TPRM (third-party risk management) refers to managing the risks that come from using third-party providers of goods and services. These include vendors, suppliers, partners, contractors, and service providers. It involves identifying, assessing, mitigating, and monitoring these risks, which are also called outsourcing risks. While outsourcing risks specifically relate to outsourced activities, third-party risk is a more general term that encompasses all risks from third parties that can impact the client institution.
Financial firms outsource various activities to specialized third-party providers to
save costs and benefit from their expertise, and
reduce operational risks in processes and data.
While this may reduce errors and cybersecurity risks, it doesn’t fully mitigate operational risk and instead creates a new challenge of managing third-party risk. Third-party risks in financial institutions include service disruption, fraud, data privacy breaches, compliance breaches, IP theft, and reputational damage. These risks are similar to operational risks that can occur within the institution itself.
TPRM manages risks from third parties (vendors, suppliers, etc.) and can also extend to fourth parties (subcontractors of service providers) and even fifth parties (suppliers of the suppliers). This approach touches upon the entire supply chain of an organization.
“Third-party failure” risk has become increasingly significant. For many institutions, TPRM is categorized as a level 1 operational risk and is managed using specific risk management practices. In its revised taxonomy, ORX has placed third-party risk as a level 1 risk category.
Financial firms have outsourced core processes such as loan and deposit processing, payroll processing, and customer call centers to third-party providers in recent decades. They also use third-party relationships, especially with FinTechs, to implement new business applications and digital services. These companies are often located in countries different from that of the contracting bank. Outsourcing to a company in a different legal jurisdiction increases country risk, as well as compliance and legal risk.
The COVID-19 pandemic has increased the reliance on outsourcing and highlighted the risks from international supply chain disruptions. Managing third-party risks has become more complex with the proliferation of IoT devices in firms, which adds an extra layer of exposure for sensitive data. For example, Avanti Markets experienced a hack through its vending machines connected to employee cards for payment, exposing personal data to hackers.
TPRM is closely related to information security management, data privacy risks, and business continuity management. Unfortunately, it remains a challenge for many organizations, and a 2018 study found that nearly 60% of companies surveyed experienced data breaches caused by third parties or vendors in the past year. A 2020 survey by TPRM consultants across several industries and countries found the following –
77% of organizations had limited visibility into their third-party vendors.
80% had suffered a third-party-related breach in the past year.
The average number of breaches experienced was more than two.
Only 22.5% monitored their entire supply chain.
TPRM Life Cycle
There are five stages in the life cycle of the TPRM process –
Business Model Decision – The initial stage of the TPRM process is about making strategic decisions regarding outsourcing and provider selection, including considerations of quality and pricing. These decisions depend in part on the firm’s risk appetite.
Evaluation, Risk Rating, and Due Diligence – Due diligence and evaluation of third-party providers are crucial steps in TPRM, just like customer due diligence in AML risk management. Proportionality is important in due diligence, i.e., long-term and complex arrangements (e.g. an IT cloud company in charge of hosting sensitive data) require more due diligence than short-term and simple ones (e.g. a consultant doing a one-day training course). Standard assessment questionnaires, such as the SIG questionnaires provided by Shared Assessments, are increasingly used to simplify and standardize due diligence.
Contracts, SLAs, and Contract Management – Contracts and SLAs are often neglected in third-party management, posing risks and control issues. Clear definitions of responsibilities, expectations, and quality measures are crucial to avoid misunderstandings and operational risks. Ambiguity in expectations is a common reason for third-party relationship failures. Therefore, expectations should be formally established in the contract and SLA, with clear and measurable quality measures. When dealing with foreign-based service providers, it is essential to ensure they understand applicable domestic laws and comply with them. Before signing contracts, all open issues must be assessed and remedied, and periodic reviews established to ensure compliance and remediation of contract deficiencies. Cross-country contract management adds complexity, as seen during the COVID-19 pandemic shutdowns. Contract terms can address fourth-party risk management by establishing standards or limits on outsourcing. Vendor standards can be replicated from the firm’s own rules, and audit rights should be included for continuous monitoring.
Continuous Monitoring – Monitoring service provision, SLAs, and compliance is vital in TPRM. Thorough implementation of the first four TPRM life-cycle steps results in shorter reassessment and review cycles. Trigger events should be defined for reassessment, not just during scheduled reviews or at end-of-contract. These triggers can be data breaches, business or legal changes, performance failures, or “Acts of God” such as COVID-19. An exit strategy should be developed in case things do not go as planned, addressed in the fifth step of the TPRM life-cycle.
Remediation or Termination – Although third-party relationships usually end when contracts are completed, it is advisable to include a grievance period and an exit strategy or termination clause that allows firms to terminate contracts when needed. Termination of relationships can occur for various reasons, including convenience, regulatory changes, or other abrupt reasons. Both parties should plan for a wind-down process that includes transferring intellectual property, transitioning to in-house services or another provider, and providing evidence of data transfer or destruction if necessary. Fairness is essential in termination situations.
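The proportionality rule from the due-diligence step and the trigger events from the monitoring step can be expressed as a small piece of policy code. The following is an added illustration, not material from the course notes: the tier thresholds, review intervals, and the sample vendor register are constructed assumptions, and the engagement attributes (sensitive data, term length, use of subcontractors) are one plausible way to score an arrangement.

```python
"""Vendor tiering and reassessment triggers for the TPRM monitoring step."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Constructed policy values (assumptions, not from the course notes):
# how often each tier is reassessed when no trigger event occurs.
REVIEW_INTERVAL_DAYS = {"high": 180, "medium": 365, "low": 730}

# Trigger events that force reassessment regardless of the schedule.
TRIGGER_EVENTS = {
    "data_breach",
    "business_change",
    "legal_change",
    "performance_failure",
    "act_of_god",
}


@dataclass
class Engagement:
    vendor: str
    hosts_sensitive_data: bool
    term_months: int
    uses_subcontractors: bool  # fourth-party exposure
    last_assessed: date
    events: List[Tuple[date, str]] = field(default_factory=list)


def risk_tier(e: Engagement) -> str:
    """Proportional due diligence: score the arrangement and map it to a tier."""
    score = 0
    if e.hosts_sensitive_data:
        score += 2
    if e.term_months >= 12:
        score += 1
    if e.uses_subcontractors:
        score += 1
    if score >= 3:
        return "high"
    if score >= 1:
        return "medium"
    return "low"


def next_scheduled_review(e: Engagement) -> date:
    """Scheduled review date derived from the tier's interval."""
    return e.last_assessed + timedelta(days=REVIEW_INTERVAL_DAYS[risk_tier(e)])


def reassessment_reason(e: Engagement, today: date) -> Optional[str]:
    """Return why the engagement must be reassessed now, or None if it is current.

    A trigger event that occurred after the last assessment wins over the
    schedule; unknown event types are rejected so they cannot be silently ignored.
    """
    for when, kind in e.events:
        if kind not in TRIGGER_EVENTS:
            raise ValueError(f"unknown trigger event: {kind}")
        if e.last_assessed < when <= today:
            return f"trigger:{kind}"
    if today >= next_scheduled_review(e):
        return "scheduled"
    return None


def overdue_engagements(engagements: List[Engagement], today: date):
    """Monitoring report: every engagement that needs a review, with its reason."""
    report = []
    for e in engagements:
        reason = reassessment_reason(e, today)
        if reason:
            report.append((e.vendor, risk_tier(e), reason))
    return report


# Constructed sample register: a cloud host holding sensitive data with
# subcontractors, a one-day trainer, and a payroll processor that missed an SLA.
SAMPLE = [
    Engagement("cloud-host", True, 36, True, date(2023, 1, 10)),
    Engagement("trainer", False, 1, False, date(2023, 6, 1)),
    Engagement("payroll", True, 24, False, date(2023, 9, 1),
               events=[(date(2023, 11, 5), "performance_failure")]),
]
REPORT_DATE = date(2023, 12, 1)

if __name__ == "__main__":
    for row in overdue_engagements(SAMPLE, REPORT_DATE):
        print(row)
```

Run as a script, the report lists the cloud host (high tier, scheduled review overdue) and the payroll processor (high tier, forced by the performance failure), while the one-day trainer is left alone until its low-tier interval elapses.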
Case Studies
There are two compelling case studies related to TPRM. The first involves a data breach at Capital One caused by a former third-party vendor employee, while the second focuses on weak third-party controls at Morgan Stanley. These cases emphasize the importance of data security and TPRM and demonstrate that the responsibility for managing risks ultimately falls on the institution utilizing third-party vendors, as it cannot be delegated to others.
1. Capital One Data Breach by Former Amazon Web Services (AWS) Employee
In July 2019, Capital One (a US Bank holding company) reported that data for around 100 million people in the US had been illegally accessed. A former employee of AWS was later arrested and charged with stealing 140,000 Social Security numbers and 80,000 bank account numbers.
The attacker exploited a misconfigured Web application firewall to access files in an AWS database. Capital One and AWS were aware of their vulnerability to SSRF attacks, but the stolen data was not encrypted due to improper configuration. Capital One addressed the bug and modified its automated scanning to detect the issue.
Cloud service providers offer strong security, but businesses remain responsible for risk management, monitoring, backups, and maintenance. Capital One was fined $80 million by the Office of the Comptroller of the Currency (OCC) for failing to establish effective risk assessment processes before moving IT operations to the public cloud. The bank also faced lawsuits consolidated into a single case in 2020. Cloud breaches often result from poor security practices, despite cloud providers offering strong security features. Customers must take responsibility for implementing these features. In the case of Capital One, the bank had a history of weak controls and failures to address them, leading to regulatory fines and lawsuits. An internal audit four years before this incident failed to identify control weaknesses in the cloud environment. The OCC found the bank’s deficiencies constituted unsafe practices and resulted in noncompliance with information security standards.
2. Morgan Stanley
Morgan Stanley was fined $60 million by the OCC for inadequate risk management and oversight of vendors during the decommissioning of two data servers in 2016, and for similar issues with wide-area application service devices in 2019.
The OCC found the following –
the bank did not properly evaluate or mitigate the risks associated with decommissioning its hardware,
the bank did not sufficiently evaluate the risk of using third-party vendors, including subcontractors, and
the bank did not maintain a proper inventory of customer data stored on the devices in question.
The OCC found that Morgan Stanley did not perform adequate due diligence in selecting and monitoring third-party vendors. In 2016 and 2019, incidents related to decommissioning of hardware resulted in customer data being compromised. The bank notified impacted customers and offered credit monitoring services, but also faces a class action lawsuit. This case emphasizes the relationship between data security and third-party risk management, and reinforces the idea that accountability for operational risks cannot be transferred through outsourcing.