Prevalent - Third-Party Risk Management

Software Development

Phoenix, Arizona 13,128 followers

Eliminate security and compliance exposures traced to vendors and suppliers.

About us

Prevalent takes the pain out of third-party risk management (TPRM). Companies use our software and services to eliminate the security and compliance exposures that come from working with vendors, suppliers and other third parties. Our customers benefit from a flexible, hybrid approach to TPRM, where they not only gain solutions tailored to their needs, but also realize a rapid return on investment. Regardless of where they start, we help our customers stop the pain, make informed decisions, and adapt and mature their TPRM programs over time.

Website
http://www.prevalent.net
Industry
Software Development
Company size
51-200 employees
Headquarters
Phoenix, Arizona
Type
Privately Held
Founded
2004
Specialties
Third-Party Vendor Risk Management, Risk Assessment, Third-Party Vendor Threat Monitoring, and Software Development

Locations

  • Primary

    11811 N Tatum Blvd

    Phoenix, Arizona 85028, US

  • 436 Hazeldean Rd

    Unit 202

    Ottawa, ON K2L 1T9, CA

  • 10/11 Cedarwood, Chineham Business Park

    Crockford Lane, Chineham

    Basingstoke, RG24 8WD, GB


Updates

  • ⚠️ In the early hours of Friday, July 19, an update to the CrowdStrike Falcon Sensor product triggered a worldwide outage on Windows machines. The incident was not a cyberattack or malicious in any way. It was faulty code in a regular product update. This is a perfect example of why you need to continually assess the business resilience practices of your third parties and understand the third-party risk exposure in your vendor universe when widespread outages like this one occur.

    CrowdStrike regularly publishes content updates to its Falcon Sensor products to ensure that they're protecting against the newest cyberattacks. All reports point to the update being part of that deployment cycle. The update, however, included some faulty code that triggered the dreaded Blue Screen of Death on Windows machines. Affected equipment suddenly displayed the dreaded "Blue Screen of Death," grinding thousands of companies to a halt worldwide and disrupting operations at banks, airlines, hospitals, and other organizations.

    Regardless of the cause, a high-impact incident is the wrong time to ensure you have a third-party incident response plan. https://buff.ly/3WbAppV Instead, start preparing for the next incident by implementing a proactive approach now. Start with these 4 best practices:

    1. Develop a centralized inventory of all third parties 📇
    2. Build a map of third parties to determine technology concentration risk 🗺️
    3. Assess third parties' business resilience and continuity plans 📋
    4. Continuously monitor impacted vendors and suppliers for issues 📡

    The CrowdStrike issue was thankfully not from a malicious source, but risk monitoring remains a key component in understanding your exposure to a third-party incident. However, over the next few weeks, companies affected by the CrowdStrike outage will likely spend significant time recovering their systems. Vendors, large and small, will contend with the business slowdown and potentially bring many thousands of end-user machines back into service.

    #TPRM #VendorRisk #RiskManagement #Cybersecurity

  • Forty-nine percent of companies experienced a significant third-party data breach in the last 12 months, according to the Prevalent 2024 TPRM Study. ⚠️ As third-party risks become more complex, information security teams increasingly take the lead in TPRM efforts. Achieving a mature TPRM program is essential to staying ahead of these challenges, but the path to maturity can seem overwhelming.

    Join TPRM and compliance expert Alastair Parr in this comprehensive webinar on July 31, where he'll explain and simplify the process of maturing your TPRM program. https://buff.ly/4684Lyg

    In this webinar, you'll learn:

    ⚡ The various types of third-party risks addressed by a mature TPRM program
    ⚡ How to use the Capability Maturity Model to define and achieve TPRM maturity
    ⚡ The 5 essential pillars for a successful TPRM program
    ⚡ The different levels of TPRM maturity
    ⚡ Key steps to elevate your program to the next level

    By enhancing your TPRM program maturity, your organization will more effectively mitigate risks and make informed decisions at every stage of third-party relationships. Register, and you'll also gain instant access to our white paper, Improving Third-Party Risk Management Program Maturity: How to Use the Capability Maturity Model!

    #TPRM #VendorRisk #RiskManagement

    • Your Step-By-Step Guide to a Mature TPRM Program | Wednesday, July 31 at 12:00 pm ET
  • Third-party risk management can frustrate even the most well-resourced organizations. 😤 However, a strategic approach to Third-Party Risk Management TPRM governance and oversight is critical for organizational resilience and success.

