Ongoing Vendor Monitoring: Aiming for Total Transparency

Third-party vendors and service providers are often very responsive to initial requests for details about their practices. But once the contract is signed, information can be less forthcoming.

Yet ongoing vendor monitoring is a crucial part of third-party risk management. Changes in vendors’ practices or supply chains can expose your business to unexpected risk.

PrivSec Third-Party Risk will explore how to effectively monitor your third-party relationships on an ongoing basis and achieve near-total third-party transparency.

Transcription

Robert Bateman:

Hello, and welcome to PrivSec Focus Third-Party Risk. I’m your host for today, Robert Bateman, head of content here at GRC World Forums. And I’m excited to be here today to present a livestream experience, welcoming senior professionals and experts to explore all aspects of creating and maintaining a robust, efficient third party risk management program. So this event will feature presentations and panel discussions, providing some really fascinating content, and some practical, actionable insights for privacy and security professionals.

We have a fantastic lineup of leading speakers today, who will be discussing a whole range of topics, challenges, and opportunities that data protection privacy and security and risk leaders are facing right now.

On behalf of PrivSec, and from us here at GRC World Forums, the organizers of this event, I’d like to thank our headline sponsor, ProcessUnity. To learn about ProcessUnity’s initiatives, head over to the menu bar on your left and visit their page, where you can access some exclusive content. 

What’s on the agenda today? We’ve got many topics coming up, including ongoing vendor monitoring, a session on whether or not you can rely on third-party risk assessment questionnaires, a third-party risk master class on calculating inherent risk, and a few topics about supply chain management, including ethical supply chain management, and also avoiding supply chain attacks. 

You can access all of this and more by visiting the left hand menu and viewing the agenda. Make sure you register for your chosen session so you can access on demand versions as well. 

On behalf of GRC World Forums, I also just need to let you know about some of our plans for the coming year, at least a few of them. We’ve got our complete PrivSec global event coming up on the 29th and 30th of June, and some PrivSec Focus event, looking at specific issues such as privacy and security law in the Asia Pacific, enterprise risk management and GDPR four years on. Also, we’ve got some very exciting in-person events coming up this year. In June and July we’ll be visiting London, Dublin, and Amsterdam as part of Digital Trust Europe. We’ll also be looking at other areas that GRC World Forum covers at those events, including FinCrime, ESG and Cloud Modernization.

Lastly, we’ve just launched what is set to be one of our largest events of the year, called Hashtag Risk. This is a two day, in-person expo, taking place in London at the ExCel on the 16th and 17th of November. It will examine the changing risk landscape in a content rich, knowledge sharing environment. So, if you want to learn about any of these exciting events and all the others we’ve got coming up, please visit grcworldforums.com.

Now, let’s move on to our first panel of the day, Ongoing Vendor Monitoring, Aiming for Total Transparency. Our host for this session is Gareth Oldale, who’s partner, head of data, privacy and cybersecurity at TOT, LLP. Over to you, Gareth.

Gareth Oldale:

Thanks, Robert, and good morning everybody. Delighted to be here and delighted to be chairing the first session this morning, which is, as Robert mentioned, focused on ongoing vendor monitoring and aiming for total transparency. We’ll, perhaps, dive into that in a little more detail shortly.

I’m delighted to be joined by a really fantastic panel this morning. We have Jelle Groenendaal, who’s a senior associate researcher at Crisis Lab, and also the chief product owner at 3rdRisk. Perhaps, very well placed to talk on these matters. 

Puja Verma, who’s legal and privacy counsel at Phillips, based here in the UK company. Then we have Keitumetsi Tsotetsi, who’s a senior specialist in group governance risk and compliance, but with a particular focus on cybersecurity, which, again, will be great to unpack in more detail as we work through the session. Keitumetsi joins us from Vodacom. And last, but by no means least, Sumeet Kukar, who’s the CEO of Aracina, which is very much focused on delivering cyber for non-techies, which I think is certainly something which I can sign up to, Sumeet. So, thank you all for joining this morning.

I guess to get the ball rolling, Jelle, I may come to you first. The title of this session talks about aiming for total transparency. I guess a good place to start would be to ask the question of is this possible, total transparency? And if so, is it even desirable? Jelle, what are your thoughts?

Jelle Groenendaal:

Hi, Gareth. Thanks for this question. I think it’s a really good question, and well, I have a blunt statement, but my position is that aiming for total transparency is not really desirable, and it’s even hard to achieve in practice. What I think that you want to achieve in practice, based on my understanding of the scientific literature, because I’m next to a product owner, also a researcher, is that trust between you and your suppliers, you want to have trust. And you need to create an environment which your suppliers feel comfortable to timely report potential issues and incidents to you.

