This document discusses supply chain compliance and risk management. It begins with an overview of the large scale of third-party partnerships companies have and how this expands their risk exposure. It then discusses how third parties are often involved in data breaches and how visibility and management of third-party risk is important. The rest of the document outlines new regulations like the German Supply Chain Due Diligence Act, strategies for addressing cyber supply chain risk, and how to future-proof third-party risk programs. It concludes with information about OneTrust's compliance platform.
Welcome to our session, Securing the Supply Chain: What Does Compliance Look Like?
Today we're going to talk about just how deep and wide the supply chain has grown, why that's become a huge risk factor to your business, and how to make sure you AND your third-party risk management programs stay compliant.
--
What's your company gone through in the last 2 years? Make engaging, add key takeaways at beginning and end for audience / resonate
Joseph Byrne
Principal Solutions Engineer
Real Engineer
CIPP/E, CIPM, CIPT
Rides motorcycles.
Our agenda for today will go over three key areas:
What's Going on Down There? - Just how far and wide has your supply chain expanded, and how much additional risk has come as a result
The Evolution of Risk - How should we be defining risk, and what does it mean to the cyber security of your business
And finally, what's on the Supply Chain Horizon - We'll talk about the German Supply Chain Due Diligence Act, what new regulations mean to the business as a whole, and where security fits in.
Setting the tone: Two years of pandemic-fueled digital innovation has led to a farther-reaching supply chain.
-22% of all companies contract with more than 250 third parties
-The majority (55%) of all companies contract with more than 50 third parties
According to the CyberRisk Alliance and OneTrust survey, 59% of businesses can't see their most critical third-party direct dependencies, and 74% can't see the full map of interdependencies across all tiers of the supply chain
--
Add in Gartner stat about 5,000 as median
Check in to see if there are more breaches / up to date
It's simple: what companies can see is just not enough to understand what's beneath the surface. In this case it's the potential for your organization to be clipped in a number of ways: through a cybersecurity incident at a supplier, non-compliance, ethics issues, and damage to brand reputation.
-Implement contractual liability
-Integrate information security and business processes
-Prioritize building quality business relationships
-Build strong vetting processes for evaluating new vendors
What does risk look like across all third-party factors?
We can survive, but how do we become the most evolved version of ourselves? It's not because we don't know how to do it. Technology has been accelerating faster than at any time in history, but it has also opened businesses up to a wider risk landscape. That means we need to evolve, and more quickly than the risk factors we're likely to face.
--
Computer guy evolution graphic
Evolution depends on industry; big biz may be human size and suppliers may be at far left
If organizations haven't done so already, the German Supply Chain Due Diligence Act (LkSG) requires all companies within its scope to:
-Establish a risk management system;
-Identify and minimize human rights and environment-related risks;
-Name a position or person responsible for monitoring risk management;
-Conduct an annual risk analysis and communicate it internally;
 -If an enterprise identifies a risk before the annual analysis, immediate preventive measures are required
-Issue a policy statement on its human rights strategy that is subsequently adopted by the enterprise;
 -A statement for the company's own internal use as well as for its direct suppliers is required
 -The policy's effectiveness must be evaluated annually
-Implement due diligence with regard to risks at indirect suppliers;
-Document and report on the fulfillment of its due diligence obligations.
Supply chain due diligence and third-party risk management are dovetailing, and must include all segments within the business.
What does this mean for the cybersecurity aspect of due diligence?
Conduct and maintain business impact assessments (BIAs): This lets your organization understand the operational and data impact it would face if a given vendor were compromised or unavailable, and it is the basis for every step that follows.
Develop situational questionnaires: In the face of an unexpected crisis (health, natural disaster, geopolitical conflict), it's important to understand exactly how your vendors are responding so you can prepare for any incidents that stem from the crisis. This gives you visibility into what your vendors are anticipating and an opportunity to review their own continuity plans.
Include resilience plans in vendor contracts: It's critical to your organization's resilience plan that each vendor contract includes a list of business resilience requirements (for example, breach notification timelines, a right to audit, and a tested continuity plan) that can be referenced if the vendor faces a crisis.
Tier vendors and evaluate risk tolerance: Identify and tier your vendors by risk level, measured against your organization's overall risk appetite and tolerance. This requires you to understand your internal capacities and external vulnerabilities, and it encourages you to assess risk across domains, including IT and operational risk. A vendor's tier should reflect not only how critical it is to operations but also what data and network access it holds, because that access is what an attacker gains if the vendor is compromised.
Create an evergreen reporting resource: A key part of establishing a resilience strategy is moving reporting away from static, manual formats. Extract key terms from contracts as yes/no attributes and pull reports based on those answers to understand a vendor's business resilience. The result is an evergreen resource that reports on information like expiration dates, service requirements and other key resilience data, which is critical to streamlining the resilience process and ensuring efficient incident management.
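As an added illustration of the tiering and evergreen-report steps above (this is not code from the session or from OneTrust's product): a small script that tiers a vendor inventory from BIA-style inputs, checks each contract's yes/no resilience terms against the clauses its tier requires, and flags upcoming renewals. The vendor fields, tier thresholds, required clause names and the sample inventory are all assumptions made for the example.

```python
"""Vendor tiering plus an evergreen contract-resilience report.

Added example; every threshold, field name and vendor below is an assumption.
"""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Vendor:
    name: str
    criticality: int        # 1-5: business impact if the vendor is unavailable (from the BIA)
    data_sensitivity: int   # 1-5: most sensitive data class the vendor processes
    network_access: bool    # vendor holds credentials or connectivity into our environment
    contract_end: date
    terms: dict = field(default_factory=dict)  # yes/no terms extracted from the contract


# Resilience clauses each tier's contract must carry (assumed policy; tier 1 = highest risk)
REQUIRED_TERMS = {
    1: ("breach_notification_72h", "right_to_audit", "continuity_plan_tested"),
    2: ("breach_notification_72h", "continuity_plan_tested"),
    3: (),
}


def tier_vendor(v: Vendor) -> int:
    """Inherent risk = impact x data exposure, plus a bump for network access.

    The thresholds encode an assumed risk tolerance; tune them to your own appetite.
    """
    score = v.criticality * v.data_sensitivity + (5 if v.network_access else 0)
    if score >= 15:
        return 1
    if score >= 8:
        return 2
    return 3


def vendor_status(v: Vendor, today: date, horizon_days: int = 90) -> dict:
    """One report row: tier, missing contract terms, days to expiry, follow-up actions."""
    t = tier_vendor(v)
    missing = [term for term in REQUIRED_TERMS[t] if not v.terms.get(term, False)]
    days_left = (v.contract_end - today).days
    actions = []
    if missing:
        actions.append("remediate-contract")
    if 0 <= days_left <= horizon_days:
        actions.append("renewal-due")
    elif days_left < 0:
        actions.append("contract-expired")
    return {"vendor": v.name, "tier": t, "missing_terms": missing,
            "days_to_expiry": days_left, "actions": actions}


def evergreen_report(vendors, today: date, horizon_days: int = 90) -> list:
    """Rows sorted highest-risk tier first, then soonest expiry, for re-running at any time."""
    rows = [vendor_status(v, today, horizon_days) for v in vendors]
    return sorted(rows, key=lambda r: (r["tier"], r["days_to_expiry"]))


# Constructed sample inventory (fictional vendors) and a fixed report date
REPORT_DATE = date(2024, 1, 1)
SAMPLE_VENDORS = [
    Vendor("PayrollCloud", 5, 5, True, date(2024, 2, 15),
           {"breach_notification_72h": True, "right_to_audit": False,
            "continuity_plan_tested": True}),
    Vendor("AnalyticsCo", 3, 4, False, date(2024, 7, 1),
           {"breach_notification_72h": True, "right_to_audit": True,
            "continuity_plan_tested": False}),
    Vendor("OfficeSnacks", 1, 1, False, date(2025, 1, 1), {}),
]

if __name__ == "__main__":
    for row in evergreen_report(SAMPLE_VENDORS, today=REPORT_DATE):
        print(row)
```

Because the report is computed from structured vendor and contract attributes rather than copied from a slide deck, re-running it after every contract change or questionnaire cycle keeps it evergreen; the sort order puts the tier 1 vendor with a missing right-to-audit clause and a renewal inside the 90-day window at the top.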
--
Make graphic into a circle with key points**
Knowledge sharing and two-way communications are necessary to future-proof third-party risk programs. Regulations will continue to evolve, and compliance for your business – and the businesses you collaborate with – will have changing parameters. How are you taking next steps to ensure proactive compliance rather than reactive protocols?
--
Cut slides 15 and 16
Pioneered the trust software platform, unifying and operationalising Privacy, Governance, Ethics and Environment.
Portfolio of 12,000 clients across all verticals.
3,000 employees on the team, 40% of whom work in research and development.
The OneTrust community and ecosystem has 20,000 members collaborating on and driving the future of this market.
This trust platform is a unified cloud application across 4 key disciplines:
- Privacy & Data Governance
- Etc.
All on top of a single application and a single view of data, so you can:
- share data and information across these activities and disciplines,
- get insights from the combined data sets,
- automate the workstreams and activities you need to do.
POINTS:
We’ve heard from our customers that they don’t care to invest in different products. They want a true platform that can accommodate all of their needs across the organization. That’s why we build the way we do. OneTrust is investing in the first trust platform to enable organizations to establish trust as a key competitive differentiator.
We think about trust across four main pillars – Privacy & Data Governance, including consent and preferences for Marketing Teams, GRC & Security Assurance, including third-party due diligence and risk management, Ethics & Compliance, to help establish a culture that’s enabled to speak-up, not out, and ESG & Sustainability, to help organizations become the leaders in saving our planet.
All of these pillars are connected through powerful data and analytics, the largest team of researchers and regulatory experts who help establish guidelines based on the environments you operate in, and proactive data discovery to focus teams on the areas that are the absolute most important for the development of the organization.
TRANSITION:
- Today, we’re of course here to speak about [segment that the customer was initially interested in], and we recognize that building a brand of trust is a maturity journey.
- Hard problem to solve
- Takes many years to solve it
- We're ahead of the game