Nicsa members received an in-depth look at vendor oversight programs from the perspective of both asset management firms that have outsourced key functions and the service providers they’ve hired. The event took place in February 2020.
Marc Lotti, Partner, Division Head, Cybersecurity and Risk at ACA-Aponix, moderated the event, which also featured thought leaders at SS&C Technologies, Inc., Putnam Investments, Vanguard Group, Inc., and T. Rowe Price.
David Cook, Manager-Procurement at SS&C Technologies, Inc., said that from the vendor side, the enhanced need for risk management has led clients to demand more formalized and centralized governance.
“This is an important topic for our customers,” Cook said. “The number of audits conducted by our customers has quadrupled in the last three years. In addition to that, any time we respond to an RFP, there’s a section on supplier risk management.”
Lotti asked about the classification scheme asset management firms use to identify high, medium, and low risk vendors. John Ingold, VP, Head of Third Party Risk at T. Rowe Price, said his firm focuses entirely on inherent risk.
“Without taking into account their control environment, if a vendor represents a material risk to our ability to deliver continuous services to our clients, then that is a Tier 1 vendor,” Ingold said. “Vendors that don't represent that risk, but that do have access to volumes of personal information, will be in Tier 2. Same with vendors that support our compliance obligations.”
He clarified, however, that many Tier 1 vendors have built-in controls, so they’re not that high-risk after all. “We see more risk flow through to the organization from smaller vendors that are performing novel services,” Ingold said. “FinTech would be the most recent wave of such vendors.”
Lotti said a recent Gartner report noted that some of the best risk mitigation occurs when you have good relationships with the business owners — and Sheila Butze, Director, Market Data Services & Corporate Procurement at Putnam Investments, agreed.
“The key is to have vendors involved in risk management from the get-go, so they clearly understand their responsibilities and roles,” Butze said. “You have to have a good relationship to have those conversations — they’re tough conversations.”
Dawn James, Head of Third-Party Risk and Governance, Vanguard Group, Inc., said her oversight committee has the power to veto extremely high-risk vendors.
“We find it most difficult with multifaceted providers who service several parts of the business,” she said. “I might have a supplier who provides me a low tier service, while they might provide my colleague a service that's deemed critical. That’s a nuance we are working really hard on because who has responsibility for the relationship gets fuzzy.”
Another important consideration is fourth-party risk — that introduced by a service provider that uses its own third-party vendors.
“When we're assessing a service provider who is or may be using downstream parties, we really want to start by learning whether they have a third-party risk program and trying to evaluate its adequacy,” Ingold said. “We all talk about ‘Trust, but verify,’ but there's a pretty big degree of trust here. And so that's why for us, the effectiveness of the third-party risk program is critical.”
Note: Although the observations contained in this work represent the best thoughts of the individuals comprising the Nicsa panel, they do not necessarily reflect the views of Nicsa or any of its member organizations. Matters addressed in this work may touch upon legal or regulatory matters, however nothing herein is intended to be or should be construed as legal advice. You should contact your own counsel in order to obtain legal advice regarding these or any other matters.