Let’s take an example, like the critical vulnerability as [inaudible 00:07:27]. You want to know from your suppliers if they are impacted, and have taken appropriate measures, especially of course, those suppliers with connection to your enterprise network.

And I think that aiming for total transparency can be counterproductive for creating trust. The more transparency does not automatically lead to more trust. It can even lead to reduction in trust, and there’s a lot of research that supports that. So, I would not be in favor of aiming for total transparency.

And furthermore, what I think, is that total transparency can also be a barrier for obtaining good understanding of your supplier chain risks. For instance, I’m in doubt whether if you have a lot of information from your suppliers, because, what does it mean, total transparency? It means that you get a full disclosure of all kinds of information. And the more information we have about something, the more distant we get from what it’s going on, and the less able we become in comprehending its full complexity.

So, total transparency means, in my view, that yeah, that you get overwhelmed with the information. And I think there’s a lot of research that shows that people are not really good at processing large amounts of information, so you want to prevent that. So, in short, I’m not really in favor of total transparency. For me, it’s more about intelligence accountability. You want to make sure that at-risk trust relationship, and for that, I don’t think you need total transparency. I think you need to have other things.

Gareth Oldale:

Completely blowing apart the agenda, Jelle, straight off the bat. That’s fantastic.

I should say, delighted to say we’ve had one question come through already, and we’ll certainly come to [crosstalk 00:09:12] but we’re keen to try and leave some time at the end of the session for questions. But if there are ones which fit in naturally with the flow of the discussion, we’ll absolutely pick those up in flight as well. So please do send those questions through.

Before we move on to the next question. I don’t know if anybody on the panel had any thoughts on Jelle’s point there, around the risks or the limitations that total transparency can bring? Sumeet, I can see you’ve come off mute. I don’t know if that’s coincidental, or if you were looking to take Jelle up on what he said.

Sumeet Kukar:

No, no. I was actually agreeing with Jelle. I didn’t realize I’d forgotten to unmute, so I didn’t actually come off. But yeah, no. Look, I guess while that I’m on unmute, poor choice, but anyway. Look, I think that what Jelle’s actually described is pretty much on point. I think it is really about that balancing between how much is too much? And I think that also leads into a whole separate can of worms, or a separate discussion about how much reporting and how much information is too much, so that you can’t actually fundamentally be able to sift through it. And I think it really becomes that whole balancing act.

Gareth Oldale:

Yeah. I think that’s the key, isn’t it? It’s striking that right balance between having sufficient information to feel like you have the right information to make informed decisions, whilst not being swamped with spreadsheets and MI reports every five minutes.

And needless to say, there’s plenty of tools, and really good tools, coming through all the time to help streamline that supply chain risk management process, particularly in the context of data. And cyber risk is something that we’re seeing a lot of innovation in that space at the moment, which is all to the good.

Puja, just building on that point that Jelle’s discussed, I guess the natural follow-on question, when looking at transparency, is what’s it look like in practice? What should organizations do? How can they approach proactive monitoring and transparency in their supply chains? And I guess the final part to that, if this isn’t too much to load into one question, is which parts of the business, in your experience, do you think need to be involved in completing that risk profiling?

Puja Verma:

Yeah, good question, Gareth. Nice meaty one for me to get into. First, I just want to say, it’s an absolute honor to be here. And, “Hello,” to everyone who’s watching.

So, I think with organizations, you really have to define what do you mean by transparency, and what you’re looking to get out of it. So, is transparency about having your due diligence questionnaire, getting that in, all the boxes agreeing because you’ve made a beautiful Excel spreadsheet that lights up. And then you’re happy, you’re satisfied that those assurances are there. And then you’re really taking an approach that is very much like an assurance based approach, so you know where you can shift your liability. You know you have recourse against that supplier, and you’re really taking a kind of profit over protection kind of approach. And there are organizations that do that. There are organizations that think that that’s absolutely fine, if you take a really kind of critical legal approach to it. 

But then you have another approach, which is actually the GDPI, and UKGDPI does say that you need to monitor your vendors. So, how are you going to do that? Are you going to take a collaborative approach that actually builds on, essentially what Jelle was saying, which is having that trust, having that kind of genuine transparency where your supplier can come to you and say, “Hey, like actually we’ve made a mistake. Something’s gone wrong. There’s a human error.”

We all know. We’re all professionals on there. We know that a data breach doesn’t have to be a hard-core hacking, malicious event. It can be a genuine mistake. So, having that genuine relationship is really, really important. 

