Secrets of the Enterprise Buyers with Plaid's Global Finance Lead and Laika's Co-founder
•Download as PPTX, PDF•
0 likes•95 views
Eva Pittas / CoFounder / Laika Daniel Kahn / Global Open Finance Lead / Plaid Procurement processes of established businesses can be opaque, lengthy, and complicated. We’re giving you a peek behind the curtain. This session will cover what is most important to know about the changing landscape of information security and what that means when selling into enterprises.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Secrets of the Enterprise Buyers with Plaid's Global Finance Lead and Laika's Co-founder
Similar to Secrets of the Enterprise Buyers with Plaid's Global Finance Lead and Laika's Co-founder (20)
More from saastr
More from saastr (20)
Recently uploaded
Recently uploaded (20)
Secrets of the Enterprise Buyers with Plaid's Global Finance Lead and Laika's Co-founder
- 1. DAN KAHN Global Open Finance Lead Plaid EVA PITTAS Founder, COO Laika The Secrets of Enterprise Buyers
- 2. Closing Enterprise Deals What to expect when you’re expecting a deal
- 3. The first deal is the hardest to close 01 Identify your champion 02 Provide product access 03 React to feedback quickly 04 Provide data to support ROI 05 Demonstrate commitment to security 3
- 4. The Gatekeepers of Enterprise Procurement
- 5. 5 BEFORE: Bilateral Relationship Business owners care about business results
- 6. NOW: Multilateral with Multiple Gatekeepers 6 Business owners care about business results Gatekeepers predominantly care about complying with regulations & managing risk
- 7. You closed the deal. Now what? Continuous compliance. Or risk being replaced. 7 → Ongoing diligence driven by criticality and risk rating of 3rd party → Incident-driven diligence
- 8. → More scrutiny over 4th Parties → Cloud Security Certification specifications → Continuous Monitoring requirements 8 What’s coming?
- 9. Signing a deal is only the start of your compliance journey. Maturing enterprise relationships and the ever-changing compliance landscape means that your compliance posture needs to continuously evolve. 9 Being enterprise-ready never ends
- 10. Demonstrating Trust through the procurement process
- 11. 11 Standards, Frameworks, and Best Practices
- 12. Growing Concerns Growing Regulations → $4.6 million: Avg. cost of cyber attack recovery for $1B+ businesses → 97%: Financial services pros worried about 3rd-party risk → 82%: Nations with privacy regulations to protect consumer data → 31%: Security leaders who say lack of visibility of sensitive data is a compliance concern → 280 cybersecurity bills introduced in 2020 in the U.S. alone → First time the OCC, Fed, and the FDIC proposed unified guidance for the banking industry - around managing 3rd party relationships → CMMC required for all DOD 3rd parties and supply chain by 2026 12 Regulations… and more regulations!
- 13. Due diligence and security questionnaires keep coming. Even after audit. → Industry needs to standardize compliance → Businesses need to customize compliance 13 SOC 2 is ubiquitous. Why do we still need to answer security questionnaires? SOC 2 + CC 3.4 The entity identifies and assesses changes that could significantly impact the system of internal control. DDQ + I.2.3 Are applications released to production on a fixed schedule? Identify the schedule.
