical breaches are no exception. In fact, a data breach in the pharmaceutical industry can cost companies upwards of $5 million and costs can rise significantly if a third-party vendor or supplier is the cause of a data breach. This is why organizations must ensure the third parties that exist within their supply chain remain secure. Due to the high value of the intellectual property they contain, pharmaceutical companies are pretty handsome targets for cybercriminals. In fact, according to a study conducted by Deloitte, the pharmaceutical industry has become the number one target of cybercriminals at a global level, especially in relation to IP theft.

The revenue leak banks won’t acknowledge: Digital transformation has been big the past couple of years. In fact, banks are spending billions to launch digital initiatives, which, hey, most would agree money spent on long-term improvement is worth it. But the problem is… a lot of these programs aren’t getting off the ground. According to the International Data Center, in 2018 alone, an estimated $1.3 trillion was spent on large-scale digital transformation projects across all industries. But, almost 70% of those efforts failed to achieve their objectives. For you number people out there, that’s more than $900 billion down the drain. Seems more like a hemorrhage than a leak if you ask us. The culprits? High-turnover rate, implementation resources, and lack of top-down alignment.

Recently Added Articles as of November 19

Privacy and security still top the charts in the news this week, as Zoom unveils some brand-new security features while another big-name in tech drops the ball.  Who? Well, we don't want to spoil all the fun, but let's just say the latest from our mystery offender is "ripe with concern." Meanwhile,  our northern cousin recently announced a brand-new national privacy bill with some hefty financial consequences attached while our own CFPB settles in for a long fight on a consumer data-sharing rule. There's more headlines awaiting! Read on for more. 

Big Sur macOS apps bypass security: Looks like Apple is in some hot water for a new feature in macOS Big Sur which allows many of its own applications to bypass firewalls and VPNs. If you’re wondering what the big deal is, it’s that this potentially allows malware to exploit the same access issue and ultimately provide unauthorized entry to sensitive data stored on users' systems and potentially transmitting them to remote servers. Worse, even with the November 12^th update the issue has been left untouched, concerning security researchers, who say the situation is “ripe for abuse.” Apple has yet to comment.

As risks increase, so do internal controls: It would be the understatement of the year to say 2020 was a doozy for risk. In response to a recent Deloitte poll, 77.6% of responders said they plan to strengthen resilience for internal controls this year. "Focusing too many resources on 'firefighting' is not a sustainable approach to risk management," said Trina Huelsman, a Deloitte Risk & Financial Advisory accounting and internal controls practice leader and partner, Deloitte & Touche LLP. "Instead, leading organizations are shifting to a more resilient posture that balances monitoring and management of short-term risks with a longer-term, tech-enabled approach to proactively identify emerging risks and get ahead of key strategic business and IT initiatives." So, what do you think… is there an internal controls audit on your list of to-dos for next year?

DHS cybersecurity director canned. It seems President Trump recently fired Chris Krebs, Director of the Cybersecurity and Infrastructure Security Agency (CISA), after Krebs disagreed with claims that the U.S. 2020 Presidential Election was insecure and fraudulent. Despite his removal, Krebs both acknowledged his termination and avowed his continued commitment to election security, upholding the belief that the 2020 election was the most secure in history. Krebs also co-created the  CISA Rumor Control site to help eradicate election-related conspiracy theories and misinformation.

CFPB halts enforcement shakeup: After the recent Presidential election, the CFPB circulated an internal email calling for a halt around a reorganization which would have stripped the Office of Enforcement’s autonomy to open investigations and issue civil investigative demands. The reorg had planned to create a new Office of SEFL Policy and Strategy, headed by Peggy Twohig, which would be crowned with the decision-making poer when to open enforcement investigations and whether potential violations uncovered during examinations would be transferred to enforcement attorneys. I suppose we will just have to see what happens next…

Zoom announces enhanced security features: The video conferencing giant Zoom was definitely in the right place at the right time for the pandemic-fueled, work-from-home boom… but it’s not been without its issues. Hackers found a way to Zoom bomb meetings, and no, we don’t mean a sweaty, salsa-infused exercise class. By Zoom bomb, we mean nefarious lurking with the potential of gathering critical information. But now, Zoom is unveiling some new security enhancements which allow users to “Suspend Participant Activities,” to automatically boot any worrisome attendees AND meeting participants also can report a disruptive user directly from the Zoom client by clicking the top-left Security badge… all so you can get back to zumba-ing on Zoom in peace.

