Is Your Third Party Risk Management (TPRM) Program Primed To Fail?


Not long ago, the FCC fined venerable AT&T $25 million following a data breach that impacted nearly 280,000 of its customers. What is especially telling is the story behind that breach. Like many other consumer-heavy companies, AT&T had engaged international call centers to handle inquiries, specifically in Mexico, Colombia, and the Philippines. Thieves, aka “unauthorized third parties,” evidently targeted employees in these centers and offered compensation for sensitive customer information. “At least two employees believed to have engaged in the unauthorized access confessed that they sold the information obtained from the breaches to a third party, known to them as ‘El Pélon.’”

Not only was AT&T levied a hefty fine, it was also directed by the FCC to develop and implement a compliance plan to ensure appropriate processes and procedures were incorporated into its business practices to protect consumers against similar data breaches in the future. Specific measures included appointing a compliance officer, conducting a risk assessment and implementing an information security program. It makes you wonder why those steps weren’t taken in the first place. If it can happen to AT&T, what can the rest of us do? Short answer – plenty, starting with learning from AT&T’s missteps in dealing with Third Party Risk Management.

Failure to monitor. Bad news doesn’t get better with time. The breach in question happened over a 168-day period. Not only were three vendor employees in Mexico involved, but the FCC learned of additional breaches in Colombia and the Philippines due to unauthorized access of sensitive customer data by forty additional third-party employees. 168 days is nearly six months of unfettered access, and evidently that anomalous activity was not detected and reported by AT&T before significant damage was done.

Failure to put a comprehensive third-party risk management program in place. Third-party risk is one of the most vulnerable points in a company’s operations, but it is often overlooked when planning risk mitigation. The FCC found AT&T’s failure to reasonably secure its customers’ personal information was an unjust and unreasonable practice – not what consumers want to hear about a company they trust with their sensitive data.

Failure to conduct regular risk assessments. AT&T’s failure to conduct risk assessments, including onsite inspections, is a notable lapse. Assessments of different types should have been standard, ongoing practice.

The fact is that every third-party vendor is a potential risk liability. Establishing a functional and up-to-date risk management program is critical to an effective approach for safeguarding sensitive information. No company sets out to fail, but poorly executed third-party risk management usually doesn’t demand attention until the damage is done.

To set your program up for success, the key is incorporating your third-party risk into a strong centralized program. You know all too well that your organization’s time and resources are stretched. Centralizing your vendor-related communications, data, and reporting is more efficient and effective in surfacing potential issues before they become huge headaches. When you perform third-party management as a series of individual tasks rather than an integrated, data-driven process, chances are you are wasting resources for an inferior result.

It pays to be curious. Screen your third-party providers carefully and make sure you are asking the right questions. Know when to dig deeper and know what to look for. To function effectively and responsively, your third-party risk management program should be integrated, transparent, accessible and automated.

Every company that uses third-party resources needs to understand that assessing vendor risk is an operational, data-driven process. Your process can only be as effective and efficient as the scope, currency, and accuracy of your information. We can all learn from the failures of others, and equip our third-party risk management programs to succeed where others fail.