In July 2019, UK authorities announced that Marriott Hotels would be fined $124 million under GDPR for a data breach at one of its subsidiaries, Starwood Hotels. The fine amounted to 2.5 percent of Marriott’s global revenue for 2018. The breach began in at least 2014 and involved the personal data of nearly 340 million individuals (30 million in the EEA), including passport numbers, payment cards, travel itineraries, names and more. In its announcement, the UK’s supervisory authority, the ICO, stated that Marriott had neither conducted sufficient due diligence when it acquired Starwood Hotels in 2016 nor done enough to secure Starwood’s systems after the acquisition. The ICO also stated that if organizations don’t protect personal data “like they would do with any other asset. . . the ICO will not hesitate to take strong action when necessary to protect the rights of the public.” This and other recent data protection incidents highlight how important it is for organizations to protect the data they hold, including data processed by third parties.
Whether your organization is acquiring a third party or outsourcing operations to one, due diligence must be conducted on that third party’s data protection program. Third-party risk management is so important that the European Banking Authority (EBA) has issued guidelines specific to this area. Following these guidelines enables organizations to lower their third-party risk.
In this article, we discuss the EBA’s third-party risk management guidelines and what your organization can do to implement them. While the EBA’s guidelines were created with financial institutions in mind, they can be applied to any organization. To review the full EBA outsourcing guidelines, read our previous post.
The EBA’s guidelines apply primarily to functions that are considered critical or important to financial institutions. But because many business functions are becoming digital or automated, and in light of the growing number of data protection regulations and the consequences of failing to protect data, organizations may need to reassess what constitutes a “critical” function. A couple of examples highlight this need.
While not a desirable outcome, losing someone’s email and mailing addresses five years ago would not have had as many consequences as it would today. With today’s focus on privacy (from both individuals and governments), a compromise of PII could result in an organization facing tens or hundreds of millions of dollars in regulatory fines on top of lost sales.
As organizations continue to migrate their functions to digital, automated ones and continue to collect PII, the criticality of these functions will change. An employee’s pen-and-paper process or filing cabinet isn’t going to be infected with malware or be accessible to an attacker thousands of kilometers away, but that same process or cabinet turned digital can be. It’s important, therefore, for organizations to label the criticality of their functions accurately rather than relying solely on how they’ve historically classified them.
EBA Third-Party Risk Management Guidelines
While the EBA’s third-party risk management guidelines apply specifically to critical and important functions within the financial industry, they provide sound principles that can be applied to any business function within any industry.
Under the EBA’s guidelines, organizations must:
- Have robust internal governance in place, including a clear organizational structure
- Determine which functions are critical or important and which are not
- Conduct regular risk assessments and ongoing monitoring. In these assessments, institutions must consider and treat the risks associated with:
  - Outsourcing multiple functions to the same third party
  - Outsourcing critical functions to a limited number of service providers
  - An over-reliance on outsourcing critical functions
  - Allowing sub-outsourcing (i.e., fourth-party risk)
- Assess third parties’ quality and performance of outsourced functions, and from a data protection perspective understand that:
  - Solely undertaking formal assessments of whether or not outsourced functions meet regulatory requirements is insufficient
  - Relying solely on certifications (e.g., ISO 27001) is not appropriate when conducting risk assessments and ongoing monitoring of outsourced functions
- Ensure that:
  - Effective day-to-day management by senior management or the management body is in place
  - Sound outsourcing policies and processes are in place
  - Outsourcing concerns are included in BC/DR plans, including plans to migrate to another service provider or bring critical functions in-house
  - Competent authorities are engaged in a dialogue regarding planned outsourcing arrangements, particularly when critical or important functions are to be outsourced
Fourth-party Risk Management
Increasingly, EU regulations require organizations to consider not just the risks posed by their vendors but also their vendors’ vendors (i.e., fourth parties). Both GDPR and these EBA guidelines require fourth-party risk management. Specifically, the EBA requires organizations to have their third parties notify them when outsourcing critical or important functions, to understand why the fourth party is being used, and to always retain the right to terminate their third party’s contract if use of a fourth party would adversely affect the protection of data.
Fourth-party risk management is a trend we expect will only grow and become more important. As organizations have become more secure, threat actors have increasingly targeted third parties. This has happened because third parties often hold the same data as the primary organization and are easier to compromise; however, as third parties have improved their security, they too have become harder to break into. In response, threat actors have begun targeting fourth parties for the same reasons they initially went after third parties.
How Your Organization Can Implement the EBA’s Guidelines
To comply with these guidelines, organizations should implement appropriate policies and processes that are approved and reviewed by management. One of these policies or processes should include a requirement to assess vendors’ data protection posture.
When organizations outsource, they lose direct control of part of their security posture. It’s imperative, then, for organizations to manage their third parties appropriately. Most organizations have many vendors, which makes managing third parties challenging. Traditionally, managing these vendors has been done through questionnaires, spreadsheets and occasional audits. These are time-consuming and labor-intensive, and they only provide a point-in-time (often self-reported) view of a vendor’s security posture.
RiskRecon addresses these issues by providing real-time, independent verification of how vendors are performing. This enables organizations to address their vendors’ risks as they arise, rather than waiting until next year’s reassessment. By using RiskRecon to monitor the data protection posture of critical third and fourth parties, organizations can save money while more easily following the EBA’s outsourcing guidelines.