Canadian national privacy bill sees big fines: This Tuesday, the Canadian government proposed some new legislation which will make some waves in the country’s privacy framework. The bill, titled C-11, was introduced by Minister of Information Science and Economic Development Navdeep Bains, will introduce some pretty hefty fines for organizations who don’t toe the consumer privacy lines. The new framework proposed by the bill modernizes consent rules, requires data portability and provides users with a means to "control their online identity" and allow individuals "to request that organizations dispose of personal information. In many cases, it will permit individuals to withdraw consent for the use of their information, and (you might want to grab your privacy dictionaries for this bit) the bill also addresses algorithmic transparency and includes deidentification rules. Long story short, Canadian organizations better be ready to pay the piper (up to 5% of revenue) if they don’t follow the rules.

Why third-party risk management matters to compliance: Most companies attach a significant level of importance to due diligence programs, but they typically only make up a small part of risk management plans. However, the main goal of third-party risk management is to gather all the necessary information on a vendor in order to achieve the highest level of control over the relationship, and ultimately, mitigate any potential threats that could stem from the relationship. By managing third-party risk well, you can accomplish two things: protecting your organization, but also maintaining the necessary levels of compliance. Truly, one really can’t function (at least not well anyways) without the other.

CFPB sets stage for long fight on data-sharing rule: The Consumer Financial Protection Bureau has spent quite a bit of time around some pretty entrenched, long-running policy battles. Some of which include: regulating payday lenders and proper mortgage underwriting. However, analysts are predicting that a brand new, still-percolating ruling could soon dominate the agenda. The rule would establish guidelines around how much control consumers have over their own financial data and will tackle one of the prickliest issues affecting banks: fintechs and data aggregators. 

Why risk and compliance need to align: The Committee of Sponsoring Organizations of the Treadway Commission issued voluntary guidance Tuesday to help boards, executives and lower-level managers better identify, monitor and mitigate compliance risks. “You need to integrate those together,” COSO Chairman Paul Sobel said. “Make sure that they’re being managed jointly or at least integrated so that they’re not duplicating efforts.” The thesis here is that by breaking down silos, risk and compliance can work together so companies are able to identify risky scenarios faster and tackle them more efficiently; while compliance can begin playing a bigger role in legal and regulatory issues.

Recently Added Articles as of November 12

Security concerns are the chart toppers this week, with some pretty  big  settlements and some pretty big names in the headlines. From consumer privacy to surges in malware and some brand, spanking new reports on risks in the banking world, you're not gonna wanna miss all the good stuff in this week's round up.

Hidden malware surges amid pandemic: While hackers hiding malware inside encrypted traffic is definitely not “news” anymore, what is noteworthy is the sheer rise in its occurrence as more and more workers slog on in their newly minted home offices. Researchers from Zscaler took a look at “attack data” which they gathered from their cloud security platform between January and September this year. They discovered a mind-boggling 260% increase over 2019 in the number of encrypted attacks that it handles per month. While many organizations routinely encrypt traffic as part of their security best practices, fewer are taking the time to analyze potential threats. The bottom line: encrypted doesn’t necessarily mean safe, and attackers will do just about anything to get to your critical data. Now, more than ever, cybersecurity efforts must be prioritized. 

EU files antitrust charges against Amazon: This week, European Union regulators have filed some pretty hefty antitrust charges against Amazon. The charge? Apparently, the EU is accusing the colossal e-commerce enterprise of using consumer data to gain an unfair advantage over merchants using its platform. The commission’s chief issues are Amazon’s systematic use of non-public business data, which it has expertly leveraged for total and utter dominance in both France and Germany’s e-commerce markets as well as how it handles its dual role as both a marketplace and retailer. Amazon faces a possible fine of up to 10% of its annual worldwide revenue, which could amount to billions of dollars. So far, the company has rejected the accusations.

FTC settles with Zoom over security issues: The U.S. Federal Trade Commission is requiring video conferencing giant Zoom to clean up its act as part of a settlement of allegations that the company engaged in a series of deceptive and unfair practices, which ultimately put its users' security at risk. Zoom now has 60 days to both implement and maintain a comprehensive security program. The FTC found that Zoom failed to maintain a high level of cybersecurity and misled its customers around its encryption levels provided for meetings, saying it was AES 256 when it was actually AES 128. Tsk, tsk. Although no financial penalties were issued with the settlement, the FTC says any future violations could cost Zoom up to $43,280 for each one.

Fed analyzes COVID-related banking risks in new report: In its Supervision and Regulation Report, released just this month, the Fed reviewed how its conducting its monitoring and examination activities to better understand how large financial institutions have adapted their controls and operational risk management in light of the COVID-19 event. It seems, as a whole, large firms have been pretty resilient and have transitioned well to remote work, rapidly modifying processes to shore up cybersecurity vulnerabilities and prevent ransomware attacks.  

OCC reports on key risk in federal banking system: In its Semiannual Risk Perspective for Fall 2020 report, the Office of the Comptroller of the Currency reported around some of the major issues facing the federal banking system. The report also focused on the effects of the COVID-19 pandemic on the federal banking industry. Some of the highlights in the report include the rise of credit risk due to the economic downturn, the emerging issue of strategic risk, elevated operational risk due to altered and remote work environments as well as rising compliance risk in response to rapidly shifting requirements. The report also highlights emerging trends in payment products and services as a special topic in emerging risks.

