10 Things I learned at the GFMI 14th Edition TPRM Conference
Last week (April 11-12, 2022), we had the immense pleasure of going to the GFMI 14th Edition Third Party Vendor Risk Management for Financial Institutions Conference in New York. The keyword here is “going,” physically meeting people face to face, exchanging information formally and informally, and getting a much better sense of the industry than virtual events can supply.
With that in mind, I’ve put in writing the most prevalent themes and insights that surfaced across the various speakers’ presentations:
- Ransomware attacks are the most anticipated cyber threats of the coming months/years. Your key vendors are going to get hacked. At some point, you are going to get hacked. What increases the challenge is that cybersecurity insurance – a key mitigation control – is becoming too expensive to be used widely, so we have to focus on notification periods. Still, one should ask: how long does it take for an organization to learn of a breach in the first place? A vendor might be compromised for weeks or even months before anyone knows it (Okta is one such example).
- Operational resiliency can be assessed by looking at how vendors handled past events. You don’t know what cyber or other risks might be heading your way, so it’s key to look at past experience, which will tell you much about the vendor’s ability to maintain continuity of service.
- Cloud vendors are a major focus of the OCC/FDIC, with operational resilience in mind. Contrary to what you might think, cloud environments are often more secure for your data than older solutions. They are also much more resilient. However, it’s challenging to migrate on-prem solution contracts to the cloud because it’s much harder to agree on the limitation of liability, ownership issues, and technical challenges, such as latency. The regulation is not clear yet on this front, and you must have the right talent to measure cloud TPs.
- TP self-reporting – The more you are in discussion with vendors, the easier it will be to get to transparency and self-reporting. This makes sense, but an ongoing discussion with vendors requires time and resources, which you probably don’t have. Therefore, you should definitely have a list of critical vendors with whom you want to make a special effort to engage in an ongoing conversation. In addition, remember that an in-person, on-site due-diligence meeting is much more enlightening than any Zoom call will ever be.
- ESG – Although plans have been in motion for years or even decades, ESG is only now getting its due place. This is because customers now drive ESG. ESG is not about compliance, it’s about being competitive. People are making a choice of which bank to join because of what it represents. Also, diversity and variety are indicators of better resiliency and crisis response. However, ESG and DEI regulations are still not clear. Companies pick and choose what to adopt and to what extent. Recent UK regulation is setting the way, and we should expect US regulation to follow.
- AI is where the industry (as with all industries) is going. The only question left is that of implementation; the speed of implementation is an issue as is the idea that your AI is only as good as the information you are feeding into it. Where AI is specifically needed is filling a gap where there is a 10 percent increase a year of third parties that need vetting and an increase in emerging risks – yet there isn’t a corresponding increase in the annual budget. TPRM is seriously understaffed (and this is where Mirato’s TPRM Intelligence can make a dramatic difference).
- Current affairs – The post-Covid economy and the Ukraine war are driving up inflation, which makes TPRM more expensive. It’s costlier to execute (especially where sending letters is involved). Vendors need more money to be profitable (and are possibly less willing to put in the effort of a questionnaire for budgets that don’t make sense). Lastly, in the great-resignation era, it’s also becoming harder to find TPRM talent.
- COVID has really demonstrated resilience at work for financial institutions. Banks remained operational throughout (although it’s a crisis we had time to adjust to, which is not the nature of all crises).
- 4th parties – Over half of the hacks started at the organization’s third parties, and half of those began with 4th and 5th parties. It seems that most organizations don’t maintain an inventory of Nth parties; no one is monitoring 4th parties, and everyone is relying on the TP to monitor them. This makes concentration risk almost impossible to track, but getting vendors to audit 4th parties might be contractually problematic (though it’s an effective tool). Therefore, approaching vendors as part of a discussion where they understand the risk on a partnership level seems like a better, more diplomatic, and effective solution.
- Assessing contingent workers – Assessing companies is one thing. Assessing consultants is quite another. There are fewer elements you can truly vet, and everyone looks great on paper. This is where the relationship manager is vital. If they truly understand the risk, they can really assess individuals who have access to the organization’s data.
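To make the 4th-party point concrete, here is an added example (not from the conference, the post, or any vendor’s product) of what even a minimal Nth-party inventory buys you. The vendor names and the subcontractor relationships are constructed for illustration. Given each direct third party’s declared sub-vendors, the script assigns every supplier a tier, works out which of your direct services ultimately depend on each Nth party, and flags the ones that several direct vendors share, which is exactly the concentration risk that is invisible when nobody keeps the inventory.

```python
from collections import defaultdict, deque

# Constructed sample inventory (hypothetical vendor names, not real companies).
# Tier 1 are the institution's direct third parties; SUBCONTRACTORS maps any
# vendor to the sub-vendors it has declared it depends on.
DIRECT_VENDORS = {"core-banking-saas", "payments-gateway", "hr-platform"}
SUBCONTRACTORS = {
    "core-banking-saas": ["cloud-host-a", "email-relay-x"],
    "payments-gateway": ["cloud-host-a", "fraud-scoring-y"],
    "hr-platform": ["cloud-host-b", "email-relay-x"],
    "fraud-scoring-y": ["cloud-host-a"],
    "cloud-host-b": ["colo-dc-z"],
}


def nth_party_tiers(direct, subs):
    """Return {vendor: tier}: direct vendors are tier 1, their subs tier 2, and so on.

    Breadth-first so each vendor gets its shortest distance from the institution;
    the 'already at a lower tier' check also stops cycles in the declared data.
    """
    tiers = {}
    queue = deque((v, 1) for v in sorted(direct))
    while queue:
        vendor, tier = queue.popleft()
        if vendor in tiers and tiers[vendor] <= tier:
            continue
        tiers[vendor] = tier
        for sub in subs.get(vendor, []):
            queue.append((sub, tier + 1))
    return tiers


def exposure(direct, subs):
    """For every Nth party, the set of direct third parties whose chain reaches it.

    This is the blast radius of a compromise at that Nth party: the direct
    services you would have to assume are affected.
    """
    reach = defaultdict(set)
    for d in direct:
        stack = list(subs.get(d, []))
        seen = set()
        while stack:
            vendor = stack.pop()
            if vendor in seen:
                continue
            seen.add(vendor)
            reach[vendor].add(d)
            stack.extend(subs.get(vendor, []))
    return dict(reach)


def concentration_risks(direct, subs, threshold=2):
    """Nth parties sitting under at least `threshold` direct vendors, widest exposure first."""
    hits = [(v, sorted(ds)) for v, ds in exposure(direct, subs).items() if len(ds) >= threshold]
    return sorted(hits, key=lambda item: (-len(item[1]), item[0]))


if __name__ == "__main__":
    tiers = nth_party_tiers(DIRECT_VENDORS, SUBCONTRACTORS)
    for vendor, tier in sorted(tiers.items(), key=lambda kv: (kv[1], kv[0])):
        print(f"tier {tier}: {vendor}")
    print("shared Nth parties (concentration risk):")
    for vendor, dependents in concentration_risks(DIRECT_VENDORS, SUBCONTRACTORS):
        print(f"  {vendor} <- {', '.join(dependents)}")
```

In the constructed data, a single hosting provider sits beneath two direct vendors through two different paths (one of them via a tier-2 fraud-scoring service), so a breach there takes out both core banking and payments at once. That is the kind of dependency a tier-1-only inventory never surfaces, and it is what you would want to raise in the partnership-level conversation the conference speakers recommended.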
The general feeling at the conference was that we have entered a new phase, a post-Covid era where it feels like there are no more black swans because black swans are everywhere – the unexpected is to be expected. This means we need to rethink our mitigation plans, as they tackle risk that has already happened (everyone has a great Covid plan now), which will probably be different from the one we will need to face soon.