It’s fair to say that 2023 presented its share of complex challenges. From significant regulatory updates to third-party data breaches, to new supply chain risks, third-party risk management (TPRM) programs were tasked with navigating a constantly evolving landscape. Experienced TPRM professionals know there’s no such thing as an easy year in this line of work, thanks to the constant emergence and evolution of new risks. 

As this year comes to a close, let’s get prepared for some of the TPRM challenges that lie ahead in 2024.

3 Key Concerns for TPRM in 2024

1. Meeting regulatory expectations: With the final Interagency Guidance on Third-Party Relationships: Risk Management, the SEC's cybersecurity incident disclosure rules, and multiple state and international privacy acts all taking effect in 2023, institutions should confirm compliance by doing the following:

  • Audit your TPRM program to ensure it complies with the Interagency Guidance. Be sure your policy is compliant and that your processes align with the policy. Document any exceptions to your processes, so they can be presented to examiners.
  • Map and evaluate regulatory and state requirements against your institution’s current TPRM practices and processes.
  • Document any gaps and determine and document appropriate remediation plans that include timing and accountability. Make sure to track your progress and report to senior management and the board.

2. Increased cyberattacks: The technology landscape has undergone significant transformations, and while it’s created new opportunities for innovation, it’s also increased the digital attack surface. This trend is expected to continue in 2024 as cybercrime also evolves.

Two practices that help keep pace:

  • Enforce contractual cybersecurity requirements. Ensure your contracts include key terms and conditions such as a right to audit, breach notification with a defined notification window, and permissible use of your data. These terms give you the leverage to verify controls and respond quickly, which reduces risk to your institution and protects your customers.
  • Test third-party business continuity and disaster recovery plans. In the event of a breach or other disruptive incident (ransomware being the common case), be sure your data is protected and recoverable. Ensure qualified subject matter experts review third-party BC/DR plans. Plans should be tested regularly, at least annually, and the results should demonstrate that the third party can meet the recovery time and recovery point objectives your institution depends on.

3. Fourth and nth parties: Your third parties’ subcontractors (your fourth parties) should be on your radar, especially if they’re critical to the third party’s ability to provide products and services to your institution or customers. Cybercriminals are targeting the weakest links further down the supply chain.

Here are two best practices for fourth parties:

  • Request a list of fourth and nth parties. Require your third parties to disclose any vendors instrumental in providing products and services to your organization. Some of this information may appear in a third party's SOC 2 Type II report, typically in its description of subservice organizations; note that when the report uses the carve-out method, those subservice organizations' controls are excluded from the auditor's opinion, so the report alone does not tell you they are well controlled.
  • Review your third parties’ TPRM practices. Review your third parties' TPRM policy, program, and procedures. Confirm that their TPRM practices and processes are sufficient to identify, assess, monitor, and manage third-party risks. Ask for evidence and key documentation such as their compliance policies, inherent risk assessments, and due diligence.

As we look ahead to 2024, it’s essential for TPRM programs to maintain diligence towards regulatory compliance, cybersecurity, and fourth-party risks. Addressing these concerns will play a critical role in protecting the institution’s reputation, confidential information, and overall operations.

As you head into 2024, a best practice for a successful third-party risk management program is to follow the lifecycle. To help, this Third-Party Risk Management Lifecycle Toolkit has an eBook, infographic, PowerPoint template, and printable 1-page PDF.

Learn more about how you can assess, monitor, and manage third-party risks to your bank with Venminder by requesting a personalized demo.