This document discusses third party risk management (TPRM) in the UK. It notes several data breaches involving third parties that exposed personal and payment card data. It advocates for establishing formal TPRM frameworks aligned with enterprise risk management. It promotes standardizing TPRM processes using tools from the Shared Assessments program to increase efficiency and allow assessments to be shared. It also notes increasing regulatory pressure around operational resilience and the need for senior management oversight of outsourced activities.

1. Sean O’Brien, Director, DVV Solutions
sobrien@dvvs.co.uk
Third Party Risk Management in the UK

2. 2 Private and Confidential © Copyright 2019www.dvvs.co.uk
The Third Party Risks Are Real
380,000 PII and PCI Records stolen by Magecart
Primary incident took place over two weeks in August 2018
40,000 PII & PCI Records - June 2018
Inbenta Technologies - Third Party Customer Support App
70,000 PII records of potential offenders - January 2019
ElasticSearch server – Third Party Platform Service

3. 3 Private and Confidential © Copyright 2019www.dvvs.co.uk
Oversight &
Governance
Third Party
Inventory
Risk Approach
& Models
Policies &
Standards
TPRM
Processes
Technology,
Automation &
Reporting
Third Party
Risk
Management
Enterprise Risk Management
Framework

4. 4 Private and Confidential © Copyright 2019www.dvvs.co.uk
Defining Third Party Due Diligence
What is a Third Party?
What is the breadth of Third Party Risk?
Key elements of a Third Party Risk Assessment process:
Onsite Assessment
Remote Assessment
(Questionnaire/Attestation)
Risk Advisory &
Remediation Tracking
Continuous Monitoring

5. 5 Private and Confidential © Copyright 2019www.dvvs.co.uk
Know Your 3rd Parties….
Scope:
Q. Do you have a comprehensive list of ALL 3rd Parties, the services they
provide and a risk register/rating for each one?
Q. What access do 3rd Parties have to data/systems/applications?
Do they really need it?
Q. What PII, Sensitive and Mission-Critical data storage and processing is
outsourced by your 3rd Parties – to nth Parties?
Q. What % of your data processing is performed Internally v Externally?
Appetite:
Q. Is your spend on 3rd Party risk and compliance proportional?

6. 6 Private and Confidential © Copyright 2019www.dvvs.co.uk
Regulatory Drivers

7. 7 Private and Confidential © Copyright 2019www.dvvs.co.uk
Increasing Regulatory Pressure
Existing regulation in support of building “Operational Resilience”:
“Boards’ and senior managements’ oversight also needs to cover any activities outsourced to third-
party providers... While outsourcing can enable firms and FMIs to manage risks more effectively and
at a reduced cost, it can also give rise to new risks for which they remain responsible.“
BoE Discussion Paper DPO1/18, Jul 2018
GDPR and the data supply chain:
“Controllers…must only appoint Processors who can provide ‘sufficient guarantees’ that the
requirements of the GDPR will be met… Controller also has a duty to ensure the Processor’s security
arrangements are at least equivalent to the security the Controller would be required to have..”
ico.org.uk
Senior Managers and Certification Regime (SM&CR):
“The strengthening accountability regimes for banking and insurance help to support a change in
culture at all levels…. A new set of Conduct Rules applying to banking and Solvency II firms that
includes the responsibility of senior managers for oversight of any delegated activities.”
fca.org.uk

8. 8 Private and Confidential © Copyright 2019www.dvvs.co.uk
TPRM State Of The Nation
Deployments - De-centralised, Centralised and Federated
Stakeholders - Historically Procurement, as they have become more risk orientated
- Contracts/Legal
- CISO/Cyber
- Governance/Compliance Teams
- New drivers from GDPR around Privacy and the emergence of the BISO role
- SMCR driving CIRO role
Assessments - Excel & Email, Manual, Limited automation, Self built (maybe ISO based), Q&A
Onsites - Coffee and Donuts, Peer to Peer Management meetings
Inefficiencies - 60% of a remote assessors time is spent on admin
- Limited frameworks in place
- Risk ownership
- Poor level of Standardisation – from business to business, sector to sector
What is the Tone at the Top?

