From blind spots to best defense – Addressing 3rd and 4th party risks

Today banks are integrating more with fintechs, and software providers are moving more towards SaaS delivery models to allow for greater levels of agility. Although collaboration is key to speeding innovation, it also introduces multiple new parties into your digital supply chain. Regulators are increasingly focused on the risks associated with this, particularly in highly regulated industries like financial services, to address gaps that can lead to cyber incidents and business disruptions, causing severe damage to customer trust. In this session you will learn about best practices for managing third- and fourth-party risk in your hybrid cloud environments, how to maintain consistent visibility into your ecosystem, as well as some of the hybrid cloud-based technology and tools to consider for third- and fourth-party risk management.

Transcript:

Aly Farooqui (00:07):

Thanks for coming. It is a little early for me. I am not a morning person. So when this was a 7:45 AM breakfast briefing, like, well, if I was the attendee, I do not know if I would make it, but good thing I am a speaker, so I had to get up and be here for it. Well, thanks again for joining. Hopefully you are enjoying the American Banker Digital Banking Conference. What a beautiful facility. This is my first time coming here and it's just very nice, right? I was very surprised about how nice this whole area and property is. I am glad that they're doing this here. My name is Aly Farooqui. I am the Chief Risk Officer for financial services with IBM Cloud. I have been with IBM now for two and a half years. Before IBM I spent 15 years with a company called Fiserv. Some of you might know about them, probably use them.

(01:01)

Financial services, tech and payments company. I had various different roles in that organization, but the last role I had was Head of Internal Audit, Chief Audit Executive and Head of Regulatory Affairs. At IBM I lead a few different portfolios. One is around de-risking financial services transformation and the journey to cloud. Second, I run our financial services cloud council program, which we'll talk about in a little bit more detail. And third is our regulatory outreach program. I am accompanied here by Dr. Nataraj Nagaratnam. He is an IBM Fellow and CTO for cloud security. If you have not talked to him, I would highly encourage you to connect with him. Becoming an IBM Fellow is not an easy thing, especially if you're an IBM Fellow with a specialty in security. I always learn a lot every time I connect with Nataraj. If you get a chance, please do connect with him.

(02:00)

And Nataraj is going to be helping me provide you more context on what we're going to be talking about. So the discussion today is around third- and fourth-party risks. Now, I know the definition of third and fourth party varies slightly from one organization to the other. So maybe just to level set here, right, we are clearly seeing all of you transforming, enhancing your digital platforms with partners, right? So either you can build, or you can partner, or you can buy, and we are seeing a lot more of partnering and buying, right? I would say partnering probably more, because buying can sometimes entail that you are getting a software and running it on-prem, whereas the SaaS model is becoming far more dominant. And in that equation you've got three core elements or three core parties. One is yourself, the other is who you've got a contract with, the third party, and the fourth party would be, in this type of situation,

(03:04)

if a SaaS provider, who are they using as a cloud service provider or a delivery infrastructure provider underneath them. So that's the context of third and fourth party based on which we are going to be having a discussion. Yesterday's sessions covered a lot around overall digital transformation and innovation, what organizations, all of you, are doing to be able to meet your customers', consumers' and clients' needs and demands. A lot of exciting things are happening, right? Really, really a lot of innovation being pushed through by your own organizations, and when you are partnering with fintechs and service providers to provide the great user experience and feature functionality that your customers demand. We at IBM have been seeing this journey over the past few years evolve to what you're seeing on the screen, which is a hybrid cloud environment. Your organizations are already here, if you think about it.

(04:04)

You are already partnering with SaaS organizations. We'll talk about where that is today. In the context of critical services and businesses, you already have cloud providers providing some level of infrastructure as a service. And obviously you have your on-prem environment and, for your branches, your edge environment as well. Private clouds have been there, and now organizations are looking to migrate to public cloud to fulfill, essentially, their needs for flexibility, agility, performance, and overall transformation. So we are seeing clearly a pattern here where you have to manage this environment now holistically, right? Before, you had an on-prem environment, you had to manage that. You built your programs, policies, standards to protect your environment, to protect your consumers, your data. But with this type of a model now becoming the predominant delivery model, there is a lot more work to be done. Hopefully this resonates and makes sense.

