Historically, Third Party Assurance meant evaluating the financial resilience of an organisation to determine whether they were viable enough to deliver what you needed.
Today, the Third-Party Assurance landscape has moved on significantly. Like the expanding Universe, Third Party Assurance regulation, legislation and requirements seem to be accelerating.
Anti-money laundering, bribery and corruption, modern slavery, cyber resilience, business resilience and data protection are all prominent requirements in law within the UK and in many other jurisdictions. The interconnected global business infrastructure ensures that compliance with legislation, regulation, standards and contractual commitments makes for a hugely complicated assurance environment.
Each new law brings with it a requirement for oversight of your third party providers. This is passed on down the chain as an obligation on each supplier to further assure its own third parties.
The GDPR and NIS 2018
The latest drivers in this race to the top are data protection and cyber resilience.
As organisations and governments alike struggle with data breaches and potential nation-state cyber warfare, new laws like the GDPR and NIS 2018 (Network and Information Systems Act 2018) are trying to establish a new principle of protection through legislation rather than through market forces.
In theory, market forces should have created an equilibrium around the safest providers of third party services. But this has not occurred in a timely enough manner to stop governments feeling the need to legislate to achieve a desired goal.
This desired goal is to ensure that investment in data protection and cyber security is driven by the stick rather than the carrot, with huge fines used to scare organisations into compliance.
The Marriott Starwood data breach
The recent Marriott Starwood data breach is a case in point. Starwood handed the management of their IT infrastructure to Accenture as part of an extensive IT outsource prior to the merger, and Accenture were retained after the merger. This potentially represents a failure by both parties, as Starwood clearly did not apply any third party assurance measures to Accenture, and Accenture should have known better.
To manage an infrastructure for 4 years without adequate cyber security protections could be seen as negligent, and I'm sure that is what the court case between Marriott and Accenture will try to ascertain.
The UK Information Commissioner's Office (ICO), acting as lead authority on behalf of all EU citizens, proposes to fine Marriott £99m ($124m) under the GDPR legislation in Europe.
That is quite a large fine and clearly highlights that Marriott, as the data controller, were lacking in their oversight of Accenture as a data processor.
So where does this leave Third-Party Assurance in general?
Along with deaths and taxes as the two certainties of life, we can now add data breaches and regulation.
- In the long term, supply chains are likely to shorten, as longer supply chains will become uneconomic from a regulatory perspective.
- The costs associated with third party assurance will rise, to cover all of the new regulatory requirements being handed down to organisations globally.
- Regulation is likely to create new barriers to entry in some markets.
- Service provision in some markets will consolidate, as stronger partners push out weaker ones.
- Fines may play a more pivotal role in the assessment of third parties than has been the case to date. Certainly, a regulated entity will come under greater scrutiny from its regulator if it is using a third party with known failings.
- Data aggregators will come under increasing pressure from all angles, as clients look for the assurance they need over the services being delivered to them.
- New standards will eventually appear, to encapsulate best practice into a common requirement across all markets.
So what can we learn today?
Third Party Assurance will mature steadily, until it provides the same set of controls as internal assurance. This is the only logical conclusion to the need for oversight.
Third Party Assurance will not stop maturing until the quality of data provided by third parties matches the quality of the data that is available internally to assess an organisation's controls and compliance.
Let us think about this for a moment. If your third party has 10 fourth parties, and those fourth parties each have 10 fifth parties, the assurance report returning to the client organisation will be a composite of 110 assurance reports (10 fourth-party reports plus 100 fifth-party reports).
Without some common basis for creating those reports, we will be comparing apples with oranges, and looking at a fruit salad from the top level.
This dynamic overlay is being hosted on a framework of commercial contracts that are very difficult to change and very difficult to untangle. Trying to change a service provider at short notice is a major business resilience event and will not be undertaken lightly.