9. 9 Private and Confidential © Copyright 2019www.dvvs.co.uk
Tone At The Top - Vendor Risk Management Benchmark Study
Key takeaways from 2018/2019 SA Study and other recent research
Fully 57% of organisations responding high board engagement had mature TPRM programs while
more than half of organisations with low board engagement levels had significantly underperforming program
Governance
55% of organisations reporting high board engagement had mature TPRM programs;
52% of organisations with low board engagement levels had seriously underperforming programs.
Policies Standards, and Procedures
57% of organisations reporting high board engagement had mature TPRM programs;
47% of organisations with low board engagement levels had seriously underperforming programs.
Contract Development, Adherence and Management
57% of organisations reporting high board engagement had mature TPRM programs;
50% of organisations with low board engagement levels had seriously underperforming programs.
Vendor Risk Assessment Process
57% of organisations reporting high board engagement had mature TPRM programs;
50% of organisations with low board engagement levels had seriously underperforming programs.

10. 10 Private and Confidential © Copyright 2019www.dvvs.co.uk
Key takeaways from 2018/2019 SA Study and other recent research
Skills and Expertise
56% of organisations reporting high board engagement had mature TPRM programs;
52% of organisations with low board engagement levels had seriously underperforming programs.
Communication and Information Sharing
56% of organisations reporting high board engagement had mature TPRM programs;
51% of organisations with low board engagement levels had seriously underperforming programs.
Tools, Measurement and Analysis
58% of organisations reporting high board engagement had mature TPRM programs;
53% of organisations with low board engagement levels had seriously underperforming programs.
Monitoring and Review
58% of organisations reporting high board engagement had mature TPRM programs;
51% of organisations with low board engagement levels had seriously underperforming programs.
In short… organisations with Highly engaged boards consistently post Higher practice maturity scores!
Tone At The Top - Vendor Risk Management Benchmark Study

11. 11 Private and Confidential © Copyright 2019www.dvvs.co.uk
Defining and Driving Standards & Best Practices
The Shared Assessments Program, the trusted source in third party risk assurance, is a member-driven, standards body with
tools and best practices that inject speed, consistency, efficiency and cost savings into the control assessment process.
Thought Leadership
− Members work to eliminate redundancies and create efficiencies,
for a faster, more rigorous, more efficient, and less costly means
of conducting vendor assessments.
TPRM Toolkit
− Vendor Risk Management Maturity Model (VRMMM)
− Standardised Information Gathering (SIG) Questionnaire
− Standardised Control Assessment (SCA)
− GDPR Processor Privacy Toolkit
Certification
− Certified Third Party Risk Professional (CTPRP)
− Certified Third Party Risk Assessor (CTPRA)
− Certified Third Party Risk Manager (CTPRM) 2020!

12. 12 Private and Confidential © Copyright 2019www.dvvs.co.uk
Where Are We Going?
Growing pressure on the content, quality and governance of Third Party risk throughout the organisation
Drivers both up and down the supply chain
More formal TPRM frameworks, aligned to ERM required
Increased Automation and Workflow
Collaborative, “Assess Once, Share Many” models

13. 13 Private and Confidential © Copyright 2019www.dvvs.co.uk
Building The Foundations
Policies
Procedures
Standards

14. 14 Private and Confidential © Copyright 2019www.dvvs.co.uk
Risk Assessment Inefficiencies
50%-60% of Time Taken in Risk Assessment is spent on Administration
− Planning & Scheduling
− Sending emails & Chasing Responses and Updates with Suppliers
− Understanding & Interpreting Responses
− Collating Data & Building Metrics
− Generating Reports
− Overlap and Repetition with other teams
− Poor Audit Trail
Consider the Typical Head and Management Cost……

15. 15 Private and Confidential © Copyright 2019www.dvvs.co.uk
Typical UK Manual Questionnaire
Content
• Usually 80-100 Questions
• Based on ISO 27002 or specific historic issue/requirement
• Each question may be made up of multiple questions
• English word answers required
Common issues with “home grown” questionnaires: -
• Questions poorly worded and easily mis-interpreted
• Can miss key security control areas
• High overhead to maintain and improve the questionnaire to keep abreast of current legislation/regulation
• Answers open to interpretation, often requiring additional feedback/investigation - less valuable as an attestation

16. 16 Private and Confidential © Copyright 2019www.dvvs.co.uk
Shared Assessments Program – Trust, but Verify