(05:11)

Certainly what we are seeing from a workload migration perspective, you can see that SaaS and public cloud are going to be the dominant delivery model in 2025. We're already seeing a lot of that happening here, but as it relates to financial institutions and banking, tell me if this chart doesn't resonate with you. I'll just take a second to explain it. What we have seen is mission critical services have not yet moved to cloud, public cloud. You may have SaaS solutions that can be considered as that service running in the cloud, but what we have seen is that they have been less complex or front office operations and applications. Now, do not take me wrong, I know some of you have probably core banking systems or critical systems in the back office also running in the cloud, but predominantly across the globe we have seen that mid-office and back office systems have not yet moved to the cloud. From a SaaS perspective, we are seeing CRM, HR systems, Salesforce obviously, Workday, email systems; we've been on the journey for providing those services and systems through the public cloud model with a SaaS delivery solution for some time. Hopefully this resonates. If it doesn't, if you guys think this chart is a little bit off from what you've seen or what your own organizations are experiencing, I would love to hear that, right? Please just stop me at any time you want to add something to this.

Dr. Nataraj Nagaratnam (06:48):

No, I think in terms of what is bragging the complexity more and more critical that we see that,

Aly Farooqui (07:14):

Yeah, I mean they are really nice, innovative offerings. As you go deeper in that box, right, in the middle office and back office, maybe data analytics, we are already exploring options there, our organizations are, but the issue becomes, okay, who is running it? Who's operating it? Are they going to meet my requirements, my regulatory needs? And if they do, is the infrastructure provider underneath them going to be doing the same or not? So do I have full stack visibility or not? So with that as a background, what we have been doing to give you a little bit of insight into where the regulatory trend is going, right? IBM has the opportunity to meet with regulators across the globe. So most recently we've obviously met with the US federal banking agencies. We do meet with them, I would say, probably on a monthly basis now.

(08:11)

But we've also met with various organizations in Europe, the Prudential Regulation Authority in the UK, the ECB, Australia, Singapore, and other jurisdictions. And these six themes have emerged as consistent items and areas of focus that we are seeing regulators essentially sharpening their pencils on. And what we saw last week in the US is on the second item, SaaS and FinTech and third party utilization, where the federal banking agencies, the OCC, FDIC and Federal Reserve, issued updated guidance on third party oversight and risk management. Now, that guidance had existed for probably close to a decade, if not more, but they have refreshed it because they are seeing FinTech propagation and utilization increasing, and their control over that is not at the level that they would want currently. So they're going to be putting more burden and responsibility on the financial institutions. So we'll spend, obviously, a few minutes talking about SaaS, FinTech, and third party utilization.

(09:30)

But some of the other areas that you'll find interesting, especially as it relates to cloud, cloud solutions, SaaS solutions with third parties being delivered with a cloud infrastructure, are resiliency in cloud and demonstration of capability. So over the past, I would say, five, six years, when regulators have asked the question, how is your DR going to be working for this particular system, be it a fraud management system running on the cloud or a wealth management component running on the cloud, the answer I think we've given them as an industry is that DR in cloud is different. So you do not expect that we've got DR like we do today on-prem, where we are shutting down a data center and bringing it live at the other data center. And I think over the past few years they've been okay with that type of an answer. But with the outages that have happened over the past 12 to 24 months, the appetite for that has been lost, is the feeling and the sense we are getting, right?

(10:30)

So demonstration of capability from your SaaS solution as well as cloud is going to be an area that you should pay attention to, especially as it relates to your regulatory supervision. Since we talked about that, the environment looks complex now, right? You've got on-prem environments, you've got SaaS solutions, you've got public cloud. So the strategy around how you are going to manage this hybrid multi-cloud environment in a way that meets your own standards and expectations, but also regulatory expectations, is also an area of immense focus. Cloud misconfiguration, not a surprise. Systematic risk, workload and data placement and resiliency. So although it's listed as number five, this is not by order or priority; that item is probably going to be the most important for all of us to make decisions on how we are going to approach a particular workload, if we are partnering with a FinTech, or if you're partnering with a SaaS or ISV, or if we have our own on-prem application that we are modernizing and making a decision on: should I run it on public cloud, private cloud, or on-prem?

(11:43)

That area is going to become most important for us to make decisions. And then there is a cascading effect, right, around security, risk, performance, total cost of ownership; resiliency becomes a critical component associated with that data. Backups might come as a surprise, given everything else is a little bit more strategic and thematic, whereas data backups are a very tactical item. But we felt it is important to highlight here, especially as you think about SaaS solutions, fintechs and your own environment running in cloud or on-prem. You've probably got good controls over it, but this is around cyber resiliency, especially in the wake of ransomware attacks, which are just continuing to increase. So regulators, certainly in the US but also in other jurisdictions, are asking how organizations are providing recovery capability from immutable data storage. So these are six thematic items, obviously more focused on technology, cybersecurity and outsourcing. Obviously, given the events of the past six, seven months, there are other areas on financial services stability and financial strength that regulators are focused on. But we are obviously focusing on tech, cyber and outsourcing. Any questions so far? Does this resonate? Is there something that you're seeing here that comes as a surprise, or is there something that may be missing from this list?