- 14. Continuous Procurement Supporting the process of
- 15. 15 // The emerging fintech ecosystem includes thousands of nodes connecting banks to fintechs
- 16. 16 // The emerging fintech ecosystem includes thousands of nodes connecting banks to fintechs FINANCIAL INSTITUTIONS 11,000 financial institutions (US, Canada, Europe)
- 17. 17 // The emerging fintech ecosystem includes thousands of nodes connecting banks to fintechs DIGITAL APPLICATIONS & SERVICES 5,000+ applications built on Plaid
- 18. 18 // The emerging fintech ecosystem includes thousands of nodes connecting banks to fintechs DIGITAL APPLICATIONS & SERVICES 5,000+ applications built on Plaid FINANCIAL INSTITUTIONS 11,000 financial institutions (US, Canada, Europe)
- 19. Emerging data security standards 19 → Plaid and Laika, alongside our industry competitors are developing a new Open Finance Data Security Standard (OFDSS) → Industry-driven proposal to enhance data security in the fintech ecosystem and foster responsible innovation → Security framework optimized for cloud-native, tech-focused startups and growth-stage companies
- 20. Takeaways 20 Check-the-box security won’t land and retain enterprise deals The bar for infosec and data privacy is already high--but rising with calls for vertical-specific, actionable guidelines and continuous monitoring Security and Compliance should be a permanent business function enabling responsible innovation and building trust in the marketplace 01 02 03
- 21. THANK YOU
- 22. SLIDE BANK
- 23. Current compliance landscape 01 Financial Services 02 Privacy 03 Federal 04 Healthcare 25
- 24. Current compliance landscape 01 Financial Services 02 Privacy 03 Federal 04 Healthcare 27
- 25. Prepare for growing regulations 28 Industry wants to standardize security and businesses need to customize security Top 4 Cybersecurity frameworks Nist: 29% CIS: 32% ISO: 35% PCI DSS: 47% 90%: Share of security pros who believe their personal data is at risk 20%: Percentage of practitioners who say their SecOps practices are mature 31%: Percentage of security leaders who say lack of visibility of sensitive data is a compliance concern $4.6 million: Average cost to recover from a cyberattack for organizations with more than $1 billion in revenue 97%: Percentage of financial services pros who worry about third-party risk 34%: Percentage of IT pros who questioned disclosing accidental data breaches $21 billion: Amount organizations will spend on managed security service providers in 2019
- 26. Prepare for growing regulations 29 Privacy & Security Frameworks Regulatory Non Regulatory CMMC ISO GDPR CCPA SOC
- 27. Current compliance landscape 31 01 Financial Services 02 Privacy 03 Federal 04 Healthcare PCI DSS GDPR, CCPA, state privacy regulations CMMC, NIST HIPAA
- 28. 32 Security Privacy ● $4.6 million: Avg. cost of cyber attack recovery for $1B+ businesses ● 97%: Financial services pros worried about 3rd-party risk ● 31%: Security leaders who say lack of visibility of sensitive data is a compliance concern ● 34%: IT pros who questioned disclosing accidental data breaches
- 29. 33 4th Party Regulation Define Risk Clarify Standards Create Transparency Demonstrate Trust
- 30. 34 Growing Concerns → $4.6 million: Avg. cost of cyber attack recovery for $1B+ businesses → 97%: Financial services pros worried about 3rd-party risk → 82%: Nations with privacy regulations to protect consumer data → 31%: Security leaders who say lack of visibility of sensitive data is a compliance concern Source: Merrill Research for Radware, BitSight and CeFPro, Censuswide for Panaseer Standards… and more standards! Growing Regulations → 280 cybersecurity bills introduced in 2020 in the U.S. alone → First time the OCC, Fed, and the FDIC proposed unified guidance for the banking industry - around managing 3rd party relationships → CMMC required for all DOD 3rd parties and supply chain by 2026
- 31. Growing Regulations - ● 280 Cybersecurity Bills Introduced in 2020 in the U.S. alone ● First time the OCC, Fed and the FDIC proposed unified guidance for the banking industry - around managing 3rd party relationships ● CMMC required for all DOD 3rd parties and supply chain by 2026 35
- 32. Standards, Frameworks, and Best Practices 36 Financial Services Privacy Federal Healthcare → PCI DSS → GDPR → CCPA → State privacy regulations → CMMC → FedRAMP → NIST → HIPAA → HITRUST
Editor's Notes
- Q: What does it look like to close your first enterprise deal?
- A: Identify your champion Provide product access React to feedback quickly Measure enterprise ROI Demonstrate commitment to security
- Q: who are the four horsemen of procurement? Remember: compliance isn’t just about your internal security, but also about the company you keep (aka your vendors).