17. 17 Private and Confidential © Copyright 2019www.dvvs.co.uk
Standardised Information Gathering (SIG) Questionnaire
• Member-driven questionnaire sets and procedure
• SIG Master, SIG Core, SIG Lite
• Automated analysis and scoring to quickly identify, prioritise and remediate issues
• Reviewed annually with updates and revision based on referenced industry regulation, guidelines and standard including:
• NIST, FFIEC, ISO, HIPAA, PCI, GDPR
• 18 Risk Control areas or “Domains” are assessed in one document:
• Operations Management
• Access Control
• Application Security
• Incident Event and Comms Mgmt
• Business Resiliency
• Compliance
• End User Device Security
• Network Security
• Privacy
• Threat Mgmt
• Service Security
• Cloud Hosting
• Risk Assessment and Treatment
• Security Policy
• Organisation Security
• Asset and Information Mgmt
• Human Resources Security
• Physical and Environmental Security

18. 18 Private and Confidential © Copyright 2019www.dvvs.co.uk
Question Comparison: Typical vs. SIG

19. 19 Private and Confidential © Copyright 2019www.dvvs.co.uk
Independent customer questionnaire
Based on answering approximately 100 Questions
Time taken to complete questionnaire,
with evidence provided
Time taken to review and score
completed questionnaire
No. of Controls Assessed
(In accordance with SCA)
12 hours with evidence 8 hours 35
0
2
4
6
8
10
12
14
16
18
20
Overall Control Status
In Place High Impact Moderate Impact Low Impact
Domain Name Total In Place Findings High Impact
Moderate
Impact
Low Impact N/A
A. Risk Assessment and Treatment 1 0 1 1
B. Security Policy 1 1 0
C. Organizational Security 1 1 0
D. Asset and Information Management 3 2 1 1
E. Human Resources Security 4 3 1 1
F. Physical and Environmental Security 5 1 4 2 2 1
G. Operations Management 2 0 2 1 1
H. Access Control 6 4 2 2
I. Application Security 1 1 0
J. Incident Event & Communications Mgt 2 2 0
K. Business Resiliency 2 0 2 2
L. Compliance 0 0 0
M. End User Device Security 0 0 0
N. Network Security 2 2 0
P. Privacy 1 1 0
T. Threat Management 2 1 1 1
U. Server Security 1 1 0
V. Cloud Hosting 1 1 0
Total 35 21 14 3 6 5 1
% of Controls In Place 60%

20. 20 Private and Confidential © Copyright 2019www.dvvs.co.uk
Shared Assessments SIG Lite customer questionnaire
Based on answering 77 Parent questions and then depending on the response up to 328 questions in total
Time taken to complete questionnaire,
with evidence provided
Time taken to review and score completed
questionnaire with a Master SIG completed
No. of Controls Assessed (In
accordance with SCA)
16 hours with evidence 2 hour 136
0
2
4
6
8
10
12
14
16
18
20
Overall Control Status
In Place High Impact Moderate Impact Low Impact
Domain Name Total In Place Findings
High
Impact
Moderate
Impact
Low
Impact
N/A
A. Risk Assessment and Treatment 12 9 3 1 1 1
B. Security Policy 2 2 0
C. Organizational Security 1 1 0
D. Asset and Information Management 9 9 0
E. Human Resources Security 5 5 0
F. Physical and Environmental Security 9 9 0
G. Operations Management 8 7 1 1
H. Access Control 13 13 0
I. Application Security 20 20 0
J. Incident Event & Communications Mgt 11 11 0
K. Business Resiliency 8 2 6 2 4
L. Compliance 4 2 2 1 1
M. End User Device Security 2 2 0
N. Network Security 11 9 2 2
P. Privacy 10 4 6 4 2 3
T. Threat Management 6 5 1 1
U. Server Security 1 1 0
V. Cloud Hosting 4 2 2 2
Total 136 113 23 4 12 7 3
% of Controls In Place 83%

21. 21 Private and Confidential © Copyright 2019www.dvvs.co.uk
Observations
Time for Supplier to
complete
Time Taken for Review No. of Security Controls
Assessed
SIG 16 hours with evidence 2 hours 76
None SIG 12 hours with
evidence
8 hours 35
• Customers are frequently concerned that using SIG or SIG Lite represents considerably more questions and
Suppliers will frequently be put off, as they think it will take much longer.
• While the SIG took longer for the Supplier to complete we were asking considerably more questions and covering
a much larger number security controls.
• However, effort on the part of the Customer is significantly reduced both in time to assess and report and in
maintaining an up to date questionnaire.
• It should be noted that when the Supplier comes to complete the SIG/SIG-Lite the following year, all they will
have to do is update anything that has changed.

