Third-Party Risk Management Takeaways From 2023
In this podcast, we'll reflect back on what's been happening in the world of third-party risk this year. We've included five takeaways, from AI to the fall of Silicon Valley Bank. Listen now!
Hi, this is Hilary from Venminder. As we will soon kick off a brand-new year, it's the perfect time to take a moment and look back on the past, while also making some key decisions for the future – especially when it comes to your third-party risk management program.
Here at Venminder, our team of certified industry experts helps organizations of all sizes and from all industries manage third-party risks effectively.
Well, 2023 has been a year full of challenges when it came to managing third-party risks. We saw big data breaches, major regulatory changes, a few bank failures, rising geopolitical tensions, and increased concerns over artificial intelligence, or AI.
So, let’s take a look at several key takeaways from this year:
- The first takeaway from 2023 was the massive MOVEit data breach. It serves as an uncomfortable reminder that as technology evolves, so do the tactics of cybercriminals. When it comes to cybersecurity, there's never a minute to rest on your laurels. Attacks and breaches are getting bigger and targeting more industries than ever before.
As a next step, organizations must make vendor cybersecurity and data protection a priority by conducting regular risk assessments, thorough due diligence, and monitoring ongoing risk constantly and consistently. To bolster monitoring capabilities, organizations should consider professional risk intelligence and alert services that can provide real-time data regarding vendor cybersecurity profiles, data breaches, and more.
- The second takeaway from 2023 is the evolving regulatory landscape for managing third parties. With data breaches becoming a common occurrence, major regulators such as the SEC, the FTC, and the NCUA implemented new requirements and guidance around data breach notifications and the need for security programs with administrative, technical, and physical safeguards to protect customer information.
Even more notably, the long-awaited Interagency Guidance on Third Party Relationships was released and became effective immediately. This sent ripples through the financial services industry as it harmonized the regulatory requirements between the OCC, FDIC, and the Fed. It expanded the definition of “third party” to include all business relationships.
So, what does that mean for the industry? Well, it’s no longer enough to identify, assess, manage, and monitor the risks of what we think of as typical vendors. Now all business relationships, including partnerships, fintech companies, and even subsidiaries, are in scope. Third-party risk management just got a lot bigger for financial institutions.
Though it may mean more work in the short term, expanding the scope for third-party risk management may be a better idea than you might think. For instance, many organizations haven’t previously included their banking partners and financial services providers in their scope, but that can lead to negative consequences.
- This was proven in our third takeaway with the failure of three regional banks: Signature Bank, Silicon Valley Bank, and First Republic Bank. It’s always a good idea to at least consider expanding your third-party risk management scope to include all high-risk or critical business relationships, including your banks.
- The fourth takeaway concerns the geopolitical risks many organizations faced. The ongoing conflict between Russia and Ukraine, as well as recent events in Israel and Palestine, illustrates the global repercussions of violent conflicts. Fluctuating energy prices and weather events also adversely affected many supply chains. So, even if your organization isn’t directly involved in business activities in a foreign country, you can still be exposed to risks through fourth and nth parties in your vendors’ supply chains.
- Finally, the fifth takeaway from 2023 is the concern over AI, which took center stage as many organizations are using or beginning to implement AI solutions. As impressive as the technology can be, it’s important to keep in mind that AI is not without significant risks, especially if it’s being provided by a third party. Organizations relying on AI tools or services from external vendors need to consider the risks of data breaches, privacy violations, and algorithmic bias when conducting risk assessments, due diligence, and monitoring.
While it’s impossible to predict exactly what 2024 has in store, 2023 reminds third-party risk management professionals everywhere that fundamental practices, such as effective risk identification, assessments, vendor risk reviews, and monitoring create the foundation for successful third-party risk management programs and will leave you better prepared for the year ahead.
Thanks for tuning in!