Planning for the CA Privacy Rights Act: Okay… the California Privacy Rights Acts (CPRA) has been approved. So, now what? What does it actually mean for our organizations? While there is no “one-size-fits-all” compliance plan, there are steps businesses handling information related to California residents, households or devices can take to help ensure compliance. Some of these measures include expressly confirming data retention, reviewing the use of sensitive information, reviewing initial notices, updating homepage links, revisiting data sharing with digital market providers, updating or creating rights-response procedures as well as vendor and customer contracts. 

NIST overhauls security controls in favor of VDP: In 2005, The National Institute of Standards of Technology Privacy Controls for Information Systems and Organizations (NIST) was created, and clearly it was way overdue for some spring cleaning, and so an updated publication was released around security and privacy best practices. As a companion to this revision, NIST released SP 800-53B, which presents best practices for organizations looking to mitigate their risk. According to these guidelines, every organization must implement a Vulnerability Disclosure Policy (or VDP) regardless of their expected level of risk. Because here’s the thing, this is the first step in helping protect your company from an attack or premature vulnerability release to the public. It's a best practice and a regulatory expectation. Read on to learn more about how to implement a VDP within your own organization.

How agencies can better manage third-party risk in time of crisis: Third-party risk management is tough, and it can be particularly difficult for government. The problem is volume; there are just too many third parties to manage. And now, with the restrictions due to COVID-19, many third parties aren’t even working on the same network anymore. So, what to do?  “This is really where technology comes into play,” said Chris Murphey, senior product manager at Galvanize. “The only scalable way to truly cover and monitor all the third parties that you outsource to—or rely on to provide your services outward—is to scale with technology.” But that’s not the only thing. Agencies need to find vendors who are in it for the long-haul, are seasoned and know that not every agency will require unique handling.  

Recently Added Articles as of November 5

It's a brand new month, but some of the same concerns prevail... especially when it comes to data security. This week, we explore more devious data-thieving tactics and delve even further into the value of cybersecurity and good cyber hygiene, while the second largest privacy fine in British history is slapped onto yet another corporate giant. Want to know who? Read on for that and more!

Beware of sneaky new phishing schemes: The tricksters are at it again. This time with a creative Office 365 phishing campaign which uses inverted background images to avoid detection. These cloned backdrops are commonly used as part of phishing attempts to copy legitimate login pages as closely as possible to trick users into entering their credentials into a very convincing, yet fake, login form. Other phishing campaigns targeting Office 365 users have also used innovative techniques such as testing the stolen login in real-time, abusing Google Ads to bypass secure email gateways, as well as Google Cloud Services, Microsoft Azure, Microsoft Dynamics and IBM Cloud to host the phishing landing pages. Moral of the story: user beware. Cross your t’s, dot your i’s and when in doubt, log OUT. 

Proving the value of cybersecurity: In our increasingly sensitive world, CISOs and CFOs must work in unity to understand how effective their threat management protocols are, and how to prove the dollars are worth it. So, how can this be done? First, it’s important to focus on the most pressing threats and consider which industries and areas are most consistently attacked. Second, it’s necessary to measure security performance against relevant threats. Third, it’s critical to improve performance and evaluate gaps. Fourth, justification around security spending must be drawn up. And finally, fifth, changes in IT must be constantly monitored. The above, and a little elbow grease, can help provide both information and the outcomes needed to maintain a safe and ultimately, viable business.

Cyber advisers warn hospitals: The Cybersecurity Infrastructure Security Agency, Federal Bureau of Investigation and Department of Health and Human Services have joined forces to help warn hospitals and other health care providers increasing cybersecurity threats targeting the industry. Within a 24-hour period, at least six U.S. hospitals were victimized using malicious trickbots and ransomware which allowed hackers to gain access to data. With the rapid increase in coronavirus-related hospitalizations, disruptions to service due to data security continue to raise more serious concerns, and healthcare providers should be more vigilant than ever about their cybersecurity practices.

CA brings licensing oversight to consumer debt collectors: The Debt Collection Licensing Act (DCLA), California Gov. Gavin Newsom signed at the end of September, will finally take effect on January 1, 2022. However, proposed regulations will begin to roll out soon. The Act is one of several new consumer protection bills recently enacted in California, including the state’s “mini-CFPB,” otherwise known as the California Consumer Financial Protection Law. As the name makes clear, the DCLA provides for the licensure, regulation and oversight of entities seeking to collect consumer debts from California residents. Under the DCLA, debt collectors located in California and debt collectors outside of California seeking to collect debts within the state, regardless of office location, will be required to obtain a license. BUT, there are some exceptions. Read on to learn exactly what those include!