(13:24)

Okay, I'll take that as: this is comprehensive and you're believing everything I am saying. Excellent. Alright. So I am not going to spend too much time on this chart, but obviously from a regulatory supervision perspective, especially as new guidance comes out or guidance is updated, that translates into more scrutiny on examinations, more scrutiny on overall supervision, and typically results in matters requiring attention (MRAs), more work and burden on your teams. So the time is now to make sure that as you are innovating, bringing new products to life, serving your customer base, you're doing it in a way that gives you success for the long run. You do not want to be in the boardroom explaining why you have four MRAs associated with this new product that you launched in the market today. And some of the civil penalties that you see are publicly available information; you certainly want to avoid being on that list.

(14:25)

So Penny mentioned this yesterday at the opening remarks: the federal banking agencies updated their guidance on third party risk management and governance and oversight. Now the federal banking agencies essentially say third party, but they are talking about digital partners and the overall supply chain. So we have to make sure we are considering the fourth party element of it and have a comprehensive solution and comprehensive approach from a governance standpoint. There, planning, due diligence, contract negotiations, not a surprise, there are enhanced expectations associated with those areas. Please do pay attention to those. Termination and governance, same thing. There are enhanced expectations, but where I want to maybe spend a few minutes is ongoing monitoring. So this has been an expectation for some years now from the federal banking agencies on who your critical service providers are; you may have a hundred service providers.

(15:30)

You have to be able to differentiate between who your critical service providers are and what type of oversight you have on them. And typically we have given the answer, in my previous life when I was asked those questions, we've given the answer: we do periodic audits. We send our security team, we send our vendor management team, we send our audit team out to the various different vendors. We get their SOC reports, the whole due diligence. So that answer, depending upon the type of service and the type of partner you have in your ecosystem, may not be fully sufficient, right? Because the expectations, as you can see over here, are increasing from having periodic touch points to ongoing monitoring, especially as it relates to controls that affect and impact your environment, performance and effectiveness of controls, insights on operational issues, regular testing of your own controls that impact the third party and fourth party relationships, and testing of the controls in the whole holistic environment, in your own environment as well as third parties, from an ongoing perspective in certain cases where that is a mission critical service.

(16:51)

So that's a lot, right? Especially as you think about it. Yesterday, I do not know who all attended the award ceremony. Really good, by the way, really, really nicely done event, and I was very impressed by some of the innovation that's happening in the industry. One of the individuals who received the award had a mobile application that they created for their financial institution, which really increased their customer satisfaction and retention. But I was just thinking about it when they mentioned how many fintechs they had to partner with to be able to deliver that solution. I think they mentioned at least six or seven for the mobile app. I mean, it's more than a mobile app clearly, but it's that type of ecosystem and environment where we have to think about how I am going to be able to de-risk this platform, this new solution, this product that I am bringing to the market, by meeting the regulatory expectations. Because they're going to come and say, okay, those six or seven fintechs and SaaS solutions that you have integrated into your platform, what are you doing to get a level of insight and assurance for yourselves, for your board, and for us as regulators?

(18:22)

So a different approach is required, and we at IBM have been on this journey now for, I would say, a little over three years. We've seen how organizations are continuing to try to solve this problem with the same practices over the years and have not been successful. So we felt it was needed to have a different approach to solve this problem in the industry, especially as it is picking up more momentum as we are partnering with more SaaS solutions, fintechs and ISVs. So four key recommendations, and then I am going to talk a little bit about what we are doing at IBM Cloud for Financial Services. Four key recommendations. Number one, as I said before, make informed decisions on workload and data placement. That means if you're looking at a particular product, you're partnering with somebody, where is that product going to be hosted? Who are you partnering with and what are the criteria that you're utilizing to make those decisions? Criticality of service, resiliency requirements; the list is exhaustive. These are just examples. Performance, user experience, all of that becomes critical. But if those decisions are not being made and we are making decisions based on whatever the FinTech is telling us or whatever the SaaS provider is telling us, and the application looks nice, I think we'll be in for a little bit of a surprise later down the journey. So make sure we are making workload and data placement decisions based on defined criteria. Foundational controls framework.

