As we close out 2019, we reflect on a number of trends and developments that third-party risk professionals should pay heed to. From increased State-level data-privacy and cybersecurity regulations, through to record FCPA fines, 2019 was a year of significant focus on third-party risk. Here we outline six of the top trends for the year:
1. Continued regulatory focus on data privacy
The data privacy regulatory revolution gained momentum over the past 12 months. Having only just recovered from the May 2018 deadline for compliance with the EU’s General Data Protection Regulation (GDPR), organizations found themselves gearing up for the California Consumer Privacy Act (CCPA) due date of January 1, 2020. More new rules are expected to be finalized in 2020, including privacy laws in more individual US states. This reflects a trend of increased State-level regulation covering data privacy as well as cybersecurity, data security and data breach notification (see below).
State data privacy laws include:
- California Consumer Privacy Act (CCPA)
- Nevada Senate Bill 220 Online Privacy Law
- Maine Act to Protect the Privacy of Online Consumer Information
For a list of states actively pursuing consumer privacy laws, visit the National Conference of State Legislatures.
2. Business and government focus on cyber risk
The level of cyber risk within third party relationships is a growing concern for both organizations and regulators. For example, a breach at the American Medical Collection Agency, which supplied billing and collections services to health care companies, came to light in May. Overall, the breach impacted 23 healthcare organizations, three professional services firms, two business support businesses, and a manufacturing company – and shortly afterwards the American Medical Collection Agency had to file for bankruptcy, leading to further disruption for its clients. Data privacy breaches often receive the most attention, but a cyberattack on a third party can have other effects too, including customer service failures and theft of trade secrets.
Regulatory interest in this area continued to grow in 2019. Compliance with New York State’s cybersecurity law for banks was required in March 2019, and US federal banking regulators continued to work on draft guidance.
The UK’s FCA is also very active, publishing an industry insights report in March. According to the FCA’s 2019/2020 business plan, “Between October 2017 and September 2018, 17% of the incidents firms reported to us were caused by IT failure at a third-party supplier – the second highest root cause of disruption to services.”
In the US, state level cybersecurity, data security and data breach notification laws continued to expand and now include:
- New York State Department of Financial Services, Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500)
- New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act
- Massachusetts Bill H.4806 — An Act relative to consumer protection from security breaches
- New Jersey — An ACT concerning disclosure of breaches of security and amending P.L.2005, c.226 (S. 51)
- Maryland Personal Information Protection Act – Security Breach Notification Requirements – Modifications (House Bill 1154)
- Oregon Consumer Information Protection Act (OCIPA) SB 684
- Texas – An Act relating to the privacy of personal identifying information and the creation of the Texas Privacy Protection Advisory Council
- Washington – An Act Relating to breach of security systems protecting personal information (SHB 1071)
3. An increased emphasis on operational resilience
The concept has been around for a while, but financial services rule-makers have propelled the phrase into the headlines. In the US, the FDIC published a financial institution letter which asked banks to make sure contracts with third parties had requirements around business continuity baked in, and the Federal Financial Institutions Examination Council (FFIEC) has revised the Business Continuity Management section of the FFIEC Information Technology Examination Handbook. The UK’s Financial Conduct Authority and Bank of England are due to publish a new paper on the topic before the end of 2019. Other highly-regulated industries are also seeing an increase in focus on the level of resilience within third party relationships, such as joint business continuity programs and cyber-attack planning.
4. The EU’s Outsourcing Directive deadline hit
Financial institutions based in the EU scrambled to hit the end-September deadline to comply with the European Banking Authority’s new outsourcing rules. Banks must have a list of third party contracts, and implement new contract requirements for future relationships. However, September wasn’t the end – now firms have to amend contracts within existing third party relationships. The final deadline for this is 31 December 2021.
5. Third parties a common denominator in ABAC enforcements
Big companies continued to fall foul of anti-bribery and anti-corruption (ABAC) laws, usually as a result of working with a third party. This month Swedish telecom Ericsson agreed to pay the DOJ and SEC over $1 billion in one of the biggest Foreign Corrupt Practices Act enforcement actions ever. Ericsson used third party agents and consultants to make bribe payments to government officials and/or to manage off-the-books slush funds. These agents were often engaged through sham contracts and paid pursuant to false invoices, and the payments to them were improperly accounted for in Ericsson’s books and records.
Prosecutors also continued to press enforcement actions against individuals as well as companies. In the EU, a new law to protect whistleblowers was finalized in October, which could result in more ABAC cases being brought forward. Individual EU countries have two years to implement the law.
6. Enforcement actions continue
Financial services regulators, in particular, are starting to flex their muscles around poorly managed third party relationships. For example, in June JP Morgan was fined €1.6 million by the Irish financial services regulator for failures around how it had outsourced its fund administration activities in that country. In the UK, Raphaels Bank was fined £1.89 million for outsourcing failings that were made worse by an IT failure at the third party. This resulted in the breakdown of its payments authorisation and processing services for eight hours on Christmas Eve. Organizations in highly-regulated industries can generally expect third-party risk management (TPRM) enforcement to gain momentum going forward.
All of these trends and developments underline the need for a more sophisticated approach to TPRM within organizations. The operating environment is becoming more complex, and so improved awareness of potential risks and of control effectiveness is now essential.
See how Aravo for Third-Party Risk Management can support your evolving program requirements.