Building onto the second part of your question, is who does that? Now, we’re probably one of very few people in an organization that has to manage data protection and cyber security. And something it is literally just one person. So, it’s not always going to be practical for you data protection officer, your privacy council, whoever, to be actually going in and trying to assess all the different vendors that you might have.

I think, personally, that the best way to do it, if we’re really focusing on good relationships and good quality relationship, the best way to do that is with the person who brought the supplier in. So, whether that’s an innovation team, whether that’s a procurement team, or even if it’s a sales team, whoever brought the supplier in has to kind of look after them and babysit them, just like you would with a customer. If you’re an account manager, you know, you work with account managers, you’ll understand what I’m saying. You’re picking up the phone and you’re calling them, and you want to know how they’re doing, and are they coming to an event. Like a little bit of care towards our suppliers, as well, could equally kind of create a really good environment of trust and transparency, that that’s actually workable.

So, to answer your question, I think you have to define what transparency means in your organization. But my preference is to take the root of actually nurturing that relationship more.

Gareth Oldale:

Fantastic. Thanks, Puja. I think I absolutely agree. We’re seeing, again, organizations invest quite significantly in vendor management, supply chain risk management, there are different names given to these teams. And inevitably, as you say, I think it’s falling quite heavily on the shoulders of the privacy function, whether that’s the DPO’s office, or a privacy consultancy unit, depending on the scale of the organization. And ditto InfoSec. That’s a lot of additional due diligence that’s falling within the day to day to-do list for those parts of the organization that perhaps wasn’t the case even just five or ten years ago.

Keitumetsi, I guess the corollary of all of what Puja’s just described there, is that there may be a degree of complacency that starts to creep in with compliance activities, and maybe a sense of people just going through the motions at times. What do you see are the risks around compliance complacency? And what do you think organizations can do to prevent that causing damage to their businesses?

Keitumetsi Tsotetsi:

Okay. Thank you so much for that question. So, when we look at compliance complacency, I mean, we’ve just heard about the great Excel spreadsheets that are green everywhere. And that is something that is very high risk, I believe, because then the focus becomes looking good on paper. And a lot of the trust is something that is very important that will come up frequently, I think, when it comes to third-party risk and third-party management. 

But the reason we actually get third-parties, is so that we can focus on our core business, right? So, the element of trust comes in where we say, “We trust that you are doing what you have to do. And here are a few things that we’d like you to look at.” 

What we’re finding is that there are so many frameworks and so many standards, and the organization has certain expectations, and the third-party has their own expectations, so it becomes this big activity of us proving that we’re doing this, and the vendor proving that they’re doing that, and do these things all align? And that takes away from actual risk management at the time.

So, what we much remember about controls, even when they are effective, is that they are a point in time assessment. And it’s almost impossible to have full visibility of everything that’s going on all the time, without planning and understanding what the high risks are within the organization.

So, I think what’s important is for the organization to have context of what they are doing and what their role is, the countries that they’re operating in, even taking into consideration the legislative environments. And for the third-party or vendor to have an understanding of what they are doing, the countries that they are operating in, the legislative environment, and what expectations are. And two, the organization and the third-party then coming together to see where there could potentially be major gaps, but also just to streamline and have an understanding of how things are done.

I think sometimes we impose a lot of what we want as organizations, instead of trusting that the vendor will do what they do. And it goes back to what Jelle was saying about transparency. If you see too much of what your vendor is doing, you will try to take control over that.

But I think the way to address this, is really just be aware of your risks. Have an active risk register that you are tracking. Understand how the introduction of that third-party could impact your risk, and understand how your third-party is managing that risk from their perspective as well.

And from a security and data privacy perspective, it’s so broad, and sometimes you have due diligence questionnaires that are about 180, 190 questions. It’s important to drill down and understand what it is that’s important. Are you doing the basics? Housekeeping, patch management, vulnerability management, access control, incidence response backups? There are some things that are very important, and there are some things, I won’t say let them go, but trust that your third-party is doing their job. I mean, I doubt they want to be hacked either, right?

Gareth Oldale:

Yeah, it’s pretty professionally embarrassing for any organization, isn’t it? It causes huge amounts of reputational risk, not to mention the financial risk and delivery risk of services, as well.

We’ve had a couple of questions come in, just whilst we’re talking there, Keitumetsi, that I think might be useful to pick up at this stage. One of those kind of builds on what you were just saying, actually, which is if your firm doesn’t have any oversight of their suppliers currently, what would you say would be the first place to start to get the transparency in the information? Would you look at some kind of risk banding? So, starting with your major suppliers first and working down from there? Any practical guidance you can give to colleagues on that point?

