AMHERST, NH — It is a new year like no other: wracked by an enduring pandemic, a divisive political season, and a world that remains largely remote, the advent of 2021 heralds more questions than answers.
“It’s been a very interesting time for everyone,” Tim Carbery, managing partner at CastleHill Managed Risk Solutions notes. In this week’s episode of Coffee Chat with CastleHill, Carbery sits down with VP of Business Development Joe Santangelo and Moderator Sam Riley to discuss emerging risk trends in 2021: where they originated, how they have developed, and where we might expect to see them go from here.
Risk Trends: 2020 versus Now
In January 2020, Risk.Net published a survey that placed Cybersecurity and IT Disruption at the top of emerging concerns in risk management. What the article could not have predicted was that its distribution predated the precipice of pandemic— and how the impending global shutdown would influence its estimations.
The impact of COVID-19 on initial predictions for 2020 risk trends is pronounced. Carbery points out that, “For pretty much all of 2020 through to today, we are operating in a business continuity mode. We are in a continuity exercise where most companies have had to be in a permanent state of their fail-over plan… the IT Disruption Risk has not manifested itself, because people have been in this business continuity plan.”
Rather, the focus has been on resiliency. With a tectonic turn to the remote, resilience capability and those operational processes dependent on an in-person workforce have been at the forefront of risk trends from 2020 forward. Third-Party Risk has gained prevalence along similar lines: office exoduses have increased third- and fourth-party demand globally, as remote workers are forced to rely on different vendors at an accelerated implementation rate.
In October 2020, the Operational Risk Data Exchange Association published its Top Risk Review, which kept Cyber Risk and Third-Party Risk in the top three most significant trends for 2021. In addition, Regulatory Risk and Business Continuity ranked high amongst current concerns, followed by Technology Risk.
Cybersecurity and the Business Hub
Santangelo points to a string of security breaches as culprit in corporations’ continued scrutiny of Cyber Risk. “If we think back on 2020, there were a number of major breaches that had the headlines, like Microsoft or Twitter, or even some of the cruise lines,” He explains. “One of the things that’s happening now, with government agencies such as the FBI and the NSA, and CISA, they’re starting to supply organizations with a lot of information, a lot of data to help them not only protect themselves from potential bad parties, but also to recover from them as quickly as possible.”
In the influx of all this new information, organizations are transforming; but this digital transformation comes with its own set of challenges. For one, companies may find themselves unprepared for such an onslaught of data, leaving archaic management platforms swamped. As overburdened internal teams struggle to process increased demand, the stakes regarding future hacks rise.
“Gartner is predicting that in four to five years, seventy-five to eighty percent of CEOS are going to be personally held responsible for breaches,” Warns Santangelo.
For Carbery, a crucial component to mitigating Cyber Risk is an integrated approach to risk management. He considers the Target breach of several years past, “where people got into the network though the air-conditioning company… and it turns out that the very popular software you’re using has a backdoor in it that is allowing people access to your network, or potentially allowing access to your network.”
While the impulse in such an example might be to zone in on Cybersecurity, Carbery argues that the threat extends across multiple platforms, including Cyber, Technology, People, a Process risk. The solution – and an organization’s strongest defense – will be similarly cross disciplinary.
“Where in the past, the Cybersecurity teams may have operated in their own… those risks are now really People or Process Risks, just as much as they are Technology Risks.” Carbery explains. “They need to bring that into the fold and understand that Cyber Risk is something that does not have to be segregated.”
CastleHill’s Business Hub exists to integrate that risk.
The Business Hub is a wholistic framework designed to demystify an organization’s risk management by unifying its risk information. “The Business Hub is all about having those consistent taxonomies, whether it’s simply describing your organization… even describing the organization is often different for those in IT Risk or Cybersecurity than they are for your Process or Third-Party Risk.”
Automation and Regulatory Risk
Unification, or standardization, of an organization’s risk model is crucial in creating a risk management environment able to adapt quickly to changes in regulation. From AI management to the SEC’s recent talks about climate risks, many businesses are caught trying to catch up with new regulations.
Take, for example, the SolarWinds hack, a breach that left upwards of ten-thousand customers’ data compromised. Carbery and Santangelo propose that companies have not yet begun to see the true ramifications of the hack reflected in regulatory oversight, nor are many of them prepared for the consequences that will continue to unfold.
Organizations with a greater risk management maturity are in a considerably better position to roll with the punches. “It’s not about interpreting the regulation at the point of the regulation being created,” Explains Carbery. “Get to a place where you’re actually leveraging a service that’s using technology to drive this information into your organization, and then actually get it into your GRC platform, into your Regulatory Compliance Risk Management Platform.”