    The process of developing the right TPRM governance and oversight involves a few key components, including:

    🤔 Assigning the right roles
    🎯 Developing the right strategy and objectives
    ⚙️ Integrating vendors into your processes
    ⚡ Ensuring that third-party risk management is a component of your overall enterprise risk management strategy

    Effective TPRM governance and oversight involves seamlessly blending people, processes, and technology. This leads to a strategy that empowers organizations to manage vendor risk efficiently. It also ensures that stakeholders understand the value of TPRM and can readily track program performance over time.

    We created Ten Tips to Improve Governance and Oversight of Third-Party Risk Management as your blueprint for developing a TPRM program that aligns with industry standards and organizational goals. https://buff.ly/3SeM722 This white paper explores the essential components you need and curated best practices for robust TPRM governance and oversight. Check the comments to download your copy! 🔗

    #TPRM #VendorRisk #RiskManagement #Governance

    • Ten Tips to Improve Governance and Oversight of Third-Party Risk Management | White Paper
  • Prevalent - Third-Party Risk Management reposted this

    You’ve devoted quite a bit of resources to ensure your company is compliant with emerging #ArtificialIntelligence regulations – and that’s great! But what about your third parties? Prevalent - Third-Party Risk Management's Alastair Parr argues that companies should take a risk-based look at how third parties are using AI. https://hubs.ly/Q02GMLtc0 #Compliance

    Businesses Need to Upgrade TPRM Programs Ahead of AI Regulations

    https://www.corporatecomplianceinsights.com

  • In a time of increasingly global supply chains and the growing risk of disruptions, ensuring that products are safe, meet their intended use, and adhere to quality processes has never been more important. 🌍 TPRM and SRM professionals should assess and monitor their suppliers' adherence to these best practices to reduce the impact of safety and quality problems. That's where GxP compliance comes in.

    GxP (Good [Industry] Practice) refers to a collection of quality guidelines and regulations created to ensure that products in industries such as pharmaceuticals, medical devices, and food production meet established good practices. https://buff.ly/4bIyU8j

    Some common types of GxP include:

    🔧 GMP (Good Manufacturing Practice): Focuses on manufacturing processes
    🔬 GLP (Good Laboratory Practice): Pertains to non-clinical laboratory studies
    🥼 GCP (Good Clinical Practice): Related to clinical trials and human subjects
    🚚 GDP (Good Distribution Practice): Concerns the proper distribution of goods
    💊 GPP (Good Pharmacovigilance Practice): Relates to the safety of pharmaceutical products

    Compliance with GxP regulations is a legal requirement in many countries. Non-compliance can result in severe consequences, including fines, product recalls, and legal action. Regulatory bodies hold the primary company responsible for any GxP non-compliance, even if it occurs at a third-party site.

    Various GxP regulations and frameworks are established by regulatory bodies to ensure that products are produced and controlled according to quality standards. Additionally, global ISO standards provide frameworks for quality management systems applicable to GxP.

    GxP compliance is essential for ensuring product quality and safety and significantly impacts third-party risk management. Effective management involves stringent qualification processes, regular audits, clear contractual obligations, and continuous monitoring to mitigate risks associated with third-party non-compliance.

    #TPRM #VendorRisk #RiskManagement #GxP

    • GxP Compliance and Third-Party Risk Management | Blog
  • A key component of TPRM is third-party risk scoring, closely followed by vendor risk tiering. ⭐ Understanding these concepts is essential for building a robust third-party risk management foundation. https://buff.ly/4bIyU8j Third-party risk scoring is the process of evaluating and assigning a numerical value to the potential risks that an external partner or supplier might bring to a business. This score helps determine how risky it is to work with that third party based on factors like their security practices, financial stability, and compliance history. Third-party risk tiering categorizes external partners or suppliers into different levels or tiers based on their risk scores. These tiers help businesses prioritize and manage their third-party relationships according to the level of risk each partner presents. Different third parties pose varying levels of risk. The criteria for each tier will vary depending on the nature of the vendor. For instance, a parts vendor has different criteria than a cloud hosting service. Calculating and categorizing risk is important for protection, efficiency, and compliance. By understanding and implementing third-party risk scoring and tiering, businesses can better manage their external relationships, minimize risks, and enhance overall operational stability. #TPRM #VendorRisk #RiskManagement

    • Third-Party Risk Scoring & Tiering: A Comprehensive Guide | Blog
  • 🤔 Understanding the amount of risk your organization is willing to accept from vendors, suppliers, and other third parties is vital to your TPRM program and to your organization's overall operations and objectives. A clear third-party risk appetite can support your TPRM due diligence efforts, decision-making processes, and more. But with the seemingly endless variables to defining third-party risk appetite and risk tolerance, how do you know what the best approach is for your organization?