CFPB Supervision and Examination Manual: With the CFPB expanding their powers and their supervisory and examination capabilities, the segments of the FI that are going to be regulated by the CFPB need to begin prepping. So, reminder, the Supervision and Examination Manual is our guide for examiners to use in overseeing companies that provide consumer financial products or services. The manual describes how we supervise and examine these companies and gives our examiners direction on how to assess compliance with federal consumer financial laws. Have questions about the manual? There’s a place for ‘em… simply email to supervision@consumerfinance.gov. 

Marriott hit with $24 million privacy fine: Hotel giant Marriot was slapped with the second largest privacy fine in British history this month after failing to mitigate a whale of a data breach, resulting in the exposure of names, mailing addresses, phone numbers, email addresses, passport numbers and, in some cases, encrypted payment card information. The breach also violated the EU's General Data Protection Regulation. Marriott estimates that the breach exposed personal information for approximately 339 million customers worldwide but cannot confirm a total. After an investigation it was found that Marriot failed to put appropriate technical and organizational measures to place to avoid this type of attack. Marriot issued a heartfelt apology and did not contest the final fine. 

SEC Chair warns all-time high rate of cybersecurity threats: Securities and Exchange Commission Chairman Jay Clayton is telling corporate America it needs to ramp up its vigilance around security. “Cyber risks have not gone away with the unfortunate, unforeseen risks we’ve faced with COVID and other uncertainties in our economy,” he said. “They’re still there, and they’re there more than ever. In October, the Cybersecurity and Infrastructure Security Agency (a component of Homeland Security) put out 30 cyber alerts which ranged in industry type and business size, according to Clayton. Two of the largest threats are ransomware and credential compromise, which by either force or trickery have resulted in the frightening loss of critical data. Clayton’s advice? Make like a pumpkin and PATCH. Updating even commonly used software systems, saying that many require constant patching. “People need to continue to patch. I can’t emphasize enough that cyber hygiene helps us all,” he said. 

Bureau issues FDCPA rule: The CFPB has issued a final rule to both restate and help clear up details around prohibitions on harassment and abuse, false or misleading representations as well as unfair practices by debt collectors when collecting consumer debt. Specifically, this rule focuses on debt collection communications and is tended to provide more consumer control around debt collector communication practices around personal debt. The rule also clarifies how the protections of the Fair Debt Collection Practices Act apply to newer communication technologies, such as email and text messages. This has become particularly important as Americans struggle to pay their mortgages and other outstanding debt due to the financial hardships caused by the pandemic. 

Agencies release paper on operational resilience: Federal bank regulatory agencies released a paper outlining sound practices, grounded in risk-managed and designed to help large banks increase operational resilience. Examples of risks to operational resilience include cyberattacks, natural disasters and pandemics... all pretty pertinent, especially in today’s climate.

Agencies propose regulation on the role of supervisory guidance: This week, five federal financial regulatory agencies today open up a proposal, which outlined and confirmed the agencies’ use of supervisory guidance for regulated institutions, for general comment. This proposal aims to clarify the differences between regulations and guidance. Unlike a law or regulation, supervisory guidance doesn't have the same force (or effect) as law. Additionally, supervisory guidance does not take enforcement actions or issue criticisms based on non-compliance with supervisory guidance. Instead, it summarizes supervisory expectations and priorities and pretty much says, “hey, as in expert in this area, I’d really recommend X,Y,Z.”

CFPB issues final rule around information regulation: This week, the Consumer Financial Protection Bureau (CFPB) issued a final rule which amended its Disclosure of Records and Information Regulation. What did it do exactly? Quite a few things, actually! The highlights include: improving clarity and transparency by revising the rules related to the Bureau’s information practices; improving Bureau relationships with agency partners and others, increasing clarity and eliminating unnecessary hurdles to collaboration; improving the Bureau’s ability to protect its confidential information and, providing guidance to industry stakeholders on how the Bureau interprets its own rules. Not too shabby! 

Cohen may be wrong about community banking: Former Goldman Sachs executive Gary Cohn's recent assessment of the community banking industry proves that Wall Street has very little understanding of what’s actually happening on Main Street. Contrary Cohn’s take as a former National Economic Council official; it seems the challenges we have faced in the wake of COVID-19 have only elevated the position of community banks. In fact, paired with tech innovation, it seems banking rooted in community relationships have come out on top, particularly under the Paycheck Protection Program. Data shows that community banks made nearly $2.8 million in PPP loans (more than half of the program’s total loans), helping to save millions of jobs. So, take that Cohen. It seems community banks may truly be the unsung hero of our current financial crisis.

Before the end of the year, take a few minutes to evaluate how your peers are managing third-party risk. Download the whitepaper.