Written by Tom Turner, CEO and President, BitSight
In my experience there are a number of common blind spots associated with vendor risk management (VRM), or third-party risk management’ as it is sometimes called. In this article I will share with the readers what I see as six top misconceptions surrounding VRM and suggest strategies for businesses to overcome or avoid some of these pitfalls.
- Only the highest value business relationships have the most inherent risk
Today we see many high profile data breaches hitting the headlines. That’s because businesses are more connected than ever before, and organisations are having to deal with increasing numbers of third parties. Often, there will be a direct relationship where data is exchanged. However, we’re seeing more indirect relationships where a third party may not be deemed critical to the organisation’s service or product, yet they still have the potential to introduce risk. Take the Netflix ‘Orange Is The New Black’ leak in April last year from Larson Studios. This was a post-production company that was probably thought to be a distant vendor in the supply chain, yet when they were hacked it had a massive impact on the core business.
Likewise, many businesses are using the same third party, which is often unavoidable. For some products and services, there’s only one dominant player in the market to choose from if you need to outsource. This situation can result in massive downstream effects if there’s a data breach, compromise, or service disruption. For example, theNotPetyamalware hit many companies in Ukraine particularly hard, such as the shipping giant Maersk. This happened because a Ukrainian based software accounting platform was compromised, and the ransomware spread to its customer base.
Breaches and outages aren’t just resulting from typical third parties anymore. They’re also stemming from more distant vendors. While these organisations may not have access to your network, you may rely on their technology or services which could cause considerable risk downstream.
- Your most trusted form of assurance is a diligence questionnaire
VRM programmes have traditionally focused on setting contractual obligations for vendors. Risk managers would periodically check on whether vendors were meeting certain obligations and move on to the next item on their “to do” list. For a long time, the only way to manage risk was to use questionnaires, audits, and penetration tests. This haschanged, and businesses are now actively ‘hunting’ for risk. They are consuming multiple data feeds about operational, financial, and cyber security risk. In doing so, many organisations have taken a more collaborative approach with vendors, rather than a combative one. The notion that VRM is a game of strong arming between risk and legal departments is changing. Organisations and their vendors are having more constructive dialogues.
- VRM is not a Board level issue
According to Gartner, 80% of security risk management leaders are being asked to present tosenior executives on the state of their security and risk programme and 75% of Fortune 500 companies arenow expected to treat VRM as a board level initiative to mitigate brand and reputation risk. Boards are beginning to request updates more than once a year and this has led to the emergence of security committees.
The challenge for risk managers is how best to contextualise the company’s level of risk. This is where objective, quantitative measurement can really help. For example, being able to say that the aggregate level of cyber risk posed by vendors has dropped 20 percentage points is a lot more insightful than saying, “We’ve mandated that all of our vendors implement multifactor authentication.” It’s important to learn how to speak the right language to the Board.
- Regulations and VRM programmes are two different issues
The impact of regulationvery much depends on the industry sector, but if you are subject to any regulation at all, then it needs to be included in your VRM programme. Regulations that encompass all industries, such as General Data Protection Regulation (GDPR)which comes into force on 25th May this year, will need to be part of the risk management programme of every single organisation. Article 32 states that organisations that collect personal data must have rigorous due diligence processes to ensure that appropriate controls are in place before sharing data with vendors.
- VRM can be handled manually with existing resources
Relying solely on subjective point-in-time questionnaires can leave a lot of risk unidentified or unaddressed. Many companies now understand that having a continuous objective view is needed.
Also, you can’t simply just throw people at this problem. There are too many vendors connected to the enterprise and not enough risk professionals in the world to manage them. Companies need to automate processes whenever possible to manage this risk. There’s going to be a huge breakthrough when businesses across all sectors recognise the importance of automation and allow human intervention when urgent action is required.
- Engaging with vendors and the supply chain to correct risk is difficult and confrontational
Companies have different approaches for engaging with vendors and some have more influence than others. However, we are learning that presenting data and accessing a common platform providessignificant benefits.
