Regulations and standards are changing radically. The last two or three years have brought many more regulatory requirements for supplier risk management, and several other factors have added to that pressure. We discuss these factors and the impact these requirements have when choosing your application vendors.
There are various legislative changes in progress which are behind the regulatory pressures, and these have consequences for both the client and the supplier. For example, the Digital Operational Resilience Act (DORA) is now being implemented and is designed to improve the cybersecurity and operational resiliency of the financial services sector. It complements existing laws such as the Network and Information Security Directive (NISD) and the General Data Protection Regulation (GDPR).
The latest in choosing an information security management system
There are standards to consider such as ISO 27001:2022. This latest version of the standard for an information security management system has undergone some significant changes to reflect operational changes in the last 10 years. These include the grouping of controls into 4 ‘themes’ rather than 14 clauses: People, Organizational, Technological and Physical.
New and renewed focus on ESG
The world is also a very changed place and there is now much more focus on how we operate ethically and sustainably. This is commonly called ESG or Environmental, Social and Governance, and we are applying these non-financial factors as part of our analysis to identify material risks and growth opportunities. That relates both to the products we sell and to the suppliers we engage to fulfil our business needs.
Effects on the supply chain
The consequences of these factors for our clients mean that the supply chain is now subject to closer examination, and how we are selected as vendors is more important than ever. Ultimately, the business needs should guide the selection of a vendor, but it’s crucial to consider all of these factors to ensure that the vendor aligns with the organization’s broader goals and meets external stakeholders’ compliance standards.
The risk and security changes in the industry have a significant impact on our fintech organization. However, we have observed that advancements in technology often align with our products and drive innovation, leading to better solutions and continuous improvement.
Cloud underpins SaaS offerings
None of these changes has been more impactful than Cloud computing, which has commoditized the services that underpin our applications. We no longer have a bespoke infrastructure base for each client; instead, the infrastructure follows a standard, shared responsibility model for its use. That shared responsibility model is what now matters. By analogy, we don’t do due diligence on the power company when we buy electrical goods; we just make sure the goods are correctly set up and follow proper usage standards such as plugs and fuses.
Keeping up with the new ways of working
Coming up a close second, however, is remote working and the “new normal” in a post-pandemic world. Many more people are back at work in offices, but nowhere near the number that we based security policies on in the past. We have shifted from perimeter security to Zero Trust as one smart way to address this changing landscape. We now deploy advanced detection agents on our internal systems (EDR/XDR/NDR) to monitor for activity that may lead to security breaches, rather than trusting only in traditional firewalls.
Staying ahead of cyber threats
Cyber threats remain a persistent issue, but they follow trends and patterns. Certain types of organizations are targeted often, and these tend to be the ones that do not have a good security posture; we see this on our monthly Security Scorecard reports. Not only do businesses with low security scores suffer most, but a trend that has been apparent for many years is also relevant here. Analysis of security breaches by Verizon shows that 82% of breaches are related to the “Human Element”, and that malware, ransomware and social engineering have overtaken software hacking. Physical security accounts for very few breaches today.
Auditors working on supply chain risk and due diligence need to adapt quickly to all of this, so that we remeasure and evaluate according to the new regulations and standards. If not, due diligence assessments will not align with supplier posture, and this could lead to problems both in choosing suppliers and in the cost of the products and services they provide.
One valuable source of advice on this comes in this recent blog article from Deloitte which sets out many useful tips for internal audit focus in 2023. We would advocate that this is not limited just to internal audits but also reflected in changing approaches to external auditing of suppliers. This is both necessary from the perspective of legislation but also from the need to embrace supplier initiatives and their adoption of best practices.
We are hopeful that auditors will give thoughtful consideration to the organizational culture and its approach to change control, software deployment and patching, education programs, and incident management, instead of just focusing on classical security measures like physical security.
Taking a fresh approach and adopting the new control objectives outlined here can provide a sense of freedom and result in safer, more resilient business decisions.