- OLD WAY: Sell into a company, sign the contract, onboard with procurement NEW WAY: Find a champion, tackle legal & compliance, then information security, then risk. Finally, talk to procurement about pricing and signing the contract. Q: What challenges or documentation will these departments throw your way? Legal & Compliance Information Security Risk: SPEAKER NOTES: You’ll need to face off with Legal, Information Security, Compliance, and Risk to get a signed contract. Each of these departments has veto power and decision-making authority. While each enterprise is different, the heads of each department likely reports directly to the BoD
- Annual vendor review Incident driven Continuous monitoring 4th-party Review driven by regulation changes Privacy and data protection in DD Exit strategy is part of the vendor lifecycle - need to have a way to get out if the vendor misses the bar Q: Okay, so what happens after you get the contract signed? How can you keep their business? Periodic diligence Continuous review and monitoring Attention and reporting for SLAs Joint testing of major changes, BCP and/or incident response Being pulled into a regulatory review Maybe we can find a cycle visual for this? REFERENCE: https://www.youtube.com/watch?v=vNpl7nUsWk8 https://www.youtube.com/watch?v=uN-LxfehITU
- need for continuous monitoring - impacts who you are as a company and how you do business Reputational risk * Criticality of vendor impacts the number of requirements As your business grows with the enterprise, this process will increase for your business lines - reflective of a good relationship with the enterprise More robust reviews (this is a good thing!) Q: What does the current compliance landscape look like for SaaS businesses? Financial Services Privacy Federal Healthcare SPEAKER NOTES: Financial Services - New proposed interagency guidance for managing 3rd party relationships. First time the Federal Reserve, FDIC and the OCC issued guidance jointly. It is out now for comments. PCI DSS → Privacy - GDPR, CCPA, state privacy regulations. Repealing privacy shield, EU Cookie Directive Federal government - CMMC requirement for all 3rd parties/4th parties working with DOD to be certified by 2026. NIST: new prescriptive framework of choice Increasing difficulty as requirements rise to make this a core capability Health Care - we need to research something about this. Not familiar enough
- need for continuous monitoring - impacts who you are as a company and how you do business Reputational risk * Criticality of vendor impacts the number of requirements As your business grows with the enterprise, this process will increase for your business lines - reflective of a good relationship with the enterprise More robust reviews (this is a good thing!) Q: What does the current compliance landscape look like for SaaS businesses? Financial Services Privacy Federal Healthcare SPEAKER NOTES: Financial Services - New proposed interagency guidance for managing 3rd party relationships. First time the Federal Reserve, FDIC and the OCC issued guidance jointly. It is out now for comments. PCI DSS → Privacy - GDPR, CCPA, state privacy regulations. Repealing privacy shield, EU Cookie Directive Federal government - CMMC requirement for all 3rd parties/4th parties working with DOD to be certified by 2026. NIST: new prescriptive framework of choice Increasing difficulty as requirements rise to make this a core capability Health Care - we need to research something about this. Not familiar enough
- Used to be trust but verify Now, zero-trust What to expect as a regulated partner
- \To cope with the increasing complexity of vendor risks, industries and regulators have developed need for continuous monitoring - impacts who you are as a company and how you do business Reputational risk * Criticality of vendor impacts the number of requirements As your business grows with the enterprise, this process will increase for your business lines - reflective of a good relationship with the enterprise More robust reviews (this is a good thing!) Q: What does the current compliance landscape look like for SaaS businesses? Financial Services Privacy Federal Healthcare SPEAKER NOTES: Financial Services - New proposed interagency guidance for managing 3rd party relationships. First time the Federal Reserve, FDIC and the OCC issued guidance jointly. It is out now for comments. PCI DSS → Privacy - GDPR, CCPA, state privacy regulations. Repealing privacy shield, EU Cookie Directive Federal government - CMMC requirement for all 3rd parties/4th parties working with DOD to be certified by 2026. NIST: new prescriptive framework of choice Increasing difficulty as requirements rise to make this a core capability Health Care - we need to research something about this. Not familiar enough
