The Challenge of Third-Party Compliance Management

Cybercriminals are getting ever smarter at hacking into IT systems and stealing sensitive data. As data breaches increase and online fraud grows, so does the importance of complying with local, national, and international regulations on data security and privacy.

Every organization, whether a for-profit business, non-profit association or government agency, must ensure that its data is handled according to the law, both internally and when the data is shared with third-party providers.

Data Privacy and Security Laws are Multiplying

Cybercrime and data theft have increased substantially over the past few years, as have government efforts to protect data with tighter privacy and security laws. Risk Based Security's Cyber Risk Analytics 2019 MidYear QuickView Data Breach Report counted 3,813 data breaches during the first half of 2019, which exposed more than 4.1 billion records including birthdates, bank account information, and social security numbers. That number is 54% higher than 2018’s mid-year count, and it only includes publicly reported break-ins.

The response to this has been to implement regulations governing how organizations protect sensitive data. The most famous of these is the EU’s General Data Protection Regulation (GDPR). The US currently lacks a universal law; however, many states and industries have strict regulations, including California’s recently passed Consumer Privacy Act.

In addition, the US Family Educational Rights and Privacy Act covers colleges and universities. The Sarbanes-Oxley Act, which enforces cybersecurity on financial records, covers public companies. Banks must comply with the Gramm-Leach-Bliley Act to protect consumer data. Any organization that accepts credit card payments must comply with the Payment Card Industry’s Data Security Standard (PCI-DSS).

Complying with this growing collection of international, national, and state regulations is a major challenge for small and mid-sized organizations that lack the necessary expertise and resources. The compliance management process includes a long list of responsibilities such as:

  • Creating internal compliance policies
  • Providing security and privacy awareness training to employees
  • Tracking and investigating issues
  • Keeping up to date on changing regulations and new regulations
  • Documenting compliance and providing visibility into the data for auditors

Third-Party Compliance and Risk Management

A recent survey by eSentire found that 44% of companies experienced a significant data breach caused by a third-party vendor. Any organization that provides a third party with regulated data or access to IT systems that contain the data is responsible for that third party’s compliance and could be penalized if the data is lost or leaked.

TPRM (Third Party Risk Management) is the process of identifying and controlling the risks that a third party’s non-compliance poses to an organization. It answers the question of how risky it is to do business with a given third party by scoring vendors against a list of weighted criteria. The vendor is then typically given the opportunity to resolve issues and reduce the risk it poses to the evaluating organization. A high-risk vendor may require additional follow-up, or, in the worst cases, the relationship may be severed.

Signs of Poor Vendor Compliance Management

Third-party compliance management is an extension of an organization’s internal compliance management. Inadequate internal compliance practices inevitably lead to poor third-party compliance management.

In organizations that lack a compliance manager, individual departments may have to handle compliance for their own data and third-party relationships. Marketing may have to document how it shares customer data with its marketing agency, for instance. While department staff should be involved in compliance, centralization ensures the integrity and completeness of documentation and the consistency of practices and policies across the entire organization.

Compliance requires knowing what data is flowing out of your organization and to your suppliers. That means maintaining an inventory of the organization’s regulated data, such as financial information or other personally identifiable information (PII).

A data inventory may include information about the data, such as its level of sensitivity (e.g. public, internal use only or sensitive), its owner and the third parties with which it is shared. Inventories can be created manually, but that is an inefficient and time-consuming method. Many software applications on the market today automate data discovery and mapping.

A 2018 Osterman Research report found that 62% of respondents used spreadsheets as their main compliance tools. Many organizations said they were unaware of other compliance solutions or lacked the funds to purchase one. Organizations that use spreadsheets must laboriously input large amounts of information by hand. That data includes:

  • Data inventories
  • Vendor contacts and ratings
  • Compliance issues and updates
  • Compliance regulations and requirements

That amount of manual data input represents a lot of wasted productivity and potential for error. Organizations that use spreadsheets have an additional, related problem—lack of automation of the compliance process.

Compliance management involves many processes, most of which can be done quickly and efficiently through automation. Automating the workflow not only saves employees hours of manual labor but ensures that critical due dates and reminders aren’t forgotten. 

For example, an automated process can check for changes to data protection laws and update a database of regulations and requirements. Or it might automatically email monthly reminders to vendors to update their compliance documentation. Automation can save time and staffing costs, as well as reduce human errors. 

Managing an organization’s compliance with national and international laws is an enormous responsibility. However, the costs of not complying can include six-figure (or higher) fines, legal action, negative publicity, brand damage and loss of business. Unfortunately, as the regulatory landscape for data privacy and security laws becomes more complex, many organizations lack the resources to conduct a complete compliance program. Many SMEs lack even basic knowledge of the laws that apply to their data, as well as the staff and software tools to do the job correctly. 

They can, however, improve their compliance significantly by adopting a compliance management solution that automates processes and tasks, reducing the burden on employees. Rising awareness of the need for better data protection has expanded the number of affordable compliance management applications, many of which include automated workflows, templates for various regulations, customizable vendor questionnaires, and third-party risk management.

With the right tools, organizations can greatly improve their internal and third-party compliance management. 
