Eva Pittas / CoFounder / Laika
Daniel Kahn / Global Open Finance Lead / Plaid
Procurement processes of established businesses can be opaque, lengthy, and complicated. We’re giving you a peek behind the curtain. This session will cover what is most important to know about the changing landscape of information security and what that means when selling into enterprises.
3. The first deal is the hardest to close
01 Identify your champion
02 Provide product access
03 React to feedback quickly
04 Provide data to support ROI
05 Demonstrate commitment to security
6. NOW: Multilateral with Multiple Gatekeepers
Business owners care about business results
Gatekeepers predominantly care about complying with regulations & managing risk
7. You closed the deal. Now what?
Continuous compliance. Or risk being replaced.
→ Ongoing diligence driven by criticality and risk rating of 3rd party
→ Incident-driven diligence
8. What’s coming?
→ More scrutiny over 4th parties
→ Cloud security certification specifications
→ Continuous monitoring requirements
9. Being enterprise-ready never ends
Signing a deal is only the start of your compliance journey. Maturing enterprise relationships and the ever-changing compliance landscape mean that your compliance posture needs to continuously evolve.
12. Regulations… and more regulations!
Growing Concerns
→ $4.6 million: Avg. cost of cyber attack recovery for $1B+ businesses
→ 97%: Financial services pros worried about 3rd-party risk
→ 82%: Nations with privacy regulations to protect consumer data
→ 31%: Security leaders who say lack of visibility of sensitive data is a compliance concern
Growing Regulations
→ 280 cybersecurity bills introduced in 2020 in the U.S. alone
→ First time the OCC, Fed, and the FDIC proposed unified guidance for the banking industry around managing 3rd-party relationships
→ CMMC required for all DOD 3rd parties and supply chain by 2026
13. Due diligence and security questionnaires keep coming. Even after audit.
→ Industry needs to standardize compliance
→ Businesses need to customize compliance
SOC 2 is ubiquitous. Why do we still need to answer security questionnaires?
SOC 2 (CC 3.4): The entity identifies and assesses changes that could significantly impact the system of internal control.
DDQ (I.2.3): Are applications released to production on a fixed schedule? Identify the schedule.
16. The emerging fintech ecosystem includes thousands of nodes connecting banks to fintechs
FINANCIAL INSTITUTIONS: 11,000 financial institutions (US, Canada, Europe)
DIGITAL APPLICATIONS & SERVICES: 5,000+ applications built on Plaid
19. Emerging data security standards
→ Plaid and Laika, alongside our industry competitors, are developing a new Open Finance Data Security Standard (OFDSS)
→ Industry-driven proposal to enhance data security in the fintech ecosystem and foster responsible innovation
→ Security framework optimized for cloud-native, tech-focused startups and growth-stage companies
20. Takeaways
01 Check-the-box security won’t land and retain enterprise deals
02 The bar for infosec and data privacy is already high, but rising with calls for vertical-specific, actionable guidelines and continuous monitoring
03 Security and Compliance should be a permanent business function enabling responsible innovation and building trust in the marketplace
25. Prepare for growing regulations
Industry wants to standardize security and businesses need to customize security
Top 4 cybersecurity frameworks
→ NIST: 29%
→ CIS: 32%
→ ISO: 35%
→ PCI DSS: 47%
→ 90%: Share of security pros who believe their personal data is at risk
→ 20%: Percentage of practitioners who say their SecOps practices are mature
→ 31%: Percentage of security leaders who say lack of visibility of sensitive data is a compliance concern
→ $4.6 million: Average cost to recover from a cyberattack for organizations with more than $1 billion in revenue
→ 97%: Percentage of financial services pros who worry about third-party risk
→ 34%: Percentage of IT pros who questioned disclosing accidental data breaches
→ $21 billion: Amount organizations will spend on managed security service providers in 2019
