Guest post by Lee Bristow, Chief Technology Officer at Phinity Integrated Risk Management
As the value of personal data increases, so too do the consequences of data breaches. The responsibility for keeping client and supplier data safe has become comparable to a bank securely holding our cash.
This is an ethical Catch-22.
The business case for ethics and robotics
Most businesses, from global giants to SMEs, are increasingly reliant on third parties to provide core business services, and that reliance depends on sharing essential client data with those parties. Hence, as a user, when you sign away your data, you could be handing it over to entities you know nothing about.
Who is responsible for this data? A client signs a deal with the contracting company, and it is the contracting company that bears the ethical and legal responsibility to protect its clients’ information. It is also the contracting business that will shoulder the dire consequences of the bad press and reputational damage that follow compromised data.
It’s no longer time that’s money
Data leads to money, one way or another.
The old chestnut that ‘data is the new oil’ springs to mind. As data value increases, so too does its desirability. More people want it. And more people are willing to go to criminal lengths to get it.
The convenience that the internet offers to us average users has also created leverage for scoundrels, who don’t even need to organise a getaway car anymore. Bonnie and Clyde robbing banks have been replaced with scammers and hackers hidden deep within the internet.
Data is less secure than ever
April 2020 saw an unusually sharp rise in cyber-attacks as people worked remotely because of Covid. In that year, data security breaches in the EU and UK rose by 10% overall (Lexology).
A survey in 2021 by the Ponemon Institute found that 51% of organisations experienced a data breach caused by third parties, resulting in the misuse of sensitive data.
There’s no doubt that using third parties massively increases risk.
And as more operations are outsourced, the complexity of relationships intensifies. So you’ve got a wobbly combination of greater relationship complexity and increased risk.
Third party risk management (TPRM)
Historically, the procurement department was responsible for third party contracts. Made sense.
But as the convolutions of these relationships become ever more intricate, and the risks spread their tendrils across the organisation, does it still make sense?
An example of this was one of South Africa’s largest banks, Nedbank.
Using the services of SMS marketing provider Computer Facilities, it experienced a data breach affecting 1.7 million of its clients. While the press pointed at Nedbank, it wasn’t in fact the bank’s own information security provision that was at fault.
However, Nedbank had engaged the supplier.
This raises the question: who was accountable? IT? Procurement? Marketing? Client services? The list goes on. It’s no longer just one division’s problem. From an information security issue, TPRM has become a privacy issue.
Large organisations tend towards rigidity in managing third parties. Their size simply doesn’t allow for flexibility in dealing with smaller start-ups. The only real mitigation here is a more ethical attitude towards TPRM, combined with automation.
More than just the law
While legal contracts are essential to third party relationships, they won’t repair the damage when the horse has bolted.
There are a few considerations when looking at mitigation strategies for data breaches: organisation size, jurisdiction, and the types of service being supported. Organisations must do thorough due diligence on third-party vendors, which it seems they are not doing.
In the Ponemon survey, it was found that 51% of companies had not been assessing security and privacy practices and processes before granting access to sensitive and confidential data.
Deloitte ran some research on the current approaches to TPRM and the findings are grim. For example:
Only 15% of organisations have an integrated and optimised approach to managing risk with third-parties.
29% are putting greater focus on ethical responsibility.
17% had faced a high impact incident relating to third parties.
47% are adopting third-party risk management to be a more responsible business.
59% believe third-party processes are not flexible enough to assess all third-parties.
41% invest in third-party risk management to reduce costs.
57% of respondents are establishing a centre of excellence to support federated operating models.
It’s clear from these figures that the way forward lies in better ethics and greater automation. Third parties need to be incorporated into strategic thinking – they’re partners and crucial to the success of your business.
The silver lining of Covid was technological advancement, growth, and greater awareness of cyberthreats. Adoption of robotic process automation (RPA) into risk management is growing, increasing efficiencies and reducing risk.
While automation is critical, there’s the equally crucial human element: ethics.
Are your third parties’ operations ethically aligned with your own business operations? Potential partners that build ethical policies and codes of conduct into their strategies should be at the forefront of your selection process.
Crime is still a matter of human behaviour: you can have as much automation as you like, and you’ll still have delinquents. A culture of ethics woven into company strategy and policy gives clues as to the type of organisation you’re dealing with and what flavour of relationship you’re likely to have. Placing this at the core of your TPRM strategy is a good starting point.
A good relationship is based on trust, transparency, and communication, both in our personal spheres and in business. While personal relationships aren’t contract based, they’re founded on the same tenets. But when you have many relationships with third-party suppliers, that network can become chaotic and complicated.
It’s clear that a TPRM strategy built on a solid ethical foundation along with RPA has a strong business case: a much stronger one, in fact, than having a data breach.
About the author:
Based in Dublin, Ireland, South African-born Lee Bristow has over 20 years of experience in technology, product management, risk and compliance. His focus is on a new vision for risk management, making it more accessible, engaging and simpler, in his role as Chief Technology Officer for Phinity.