CastleHill helps companies to develop an effective approach to automation, leaving them better positioned to monitor change than firms dependent on manual methods.
The Trouble with Third-Parties
Organizations have long relied on third parties for additional capacity and tools. But with great power comes great responsibility— and those in the field of Third-Party Risk Management have been hit with a regulatory triple whammy.
The Federal Trade Commission announced its intention to pursue enforcement for inadequate Third-Party Risk Management practices under the GLBA’s Safeguards Rule. The Safeguards Rule expands an organization’s responsibility to protect not only their own data, but any affiliated third-party’s data.
The Office of the Comptroller of Currency took it a step further: in its 2020-10 Bulletin, the OCC indicated that management should investigate whether its third parties adequately oversee their own subcontractors, effectively expanding the initial organization’s purview over both third and fourth parties.
Can a company conduct an initial review when onboarding a third party and consider themselves covered? Pressure from the Department of Justice means that an organization is responsible for its third parties throughout the entirety of their working relationship— and a lack of resources for that level of management will not be an acceptable reason for non-compliance under DOJ review.
“You need to manage the risk for that third party over the entire lifecycle that you’re doing business with them,” stresses Santangelo. “You have to do it continuously. And you have to make sure that they are providing the services securely that you’re asking and managing risks.”
Carbery highlights the necessity of businesses monitoring their third-party risks with an example especially salient to remote workers: package delivery.
“Most folks have had some sort of a delivery from a major organization in the past several months… and if you notice, those companies are often taking a picture, because of the risk of peoples’ packages being stolen, right?” He explains. “As a business owner myself, we ship materials to our employees. We ship things to different people. Am I responsible for the picture that the driver took, which is sensitive data, it may have that person’s address on it, or maybe it is geo-located for that person going through an insecure email… what is my level of risk relative to that?
Rather than leave organizations to succumb to the dizzying breadth of potential Third-Party risks, CastleHill offers its customers a lifeline: CastleHill’s GRC as a Service offering. GRC as a Service is a simple, effective solution that allows companies to outsource their Third-Party monitoring to CastleHill’s team of experts.
What makes CastleHill unique to other risk management services is its ability to balance unique platforms with standardized processes. “The belief has been in the industry that we can all get to a place where we can just all share data,” says Carbery. “But that’s actually a really big challenge, because most companies have a level of uniqueness to their relationships with those third parties. We don’t all have standardized contracts. We don’t all have the same exact contract with every single third party or every single fourth party where we have no contractual obligations with them… I think it’s been a little bit of a red herring for people to feel that they can go out and just get information and sort of have the blue seal of approval on a third party and be able to hand it off and say, well, we didn’t need to do anything further than that.”
The difference is in the process. While an individual company may have unique requirements for managing their risk appetite, the process of performing the tasks remains the same. “You’re going to do further due diligence of a high-risk vendor versus a low-risk vendor, but the process of actually asking the questions, evaluating the responses, is identical and can be reproduced.”
CastleHill exists in the sweet spot: a team of professionals with the experience necessary to support a unique risk platform while improving its overall efficacy through a reproducible process.
“Our GRC as a Service for Third-Party Risk Management is the kind of solution that is going to help people get this,” Carbery concludes, “Where we have the capacity, the expertise, and the understanding to know what level of risk is engendered by having a photo of one of your employees’ front doors.”
Business Continuity in 2021
In early 2020, organizations around the world deployed long-term contingency plans. Now, at the beginning of 2021, few have emerged. With offices standing empty and the global workforce moved remote en masse, Carbery muses on the long-term impact the coronavirus pandemic will have on business continuity. “From an operational risk perspective, I expect this to be a deep focus of regulators, a deep focus of audit, and a deep focus of risk committees, to look at: how did we do in this business continuity environment that we’ve been in?”
While it is likely that a slew of new policies will crop up in the wake of the COVID-19 pandemic, Carbery urges businesses to get ahead of the curve by turning a critical eye to their own risk platforms. “Fundamentally, organizations are going to need to be able to look at how they survive this, how well they offered those services to their employees, and what they are going to do in the future— and then, as they make those decisions about what they’re going to do in the future, they need to make sure that their risk management platform accounts for it.”
Annual reviews will no longer cut it. A company’s rate of internal change must accelerate to be able to react in close to real-time to their critical activities and employment locations.
“Companies are going to have to think long and hard about how they’re going to do that, whether they’re going to do that, and what it means to the risk posture that they have, to their risk appetite that they have as a company.” Carbery adds. “Doing that with a disjointed or poorly integrated risk management platform… it’s going to be a real challenge for companies.”
To learn more about what risk trends CastleHill is tracking in 2021, tune in to Coffee Chat with CastleHill