- 25+ different frameworks to consider. Growing regulation list: https://docs.google.com/spreadsheets/d/1SUVWukag0Rcgs_mH9wGeMdYF4EUAd4D8lcOVx8JHla8/edit?usp=sharing 25 different frameworks: https://securityscorecard.com/blog/top-cybersecurity-frameworks-to-consider Rising number of Regulations Cybersecurity & Privacy (e.g. 280 new cybersecurity bills introduced in 2020 alone) Snowball effect Lack of standardization within and across industries Leaves a lot up to interpretation There are attempts to harmonize within industries but this could take years. So, for now SaaS companies should think about InfoSec and Privacy compliance as: Core Capabilities that need to be invested in Programs need to be flexible and adaptable to allow SaaS companies to scale because of : The current landscape and the rising tide And because as your relationship grows, the risk to the enterprise grows. Q: How do we expect 4th parties to be regulated? Define Risk Clarify Standards Create Transparency Demonstrate Trust SPEAKER NOTES: Needs to be something more to offer back to banks in terms of security We need to defining risk - what is an appropriate level of risk for small businesses? Adding clarity around standards and assessments, as well as those who are executing assessments Creating easier flow of information and management of risk through continuous monitoring, integrations, etc. transparently Systems that have data available when it’s needed to answer questions on demand Annual diligence process dependent on criticality of the vendor
- Identify the schedule (e.g., Daily, Weekly, Monthly, Ad-hoc) in the Additional Information field. Growing regulation list: https://docs.google.com/spreadsheets/d/1SUVWukag0Rcgs_mH9wGeMdYF4EUAd4D8lcOVx8JHla8/edit?usp=sharing Rising number of Regulations Cybersecurity & Privacy (e.g. 280 new cybersecurity bills introduced in 2020 alone) Snowball effect Lack of standardization within and across industries Leaves a lot up to interpretation There are attempts to harmonize within industries but this could take years. So, for now SaaS companies should think about InfoSec and Privacy compliance as: Core Capabilities that need to be invested in Programs need to be flexible and adaptable to allow SaaS companies to scale because of : The current landscape and the rising tide And because as your relationship grows, the risk to the enterprise grows. Q: How do we expect 4th parties to be regulated? Define Risk Clarify Standards Create Transparency Demonstrate Trust SPEAKER NOTES: Needs to be something more to offer back to banks in terms of security We need to defining risk - what is an appropriate level of risk for small businesses? Adding clarity around standards and assessments, as well as those who are executing assessments Creating easier flow of information and management of risk through continuous monitoring, integrations, etc. transparently Systems that have data available when it’s needed to answer questions on demand Annual diligence process dependent on criticality of the vendor
- Q: What advice can you give growing SaaS businesses, looking to move upmarket? -Check the box security won’t work in the long run. Information Security, Privacy compliance is truly a day 1 core capability that will need to grow and mature with your company.
- PLAID SLIDE* Our competitors think about compliance as one-size-fits-all but OFDSS and Laika are striving to customize the standards and security posture for growing businesses Eva: New regulations are being introduced at high velocity. What can you share about OFDSS? Dan: When to sell into enterprises depends on your unique business model Similarly, the security programs and risk management you need is dependent on your business model -
