An Interview with Marty Provin, Executive Vice President of Jordan Lawrence
What are most companies doing to meet their third-party diligence requirements today? Most companies are using manual processes managed out of the IT/Security department. Typically, questionnaires are delivered via excel spreadsheets and email. Tracking of reassessments is done via excel and SharePoint and most admit their processes could be improved.
What's the trouble with traditional processes? Their assessment questions are not tailored to the types of data third parties have, so while they may get a decent view of what security controls are in place, they don't provide an understanding of the regulatory obligations associated with each third party. If Vendor A is collecting biometric data for Company ABC, but Vendor B is only processing de-identified data, they shouldn't be managed the same way. The ball gets dropped because there’s no good way of tracking these things. Many times, surveys take vendors a long time to respond to and a long time for companies to review.
What's at risk with indefensible vendor diligence? The biggest risk is arguably litigation, not regulatory fines or penalties, though those can be severe, too (think GDPR - 4% of global annual revenue). If you don't have the ability to demonstrate a good faith effort in the event of a breach or audit, your process falls apart and you face serious consequences.
What is the best first step a company can take to move towards a better third-party diligence process? Having a consistent, repeatable process is essential. If your process isn't easy to repeat as new regulations take shape, or business processes change, it's time to consider a new process. Documentation of your efforts is key, as is an explanation of why you chose the methods you use.
How is Jordan Lawrence unique in its approach to vendor diligence? Our biggest differentiating point is that we approach everything based on the data access a third-party has. Before we decide what questions should be asked, we consider the data types each third party has and determine which regulations apply based on that information.
Many of our clients are surprised to find that their smaller, seemingly "non-critical" or "low-risk" vendors have access to more of their sensitive data than they thought and require greater diligence than has been conducted. Similarly, the largest vendors are often not the biggest concern. Our process allows you to objectively define which vendors are relevant to data privacy and cybersecurity regulations so you can focus resources on your greatest risk.
Our Vendor Risk Profiling Service is the most effective way for corporate legal teams to comply with third party data privacy and cybersecurity requirements and avoid risks. In 30 days, you can establish a world-class vendor diligence process and meet your regulatory obligations.
Join Jordan Lawrence and Locke Lord for a complimentary CLE webinar: Cybersecurity Compliance and Your Third Party Service Providers, on Thursday, February 21, 2019 at 12:00 pm (CST). Click here for more information and to register.