(20:05)

So the opportunity that we saw here was having a standard approach that is applicable to your FinTech, SaaS providers, ISVs and the underlying infrastructure provider, the cloud provider. So that has not happened yet in the industry. We've done something at IBM, we'll talk about that here in a second. But we've seen that there is an opportunity to have a full stack standardization from a control, security and risk standpoint that the industry has not really been able to leverage. So utilization of a foundational controls framework: we have a framework, you can use it today wherever your workloads operate. And automation associated with that is going to be critical. Conformity to the bank's own requirements: so even though you have a foundational framework, where you can say I am using something from IBM, the regulators will always say, well, what are your standards and how are those standards being met?

(21:06)

So making an alignment associated with that is going to be important, and continuous monitoring and automation. So I would challenge all of you to go back to your third party risk management teams, your security teams, and say, how are you doing ongoing monitoring of my critical service providers that are delivering me these solutions? And if the answer to that is we are completing a supplier information gathering document every six months or a year, that answer is probably not going to be good enough. It is important that that exercise is done to have some level of base due diligence, but that's not ongoing monitoring or continuous monitoring and automation. So at IBM Cloud for Financial Services, we started addressing these problems by developing the foundational control framework, because we saw that there was no standard in the industry that was applicable to the full stack from an IaaS, PaaS and SaaS layer standpoint.

(22:08)

So we worked with various different organizations to develop a cloud framework for financial services that is essentially a guide, a specific set of control requirements that are applicable to your own products and services that you may be moving from a DevOps perspective into the cloud, but also to your ecosystem: SaaS providers, fintechs that are running on IBM Cloud for Financial Services. The way we developed this framework was we looked at global regulations, certainly in the US, the FDIC specific regulation, NYDFS specific state regulations. We have IBM Promontory that provides us regulatory watch, and that essentially helps cultivate the framework, keeps it nurtured and growing from a control standpoint. But we also cover more than just the US. Obviously, as you can see, over 80 regulators and 263 regulations are covered. We partnered with industry consortiums and standard setting bodies.

(23:13)

NIST was the primary foundation on which we've developed this framework. And then the financial services cloud council that I mentioned in my opening remarks. So the idea was that we cannot solve this industry problem without the industry. So we brought together CIOs and CTOs from the, excuse me, G-SIBs that you would imagine, the top five to 10 banks, their CIOs, CTOs, their CSOs and risk officers, and said, we need your control frameworks. And they did give those to us, and we essentially incorporated those control frameworks into what you see as IBM Cloud for Financial Services. But then we expanded to regional banks, super regional and community banks and credit unions and said, how can we partner together to create an ecosystem of organizations that can keep this framework current and up to date? So I am very pleased to share with you, we have over 85 financial institutions as part of the council program.

(24:18)

Now obviously when you get to 85 banks and 140 members, it's not a council anymore, it's a community. And we'll share a link with you on the community if you would like to join that. And the idea there is how do we collectively de-risk some of the biggest problems in the financial services industry, especially as it relates to security, risk and compliance. So this is one of the initiatives of the council. We also released a white paper on cloud metrics, which we are working with MIT on for benchmarking, if you're interested in that, as well as concentration risk and a number of other areas that we are collectively working on. Nataraj, your thoughts on the framework that you would like to share?

Dr. Nataraj Nagaratnam (25:00):

Yeah, one of the key things that we have observed is, when it comes to frameworks, all of you will have your own framework. And when you think about standard frameworks and so on, what we have found working with the banks we co-created it with is that it's about the implementation being prescriptive, so that your policy, in order to implement it, needs to be very specific. How do you protect your data? What key management do you use? What do you require in terms of network battery protection and so forth? Just saying, hey, make sure data is protected, that uber level policy didn't work when you bring CSOs and CIOs and CEOs into the room to actually implement it. So that prescriptive implementation has become the goal of what we have built, co-created with these banks. And when we work with all the teams, we work with social security for example, mapping these standards, the value that organizations also see is the extra mile that we have gone to make it more prescriptive. So that's a core part of this, because the more prescriptive you get, the more you can actually implement and automate, so that for the CISO and the compliance officers, as you talk about controls, the framework becomes easier for your implementation teams, your developers, to actually understand and implement and automate. So that's where the core of this whole framework that Aly just talked about, that we co-created, makes a transition from just being a policy to something that can be automated, as you were showing in the previous chart.

