Keith Koo on A Horizon View of Third Party Risk and Cyber-Risk
May 21st, 2018 • posted by Aravo • Reading Time: 9 minutes
Sometimes, in the world of third party risk, we spend a lot of time looking at what is directly in front of us (or, reactively, at what is behind us), or even keep our heads in the sand. Industry expert Keith Koo spends a lot of time looking to the horizon. When you meet Keith, you are immediately struck by the energy and enthusiasm he brings to the topics near and dear to his heart: disruptive technology, digital innovation and cyber-security, and the intersection of all these trends with third party risk.
Not only has Keith had significant experience managing large third party risk programs for large banks and enterprise technology companies, he now advises companies facing the most complex and pressing third party management challenges as a Managing Partner at Guardian Insight Group.
It was his experience working in Silicon Valley, however, that also spurred Keith’s long-term interest in digital innovation, cyber-security and emerging, disruptive technologies such as cryptocurrencies and blockchain.
He’s brought his experience and passion together in the form of a Radio Show and Podcast series “Silicon Valley Insider” where Keith and other leading innovators in the industry discuss “what’s hot” in the digital world, best practices and big concepts for innovation, disruption and pivoting in the Silicon Valley.
We recently sat down with Keith to discuss third party risk, emerging technology, and what organizations should have on their horizon view.
How do you think third-party relationships will evolve over the next two-to-three years? In particular, what role might third parties play within a company’s business model?
The role of third parties will continue to evolve – they will become even more important to companies, who will continue to become more strategically dependent on them. Technologies such as artificial intelligence, machine learning, and big data will strengthen this trend, because companies will choose to work with third parties who have existing expertise in these areas, rather than develop the expertise themselves.
However, that does not mean that companies can outsource their understanding of the technologies being used by third parties in the process. Executives must keep current in their awareness of how third parties are delivering on their contracts and with what kind of technologies. They need to understand the risks these technologies could bring to the relationship and how their very business model could be damaged by those risks.
The Facebook/Cambridge Analytica scandal has shown the dangers of not taking these issues into account. Following the scandal, Facebook announced plans to end the company’s consumer-tracking program that allows data brokers such as Acxiom, Oracle Data Cloud, Experian, Epsilon and others to target the social media platform’s users based on their shopping habits or other data profiles. Facebook, which is a third party to these companies, announced a shift in business strategy. Now their own business models will have to pivot to change the way they target customers, and their revenues may take a hit. The question is – how aware were companies of the technologies and dependencies that were driving this part of their third party ecosystem?
Now, it will not be possible to predict every impact like a Facebook/ Cambridge Analytica event. But this is where having a business model that recognizes that you can’t know everything, and therefore has resilience and responsiveness built into it, that is important. When it comes to third party risk management, companies need to embrace the understanding that they don’t know what they don’t know. This is where resilience comes in – does the company have the right incident management and change management in place? Does it have the ability to bounce back once a vulnerability is realized? This resiliency needs to be incorporated into the business model and into their approach to third party risk management.
How could blockchain or cryptocurrencies change the shape or dynamic of third-party relationships?
Ultimately blockchain could disrupt or change the shape of third party relationships because it will disintermediate the need for a middle person. Firms will seek to simplify their supply chains because what blockchain inherently strives to do is cut out all middle parties.
However, this is not going to happen for a while. I like to say that blockchain technology is really at the stage where we just invented the wheel and we’ve not invented a bicycle or a car yet. The utopian stage of disintermediation that people are excited about is some way off, but it still may come sooner than some people think.
It is very much the same with cryptocurrencies. It will be a long time before these replace fiat currencies for day-to-day transactions in most economies. However, this sort of use for cryptocurrencies may come sooner in underdeveloped countries where individuals cannot rely on their fiat currency.
Are companies finally waking up to the danger posed by cyber-risk within their third-party relationships? Why or why not?
I think, yes and no. I believe that everyone is fully aware of the dangers of cyber-risk. Having run a TPRM team – third party risk is a microcosm of every operational risk, including cyber. I have seen how people are becoming more and more aware that there is an infinite number of threat vectors in cyber-risk or information security. It’s not a question of whether or not you are going to get hacked, it’s a question of when.
Most large banks face 50,000-100,000 attempted hacks a day. And what’s great about financial institutions that many people overlook, is that with that volume of attacks, we rarely hear of an incident or a breach.
With large banks, if they do get hacked, the spot of vulnerability is basically a soft underbelly. Companies know this, and regulated entities like financial services, insurance, healthcare – these kinds of companies have to be more aware by design, because regulators expect that of them.
However, no one wants to admit vulnerability on their watch. Here, industries can be like a herd of ostriches with their heads in the sand. So, by and large, companies are not using security services that could actively find potential areas of breach, that could show where a system is vulnerable. People say, “we cannot use something like that because the moment you identify a potential source of a breach for us we’d have to disclose that to the regulator and our auditors”.
Regulated companies need to start having conversations with their regulators about these issues – they need to bring their risk analysis to their regulators and come to an understanding about how they can test using these new technologies.
If they do not, there could be the potential for significant systemic risk – on a scale as damaging or more damaging than the Atlanta, Georgia attack, for instance, where more than 10 days after the incident public sector employees still could not use their computers. Suppose something like that happened to an entire financial institution, or several?
What shape could this risk – cyber-risk within third-party relationships – take over the next two or three years? How is it going to evolve?
Whether you are a purchaser of technology or a seller of technology, that ecosystem is becoming more complex. In TPRM, we are now talking a lot about fourth party risk, which is the risks posed by the supplier’s supplier. Companies simply don’t know all the different layers of organizations and technologies supporting them.