- Takeaways: industry wants to standardize security and businesses need to customize security Check-the-box security won’t land enterprise deals or scale with you Bar is already high to deal with the federal government, privacy protections are already popular, and PHI needs to be taken seriously (even if it doesn’t require an audit) as industry evolves with increasing scrutiny, we need to uplevel entire ecosystem: through empowering not just the big clients but making it easier for “2 gals in a garage” to access to demonstrate responsibility stage-appropriate examinations along with stage-appropriate security Always going to be some level of scrutiny, doing what we can to create clear guidelines and accessible lanes to growth - informed by real-world participants SPEAKER NOTES: -Check the box security won’t work in the long run. Information Security, Privacy compliance is truly a day 1 core capability that will need to grow and mature with your company. -For FI’s Last Interagency guidance around managing 3rd party relationships was in 2013 and that spurred what is currently in place. -Bar is high already if you want to do biz with the Federal government. FedRAMP already has a continuous monitoring component. But now all vendors (approx. 300,000) who deal with non critical (need to get the right term) will need to be CMMC certified or they will lose their contracts. The gov. Is giving the industry a few years to -Privacy, privacy, privacy -Healthcare? -Need solutions like Laika to help support innovation. - as industry evolves with increasing scrutiny, we need to uplevel entire ecosystem: through empowering not just the big clients but making it easier for “2 gals in a garage” to access to demonstrate responsibility - stage-appropriate examinations along with stage-appropriate security Always going to be some level of scrutiny, doing what we can to create clear guidelines and accessible lanes to growth - informed by real-world participants
- 25+ different frameworks to consider. Growing regulation list: https://docs.google.com/spreadsheets/d/1SUVWukag0Rcgs_mH9wGeMdYF4EUAd4D8lcOVx8JHla8/edit?usp=sharing Top 4 Cybersecurity frameworks: https://www.itgovernanceusa.com/blog/top-4-cybersecurity-frameworks 25 different frameworks: https://securityscorecard.com/blog/top-cybersecurity-frameworks-to-consider Rising number of Regulations Cybersecurity & Privacy (e.g. 280 new cybersecurity bills introduced in 2020 alone) Snowball effect Lack of standardization within and across industries Leaves a lot up to interpretation There are attempts to harmonize within industries but this could take years. So, for now SaaS companies should think about InfoSec and Privacy compliance as: Core Capabilities that need to be invested in Programs need to be flexible and adaptable to allow SaaS companies to scale because of : The current landscape and the rising tide And because as your relationship grows, the risk to the enterprise grows. Q: How do we expect 4th parties to be regulated? Define Risk Clarify Standards Create Transparency Demonstrate Trust SPEAKER NOTES: Needs to be something more to offer back to banks in terms of security We need to defining risk - what is an appropriate level of risk for small businesses? Adding clarity around standards and assessments, as well as those who are executing assessments Creating easier flow of information and management of risk through continuous monitoring, integrations, etc. transparently Systems that have data available when it’s needed to answer questions on demand Annual diligence process dependent on criticality of the vendor
- Q: What does the current compliance landscape look like for SaaS businesses? SOC 2 is ubiquitous Increasing regulations for SMBs Examining 4th-party relationships SPEAKER NOTES: SOC 2 is becoming ubiquitous for 3rd parties Varying infosec and compliance expectations are increasingly relevant for SMBs Huge increase in diligence questionnaires 4th parties becoming in-scope for diligence and mapping/understanding regulations New guidance was just proposed (OCC, Fed, FDIC) and they are accepting comments from the industry. Expect there to be more requirements especially around continuous monitoring SPEAKER NOTES: Enterprises in the US are requiring SOC 2 audits for practically all 3rd parties, not just those that represent a higher risk Inconsistent and varying info sec and compliance expectations from smaller and medium sized businesses. We have seen an Increase in diligence associated with privacy and data protection regulations 4th parties are increasingly in scope for diligence and understanding the risk in the supply chain New guidance was just proposed (OCC, Fed, FDIC) and they are accepting comments from the industry. Expect there to be more requirements especially around continuous monitoring Even with SOC 2 audits and other certifications, the questionnaires keep coming because SOC 2 audits are not all the same because a companies individual compliance and security program gets tested and written up. That could be 20 controls that are immature or 100 controls that are very mature. There is no easy way to determine that - no tools and transparency.