    Join Bob Wilkinson, CEO of Cyber Marathon Solutions and former CISO at Citigroup, on July 25 as he leverages his experience to show you how to calculate a third-party risk appetite that's right for your business. https://buff.ly/4cYunzW

    In this webinar, Bob will:

    🤔 Explain the difference between risk appetite, risk tolerance, inherent risk, and residual risk
    🧮 Examine why you need to calculate risk appetite as part of your TPRM program
    📊 Identify standard definitions, levels, metrics, and reporting that should be included in your calculations
    🔎 Define how to identify your organization's inherent and residual risks
    ⚡ Demonstrate the steps to take to calculate and present your risk appetite statement

    Calculating your third-party risk appetite will strengthen your TPRM program and support your business objectives. Register for this webinar to learn first-hand from a leading TPRM expert!

    #TPRM #VendorRisk #RiskManagement #RiskAppetite

  • SOC has become a go-to standard for organizations to assess their IT controls. ⚙️ With more third-party vendors and suppliers providing SOC 2 reports in lieu of complete risk assessments, how do you understand, interpret, and mitigate risks identified in a vendor SOC 2 report? We assembled the SOC 2 TPRM toolkit to help you make sense of it all! https://buff.ly/3zFg1Gb

    The toolkit includes:

    📝 How to Use SOC 2 Reports to Assess Third-Party Risk | FAQ eBook
    🙋 SOC 2 & TPRM: Your Questions Answered | On-Demand Webinar
    🤔 How to Decode Third-Party SOC 2 Reports | On-Demand Webinar
    📋 The SOC 2 Third-Party Compliance Checklist | On-Demand Webinar

    Whether you're just getting started with SOC 2 reports or want to check your current program against best practices, the SOC 2 Third-Party Risk Management Toolkit can help!

    #TPRM #VendorRisk #RiskManagement #SOC2

  • VRM is an important aspect of enterprise risk management, as vendors can introduce risks that can negatively impact an organization's operations, reputation, or compliance posture. https://buff.ly/3RWnqqH VRM activities should be conducted throughout all stages of the vendor lifecycle, including sourcing & selection, intake & onboarding, inherent risk scoring, risk assessment & remediation, continuous risk monitoring, performance & SLA management, and offboarding & termination. So, why is VRM important? Being in "reactive mode" is exhausting, inefficient, and stressful – and it's especially risky when your workload gets heavy. Vendor risk management (VRM) is no different: Having a reactive VRM program that responds to vendor risk instead of proactively managing vendor risk puts your organization in jeopardy of data breaches, privacy violations, and regulatory compliance infractions. That's why you need a clear process for proactively managing the third-party cyber risks and business continuity exposures that inevitably crop up throughout the vendor relationship lifecycle. With the right best practices in place for your VRM program, you efficiently identify, assess, and mitigate the risks associated with engaging third-party vendors or suppliers who provide goods or services to your organization. #TPRM #VendorRisk #RiskManagement

  • TPRM is comprised of many processes and disparate risk categories to manage. While many regulations focus on managing risks from vendors, suppliers, and other third parties, they aren't always specific about what to assess and monitor. 🧾

    Join Samira Duijnmayer of Booking on July 17 as she provides insights on the top regulatory areas to consider for your program and recommends steps to take to improve TPRM compliance. https://buff.ly/45ZydGL

    In this session, Samira will discuss:

    🌍 Key risk considerations impacting global enterprises
    🛡️ Data privacy and cybersecurity regulations
    🪙 International sanctions, trade, and financial regulations
    🧾 ESG standards, as well as anti-corruption and bribery
    🚧 How will new regulations affect TPRM - even if your organization is outside the EU, UK, or US

    Navigating regulatory requirements that affect TPRM can be challenging. Register now to gain insights from a leading expert!

    #TPRM #VendorRisk #RiskManagement
