We are delighted to announce that Amanda Tilley will be speaking at PrivSec Focus: Third-Party Risk this week.
Amanda Lynn Tilley is the VP, Information Security Manager of GRC & Privacy for OceanFirst Bank, a New Jersey-based community bank with over $10B in assets. She is a Certified Information Privacy Manager (CIPM), Project Management Professional (PMP), and Associate Business Continuity Professional (ABCP).
Amanda will be among industry experts at PrivSec Focus: Third-Party Risk on Tuesday April 26. Through presentations and panel debates, the one-day livestreaming experience will examine the crucial role that third-party risk management (TPRM) plays as third-party networks expand to meet the needs of the global business community.
Conducting due diligence on prospective third-party providers is a vital part of ensuring compliance and lowering risk exposure.
We spoke with Amanda to learn more about her professional journey so far, and for more insight regarding due diligence checks into the compliance programmes of third-party providers.
1) Could you outline your career journey so far?
I graduated in 2011 with a Bachelor’s in Political Science and job-hopped for a few years, working on a political campaign, in the compliance sector of a complaints department at a collections company, and as a marketing manager for a pharmaceutical company, and finally landed in banking in 2013, which is where I’ve been since.
I started as a management reporting analyst reporting for the Chief Risk Officer for a small community bank in NJ. Through my responsibilities of helping report on MRAs (Matters Requiring Attention issued by the OCC), I assisted with technology and security-related initiatives and moved into a Business Systems Analyst role.
A couple of years later that bank was acquired by my current employer, OceanFirst Bank, a mid-size community bank headquartered in NJ, and I joined the Project Management Office.
Through these roles I gained experience and skills in risk management, compliance, and governance. In 2018, our current CISO took a chance on me, and I moved into the newly formed Information Security Department as an Information Security Analyst, tasked with drinking from a firehose to understand InfoSec and building out GRC for the department. In 2021, I moved into the position of Information Security Manager of GRC & Privacy, and here I am today.
2) What does “due diligence” mean when it comes to ensuring the compliance of third parties?
To me, due diligence is the process of collecting and evaluating artefacts to establish the inherent and residual risk a third party poses to your organisation.
This should ideally start with an internal inherent risk assessment of a vendor based on different risk categories (strategic, reputational, operational, legal/regulatory, financial), along with the type of data and access the third party may receive, access, process, store, etc.
After establishing the inherent risk, your organisation may have different sets of due diligence documents that must be provided by the vendor. Ultimately, these documents should provide the context and controls necessary to establish the residual risk of the third party to your organisation. Due diligence packages will vary, but those for third parties that have access to sensitive information or support a critical business function should include:
- SOC 2 Type II/SOC 3 or comparable independent validation of controls
- Any additional certifications as applicable (ISO27002, PCI DSS, HITRUST, etc.)
- SIG Questionnaire
- The third party’s relevant internal policies such as Information Security Policies, Business Resumption/Continuity/DR policies/plans, other relevant internal policies
- Certificate of Insurance (including cyber insurance)
- Proof of financial solvency
- Completion of your company’s questionnaires
- Appropriate contractual language, especially right to audit, incident/breach notification, SLAs, RTO/RPO.
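The tiering and evidence workflow described in this answer, as an added example that is not part of the original interview and not OceanFirst's own process: a vendor's inherent-risk tier is derived from the five risk categories plus data sensitivity and business criticality, the tier selects a required evidence package (the "high" package is the list above; the lighter tiers, the 365-day freshness window, the artefact names and the scoring scale are this example's assumptions), and residual risk is only lowered when every required artefact is present and current. The two vendor records are constructed sample data.

```python
"""Vendor inherent-risk tiering and due-diligence evidence gap check.

Added illustration only. Tier thresholds, the evidence freshness window,
artefact names and the lighter-tier packages are assumptions of this example.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

RISK_CATEGORIES = ("strategic", "reputational", "operational", "legal_regulatory", "financial")
TIER_NAMES = {1: "low", 2: "moderate", 3: "high"}
EVIDENCE_MAX_AGE = timedelta(days=365)  # assumption: artefacts older than a year are stale
REQUIRED_CONTRACT_TERMS = {"right_to_audit", "breach_notification", "sla", "rto_rpo"}

# Assumed due-diligence package per inherent-risk tier. The "high" package mirrors
# the interview's list; the "low" and "moderate" packages are this example's choice.
REQUIRED_ARTEFACTS = {
    "low": {"questionnaire"},
    "moderate": {"questionnaire", "certificate_of_insurance"},
    "high": {"soc2_type2_or_soc3", "sig_questionnaire", "internal_policies",
             "certificate_of_insurance", "financial_solvency", "questionnaire"},
}


@dataclass
class Vendor:
    name: str
    category_scores: dict                          # risk category -> 1 (low) .. 3 (high)
    handles_sensitive_data: bool
    supports_critical_function: bool
    evidence: dict = field(default_factory=dict)   # artefact name -> issue date
    contract_terms: set = field(default_factory=set)


def inherent_risk(v: Vendor) -> str:
    """Highest category score wins; sensitive data or a critical function forces 'high'."""
    score = max(v.category_scores.get(c, 1) for c in RISK_CATEGORIES)
    if v.handles_sensitive_data or v.supports_critical_function:
        score = 3
    return TIER_NAMES[score]


def evidence_gaps(v: Vendor, as_of: date) -> list:
    """List missing or stale artefacts, plus absent contract terms for high-risk vendors."""
    tier = inherent_risk(v)
    gaps = []
    for artefact in sorted(REQUIRED_ARTEFACTS[tier]):
        issued = v.evidence.get(artefact)
        if issued is None:
            gaps.append(f"missing:{artefact}")
        elif as_of - issued > EVIDENCE_MAX_AGE:
            gaps.append(f"stale:{artefact}")
    if tier == "high":
        for term in sorted(REQUIRED_CONTRACT_TERMS - v.contract_terms):
            gaps.append(f"contract:{term}")
    return gaps


def residual_risk(v: Vendor, as_of: date) -> str:
    """Controls lower risk only when the evidence validating them is complete and current."""
    tier = inherent_risk(v)
    if evidence_gaps(v, as_of):
        return tier
    return {"high": "moderate", "moderate": "low", "low": "low"}[tier]


def next_review(v: Vendor, as_of: date) -> date:
    # assumption: annual review for high/moderate vendors, every two years for low
    return as_of + timedelta(days=365 if inherent_risk(v) != "low" else 730)


# Constructed sample vendors (hypothetical names and dates).
AS_OF = date(2022, 4, 26)
CORE_BANKING = Vendor(
    name="ExampleCore Platform",
    category_scores={c: 2 for c in RISK_CATEGORIES},
    handles_sensitive_data=True,
    supports_critical_function=True,
    evidence={
        "soc2_type2_or_soc3": date(2021, 3, 1),      # 421 days old -> stale
        "sig_questionnaire": date(2021, 11, 1),
        "internal_policies": date(2021, 9, 15),
        "certificate_of_insurance": date(2022, 1, 10),
        "financial_solvency": date(2022, 3, 1),
        # "questionnaire" never returned by the vendor
    },
    contract_terms={"right_to_audit", "breach_notification", "sla"},  # no RTO/RPO clause
)
OFFICE_SUPPLIES = Vendor(
    name="ExampleOffice Supplies",
    category_scores={"reputational": 2},
    handles_sensitive_data=False,
    supports_critical_function=False,
    evidence={"questionnaire": date(2022, 1, 5), "certificate_of_insurance": date(2022, 2, 14)},
)

if __name__ == "__main__":
    for v in (CORE_BANKING, OFFICE_SUPPLIES):
        print(v.name, inherent_risk(v), residual_risk(v, AS_OF), evidence_gaps(v, AS_OF),
              next_review(v, AS_OF))
```

The point the structure makes is the one in the answer: a high inherent-risk vendor with a stale SOC report, an unreturned questionnaire and a missing RTO/RPO clause stays at "high" residual risk until those gaps close, while the low-impact supplier with a complete, current package drops a tier.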
3) In what ways does risk increase for companies that fail to monitor third party providers’ compliance?
It’s important to understand that utilising a third party does not transfer the risk to the third party. Instead, the third party is an extension of your organisation and their controls should reflect the controls your company requires.
You are responsible for what your third party does with your data, your customers’ data, and your employees’ data. In the US, we don’t have a federal data privacy law; we have a patchwork of state laws and administrative rules and regulations based on industry. You never want to be in a position where your third party suffers a data breach and investigations find your company did not conduct appropriate due diligence.
Your company increases its reputational risk, financial risk, legal/regulatory risk, and operational risk by ignoring third party risk management. Your cyber insurer may fail to cover your losses if appropriate due diligence was not completed. Your regulator (if applicable) may issue a fine or corrective action.
The risk of cyberattack is not “if”, it’s “when”, and while attacks aren’t necessarily prevented by due diligence, your company is in a much better position by knowing the cyber risk and posture of your third party. Due diligence is not foolproof and it’s not the whole story - it would not have predicted SolarWinds, or Microsoft Exchange servers, or the thousands of software companies using open source code - like Apache Log4j - but part of due diligence is protecting your company from right of action, regulatory action, bankruptcy, etc. Due diligence is ensuring your company did all it could to protect your business, its customers, and employees.
4) What are the primary challenges facing organisations as they bid to increase due diligence checks?
In the US, the biggest challenge is third-party cooperation and obligation. Many companies - at least the better ones - will have a SOC 2 Type II, but the SOC report is only as useful as the controls validated. It doesn’t necessarily paint the full picture of standards and controls. So, to dive deeper many organisations want their own questionnaire completed by the third party (good luck) – and I don’t blame the third parties because all of their customers are providing different questionnaires and that’s a lot of work when you’re trying to make a deal and churn business.
Now, technically, there is a standard questionnaire - SIG and SIG Lite, developed by Shared Assessments - but they are long and I haven’t come across many third parties (even large ones) that actually have this as part of a due diligence package. No one has time for that. Not even the people conducting the due diligence for the organisation. Which brings us to another challenge - getting the organisation on the same page.
Most people in your organisation probably understand third party risk and why it’s important at a high level – yes, an HVAC vulnerability caused a Target breach; yes, Experian was a disaster – that is, until they’re at a deadline and have to sign this contract today or else the third party is going to increase its price, or they go down the “ask for forgiveness not permission” route and a vendor suddenly appears in Accounts Payable.
It is imperative for the tone at the top to support appropriate risk management when it comes to third party relationships. It’s my personal opinion that onboarding a new vendor should take time for appropriate analysis and risk evaluation prior to signing a contract, because after the contract is signed you’ve lost all bargaining power and may uncover detrimental weaknesses or noncompliance after you’re locked into a multi-year deal.
If appropriate time and due diligence are invested on the front end, coupled with regular monitoring, the continued risk management and annual reviews of these third parties become less time consuming.
Don’t miss Amanda Tilley speaking live at PrivSec Focus: Third-Party Risk, where she participates in the panel debate: “Third-Party Due Diligence: How Deep Should You Dig?”
Also on the panel:
→ Tsholofelo Rantao, CISM, Data Protection Officer, FNB South Africa
→ Todd Boehler, Vice President of Strategy, PROCESS UNITY
→ Dominic Newton, Group DPO, IQ-EQ
Panel debate time: 15:10–15:50 BST
Date: Tuesday 26th April 2022