- need for continuous monitoring - impacts who you are as a company and how you do business Reputational risk * Criticality of vendor impacts the number of requirements As your business grows with the enterprise, this process will increase for your business lines - reflective of a good relationship with the enterprise More robust reviews (this is a good thing!) Q: What does the current compliance landscape look like for SaaS businesses? Financial Services Privacy Federal Healthcare SPEAKER NOTES: Financial Services - New proposed interagency guidance for managing 3rd party relationships. First time the Federal Reserve, FDIC and the OCC issued guidance jointly. It is out now for comments. PCI DSS → Privacy - GDPR, CCPA, state privacy regulations. Repealing privacy shield, EU Cookie Directive Federal government - CMMC requirement for all 3rd parties/4th parties working with DOD to be certified by 2026. NIST: new prescriptive framework of choice Increasing difficulty as requirements rise to make this a core capability Health Care - we need to research something about this. Not familiar enough
- Q: What does the current compliance landscape look like for SaaS businesses? SOC 2 is ubiquitous Increasing regulations for SMBs Examining 4th-party relationships SPEAKER NOTES: SOC 2 is becoming ubiquitous for 3rd parties Varying infosec and compliance expectations are increasingly relevant for SMBs Huge increase in diligence questionnaires 4th parties becoming in-scope for diligence and mapping/understanding regulations New guidance was just proposed (OCC, Fed, FDIC) and they are accepting comments from the industry. Expect there to be more requirements especially around continuous monitoring SPEAKER NOTES: Enterprises in the US are requiring SOC 2 audits for practically all 3rd parties, not just those that represent a higher risk Inconsistent and varying info sec and compliance expectations from smaller and medium sized businesses. We have seen an Increase in diligence associated with privacy and data protection regulations 4th parties are increasingly in scope for diligence and understanding the risk in the supply chain New guidance was just proposed (OCC, Fed, FDIC) and they are accepting comments from the industry. Expect there to be more requirements especially around continuous monitoring Even with SOC 2 audits and other certifications, the questionnaires keep coming because SOC 2 audits are not all the same because a companies individual compliance and security program gets tested and written up. That could be 20 controls that are immature or 100 controls that are very mature. There is no easy way to determine that - no tools and transparency.
- need for continuous monitoring - impacts who you are as a company and how you do business Reputational risk * Criticality of vendor impacts the number of requirements As your business grows with the enterprise, this process will increase for your business lines - reflective of a good relationship with the enterprise More robust reviews (this is a good thing!) Q: What does the current compliance landscape look like for SaaS businesses? Financial Services Privacy Federal Healthcare SPEAKER NOTES: Financial Services - New proposed interagency guidance for managing 3rd party relationships. First time the Federal Reserve, FDIC and the OCC issued guidance jointly. It is out now for comments. PCI DSS → Privacy - GDPR, CCPA, state privacy regulations. Repealing privacy shield, EU Cookie Directive Federal government - CMMC requirement for all 3rd parties/4th parties working with DOD to be certified by 2026. NIST: new prescriptive framework of choice Increasing difficulty as requirements rise to make this a core capability Health Care - we need to research something about this. Not familiar enough
- Growing regulation list: https://docs.google.com/spreadsheets/d/1SUVWukag0Rcgs_mH9wGeMdYF4EUAd4D8lcOVx8JHla8/edit?usp=sharing Rising number of Regulations Cybersecurity & Privacy (e.g. 280 new cybersecurity bills introduced in 2020 alone) Snowball effect Lack of standardization within and across industries Leaves a lot up to interpretation There are attempts to harmonize within industries but this could take years. So, for now SaaS companies should think about InfoSec and Privacy compliance as: Core Capabilities that need to be invested in Programs need to be flexible and adaptable to allow SaaS companies to scale because of : The current landscape and the rising tide And because as your relationship grows, the risk to the enterprise grows. Q: How do we expect 4th parties to be regulated? Define Risk Clarify Standards Create Transparency Demonstrate Trust SPEAKER NOTES: Needs to be something more to offer back to banks in terms of security We need to defining risk - what is an appropriate level of risk for small businesses? Adding clarity around standards and assessments, as well as those who are executing assessments Creating easier flow of information and management of risk through continuous monitoring, integrations, etc. transparently Systems that have data available when it’s needed to answer questions on demand Annual diligence process dependent on criticality of the vendor