Keitumetsi Tsotetsi:

It’s never an easy one. From a major suppliers perspective, how organizations determine that is also different. Is it the people that are bringing in the most money? Or is it the people that have the most data, you know? So already having an understanding of where your risk is, which with each of the suppliers. And this is even before going into the formal assessment. You almost already know who has their hand very deep within the organization. And that’s where you can then start looking at your risk assessments. And, again, very drilled down version of what is critical and important. And also giving the vendors and opportunity to say where they might have issues, so that you can have visibility of that, and have an understanding of how that’s being resolved.

I think the mistake we make a lot is expecting perfection from the get-go. It’s much easier to start and fix things along the way, than it is to start with a whole complete picture. And from a transparency perspective, I think what Puja said is very important. You need to know what you want to know. And that way, the supplier, the vendor, the third-party will be able to give you the… Well, not give you the responses you’re looking for, but answer the questions that you are putting forward, and, hopefully honestly, as well.

And [crosstalk 00:22:01] once you have a… Sorry, I’ll just wrap it up. Because once you have a system of vendors, and you have an overall risk of which vendors potentially pose more risk than others, you actually also know how to direct your attention towards certain activities from a business as usual perspective.

Gareth Oldale:

Yeah. Absolutely. Couldn’t agree more. I think that that approach of identifying which are your higher risk suppliers, if you like, but acknowledging that that might not just be the value of the contract or the nature of the services. But it could be things like, obviously hot topic at the moment, are there any international data transfers involved, and if so, where are they going to and from? Is there particularly sensitive data that’s being processed? So something which might be quite a small contract, like your potentially an occupational health contract, or something that involves quite significant volumes of medical data, for example, and yet the contract value is quite low, could be escalated quite high up your risk triage system pretty quickly, and sit quite comfortably alongside some of your more kind of megalithic contracts, if you like. Your ERP solution, for example, which is likely to trigger that higher prioritization.

But certainly organizations that we’ve been working to, the person who submitted that question, I think if you’re starting from a green field site, if you like, then certainly it makes complete sense to focus your energies on those which present the highest risk first, and then move down the chain, particularly if you’re in a situation where you are working with a constrained budget, or with a finite amount of resource. That seems to be an approach which organizations favor, and also something which I think regulators can sympathize with.

Puja, there was another question along similar lines, actually, that came in almost at the same time. In terms of that monitoring piece that you were talking about, what do you consider to be best practice in terms of what should be indicated in the contracts? So, for example, should you include audits within your contract provisions?

Puja Verma:

Yeah. Audit rights are… I think they’re the bane of my life, in the role that I’m in. I’m just going to be completely candid, completely honest. You have to really think about if you want the right to audit, and I know the GDPR does talk about having rights to kind of observe the practices of your sub-processors and your processors. The challenge with audit rights is if I’m doing a contract with Amazon, I’m not catching a flight to Seattle, or wherever they’re based, and they’re not going to let me in. They’re probably going to tell me to go away. And it’s very, very hard to get those rights.

So, you have to really think about if I want audit rights, what do I want audit rights for? And who am I actually asking, and am I actually going to get that? So a lot of that is combative, I think. 

When I look at larger companies, I’m looking at they’re providing an audit report on an annual basis that you can maybe log into a platform and access. Is that going to satisfy you?

And then moving backwards, we were talking about trust. If you’re looking at an organization, do you actually trust them to do the job? If you don’t trust them to do the job that you’re hiring them for, why are you hiring them in the first place?

And then when we’re looking at maybe slightly smaller organizations, what kind of a burden are you putting on them by saying, “Hey”, in my case, “I’m Phillip. I’m going to just rock up into your offices, and I’m going to just start assessing everything.” 

So, the way I actually handle that, is I say, “Okay, there’s a cost to all of us here, if we’re going to really go hard core down these audit rights route. Let’s say, if there’s a data breach, then I want to be able to investigate properly, and I want to be able to satisfy myself that you did everything that you could, I did everything I could, and we can actually speak to the regulator appropriately.”

And so, having kind of the relationship actually does the job that you want your audit rights clause to do, if you’re willing to invest in that route. If you’re not, then you can battle against lawyer to lawyer, and say, “Well, I want to be able to go in at five days notice.” It’s actually a big ask for any organization, large or small. And you’re putting cost on them, and you’re putting cost on you. 

I don’t know if that answers the question, Gareth. I could rant about audit rights all day.