22. 22 Private and Confidential © Copyright 2019www.dvvs.co.uk
Onsite Assessment Process
Common issues
• Separate process/procedure to the remote assessment
• Poor or non-existent assessment audit log
• Inconsistent or missing metrics
• Overly time consuming to report on
• Reporting positives and negatives, NOT findings
• Resulting in increased man hours to undertake, assess and report
In a “Trust, but Verify” model, the Onsite assessment process should validate the statements made in the completed questionnaire
• Questionnaire should map to the onsite assessment and utilising the same metrics
• Questionnaires, previous assessments and Continuous Monitoring output should provide scope for the onsite assessment
• Onsite should identify Control Gaps, where a Policy or Procedure is not carried out in Practice
• Output from an Onsite Assessment should be: -
• Assessment Audit Log
• Findings Rep

23. 23 Private and Confidential © Copyright 2019www.dvvs.co.uk
Standardised Controls Assessment (SCA)
The “Verify” part of the “Trust, but Verify” Shared Assessments model
A holistic tool for performing standardised onsite and/or virtual risk management control assessments
A robust, consistent, repeatable assessment methodology, usable by:
• Organisations who want to perform a self-assessment
• Organisation who want perform and industry standard assessment on their third parties
• Any in-house audit or assessment team
• Any independent assessment firms
Test procedures, a control framework, reporting templates and engagement criteria to support assessments
Substantiation-based, not opinion-based
• The presence of a control is tested by evaluating attributes that define the control
• An opinion would require a more in-depth audit and effectiveness criteria
• This allows a faster execution and facilitates sharing

24. 24 Private and Confidential © Copyright 2019www.dvvs.co.uk
Standardisation – Goals for Clients and their Third Parties
Work collaboratively with other companies
through industry associations and public-private partnerships with outsourcers and vendors.
Improve Tone at the Top
to break down internal silos, so that TPRM efforts can be more effectively coordinated.
Form, build and sustain cooperative relationships within companies
to effectively span the alignment challenges presented by organisational silos.
Utilise industry-designed, standardised tools
to streamline information sharing where appropriate and improve efficiency/effectiveness throughout the TPRM
lifecycle.
Build critical mass within the TPRM ecosystem
using common controls, tools and practices, in order to reduce assessment overhead and improve risk management.

25. 25 Private and Confidential © Copyright 2019www.dvvs.co.uk
Keeping Score and Measuring Success
Third Party Program Metrics
• Quantity of Assessment by Risk Tier
• Quantity at current or through stage gates
• Open Findings/Remediation Expectations
• Assessors Assignments
Budgeting
• Average cost of an assessment (by tier)
• External assessment budget
• Travel Costs
• Personnel
• Training

26. 26 Private and Confidential © Copyright 2019www.dvvs.co.uk
How Can I Evaluate SIG?
DVV Solutions offer an economical SIG Evaluation Service.
A Shared Assessments Certified Third Party Risk Professional provides a detailed look at SIG tooling:-
Hands-on walk through of SIG tooling and processes
Cross-map your current questionnaire to the SIG-LITE questionnaire set
Identify any current risk domain and control gaps
Recommend where incorporating SIG could enhance your current processes

27. 27 Private and Confidential © Copyright 2019www.dvvs.co.uk
Managed Services
What Value Can a Managed Service Provider (MSP) like DVV Solutions Bring to TPRM?
• Experience….DVV Solutions has built and run multiple TPRM frameworks for customers
• As already discussed….Methodology and standards already in place, therefore time to value is significantly reduced
• No need to purchase and manage a TPRM platform, including SIG/SCA
• Scalability and flexibility of resources
• Accredited Assessors
• Free up your own resource to undertake more valuable tasks like reviewing findings and assessing risks

28. 28 Private and Confidential © Copyright 2019www.dvvs.co.uk
Questions?

29. 29 Private and Confidential © Copyright 2019www.dvvs.co.uk
You’re only as strong as your weakest link