- need for continuous monitoring - impacts who you are as a company and how you do business Reputational risk * Criticality of vendor impacts the number of requirements As your business grows with the enterprise, this process will increase for your business lines - reflective of a good relationship with the enterprise More robust reviews (this is a good thing!) Q: What does the current compliance landscape look like for SaaS businesses? Financial Services Privacy Federal Healthcare SPEAKER NOTES: Financial Services - New proposed interagency guidance for managing 3rd party relationships. First time the Federal Reserve, FDIC and the OCC issued guidance jointly. It is out now for comments. PCI DSS → Privacy - GDPR, CCPA, state privacy regulations. Repealing privacy shield, EU Cookie Directive Federal government - CMMC requirement for all 3rd parties/4th parties working with DOD to be certified by 2026. NIST: new prescriptive framework of choice Increasing difficulty as requirements rise to make this a core capability Health Care - we need to research something about this. Not familiar enough
- 25+ different frameworks to consider. Growing regulation list: https://docs.google.com/spreadsheets/d/1SUVWukag0Rcgs_mH9wGeMdYF4EUAd4D8lcOVx8JHla8/edit?usp=sharing Top 4 Cybersecurity frameworks: https://www.itgovernanceusa.com/blog/top-4-cybersecurity-frameworks 25 different frameworks: https://securityscorecard.com/blog/top-cybersecurity-frameworks-to-consider Rising number of Regulations Cybersecurity & Privacy (e.g. 280 new cybersecurity bills introduced in 2020 alone) Snowball effect Lack of standardization within and across industries Leaves a lot up to interpretation There are attempts to harmonize within industries but this could take years. So, for now SaaS companies should think about InfoSec and Privacy compliance as: Core Capabilities that need to be invested in Programs need to be flexible and adaptable to allow SaaS companies to scale because of : The current landscape and the rising tide And because as your relationship grows, the risk to the enterprise grows. Q: How do we expect 4th parties to be regulated? Define Risk Clarify Standards Create Transparency Demonstrate Trust SPEAKER NOTES: Needs to be something more to offer back to banks in terms of security We need to defining risk - what is an appropriate level of risk for small businesses? Adding clarity around standards and assessments, as well as those who are executing assessments Creating easier flow of information and management of risk through continuous monitoring, integrations, etc. transparently Systems that have data available when it’s needed to answer questions on demand Annual diligence process dependent on criticality of the vendor
- need for continuous monitoring - impacts who you are as a company and how you do business Reputational risk * Criticality of vendor impacts the number of requirements As your business grows with the enterprise, this process will increase for your business lines - reflective of a good relationship with the enterprise More robust reviews (this is a good thing!) Q: What does the current compliance landscape look like for SaaS businesses? Financial Services Privacy Federal Healthcare SPEAKER NOTES: Financial Services - New proposed interagency guidance for managing 3rd party relationships. First time the Federal Reserve, FDIC and the OCC issued guidance jointly. It is out now for comments. PCI DSS → Privacy - GDPR, CCPA, state privacy regulations. Repealing privacy shield, EU Cookie Directive Federal government - CMMC requirement for all 3rd parties/4th parties working with DOD to be certified by 2026. NIST: new prescriptive framework of choice Increasing difficulty as requirements rise to make this a core capability Health Care - we need to research something about this. Not familiar enough
- 25+ different frameworks to consider. Growing regulation list: https://docs.google.com/spreadsheets/d/1SUVWukag0Rcgs_mH9wGeMdYF4EUAd4D8lcOVx8JHla8/edit?usp=sharing Top 4 Cybersecurity frameworks: https://www.itgovernanceusa.com/blog/top-4-cybersecurity-frameworks 25 different frameworks: https://securityscorecard.com/blog/top-cybersecurity-frameworks-to-consider Rising number of Regulations Cybersecurity & Privacy (e.g. 280 new cybersecurity bills introduced in 2020 alone) Snowball effect Lack of standardization within and across industries Leaves a lot up to interpretation There are attempts to harmonize within industries but this could take years. So, for now SaaS companies should think about InfoSec and Privacy compliance as: Core Capabilities that need to be invested in Programs need to be flexible and adaptable to allow SaaS