Gareth Oldale:

Yeah, I think so. It’s certainly one of those that, when it comes to negotiating, those kind of based in the UK and the EU [inaudible 00:26:49], then you know when it comes to negotiating, the Article 28 provisions that need to go into a contract, audit rights is absolutely one of those that still needs to be a meeting of the minds, I guess, between the controller and the processor, because it can have quite a profound cost impact. 

You know, we’ve seen, for example, for some of the larger processors, provisions introduced that say, “Look, we’re happy for you to do an audit, but if we’ve got an ongoing customer audit at the same time. We’d ask you to align to that, so that we’re not having to start on one new audit every second day, as it were.” And other negotiations around the cost of delivering on those audits, as well. So, yeah still very much one of those areas.

Robert talked at the top of the session around looking at GDPR four years on, and I think one of the lessons learned for me, four years on, is that we’ve still not quite got to coalescence as an industry around some of those terms that you look to embed within contracts.

We’ve had a flurry of questions come in, which is fantastic. We’ll absolutely try and get to all of those before the end of our time, but Sumeet, just to bring you in. First of all, there’s quite a lot of focus when we’re looking at risk and vendor monitoring. There’s a lot of focus, understandably, on cyber, and I think the greatest concern often is in terms of how are we going to be impacted if there’s a cyber incident arising somewhere within the supply chain, and ultimately that causes damage to the end customer organization?

Do you have any guidance, Sumeet, on the strategy or the governance structures that you’d recommend for organizations to manage and mitigate that cyber attack risk within their supply chain?

Sumeet Kukar:

Yeah, definitely. And spot on, Gareth. I think you’ve nailed it on the head in terms of the cyber component of the third-party risk management of the supply chain. Short answer, if I can just sum it up in three words, is integrate cyber strategy, period. But, okay, I won’t leave you all hanging there. If we expand on that a little bit, what I’m actually trying to get at here, is mapping your cyber governance principals to the supply chain life cycle. And then take a cyber risk mitigation approach.

Personally, that would be my opinion. And that’s how I would actually recommend. That’s how I’ve advised a lot of others, in terms of this is a potential approach that you can take.

But, the follow-up question I always get, and I’m assuming everyone on the webinar is going to ask me this, is, “Well, that’s all fine. That’s the theory bit. How do I actually go and apply that? Like, what’s the practical?” So, I thought I might actually change this response into a bit of a practical exercise that everyone can do at home, as we go along.

It looks like this. Step one of the supply chain, onboarding. So, when it comes to your onboarding, what are you actually needing to do? You’re needing to review your third-parties for their existing cyber posture. And I know there’s one question that’s coming through from the audience that’s going to touch on this. But looking at what their current site assessment is, their maturity, or their current cyber posture, is a good indicator of how they’re going to be able to deal with future cyber incidents, if and when they do happen.

But then what that does, is it paves a way for you to check the cyber controls. So, the cyber controls that the third-parties actually have in place will tell you a bit of a chance about, “Okay, how do you actually go about mitigating that?” What’s the residual that you’re actually coming across, rather than just basing and assessing and prioritizing everything on inherent risk.

The take-away from the first step is you’re reducing your cyber risk through due diligence. That’s pretty much the take-away on that.

The second step is your ongoing influence of the life cycle. So here, you’re looking at reporting of security incidents versus reporting of security test results. My question to everyone on the audience here, is for any third-party supply chain management that you actually reviewing, or anyone that’s actually you’re engaged with, what are they reporting to you? Are they reporting security incidents to you? Or, are they actually reporting the results of the security tests that they’ve undertaken, whether that be a security audit, whether that be a [inaudible 00:31:08], whether that be their internal risk assessment, or their own cyber threat analysis. Are those the results being shared with you? Or, is it only something that gets through? So what was a near miss, and what was an actual hit, is a big question mark.

The other thing is, if third-parties are then addressing vulnerabilities, what’s the communication timeline, and how do they actually go about doing that? So your take-away from the second step of the supply chain model, is you’re reducing your cyber risk through your own vulnerability management program, which in this case is also extending to third-parties.

Now, the last step in your life cycle is the exit, or off-boarding of a potential supplier. Here, you’re needing to actually look at IAM. So appropriately removing access privileges. Has this been done? Whom is actually looking at it? Whom has actually checked it? 

The second part of that is the data retention. So, is the data actually being scrubbed or deleted? Or is it being left out there in the open and still exposed after you’ve off-boarded someone?

