[BreachExchange] Third-party compliance risk could become a bigger problem

Destry Winant destry at riskbasedsecurity.com
Wed Apr 29 10:20:24 EDT 2020


Since the onset of COVID-19, more than half of legal and compliance
leaders believe that cybersecurity and data breach is the
most-increased third-party risk their organizations face, according to

[Chart: Which third-party compliance risk has increased (or could increase) the most at your organization as a result of COVID-19? Caption: Third-party compliance risk]

“Remote working has been hastily adopted by suppliers to keep their
business running, so it’s unlikely every organization or employee is
following best practices,” said Vidhya Balasubramanian, managing vice
president in the Gartner Legal and Compliance practice.

“Legal and compliance leaders are concerned about the new risks this
highly disruptive environment has created for their organizations.”

Bribery and corruption, privacy, fraud, and ethical conduct were all
noted as the most-increased third-party risks (10% of respondents for
each) by a significant number of respondents.

“Legal and compliance leaders need to act now to mitigate third-party
risk while still enabling their supply chain partners to flex to the
current pressures on the system,” said Ms. Balasubramanian.

“This will likely mean managing the contractual risks and
opportunities of current relationships, mitigating emerging issues,
and streamlining due diligence for new third parties. Legal and
compliance leaders will also be looking at other ways to reduce the
compliance burden on third parties.”

Navigate the contractual relationship

Legal and compliance leaders are managing the contractual risks of
disrupted supply chains by:

- Working with procurement or supply chain leaders to identify which
  critical suppliers have manufacturing facilities, or a portion of the
  workforce, located in high-risk areas.
- Contacting high-risk, critical suppliers to understand their
  preparedness for COVID-19, and the likelihood that they will meet
  contractual obligations.
- Anticipating ongoing financial or business disruption by conducting a
  review of existing contracts with high-risk suppliers to identify
  those with force majeure and other relevant clauses.

Mitigate amplified third-party risks

Several emerging practices from the survey respondents were identified:

- Reviewing third-party compliance activities, including third-party
  work-from-home policies, as well as privacy and security training
- Updating contracts to include clauses intended to mitigate
  cybersecurity & data privacy risks (e.g., clauses on VPN use, data
- Reducing the compliance burden on suppliers by:
  - Entering into temporary “workaround agreements” by amending contracts
    to maintain services in a remote environment
  - Postponing supplier audits until later in the year
  - Modifying payment structures for those suppliers needing to boost cash flow

Streamline third-party due diligence

Emerging practices in this area include:

- Talking to functional partners about working with new third parties if
  needed to alleviate supply chain issues.
- Identifying critical, zero-tolerance risks and revising due diligence
  processes to flag these.
- Identifying and prioritizing critical third parties and helping them
  manage risk throughout the pandemic.
- Conducting remote audits.
- Decreasing the amount of information requested from potential
  suppliers about general risks.

“Legal and compliance leaders have had to pivot quickly to support
their supply chain and other business partners as part of this rapidly
shifting third-party risk landscape,” Ms. Balasubramanian said.

“The most progressive companies have approached this crisis as an
opportunity to clarify and streamline compliance obligations,
strengthen current relationships, and focus their risk management
efforts on the most critical, urgent risks.”