Aly Farooqui (26:39):

Correct. And to Nataraj's point, one of the things that we came across was, if you are working with your security and risk teams, they all have preferences, right? They'll say, well, I think you should be using the Cloud Security Alliance CCM metrics. Somebody will say, well, what about the PCI environment? And that obviously has specific requirements. Or CRI is another organization; we want to use that organization. So rather than getting into the battle of frameworks, we essentially said, how do we align and nurture the cloud framework with all of these control sets? That's what you're seeing on the screen from an alignment perspective. And then, to Nataraj's point, having a framework is great, but how does that help me with my third and fourth party risk, and how does that help me with transformation of my products and services?

(27:34)

So two core elements there. One, as you are developing your applications or migrating or transforming them, right, on IBM Cloud for Financial Services or, for that matter, any other cloud, we've got some specific products and solutions such as IBM Cloud Satellite that extend the capability to a hybrid multi-cloud standpoint using Red Hat OpenShift. But the idea is, how do we provide the guardrails to our developers in-house to be able to develop the products and services with controls prebuilt, so that they are not leaving a COS bucket unprotected that is found six months or two years later, and then you are on the list of the penalties I was showing earlier. So that's on the DevSecOps side. On the run side of things, it's also important to say, okay, I developed it, I migrated this application, but how is it performing now?

(28:32)

And that's where IBM Cloud Security and Compliance Center comes into play, where this control framework is fully embedded and is providing real time, ongoing monitoring of the drift associated with the control framework. So if you've got an unsupported TLS version, it notifies you; if you've got a COS bucket left unprotected, it notifies you, and obviously from a DevSecOps standpoint it prevents you from doing that from the go, from the start. From a FinTech standpoint and SaaS solutions standpoint, those organizations are coming over to IBM Cloud for Financial Services because of the value proposition that we showed you, primarily because they want to work with you. So I think somebody mentioned yesterday that to onboard a new FinTech or SaaS provider, it takes about 12 to 18 months, which by the way is pretty close to the number we have.

(29:32)

We say 18 months, and those organizations that are 20% strong, 50%, a hundred percent strong, do not have the capacity or the skillset, right, to be able to do all the control implementations, the risk and governance side of things, compared to your organizations that may have dedicated individuals overseeing that environment. So we built this program for financial services organizations, but also for the fintechs and SaaS providers that are coming onto IBM Cloud for Financial Services. They adopt the framework with specific reference architectures so that it's very consistently deployed. So if you've got one FinTech for your mobile app, one FinTech for lending, one FinTech or SaaS solution for a fraud management system, they're running on IBM Cloud for Financial Services. They have the same reference architecture deployed, the same control framework deployed, and they go through a rigorous validation process to show conformity to the framework that I mentioned before, which has been developed by the industry: a different approach to the problem that has existed today.

(30:40)

Not a checklist approach. Essentially a demonstration that you've applied those controls by default and are maintaining them through the Security and Compliance Center that we just talked about. So the ecosystem is growing. This is a representative list. We are seeing smaller fintechs along with the larger SaaS providers and ISVs that have existed for decades, because they're also struggling with how do I provide this particular service that I used to deliver as an on-prem software deployment or host at my own data center, but I want to move it to the cloud. And we are seeing organizations such as SAP, Infor, Cloudflare, and others doing those SaaS solution deliveries utilizing the offering that we have developed. Again, this is not a comprehensive list, but the list includes core account banking systems, lending solutions, wealth management products such as Marco Polo, and a whole array of solutions and services. So when you adopt these services, you get these SaaS providers and software delivery providers utilizing the same framework, you have IBM Cloud for Financial Services utilizing the same framework, and your own DevSecOps team utilizing the same framework, hence creating parity of controls to manage your risk, security and compliance in your full stack.

(32:16)

So that's what I wanted to share with you. It has been hard work, right? Over the past three, four years, we've been working with some of you in this room along with globally significant financial institutions, regulators, as well as fintechs and SaaS providers across the globe. We think this is the way to solve the biggest problems in the industry that we face today, which will become more prominent as we have more SaaS and FinTech integration into our solutions. We'd be happy to take any questions. The IBM team is here for the duration of this conference. We'd be happy to have more discussions and share more insights with you. I would encourage you to take full advantage of the community portal that we have. You'll see a lot of material out there that you can use and take back to your organizations. If you do have any access issues logging into it, please send us an email and we'll get you registered. I appreciate your time. Hopefully you'll have a great rest of your conference, and please do let us know if we can help you with anything. Thank you.