So, the cyber principal and the practical take-away, is you’re reducing your cyber risk by managing your cyber attack surface area. But of course if you left that untouched or untapped, your surface area would actually be a lot greater.

So, in a nutshell, what I’m trying to get at here, is the requirement is to actually have the learning of the practical cyber skills, and infuse that with your third-party risk knowledge. And end the end, what you’re able to do by doing that, is integrate cyber strategy, and that is pretty much the take-away for that.

Gareth Oldale:

Fantastic. Really, really helpful commentary, Sumeet. And it’s certainly something I will take away with me, for sure. There’s a kind of related question that’s coming to me. I wonder if you might want to pick this up at the same time. So, the question is with respect to due diligence at the onset of relationship building, and when it comes to drafting that supplier questionnaire, is it better to use the recommended NIST guidelines and customize it to each relationship? Or is there another approach that you’d recommend?

Sumeet Kukar:

Look, I am open to it. I think it’s not the only way to do it, though. Well, look at maybe one that suits your needs. I think you could take any guidelines. Whether you take NIST, or whether you take a [inaudible 00:33:31] model or a [inaudible 00:33:32] model, whichever one you want to use, whether it be from a privacy, or whether it be from cyber, or a risk approach. Yes, definitely, there will be some level of customization, because you’re not going to have, “I can just apply the NIST framework and that’s all.”

Let me give you an example. If there was someone that actually you were about to onboard, and you did the due diligence relationship, and you drafted, okay, here’s what the NIST approach is. You might be actually looking at a certain five-step model there. But what about if you were an e-commerce business, and you’re level of available or uptime is your biggest cyber risk? And what if there was a DDoS attack on your online commercial platform? You would actually be down, and every second or every hour that you’re down, you’re losing millions and millions, right?

So in that case, would it not be fair to say that the respond and recover element of the NIST framework would actually play a greater weight? Because otherwise, you’d actually be doing 20%, 20%, or whatever percentage you do. All the sudden, you’d realize how just with one example of an e-commerce, or a commercial vendor, in terms of having an online presence, all the sudden changes the weights on it.

So what I would actually, and what I do recommend to a lot of people globally, is to take an approach from an appetite. Because at the end of the day, the board is responsible, right? So if you take a risk-based approach to say, “Okay, what are you willing to be able to accept?” With that recovery example, what is your recovery time objective? So are you willing to take four hours of downtime, if you’re on e-commerce platform? Or if you’re actually bricks and mortar, and you’re not actually relying on an online portal, then maybe the availability portion isn’t that big of a thing and it’s not the responsive thing, but it’s actually being able to have a presence physically, and actually looking at your cyber physical attacks.

So in short, I think definitely use NIST as a guideline. Definitely use other frameworks as a guideline. And definitely look at customization. But the way you customize it, you should be looking at weights, rather than actually looking at appetites, to actually guide you on how you assess your vendor. That would be my [inaudible 00:35:47].

Gareth Oldale:

Fantastic. Thanks, Sumeet.

Jelle, coming back to you. Another one of the questions that we’ve had through is around prioritization. And so the question is, what should be the priorities for managing third-parties and vendors? Should you focus more on self-assessments? Or on audits? Or is there a balance to be struck?

Jelle Groenendaal:

Yeah. Again, I think it’s indeed a balance. And what I always would advise my clients is to look at the risk of your third parties and vendors. In case of a high risk, you want to rely more on audits, and for the medium and low risk vendor suppliers, you can rely on due diligence assessments. But again, I think here it’s a balance. And what I always advise is to collaborate with your third parties. So based on your due diligence assessments, for instance, you can say, “Well, I have some more questions. Maybe it’s good to do…” And as a next step to do an onsite inspection, or have a drink with the supplier and ask for more detailed questions. So, not always have to be an audit, a firm audit. But you also can just visit your third-party, and just raise some questions, drink a cup of coffee, and have a conversation about things that might be worrying because of the assessment that the supplier filled in.

So I think it’s a balance, but for the high risk suppliers, it might be a due diligence assessments, then audits. But for the less important suppliers, for instance, those without access to your network, or those that do not process that much data of your company, you can rely on due diligence assessments, I think.

Gareth Oldale:

Yeah, I think even for the most well resourced of organizations, reality bites, doesn’t it? And I think the notion of auditing each one of your suppliers every 12 months, is just not going to be practical.

Jelle Groenendaal:

No, indeed. And the biggest ones, as already discussed by Puja, and by others, the don’t want you to audit them. So that’s why I always say, take a look at the suppliers below your biggest ones, like the Microsoft, the Amazons, those you don’t directly target with an audit. But maybe you have other suppliers that are a level below the big companies, that should get an inspection or an audit.

