
Monthly Archives: November 2019

VRM and Regulations

VRM (vendor risk management) is becoming more widespread, and more and more organizations realize the importance of a proper vendor verification process for reducing cyber risk. This awareness is the result of high-profile incidents (such as Target and Lockheed Martin), but also of first-hand knowledge of the risk. In a recent survey, two-thirds of respondents reported that their organizations had experienced a software supply chain attack, and 90 percent of those confirmed that they had incurred financial loss as a result.

But awareness and first-hand experience are not the only drivers towards greater adoption of VRM. Regulation is another driver that influences organizations and forces them to add VRM to their security agenda. The following regulations/standards:

  • GDPR

The European Union’s (EU’s) General Data Protection Regulation (GDPR) took effect in May 2018 and includes a new set of requirements for third-party data processors, as laid out in Articles 28, 32 and 33.

The novelty of GDPR in this respect is that it extends the responsibility for personal data to the third parties (sub-processors) who process it.

Article 28 requires contractual protections with data processors and their sub-processors, adequate data protection, and the production of evidence of compliance with the GDPR. Article 32, “Security of processing,” requires data processors and their sub-processors (third parties) to implement comprehensive information security controls to protect EU personal data.

Article 33 (“Notification of a personal data”) requires data processors (and their respective third parties) to report compromises of EU personal data to their clients without undue delay.

Article 36, “Prior consultation,” requires data processors to provide data protection impact assessments (DPIAs) to their clients in certain high-risk situations. 

All the above requirements introduce a new set of processes, procedures and skills that must be implemented as part of a company’s compliance process.

While GDPR isn’t relevant to every country and company, it is the first of many such regulations that tackle the issue of third-party liability and risk.

  • NYDFS (23 NYCRR 500)

The New York Department of Financial Services Cybersecurity Regulation (23 NYCRR 500) is a set of regulations from the New York Department of Financial Services (NYDFS) that places cybersecurity requirements on all covered financial institutions.

The NYDFS regulation defines a third party as follows: “Third Party Service Provider(s) means a Person that (i) is not an Affiliate of the Covered Entity, (ii) provides services to the Covered Entity, and (iii) maintains, processes or otherwise is permitted access to Nonpublic Information through its provision of services to the Covered Entity”.

It requires the regulated entities (which include state-chartered banks, licensed lenders, private bankers, foreign banks licensed to operate in New York, mortgage companies, insurance companies and service providers) to have a dedicated Third Party Service Provider Security Policy, which includes “written policies and procedures designed to ensure the security of Information Systems and Nonpublic Information that are accessible to, or held by, Third Party Service Providers”.

It requires that, prior to engaging third parties, companies perform a comprehensive due diligence process to evaluate the adequacy of the cybersecurity practices of Third Party Service Providers, and that they conduct periodic assessments of such Third Party Service Providers based on the risk they present and the continued adequacy of their cybersecurity practices. In addition, companies must designate a senior member as responsible for the direction and oversight of the Third Party Service Provider program.

  • CCPA (The California Consumer Privacy Act)

The CCPA covers the data of California state residents and will come into effect in January 2020.

In a similar fashion to GDPR and NYDFS, it extends the responsibility for private data to the third parties collecting and handling it. For instance, section 1798.115(d) of the CCPA limits third parties’ ability to resell personal information they obtain from your business.

Also, as other data protection and privacy regulations dictate, there is a continuous requirement to map where the data is processed, assess and evaluate the potential exposure risk, and manage it on an ongoing basis.

  • DoD Cybersecurity Maturity Model Certification (CMMC)

The US Department of Defense is working on a new mandatory cybersecurity certification program that would require contractors to demonstrate their cybersecurity readiness before they are allowed to participate in DoD bids.

The new CMMC certification creates a five-level system. Vendors are assessed on 18 separate “domains,” or elements of cyber security such as incident response plans and risk management policies. Although it seemed at first to have a rather limited reach (impacting only the defense industry), it might be relevant to the entire DoD supply chain of about 300,000 contractors, and as such have a far-reaching impact on many vendors, from electronics makers to steel plate manufacturers.

Conclusion

The regulations and standards covered in this post are by no means the only ones that companies should adhere to. Multiple laws and agencies, such as the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC), the Health Insurance Portability and Accountability Act (HIPAA), the Consumer Financial Protection Bureau (CFPB), the Foreign Corrupt Practices Act (FCPA), Dodd–Frank, the HITECH Act, the Gramm-Leach-Bliley Act, and even the Open Banking standard, all call for some degree of third-party risk management policies and controls.

While these all vary in their specific requirements, the basic underlying notion is the same: companies cannot ignore their responsibility for the third parties they engage with. They need to ensure these third parties adhere to the same levels of scrutiny and regulation as themselves, and take measures to evaluate, and be able to demonstrate, their supply chain security compliance on a continuous basis.

Navigating this regulatory landscape without the proper knowledge and tools is extremely difficult, time-consuming and risky. Findings can help you map the regulatory requirements and facilitate your third-party risk management process.

You can have your cake and eat it (too)

It’s always nice to see something you are building grow and become a core component of your customers’ experience.

This time we’re talking about the Findings Notification system, which delivers events to your (and your supply chain’s) mailbox and facilitates streamlined collaboration and process management.

The challenge with scalable notification engines is to balance standardized behavior across a massive volume of notifications with customization for the specific needs of each user.

If you’re not already familiar with the Findings Notification system, let us bring you up to speed: using the notification system, you can customize a number of notification message types, including:

  • Vendor notifications – all messages required along the vendor risk management life-cycle, including:
    • On-boarding notifications – supporting the vendor’s smooth entry to the system in the timeframe you define
    • New assessment request – inform your supply chain vendor about a new incoming assessment
    • Set of reminder notifications:
      • Assessment not started – in case the supply chain vendor did not start the assessment after a fixed period of time (defined by the platform or customized to your choice)
      • Assessment in progress – reminding the supply chain vendor that they still have an ongoing assessment, pending findings to report, new chat notifications, etc.
      • Assessment overdue – inform the supply chain vendor about an overdue assessment or an upcoming due date
  • Findings notifications – informing about and tracking findings and their completion status
  • Business owner/Procurement notifications – all messages related to a request for a supply chain vendor assessment by an internal business owner

By customizing notifications, we mean that you have the ability to:

  • Change the email subject and content (using an advanced WYSIWYG editor)
  • Use your own outgoing email address (both SPF and DKIM are supported)
  • Deliver a copy of the message to your own and your teammates’ mailboxes

Over the last year we saw tremendous demand in the form of feature requests, bug reports and high usage statistics, all related to the notification system.

We took the time to analyze the key factors by observing our users’ usage behavior, and came up with an awesome formula we believe can help them streamline their supply chain risk management and achieve even better results.

Notifications delivered to the supply chain can be automatically delivered (as a BCC) to the issuer’s organization admins, to help them stay on the same page and keep track of recent events, so that if a user in the admins group is absent for any reason, their colleagues have the same information to work with.

If a request for a new supply chain vendor is issued by a business owner, that business owner is automatically CC’ed on every outgoing email that the vendor receives, so they can follow the status of the entire process and, of course, assist with any inquiries that arrive in the vendor’s reply emails.

Lastly, if a supply chain vendor decides to respond to an email sent by the customer, the reply is automatically delivered to the issuer organization owner, and if a business owner is part of the process, they are CC’ed as well.

Would you like to give it a try? See it in action! Click here to try it.