I was recently invited to speak on a panel regarding third party risk strategies for the Securities Industry and Financial Markets Association's (SIFMA) Internal Auditors Society. While there, I had the opportunity to meet and hear from two individuals who are well known and respected in their respective fields: former US Attorney General John Ashcroft and noted author and cyber risk authority MacDonnell "Don" Ulsch.
John Ashcroft, in the keynote for this event, touched on topics ranging from homeland security and terrorism to cyber espionage. He delivered one commanding prediction: that financial institutions will need to prepare for "anticipatory compliance." In other words, organizations will need to be able to show that they are actively anticipating, studying and acting on perceived threats.
This makes sense on a couple of fronts.
First, given the present state of the world, we are seeing on an almost daily basis cyber threats from foreign adversaries, activist groups, crime syndicates and - yes - even from within our own walls. These can cause major disruptions to organizations, to third party service providers and ultimately to the consumers relying on the products and services that organizations provide. In addition to cyber threats, environmental and political events need to be added into the equation, as these can further affect our supply chains and the third party vendors that support critical processes.
Second, as organizations move full speed ahead to hit their targeted goals, they may not always take the time required to notice information on their radar that reveals possible threats to their business lines. That leaves them locked into reactionary mode (e.g., putting out fires), making it increasingly difficult to find the time to analyze their threat horizon. And when such time does become available, their resources are all too often pulled right back into the fray to fight the next blaze. In this way, the assessment of advancing threats becomes an afterthought rather than part of the planning process.
Both of these SIFMA speakers warned organizations that regulators are aware of this gap and are looking to close it. Given this prediction, it would be prudent for financial institutions to start preparing themselves for scrutiny into how they anticipate new threats; how they establish policies, procedures, standards and practices for dealing with them; and how they document these processes. This emerging construct demands that every organization's evaluation and planning be fluid as well as robust.
The same cautions surrounding anticipatory compliance extend to a financial institution's use of third party vendors for critical processes. Don Ulsch noted that FBI statistics show that two-thirds of all breaches are at third party levels. Various regulatory guidance has already been promulgated to the financial services community pointing the way as to how organizations are to take into account the roles third party service providers play in key processes, and indicating that anticipatory compliance should be pushed further, from the financial institution down to the third party vendor (1).
This would include targeted inquiry to third party vendors regarding what steps they themselves are taking with respect to anticipatory compliance: how they monitor, chart and provide analysis of risks affecting the key systems and processes that serve their customers.
None of us were ever issued a crystal ball, but we need to keep our eyes and ears open to possible threats and risks to our enterprises and develop a strategy to address them head-on. This is, in general, what anticipatory compliance demands. Additionally, organizations will need to document this work for assessment personnel and regulators.
1. Most notably: Third Party Relationships: Risk Management Guidance. Bulletin OCC 2013-29. Office of the Comptroller of the Currency. October 30, 2013. http://occ.gov/news-issuances/bulletins/2013/bulletin-2013-29.html; FFIEC Information Technology Examination Handbook. Appendix J: Strengthening the Resilience of Outsourced Technology Services. FFIEC. February 2015. http://ithandbook.ffiec.gov/it-booklets/business-continuity-planning/appendix-j-strengthening-the-resilience-of-outsourced-technology-services.aspx
Shared Assessments Senior Director Tom Garrubba is an experienced professional in IT risk and information controls, most recently in developing, maintaining and consulting on third party risk (TPR) programs for Fortune 100 companies. He is a nationally recognized subject matter expert and top-rated speaker on third party risk.