Giving non-customers free access to a security ratings platform via a trusted partner will allow third party vendors to investigate potential network issues and allow access to remedial resources. This is a good example of how engagement with vendors can be driven by objective data. It also offers vendors a benefit in return for their engagement and reduces some of the confrontation that can accompany risk assessment.
With economies of scale at play, there are potentially long-term benefits too. With many organisations using the same vendors to rectify issues, we can reach a wider audience and the whole digital economy is better off.
To learn more about vendor risk management, visit www.bitsighttech.com
Britain starts formal countdown in ‘final chapter’ of Libor
LONDON (Reuters) – Britain’s Financial Conduct Authority (FCA) on Friday called a formal end to nearly all Libor rates on December 31 as anticipated, piling pressure on markets to complete their biggest change in decades.
Libor, or London Interbank Offered Rate, is being replaced by rates compiled by central banks after lenders were fined billions of dollars for trying to rig what was once dubbed the world’s most important number, used for pricing home loans and credit cards across the world.
“This is an important step towards the end of Libor, and the Bank of England and FCA urge market participants to continue to take the necessary action to ensure they are ready,” the FCA said in a statement.
All sterling, euro, Swiss franc and Japanese yen denominations of Libor will end on Dec. 31, the FCA said. As previously announced by the U.S. Federal Reserve, some dollar denominated versions will continue until mid-2023.
“Today’s announcements mark the final chapter in the process that began in 2017, to remove reliance on unsustainable LIBOR rates and build a more robust foundation for the financial system,” Bank of England Governor Andrew Bailey said in a statement.
“With limited time remaining, my message to firms is clear – act now and complete your transition by the end of 2021.”
The FCA said that it does not expect any Libor setting to become “unrepresentative” before December, meaning that contracts that use Libor for pricing would have to switch to another rate at short notice.
(Reporting by Huw Jones; editing by Rachel Armstrong and Jason Neely)
China’s export growth seen surging in Jan-Feb on low base: Reuters poll
BEIJING (Reuters) – China’s exports likely surged to a three-year high and imports also jumped in the first two months of the year, thanks to a low base, as economic activity ground to a halt last year due to draconian COVID-19 control measures, a Reuters poll showed.
Exports are expected to have risen 38.9% in January-February from a year earlier, according to a median forecast in a Reuters poll of 22 economists, up from 18.1% gain in December.
China’s customs began combining January and February data last year to smooth distortions caused by the Lunar New Year, which can fall in either month.
Separately, the head of China state planner said on Friday that China’s exports are estimated to have grown over 50% in the first two months, without specifying whether that was in yuan or dollar terms.
The strong forecasts contrast with official and private manufacturing surveys that have indicated a weakening in external demand for Chinese products.
“China’s exports are facing both positive and negative impacts currently,” analysts with China Minsheng Bank said in a note.
“The exports volume of medical supplies and transferred orders from other countries due to coronavirus-related disruptions to production will decrease, with more countries speeding up work resumption with the rollout of vaccines.”
The bank’s analysts also expected a rebound of overseas demand for Chinese goods with the reopening of global economy.
Chinese factory activity normally goes dormant during the Lunar New Year break as workers return to their home towns. This year, the government appealed to workers to avoid travelling to curb the spread of COVID-19, prompting some economists to forecast a marginal boost to production especially in the country’s coastal export-dominant provinces.
Imports likely rose 15% in the first two months versus a year ago, the poll showed, with some analysts expecting the number to have been lifted by high commodity prices.
China’s trade surplus is expected to have narrowed to $60 billion in the same period from $78.17 billion in December, according to the poll. The data will be released on Sunday.
(Reporting by Lusha Zhang and Ryan Woo; Editing by Simon Cameron-Moore)
U.S. job growth likely regained steam in February
By Lucia Mutikani
WASHINGTON (Reuters) – U.S. job growth likely accelerated in February as more services businesses reopened amid falling new COVID-19 cases, quickening vaccination rates and additional pandemic relief money from the government, putting the labor market recovery back on firmer footing and on course for further gains in the months ahead.
