Aflac’s Tim Callahan presses hard line on managing third-party risk

Ask 100 people to define risk and you’ll get 100 definitions (if not more), but all typically agree on one thing: identifying and managing risk is extremely important to an organization’s livelihood and resilience. It can make a difference in curbing, mitigating and/or recovering from cybersecurity incidents.

Recently, that resilience and the ability to manage risk have been put to the test for many companies as they cope with accommodating remote workforces and operations during the Covid-19 pandemic.

Understanding where risk lurks – not to mention how to reduce and manage it – requires incorporating multiple perspectives both within and outside's one organization (think vendors, business partners and links of the supply chain) into a comprehensive strategy. Those are the issues that the Privacy & Risk track at InfoSec World 2020 will tackle next week.

Noting that third-party vendor risk assessments are time consuming -- with the Standard Information Gathering (SIG) Questionnaire fielding 1,200 questions -- Tim Callahan, senior vice president and global CSO at Aflac, says his company set out to develop a reasonable, defensible standard of care addressing those issues.

The company has pledged that “no third-party services pertaining to the handling, hosting, processing, accessing or transfer of customer or Aflac information may be activated without written approval from Aflac’s Global Security Division.”

Callahan will explain Aflac's policy further in his upcoming session, "An Offensive Approach to Managing Your Third-Party Risk."

The vendor-enterprise relationship should be sacrosanct, but according to the Ponemon Institute, 37 percent of organizations don’t believe vendors would notify them of a data breach, notes Randy Ferree from OneTrust Vendorpedia, who will lead the InfoSec World presentation "Risk Exchanges: The Key to Vendor Risk Management Efficiency."

New technology like the cloud, an uptick in breaches at every type of organization from Target to Equifax, and greater consequences for security incidents are driving the need for vendor risk management. If the sheer volume and growing sophistication of attacks and the wicked intent of miscreants aren’t enough to convince organizations to invest in resiliency, then the costs that they must somehow absorb or offset as a result of those attacks should. An IBM/Ponemon study says the average cost of a data breach in organizations where more than 50,000 records are compromised tops $6.3 million. And a breached U.S. company on average loses $4.13 million in business globally.

With that in mind, organizations are using assessments, exchanges and assessments as a service to manage vendor risk, says Ferree says, who recommends monitoring risk with granularity.

Party City attributes the success of its global enterprise IT Risk Assessment program to a number of factors, including C-level sponsorship​; experienced, skilled partners; identification of required resources; proper planning, including accurate scoping; and partnerships with business.

The core team consisted of specialists in information security, internal auditing, and risk and controls plus a third-party vendor, according to Angie Negron-Nieves, director risk and controls at Party City, and Rolando Espinoza, director of governance risk and compliance at Security Validation LLC. And management included both corporate and local business as well as IT senior leadership.

Negron-Nieves and Espinoza will offer addition details on their program in their session "Case Study: Performing a Global IT Risk Assessment."

Companies aren’t just dealing with cybersecurity risk – privacy risk, too, keeps members of the C-suite up at night. Organizations can bring the two together through use of NIST privacy and cyber frameworks, both of which are set up in a similar structure, says Kelly Hood, cybersecurity engineer at Optic Cyber Solutions, who will spearhead the session "Bringing Cybersecurity & Privacy Together through NIST Frameworks."

Organizations don’t have to bear the brunt of risk management alone. A growing number of organizations are opting for cyber insurance as a risk transfer mechanism as part of a larger risk management program, according to Sean Scranton and Shelly Thomas from RLI Insurance Company. “Residual risk is transferred, which minimizes severity,” say the pair of speakers, who will present the session "Cracking the Cyber Liability Code."

To ink appropriate coverage, it’s important that companies understand the cyber liability market, identify common coverages and exclusions, understand the reasons that cyber insurance claims are denied, and understand how to fill out an application, identifying key factors to determine how much insurance is needed.

To learn more about managing risk, check out the privacy and risk track at InfoSec World 2020.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.