Gareth Oldale:

Yeah. Yeah, it’s a really good [crosstalk 00:38:18]- Sorry. Go on, Keitumetsi.

Keitumetsi Tsotetsi:

Sorry. I just wanted to say, I think we all also personally know how people feel about auditors. Also, having been and auditor, I know how people felt about me at the time. So, when we talk about transparency and trust, I think a lot of it is also about honesty, and giving the opportunity for your third parties and suppliers to be honest. And if you’re always just going to throw an audit at them, you might not get the desired results from an honest perspective, because of, I guess, the feelings we know that everyone has around auditors and how they worry about what the outcomes of those audits mean. Because sometimes they’re actually tied to people’s performance goals, and that brings company culture into it, about how the company deals with audits, and how the vendor’s culture is towards audits as well.

So, it is very important to meet your vendor where they’re at, and understand the context of the information you’re looking to get out of the vendor. That will inform the tools you should use, be it a consultant, an assurance provider, or an audit, or drinks, you know?

Jelle Groenendaal:

Indeed.

Gareth Oldale:

Exactly right. We had a question, actually to you, kind of along those lines, which is somebody saying, is assessing the processor or supplier maturity that’s equally important, and not necessarily scared of a supplier having been attacked or breached, as long as they show that they’ve handled it appropriately and learned the lessons from it? And the question is, “Am I wrong in thinking that?”

Keitumetsi Tsotetsi:

Absolutely not. So I think for all of us, what the focus is on is having reliable service, secure service, something that’s available, functional, and secure. And you know the assumption is that security is involved, right from defining the business requirements, through procurement, through design configuration and implementation. I’m sure we can have a whole separate webinar about the reality of that happening. But the assumption is that security is there, and they’re involved. And if anybody says they’re… I mean, we expect that breaches will happen. And sometimes they will be successful. That’s the nature of cyber security. And I definitely think knowing how a vendor handled a breach or a compromise is very important, because it’ll give you insight into how they would handle a similar situation if it were to happen within your organization space.

I mean, if you think about it, if somebody says, “I haven’t had a breach.” Which, maybe they haven’t, but they might just have chances, and it might not be a breach, but an attack. You know, attacks are not always successful. So just to differentiate between the two. How people identify, detect, and protect against, and recover, especially, from the attacks, is really important whether successful or not. And somebody who has actually gone through it will have a better way of telling you how they’d be able to handle it for you, as opposed to somebody who’s anticipating it in theory, and looking green on their audits.

Gareth Oldale:

Yeah, I mean it always raises the slightest alarm bell for me if you come across an organization that says it’s never had a breach. In my experience, it probably means that they have. They just don’t know about it. Which is probably more worrying than they have and they told you about it, because at least they’re picking it up right. I think it’s… Yeah. The threats are so pervasive at the moment that it’s… And increasing all the time, and I think it’s right to acknowledge that different organizations, different scales of organizations, and in different industries, there are different levels of organization maturity around vendor monitoring and risk and threat analysis. 

And so, I think one of the points you were making there, Keitumetsi, which I completely agree with, is that there are going to be different perceptions as to what constitutes a risk, or what constitutes a breach. And just having some understanding of that when you’re going in to audit, for example, an SME, compared to auditing a Microsoft or an AWS, or somebody of that scale, I think is going to give you a better outcome at the end of the process, for sure.

Keitumetsi Tsotetsi:

Absolutely.

Gareth Oldale:

Puja, there was a question earlier on that came through, which we might just loop back on. It’s a really interesting one, and we’d really welcome your views on this. Which is, where the term third-party is used, should be covering processors and sub-processors as well? And if yes, why?

Puja Verma:

It’s a good question. I personally take the view that when we’re looking at third parties, yes, we are looking at processors. We’re looking at sub-processors if we can have access to them. Or at least flow down the due diligence requirement to sub-processors. But I would also say I would also capture separate data controllers, and joint data controllers. And the reason why I take that approach is because ultimately I’m responsible for any data transfer that occurs outside of my organization, whether that’s a regulated transfer that goes down the supply chain, or down a project chain, but also if you’re, for example, you’re dealing with employee data and you’re sending that to a separate data controller to provide employee benefits, or for recruitment purposes. I also want to make sure that there’s at least basic provisions in place that’s not going to compromise the data that I’ve sent out or the data that I’m receiving in for those processing activities as well.

