Prevalent, Inc.

Prevalent takes the pain out of third-party risk management (TPRM).

Companies use our software and services to eliminate the security and compliance exposures that come from working with vendors, suppliers and other third parties. Our customers benefit from a flexible, hybrid approach to TPRM, where they not only gain solutions tailored to their needs, but also realize a rapid return on investment. Regardless of where they start, we help our customers stop the pain, make informed decisions, and adapt and mature their TPRM programs over time.

11/22/2024

The Shared Assessments Standard Information Gathering (SIG) questionnaire is a key component in many companies' vendor risk management programs, serving as an industry benchmark for assessing third-party controls across 21 risk domains in four key control areas, including Governance & Risk Management, Information Protection, IT Operations & Business Resilience, and Security Incident & Threat Management. Now that the 2025 update is available, what do you need to know?

Join compliance experts Thomas Humphreys and Sophie Pothecary on December 4 as they review key changes and updates to the SIG 2025 questionnaire and how to leverage new mappings to standards and regulations such as NIST CSF 2.0, NIS2, DORA, and more.

In this webinar, Thomas and Sophie will:
📋 Introduce the SIG questionnaire and its risk domains.
⚡ Review the top changes and how it compares to 2024.
📊 Demonstrate how to maximize its value for TPRM.
👩‍💻 Recommend steps your TPRM team should take now.

Register now for this webinar to gain an understanding of the pivotal changes to SIG 2025 and learn how to use them to optimize your third-party risk management program.

11/07/2024

Effectively managing third-party risks is essential for protecting data, safeguarding operations, and maintaining regulatory compliance. However, with a variety of information security frameworks available to choose from - such as NIST, ISO, and others - it can be challenging to select the one that best aligns with your organization's needs.

Join compliance expert Thomas Humphreys on November 20 as he explores key considerations for choosing the right TPRM framework.

In this webinar, Thomas will:
🔎 Examine the strengths and limitations of several leading information security frameworks.
📝 Review how to evaluate common frameworks based on your industry and risk profile.
🥅 Discuss steps for aligning TPRM practices with broader organizational goals.

Whether you're building a TPRM program from scratch or enhancing an existing one, this session will equip you with practical insights to strengthen your approach to third-party risk.

11/05/2024

A strong, secure, and efficient offboarding process is as important as other stages of a vendor lifecycle. However, many organizations overlook this step, exposing them to future risks.

Proper vendor offboarding is critical to managing risk, particularly since security, procurement, and vendor management teams discontinue vendor oversight when the relationship ends. An incomplete or hastily conducted offboarding process can result in financial losses, regulatory penalties, and reputational damage.

Procurement, vendor management, and security teams often view TPRM as an exercise to be conducted before onboarding a new vendor. So, it's no wonder vendor offboarding is an afterthought at many organizations. While nearly 90% of companies track risks from the sourcing and selection phases, fewer than 80% track service-level agreements (SLAs) and offboarding risks later in the relationship lifecycle. While due diligence in vendor sourcing and selection is important, measuring and managing risk extends throughout the relationship with a vendor. This includes managing the end of a relationship with thorough vendor offboarding.

A centralized process can help teams automate vendor offboarding, ensure completeness, and mitigate risk effectively. Here are seven best practices to follow during offboarding:
📞 Keep lines of communication open
📃 Perform a final review of the contract
📝 Settle any outstanding invoices
🪪 Revoke access to IT infrastructure, data, and physical buildings
🛡️ Review data privacy and information security compliance
📇 Update your vendor management database
📡 Continuously monitor vendors for potential future risks

10/31/2024

The AICPA SOC 2 has become an industry-standard framework that third-party vendors and suppliers can use to supplement a risk assessment. So, how do you interpret and mitigate risks identified in a vendor SOC 2 report in a way that's consistent with your TPRM program?

Join Bob Wilkinson on November 13 as he explores the intersection of SOC 2 and TPRM, focusing on how to align SOC 2 audits with your program.

Bob will examine:
⚡ The "when" and "why" for using a SOC 2 report as part of a risk assessment.
⚡ Best practices for mapping SOC 2 controls into common vendor risk and security frameworks.
⚡ Tools and techniques for effective vendor risk assessment and monitoring.

Register for this webinar to enhance your organization's resilience against third-party risks - and get instant access to our SOC 2 eBook and checklist!

10/25/2024

Here's your Friday listen! 🎧 Prevalent's Alastair Parr joined this week's To The Point Cybersecurity Podcast to discuss TPRM, compliance, AI, and more!

Head over to Forcepoint or your favorite podcast app and tune in! https://www.forcepoint.com/resources/podcast/third-party-risk-ai-alastair-parr

Today, we're diving deep into the intricate world of compliance and third-party risk management with none other than Alastair Parr, the Senior Vice President of Global Products & Services at Prevalent. We'll explore the 80/20 Rule in Compliance, the challenges organizations face with DORA reporting,...

10/24/2024

The EU Digital Operational Resilience Act (DORA) introduced a new regulatory framework designed to strengthen the resilience of financial entities against ICT-related incidents and third-party risks. How prepared is your organization to address DORA requirements with the impending January 2025 compliance date?

Join expert speakers Gareth Stinton, Connor Conlan-Coke, and Alastair Parr on November 6 as they delve into DORA's third-party risk management intricacies and offer actionable strategies to ensure compliance and safeguard your organization against ICT risks.