26. Prepare for growing regulations
Privacy & Security Frameworks
Regulatory: CMMC, GDPR, CCPA
Non-regulatory: ISO, SOC
27. Current compliance landscape
01 Financial Services: PCI DSS
02 Privacy: GDPR, CCPA, state privacy regulations
03 Federal: CMMC, NIST
04 Healthcare: HIPAA
30. Standards… and more standards!
Source for the Growing Concerns figures: Merrill Research for Radware, BitSight and CeFPro, Censuswide for Panaseer
32. Standards, Frameworks, and Best Practices
Financial Services: PCI DSS
Privacy: GDPR, CCPA, state privacy regulations
Federal: CMMC, FedRAMP, NIST
Healthcare: HIPAA, HITRUST
Editor's Notes
Q: What does it look like to close your first enterprise deal?
A:
Identify your champion
Provide product access
React to feedback quickly
Measure enterprise ROI
Demonstrate commitment to security
Q: Who are the four horsemen of procurement?
Remember: compliance isn’t just about your internal security, but also about the company you keep (aka your vendors).
OLD WAY:
Sell into a company, sign the contract, onboard with procurement
NEW WAY:
Find a champion, tackle legal & compliance, then information security, then risk. Finally, talk to procurement about pricing and signing the contract.
Q: What challenges or documentation will these departments throw your way?
Legal & Compliance
Information Security
Risk:
SPEAKER NOTES:
You’ll need to face off with Legal, Information Security, Compliance, and Risk to get a signed contract.
Each of these departments has veto power and decision-making authority.
While each enterprise is different, the head of each department likely reports directly to the BoD.
Annual vendor review
Incident driven
Continuous monitoring
4th-party
Review driven by
regulation changes
Privacy and data protection in DD
Exit strategy is part of the vendor lifecycle - need to have a way to get out if the vendor misses the bar
Q: Okay, so what happens after you get the contract signed? How can you keep their business?
Periodic diligence
Continuous review and monitoring
Attention and reporting for SLAs
Joint testing of major changes, BCP and/or incident response
Being pulled into a regulatory review
Maybe we can find a cycle visual for this?
REFERENCE: https://www.youtube.com/watch?v=vNpl7nUsWk8
https://www.youtube.com/watch?v=uN-LxfehITU
need for continuous monitoring - impacts who you are as a company and how you do business
Reputational risk *
Criticality of vendor impacts the number of requirements
As your business grows with the enterprise, this process will increase for your business lines - reflective of a good relationship with the enterprise
More robust reviews (this is a good thing!)
Q: What does the current compliance landscape look like for SaaS businesses?
Financial Services
Privacy
Federal
Healthcare
SPEAKER NOTES:
Financial Services - New proposed interagency guidance for managing 3rd party relationships. First time the Federal Reserve, FDIC and the OCC issued guidance jointly. It is out now for comments.
PCI DSS →
Privacy - GDPR, CCPA, state privacy regulations. Repealing privacy shield, EU Cookie Directive
Federal government - CMMC requirement for all 3rd parties/4th parties working with DOD to be certified by 2026.
NIST: new prescriptive framework of choice
Increasing difficulty as requirements rise to make this a core capability
Health Care - we need to research something about this. Not familiar enough
Used to be trust but verify
Now, zero-trust
What to expect as a regulated partner
To cope with the increasing complexity of vendor risks, industries and regulators have developed
25+ different frameworks to consider.
Growing regulation list: https://docs.google.com/spreadsheets/d/1SUVWukag0Rcgs_mH9wGeMdYF4EUAd4D8lcOVx8JHla8/edit?usp=sharing
25 different frameworks: https://securityscorecard.com/blog/top-cybersecurity-frameworks-to-consider
Rising number of Regulations Cybersecurity & Privacy (e.g. 280 new cybersecurity bills introduced in 2020 alone)
Snowball effect
Lack of standardization within and across industries
Leaves a lot up to interpretation
There are attempts to harmonize within industries but this could take years.
So, for now SaaS companies should think about InfoSec and Privacy compliance as:
Core Capabilities that need to be invested in
Programs need to be flexible and adaptable to allow SaaS companies to scale because of:
The current landscape and the rising tide
And because as your relationship grows, the risk to the enterprise grows.
