Third Party Management
Third party management is the process whereby companies monitor and manage interactions with all external parties with which it has a relationship. This may include both contractual and non-contractual parties. Third party management is conducted primarily for the purpose of assessing the ongoing behavior, performance and risk that each third party relationship represents to a company. Areas of monitoring include supplier and vendor information management, corporate and social responsibility compliance, supplier risk management, IT vendor risk, anti-bribery/anti-corruption (ABAC) compliance, information security (infosec) compliance, performance measurement, and contract risk management.[1] The importance of third party management was elevated in 2013 when the US Office of the Comptroller of the Currency stipulated that all regulated banks must manage the risk of all their third parties.[2]
Third Parties
A ‘third party’, as defined in OCC 2013-29, is any entity that a company does business with.[2] This may include suppliers, vendors, contract manufacturers, partners and affiliates, brokers, distributors, resellers, and agents.[2] Third parties can be both ‘upstream’ (suppliers and vendors) and ‘downstream’, (distributors and re-sellers) as well as non-contractual parties.[2]
Firms do not have to conduct critical activities to be considered a ‘third party’; a cleaning services firm responsible for maintaining a company’s office space is a third party as much as a primary supply-chain supplier. The role or size of the third party is not as important as the nature of the relationship, the criticality of its activities, the level of access it has to sensitive data or property, and a company’s accountability for inappropriate actions of its third parties. A cleaning company with access to a CEO’s filing cabinet represents a different but still significant risk relative to a supplier who provides a critical component to the production line.
A non-critical service provider - such as an air-conditioning contractor - operating in a country with low corruption risk may erroneously be considered a low risk. However, if that contractor has poor cyber-security and is able to submit invoices to a customer electronically across the customer’s firewall, this may represent a high cyber risk to the customer company. Target Corporation's December 2013 data breach, in which approximately 70 million Target customers’ credit and debit card information was stolen, highlights the cyber security risk posed by innocent third parties – even in low risk countries such as the USA. Hackers exploited an HVAC contractor with poor cyber-security who conducted electronic payments with Target and thus had access to behind the firewall.[3]
Due to trends towards specialization and outsourcing, companies increasingly focused on core competencies are engaging greater numbers of third parties to perform key functions in their business value chain;[4] third party activity is typically responsible for driving approximately 60% of total revenue.[5] This trend is creating greater numbers of critical third party relationships throughout the economy which – in the case of companies with tens of thousands and even hundreds of thousands of third party relationships – can become cumbersome to monitor and manage manually.
Regulation
Due to regulatory requirements, third party management is most prevalent in the financial sector. The use of third-party-management systems is mandated by the Office of the Comptroller of the Currency for American national banks and federal savings associations.[2] OCC bulletin 2013-29 explicates the third party management requirements for financial institutions. The British Financial Conduct Authority (FCA) requires, under the SYSC 8.1 ‘Outsourcing Requirements’, that critical functions conducted by third parties must be continuously monitored.[6]
The healthcare sector also has growing regulatory requirements that require third party management. HIPAA,[7] the Health Insurance Portability and Accountability Act, sets the standard for protecting private patient data. There are regulations around the saving [8] and storing of PHI, Protected Health Information[9] which can be even more valuable than credit card information.[10] The HITECH Act,[11] signed in 2009 requires increased privacy and security obligations and extends those obligations to business associates.
While other industries are not required by law to have third party management systems in place, most non-financial companies are bound by anti-bribery/anti-corruption (ABAC) and other regulations.[1] Consequently, many of them manage their third parties and have adopted third-party-management solutions.[12]
Third Party Management Solutions
Third Party Management Solutions are technologies and systems designed to automate the performance of one or more third party management processes or functions. Third Party Management Solutions are external facing and designed to complement internal facing governance, risk and compliance (GRC) systems and processes. They run on both on-premises-installed and SaaS-delivered enterprise platforms.[13]
Security Ratings Services (SRS), subscription services which "provide continuous, independent quantitative security analysis and scoring for organizational entities," are gaining popularity as well.[14] The space for SRS becomes increasingly competitive as players such as Security Scorecard, UpGuard and BitSight offers companies to compile different risk factors to calculate a quantitative score for vendor comparison.
References
- 1 2 "CMS Guide to Anti-Bribery and Corruption Laws", CMS Legal. http://www.cmslegal.com/Hubbard.FileSystem/files/Publication/867d81f9-25b2-49d3-9991-04a3a5e862d5/Presentation/PublicationAttachment/53cb5525-344f-4b8f-9bab-081aeacadd93/Guide-to-Anti-bribery-and-corruption-laws-final.pdf
- 1 2 3 4 5 "OCC: Third-Party Relationships: Risk Management Guidance". occ.gov.
- ↑ Gregory Wallace (6 February 2014). "HVAC vendor eyed as entry point for Target breach". CNNMoney.
- ↑ "Outsourcing: on the increase as firms hone core competencies". Osney Buy-Side.
- ↑ "Use Cases for Third Party Management", Hiperos 3PM White Paper
- ↑ "Combined View". fshandbook.info.
- ↑ https://www.hhs.gov/hipaa
- ↑ http://www.hhs.gov/hipaa/for-professionals/security/
- ↑ https://www.hipaa.com/hipaa-protected-health-information-what-does-phi-include/
- ↑ http://www.beckershospitalreview.com/healthcare-information-technology/medical-records-10x-more-valuable-to-hackers-than-credit-card-information.html
- ↑ https://www.hhs.gov/hipaa/for-professionals/special-topics/HITECH-act-enforcement-interim-final-rule/
- ↑ "Managing third-party risk in a changing regulatory environment" McKinsey & Company (Working Papers on Risk, Number 46)
- ↑ "The Difference Between Enterprise Software and Software-as-a-Service". effectivedatabase.com.
- ↑ https://www.gartner.com/doc/3367218