In this webinar, our experts will share:
🧭 A comprehensive roadmap to achieving and maintaining compliance with DORA, highlighting key requirements and timelines.
🔎 Best practices for identifying, assessing, and managing risks associated with third-party vendors and service providers.
💡 Insights into the evolving ICT threat landscape and how to defend against them.
📄 Real-world case studies showcasing successful DORA TPRM strategies.

A well-structured TPRM program puts your organization on a path to DORA compliance. Don't miss this opportunity to stay ahead of emerging threats and regulatory requirements. Register now!

10/23/2024

Half of the companies that responded to our 2024 Third-Party Risk Management Study still rely on spreadsheets to manage their third-party relationships, leading to gaps in identifying, monitoring, and mitigating risks. Upgrading to an automated TPRM solution can ensure your vendors and suppliers don't introduce unnecessary data breaches or privacy risks – so how do you make a solid financial business case for the right solution?

Download our Financial Business Case for a TPRM Solution Template and learn how to make a clear case for this critical investment.

Utilize this customizable Word Docx template to:
💸 Illustrate the financial ROI for your third-party risk management solution.
📈 Outline where cost savings will come from and why the manual process falls short.
⏳ Map out implementation timelines, internal resources needed, and ongoing support expectations.

Download the financial business case template today and take the next step toward securing a more efficient, cost-effective risk management future.

10/22/2024

In June, a ransomware attack at software provider CDK Global halted operations at thousands of car dealerships across the US. Roughly half of the industry relies on the CDK software - and it's an example of how a single vendor can impact entire industries.

Prevalent's Brad Hibbert shared his insights on industry cyber risks in the software supply chain with The Daily Upside. Check out what he has to say!

https://www.thedailyupside.com/analysis/a-cyberattack-rattled-us-car-dealerships-which-industry-is-next/

A single point of software failure can turn entire industries into teetering Jenga towers. Next time could be a lot worse.

10/18/2024

A massive thank you to everyone who joined us and our partners at 3VRM last night in London! We tasted some whiskey over dinner and, of course, talked third-party risk management. 🥃

We look forward to seeing you again soon!

10/17/2024

As 2025 planning, budgeting, and prioritizing ramp up, now is the perfect time to think about what the next year has in store for your organization's third-party vendor and supplier risk management. How will evolving technological landscapes, risks, and regulatory shifts reshape TPRM?

Join TPRM experts Alastair Parr and Sophie Pothecary on October 31 as they review this year in third-party risk and explore the emerging trends that will drive TPRM programs in 2025.

Alastair and Sophie will discuss:
📋 Regulatory Changes: Understand upcoming regulations influencing third-party risk strategies and compliance requirements.
🤖 Technology Integration: Discover the role of AI and machine learning in automating risk assessments and enhancing decision-making processes.
🚚 Supply Chain Vulnerabilities: Analyze the impact of global supply chain disruptions and strategies for mitigating associated risks.
👩‍💻 Cybersecurity Landscape: Examine emerging cyber threats and how they affect third-party relationships and risk exposure.
⚡ Best Practices for Adaptation: Gain actionable insights and best practices for evolving your risk management frameworks to meet future challenges.

This webinar will deliver insights and a roadmap to help you prioritize your TPRM program in 2025. Register now!

10/16/2024

In response to increasing numbers of cyber-attacks, the EU parliament passed the Digital Operational Resilience Act to improve IT security and ensure financial institutions can operate during disruptions.

With compliance expected by January 17, 2025, we examined the key articles in DORA Chapter V: Managing of ICT Third-Party Risk.

Our comprehensive checklist provides guidance for understanding which DORA articles call for third-party risk assessments, monitoring and other TPRM activities. It also maps key TPRM capabilities to applicable DORA principles and framework components.

The DORA Third-Party Compliance Checklist is ideal for any security, compliance, or risk management professional in the financial sector who needs to ensure compliance with this critical piece of EU legislation.

10/11/2024

In a world with increasingly interconnected companies, vendors, suppliers, logistics partners, and cloud services providers, TPRM has advanced from being an annual checklist exercise to a critical daily function.

When an incident on the other side of the world can cause disruptions in your client service, it is critical to understand and manage those risks effectively and efficiently. Aside from the necessity of TPRM, the practice has advanced significantly from an exchange of emails 10 years ago to a continuous monitoring process that incorporates traditional due diligence with high degrees of automation.

A core part of your vendor risk management process goes beyond simply assigning security ratings to your service providers. A successful TPRM management solution grants you visibility into your third-party ecosystem, allows you to identify who has access to your data, and lets you ascertain how your third parties keep their data secure.

To address risk exposures in TPRM environments, you should enable organizational standards and language in the following areas:
📃 Set up contract and service level agreement requirements to address risk-related commitments.
🪪 Analyze the vendor risk profile with the risk profile of the engagement or the service provided.
📊 Enable a reporting process driven by dynamic monitoring and risk assessment based on events.
📝 Mix periodic risk assessments (self-reported) and continuous risk monitoring (externally reported) approaches for holistic risk identification.
💻 Implement technology solutions to integrate procurement, performance, and risk management on a unified platform that provides stakeholders with updated information on demand to meet their specific needs.

The value of an effectively implemented TPRM solution is in achieving a critical risk management program that provides early warning and drives effective risk mitigation. Ultimately, strengthening your organization, addressing gaps (understanding where the gaps are, implementing processes and protocols), and resolving third-party risk management issues will improve your business, helping you sustain and grow.

Address

11811 N. Tatum Boulevard
Phoenix, AZ
85028