Q: How do we expect 4th parties to be regulated?
Define Risk
Clarify Standards
Create Transparency
Demonstrate Trust
SPEAKER NOTES:
Needs to be something more to offer back to banks in terms of security
We need to define risk - what is an appropriate level of risk for small businesses?
Adding clarity around standards and assessments, as well as those who are executing assessments
Creating easier flow of information and management of risk through continuous monitoring, integrations, etc. transparently
Systems that have data available when it’s needed to answer questions on demand
Annual diligence process dependent on criticality of the vendor
Identify the schedule (e.g., Daily, Weekly, Monthly, Ad-hoc) in the Additional Information field.
Q: What advice can you give growing SaaS businesses, looking to move upmarket?
- Check-the-box security won’t work in the long run. Information security and privacy compliance are truly a day-1 core capability that will need to grow and mature with your company.
PLAID SLIDE*
Our competitors think about compliance as one-size-fits-all but OFDSS and Laika are striving to customize the standards and security posture for growing businesses
Eva: New regulations are being introduced at high velocity. What can you share about OFDSS?
Dan:
When to sell into enterprises depends on your unique business model
Similarly, the security programs and risk management you need is dependent on your business model -
Takeaways: industry wants to standardize security and businesses need to customize security
Check-the-box security won’t land enterprise deals or scale with you
Bar is already high to deal with the federal government, privacy protections are already popular, and PHI needs to be taken seriously (even if it doesn’t require an audit)
as industry evolves with increasing scrutiny, we need to uplevel entire ecosystem:
through empowering not just the big clients but making it easier for “2 gals in a garage” to demonstrate responsibility
stage-appropriate examinations along with stage-appropriate security
Always going to be some level of scrutiny, doing what we can to create clear guidelines and accessible lanes to growth - informed by real-world participants
SPEAKER NOTES:
- Check-the-box security won’t work in the long run. Information security and privacy compliance are truly a day-1 core capability that will need to grow and mature with your company.
- For FIs, the last interagency guidance around managing 3rd-party relationships was in 2013, and that spurred what is currently in place.
- The bar is already high if you want to do business with the Federal government. FedRAMP already has a continuous monitoring component. But now all vendors (approx. 300,000) who deal with non-critical (need to get the right term) will need to be CMMC certified or they will lose their contracts. The gov. is giving the industry a few years to
- Privacy, privacy, privacy
- Healthcare?
- Need solutions like Laika to help support innovation.
Top 4 Cybersecurity frameworks: https://www.itgovernanceusa.com/blog/top-4-cybersecurity-frameworks
Q: What does the current compliance landscape look like for SaaS businesses?
SOC 2 is ubiquitous
Increasing regulations for SMBs
Examining 4th-party relationships
SPEAKER NOTES:
SOC 2 is becoming ubiquitous for 3rd parties
Varying infosec and compliance expectations are increasingly relevant for SMBs
Huge increase in diligence questionnaires
4th parties becoming in-scope for diligence and mapping/understanding regulations
New guidance was just proposed (OCC, Fed, FDIC) and they are accepting comments from the industry. Expect there to be more requirements especially around continuous monitoring
SPEAKER NOTES:
Enterprises in the US are requiring SOC 2 audits for practically all 3rd parties, not just those that represent a higher risk
Inconsistent and varying info sec and compliance expectations from smaller and medium sized businesses.
We have seen an Increase in diligence associated with privacy and data protection regulations
4th parties are increasingly in scope for diligence and understanding the risk in the supply chain
New guidance was just proposed (OCC, Fed, FDIC) and they are accepting comments from the industry. Expect there to be more requirements especially around continuous monitoring
Even with SOC 2 audits and other certifications, the questionnaires keep coming, because SOC 2 audits are not all the same: a company’s individual compliance and security program is what gets tested and written up. That could be 20 controls that are immature or 100 controls that are very mature. There is no easy way to determine which - no tools and no transparency.