companies to scale because of : The current landscape and the rising tide And because as your relationship grows, the risk to the enterprise grows. Q: How do we expect 4th parties to be regulated? Define Risk Clarify Standards Create Transparency Demonstrate Trust SPEAKER NOTES: Needs to be something more to offer back to banks in terms of security We need to defining risk - what is an appropriate level of risk for small businesses? Adding clarity around standards and assessments, as well as those who are executing assessments Creating easier flow of information and management of risk through continuous monitoring, integrations, etc. transparently Systems that have data available when it’s needed to answer questions on demand Annual diligence process dependent on criticality of the vendor
- Growing regulation list: https://docs.google.com/spreadsheets/d/1SUVWukag0Rcgs_mH9wGeMdYF4EUAd4D8lcOVx8JHla8/edit?usp=sharing Rising number of Regulations Cybersecurity & Privacy (e.g. 280 new cybersecurity bills introduced in 2020 alone) Snowball effect Lack of standardization within and across industries Leaves a lot up to interpretation There are attempts to harmonize within industries but this could take years. So, for now SaaS companies should think about InfoSec and Privacy compliance as: Core Capabilities that need to be invested in Programs need to be flexible and adaptable to allow SaaS companies to scale because of : The current landscape and the rising tide And because as your relationship grows, the risk to the enterprise grows. Q: How do we expect 4th parties to be regulated? Define Risk Clarify Standards Create Transparency Demonstrate Trust SPEAKER NOTES: Needs to be something more to offer back to banks in terms of security We need to defining risk - what is an appropriate level of risk for small businesses? Adding clarity around standards and assessments, as well as those who are executing assessments Creating easier flow of information and management of risk through continuous monitoring, integrations, etc. transparently Systems that have data available when it’s needed to answer questions on demand Annual diligence process dependent on criticality of the vendor
- 25+ different frameworks to consider. Growing regulation list: https://docs.google.com/spreadsheets/d/1SUVWukag0Rcgs_mH9wGeMdYF4EUAd4D8lcOVx8JHla8/edit?usp=sharing 25 different frameworks: https://securityscorecard.com/blog/top-cybersecurity-frameworks-to-consider Rising number of Regulations Cybersecurity & Privacy (e.g. 280 new cybersecurity bills introduced in 2020 alone) Snowball effect Lack of standardization within and across industries Leaves a lot up to interpretation There are attempts to harmonize within industries but this could take years. So, for now SaaS companies should think about InfoSec and Privacy compliance as: Core Capabilities that need to be invested in Programs need to be flexible and adaptable to allow SaaS companies to scale because of : The current landscape and the rising tide And because as your relationship grows, the risk to the enterprise grows. Q: How do we expect 4th parties to be regulated? Define Risk Clarify Standards Create Transparency Demonstrate Trust SPEAKER NOTES: Needs to be something more to offer back to banks in terms of security We need to defining risk - what is an appropriate level of risk for small businesses? Adding clarity around standards and assessments, as well as those who are executing assessments Creating easier flow of information and management of risk through continuous monitoring, integrations, etc. transparently Systems that have data available when it’s needed to answer questions on demand Annual diligence process dependent on criticality of the vendor
- \To cope with the increasing complexity of vendor risks, industries and regulators have developed need for continuous monitoring - impacts who you are as a company and how you do business Reputational risk * Criticality of vendor impacts the number of requirements As your business grows with the enterprise, this process will increase for your business lines - reflective of a good relationship with the enterprise More robust reviews (this is a good thing!) Q: What does the current compliance landscape look like for SaaS businesses? Financial Services Privacy Federal Healthcare SPEAKER NOTES: Financial Services - New proposed interagency guidance for managing 3rd party relationships. First time the Federal Reserve, FDIC and the OCC issued guidance jointly. It is out now for comments. PCI DSS → Privacy - GDPR, CCPA, state privacy regulations. Repealing privacy shield, EU Cookie Directive Federal government - CMMC requirement for all 3rd parties/4th parties working with DOD to be certified by 2026. NIST: new prescriptive framework of choice Increasing difficulty as requirements rise to make this a core capability Health Care - we need to research something about this. Not familiar enough