New risks are emerging all the time at third parties, and fourth parties. For example, a few months ago, a major new technology vulnerability was announced called the Meltdown and Spectre chip flaws. These flaws affected nearly every modern CPU in a PC, server or smartphone. It is a 20-year-old design flaw that programmers thought (many years later) was an untapped resource to increase CPU performance. Those programmers then started using the flaw in the code they wrote, so it became a feature. Through the flaw, hackers can essentially see everything that people do on their computers. The chip was, of course, made by third parties that the computer manufacturers worked with, but the problematic element of the chip was delivered to the third-party by a fourth-party. (Keith points out that he and other experts used to hypothesize that the microcode in CPUs was the one example he could think of where the industry wouldn’t need to audit fourth parties. He laughingly admits he has now been proven wrong.)
Another new issue is disposing of data when a firm stops working with a third party. What people don’t realize is that lots of hardware devices store the data and there is no way of getting rid of it without codifying the procedures with the third party ahead of time. It’s not designed into the hardware to be able to proactively get rid of that data. Another very recent example is Google’s decision as the third party to push all data risk onto the publishers (i.e. their customers).
People need to stop thinking about cyber-risk and third party risk as an academic exercise. They need to realize they need to start doing this – not think about it because the auditors and regulators want them to – they need to embrace keeping themselves secure, otherwise they won’t be around as a business.
How could blockchain support third party risk management – or is it simply just another risk?
One way blockchain can support third party risk management is simply by what we call a smart contract, a feature built into a blockchain. Blockchain in itself is an open public ledger that is a distributed ledger, so it is not controlled by any one computer or company, and it keeps an immutable record of everything that ever happened. So, it provides a strength of governance that regulators and auditors care about.
On the other hand, blockchain in itself is completely opposed to today’s data privacy requirements. So, HR system transactions, healthcare records, and financial transactions, for example, that carry PII won’t work at all in a blockchain environment right now. People have not yet architected how “permissionless” blockchains can transport a transaction without sharing sensitive data.
A private, permissioned, or consortium blockchain, which is what 90% of all banks and insurance companies are doing right now, is an entirely controlled system or closed system. The problem with these is that they don’t give the end-user the same confidence in the immutability of the data.
Certainly, blockchain will revolutionize entire industries – but we are not there yet. Some of the technology doesn’t exist yet.
Given this outlook, are regulators moving fast enough to head off systemic risk implications of blockchain, cryptocurrency, and/or cyber-risk issues?
Regulators are doing everything they can to quickly come up to speed on what these technologies are. With blockchain, there are at least six US regulators that are devoting a lot of effort to the area. There is no doubt in my mind that regulators are moving as fast as they can. But to the question, are they moving fast enough – I don’t think they can move fast enough because they are trying to cover everything about blockchain. They are trying to keep consumers and businesses safe, which is good, but the technology is maturing too fast.
It may be that, ultimately, a new type of regulator will be needed to effectively oversee a technology like blockchain.
There is financial risk – in the US, the regulators have made it difficult to do initial coin offerings (ICOs), because they want to prevent “pump and dump” schemes and other forms of fraud. There were over 900 ICOs in the world last year, 2017, and by February of this year already almost 50% had collapsed, either because they were fake or because they were inherently flawed.
There is also operational risk. People believe that blockchain isn’t hackable, and truthfully it is virtually unhackable. However, there are hackers trying to hack into the entire network, and if they were successful, it would collapse the entire chain that was hacked. (At the time of this interview, a research group had discovered a flaw in Ethereum, the most prolific enterprise blockchain, that was patched very soon after the vulnerability was announced. If exploited, the entire Ethereum ecosystem could have been compromised.)
What should organizations be doing today to either better manage the risks posed by these three trends – or potentially profit from the upside? And what role could third parties play?
We’ve gone full circle. The first thing is don’t be a herd of ostriches. Take your head out of the sand, educate yourself, get the training you need. Don’t rely on just internal experts – even the most seasoned technology folks in your institution – nobody can know everything that is going on right now, it’s all too new and dynamic. Keep an open mind and educate yourself and your organization on what these emerging technologies are, and what they can do both in terms of benefits and risks.
Companies should also consider working with organizations that are developing solutions in these spaces that could potentially be disruptive competitors. Many financial institutions are doing this at the moment, for example. The more enterprises can clearly articulate how they could use a nascent aspect of blockchain to further their own products, the more potential upside there could be for them. Companies, and their third parties, will also need to be able to pivot when change occurs.
Finally, there are big, unanswered questions still out there. For instance, while blockchain may disintermediate third parties – is it a third party itself? How will organizations list blockchain as a third party? How would you bring it into your system and conduct due-diligence?
About Keith Koo
Managing Partner, Guardian Insight Group / Host “Silicon Valley Insider” Radio Show and Podcast
Keith is a Founder and Managing Partner of Guardian Insight Group (GIG), a Technology Risk advisory firm dedicated to identifying, assessing, controlling, and mitigating risks associated with doing business with technology companies and vendors such as: financial, blockchain, pricing/cost, cyber, information security, business resiliency, disaster recovery, regulatory and compliance.
Before founding GIG, Keith was the Managing Director/Head of Third-Party Risk Management for the Mitsubishi Financial Group (MUFG) and was responsible for ensuring that the Bank had the proper framework, policies and controls to meet regulatory standards for effective oversight of third parties/vendors.
Keith is also the creator and Host of the “Silicon Valley Insider” Radio show and Podcast, which focuses on innovation, disruption and the risks associated with doing business. Keith is also an adviser to Fortune 1000 companies and startups.
Previously he held leadership roles at Cisco Systems, Hewlett Packard, and other technology and financial service companies in Mergers and Acquisitions, Divestitures, Technology and Risk Management. Keith is a frequent speaker, emcee, and moderator.