So maybe, I don’t know if that goes against the grain a little bit, but I would include all third parties. I think the approach that you take with those third parties is going to be different. Building on what Sumeet said, if you’ve got an e-commerce platform provider, then you’re going to take a different approach to someone who’s a recruiter who’s sending you CVs or you’re sending CVs to them. Having that conversation. So I think having a measured approach for each type of third-party. 

So to answer the second part, so why? I’ve already explained the data control, joint data controller piece. But if you’re… For processors and sub-processors, of course, there is legal requirement to do so. You do have to make sure that they also have the appropriate organizational and technical measures. Forgive me, I think it’s Article 32, I feel a bit on the spot right now, in order to comply with that requirement, you definitely want to be assessing as far down the supply chain as you possibly can. And if you can’t do that, then at least flow that requirement down.

And I could go into what happens when you hit a sub-processor that’s a massive Amazon or a Google, and all of that stuff. But maybe that’s a rant for another time.

Gareth Oldale:

But a very neat segue, Puja, into the very first question we had too, and actually it’d be remiss of us not to pick this up, because we’ve just got a few minutes left, but we’ll try and squeeze in maybe two more questions. 

The first question that came through, was which of the hyperscale cloud providers have the right approach and considerations for privacy in their implementations and solutions? And I mean, what a question. What a question. Worthy of a session on its own, but I think the answer… my answer, and then would welcome views from others on the panel for sure. But my answer would be to say that they are all evolving. They’re all taking steps to improve their privacy practices, to respond to changes not just in the law globally, just as much as, for example, I sit here in the UK. So very much kind of EU and UK GDPR perspective on things. But then you pretty much look at any country in the world at the moment, and they’re doing something on privacy legislation Keitumetsi. No doubt we’ll talk to POPIA in South Africa, and that’s the same in, as I say, many other major data processing and data transfer destinations.

But yeah, I think each of the hyperscale cloud providers are doing something. We saw, in the wake of the Schrems II judgment from a couple of years ago. Fairly soon after that, Microsoft started talking about building its own EU domiciles, end-to-end cloud environment, so that even in cases of disaster recover, or fail over, or providing support and patching in, it would always be within the EU, rather than having any kind of default back to the US.

And we’ve seen others pick up on that as well. Along similar lines, the Google Analytics case is from the start of this year is starting to have an impact, and we’re starting to see the likes of Google, for example, change its approach to cookies management as a result. 

So yeah, there’s a great deal to say on the cloud providers. I don’t think any one of them has got it absolutely right at the moment, but they’re all iterating. They’re all improving all of the time. Keitumetsi, anything to add on that? Be interested to get your take from a… Don’t want it to be too GDPR centric, but if there’s anything to add from South African perspective, that would be really interesting.

Keitumetsi Tsotetsi:

I think, from a South Africa perspective, the biggest different between GDPR and POPIA is that POPIA also recognizes juristic persons as individuals.

Gareth Oldale:

Yeah.

Keitumetsi Tsotetsi:

So it’s not just the individual person, but companies are also seen as people, and their information has to be protected as well. I think, as you said as well, with the very big cloud providers, they usually have a lot of information about their security and privacy controls readily available online, even before you engage with them. And what I will say I’ve experienced at my previous workplace, was some of the challenges that employees faced sometimes with having certain requirements and going up against such a big company and saying, “Actually, we don’t want XYZ, or you guys need to change that.” 

And I haven’t, in honest, seen a successful attempt at challenging the big cloud providers. But what I can say is that they are very open with what they do have, and what they are doing within their organizations. Yeah.

Gareth Oldale:

Fantastic. Thank you.

I think we are just about out of time, so we’ll maybe have to leave it there. There are a few questions that we didn’t quite get to, so apologies if we haven’t been able to pick up your question. Needless to say, I think myself and any of the panelists would be very happy to pick up any queries that you’ve raised and we’ve not been able to discuss offline. So please do get in touch if that would be helpful.

I’m conscious that there’s a fully-packed agenda for today, so I will try to keep us to time and wrap up there. So I think it just leaves me to say thank you so much to everybody for attending. And thank you, in particular, to Jelle, to Puja, Sumeet, and Keitumetsi, for attending and for offering your views on really interesting discussion.

Thanks, everyone. [crosstalk 00:50:37]

Keitumetsi Tsotetsi:

Thank you, everyone.

Puja Verma:

Thank you. Bye.

Robert Bateman:

Thanks so much to Gareth and the panel. Really great discussion there. I really enjoyed that. And some great questions from the audience. Quite a lot of audience engagement, which is great to see. One interesting question there that the panelists touched upon, about the distinction between third parties under the GDPR and processors, which of course are not classed technically as-