The Labor Department’s closely watched employment report on Friday will, however, also offer a reminder that as the United States enters the second year of the coronavirus pandemic the recovery remains excruciatingly slow, with millions of Americans experiencing long spells of joblessness and permanent unemployment.
Federal Reserve Chair Jerome Powell on Thursday offered an optimistic view of the labor market, but cautioned a return to full employment this year was “highly unlikely.”
“We will probably see more people having gone back on payrolls,” said Sung Won Sohn, a finance and economics professor at Loyola Marymount University in Los Angeles. “Many will be related to service jobs, but that will not mean a rapid increase in jobs. It’s a slow progress toward eventual full recovery.”
Nonfarm payrolls likely increased by 182,000 jobs last month after rising only 49,000 in January, according to a Reuters poll of economists. Payrolls declined in December for the first time in eight months.
Economists saw no impact from the mid-February deep freeze in the densely populated South as the winter storms hit after the week during which the government surveyed establishments and businesses for the employment report.
But unseasonably cold weather last month, especially in the Northeast, and production cuts at auto assembly plants because of a global semiconductor chip shortage likely shortened the average workweek.
The labor market has been slow to respond to the drop in daily coronavirus cases and hospitalizations, which helped fuel a boost in consumer spending in January that prompted economists to sharply upgrade their gross domestic product growth estimates for the first quarter.
Historically, employment lags GDP growth by about a quarter. But economists believe the catching up started in February, a year after the economy fell into recession at the start of the U.S. COVID-19 outbreak.
A survey last week showed consumers’ perceptions of the labor market improved in February after deteriorating in January and December. In addition, a measure of manufacturing employment increased to a two-year high in February.
Though millions are unemployed, companies are struggling to find workers, which is contributing to holding back job growth. A survey on Wednesday showed employment growth in the services industry slowed last month, with businesses reporting they were “unable to fill vacant positions with qualified applicants.”
That was underscored by an NFIB survey on Thursday showing 91% of small businesses trying to hire in February reported few or no qualified applicants for their open positions.
This labor market dichotomy is because the pandemic is keeping some workers at home, fearful of accepting or returning to jobs that could expose them to the virus.
It has also disproportionately affected women who have been forced to drop out of the labor force to look after children as many schools remain closed for in-person learning. According to Census Bureau data, around 10 million mothers living with their own school-age children were not actively working in January, 1.4 million more than during the same month in 2020.
The Fed’s Beige Book report on Wednesday showed there are shortages of workers in both low-skill and skilled trade occupations. The vacancies are mainly in the high-growth industries that have fared well throughout the pandemic, such as information technology, engineering, construction, customer support, manufacturing, and accounting and finance.
“Jobseekers are more hesitant to pursue many of the in-demand roles that are required to be onsite, particularly in industries like manufacturing, which has seen double digit increases in job roles like assemblers and warehouse managers,” said Karen Fichuk, CEO of Randstad North America.
The virus has greatly altered the economic landscape and many of the services industry jobs lost will likely not return.
Though the unemployment rate has dropped below 10%, it has been understated by people misclassifying themselves as being “employed but absent from work.” It is expected to have held steady at 6.3% in February. Just over 4 million Americans had been unemployed for more than six months in January, while 3.5 million were permanently unemployed.
Given the difficulties of retraining, structural unemployment could account for a bigger share of joblessness in the near future.
But there is light at the end of the tunnel. Economists believe the labor market will gather steam in the spring and through summer, with vaccinations increasing daily, even though the pace of decline in COVID-19 infections has flattened recently.
A boost to hiring is also expected from President Joe Biden’s $1.9 trillion recovery plan, which is under consideration by Congress.
“The labor force will begin a meaningful recovery in mid-2021 as extensive vaccine distribution will push toward herd immunity, reducing health concerns and allowing for a more complete recovery of some hard-hit industries,” said Ryan Sweet, a senior economist at Moody’s Analytics in West Chester, Pennsylvania.
(Reporting by Lucia Mutikani; Editing by Dan Burns and Andrea Ricci)