Third parties are the weakest link in complying with rapidly expanding global data privacy and cybersecurity regulations. The baseline expectation is that all vendors (including law firms, legal service providers and other professional services organizations) are risk profiled, not just a select group of vendors. As a Wholesale Mortgage Lender, Plaza is responsible for reporting to numerous Federal and State regulators.
Over the last two years, regulators have significantly increased the number of questions regarding a company’s vendor management. Vendor risk profiling was a necessity for Plaza in order to comply with rapidly growing regulatory demands.
Plaza has several branches throughout the U.S., each with its own numerous departments. Each branch had a plethora of third parties it had engaged on its own. Corporate had hundreds, if not thousands, of its own vendors. Understanding all these third-party relationships and consolidating the information was challenging.
Plaza felt legal should take responsibility for implementing a vendor risk profiling process to get their arms around third-party relationships and to meet regulatory obligations under New York’s Cybersecurity regulation (23 NYCRR 500). Who better to understand the risk?
Plaza decided to leverage the ACC Vendor Risk Service, which is powered by Exterro, to establish an effective, repeatable vendor risk profiling process. The amount of personal attention, availability, knowledge and guidance was unmatched.
The processes and standards in the ACC Vendor Risk Service enabled Plaza to risk profile all of its third parties, surface which vendors required legal review, and segment vendors by risk. In a matter of weeks, legal was able to get their arms around their third-party relationships and have confidence in Plaza’s compliance with New York’s 23 NYCRR 500.
The entire process is now streamlined and centralized in the ACC Vendor Risk Service platform. The technology in the system allows the legal department to manage cyber-risk while ensuring consistency in how the company collects information regarding third-party cyber protection practices. It distributes questionnaires to third parties that can be circulated internally to ensure more accurate responses. The system generates reports, including heat maps, to help the attorneys to quickly evaluate risk.
Vendor Risk Profiling
- All Vendors Risk Profiled
- Tier 1 Vendors Identified
- Tier 2 Vendors Identified
- Effective Assessment Process
- Confidence in Compliance
“With the ACC Vendor Risk Service platform, I feel confident in Plaza’s compliance, ability to monitor, and safeguard itself from the risks associated with third parties,” Scott Laughlin, Corporate Counsel & Chief Information Security Officer, Plaza Home Mortgage.