N-Th Party Risk (Thierry ZOLLER)

The responsibilities of vendors, suppliers, and service providers have grown increasingly important in the dynamic digital economy. The growing digitalisation and reliance on third-party entities significantly enhances business operations while concurrently introducing a spectrum of security risks. 

Recognising these challenges, regulatory supervisors have been actively creating frameworks over the years to make sure that financial entities in particular appropriately handle and mitigate the risks of security incidents that could directly affect their operations.

The adoption of specific guidelines by the European Banking Authority (EBA) in marked a substantial acceleration of the shift towards a more security-conscious approach when interacting with third parties. These guidelines were a significant advancement in highlighting the important security aspects to take into account while working with third parties. 

However, with the recent final Regulatory Standards published, the Digital Operational Resilience Act (DORA) is further evolving the requirements and expectations in light of multiple high-profile breaches involving third parties and the supply chain. The entry into force of this European Regulation, which takes effect in January 2025, marks the beginning of a new era in third party security management. 

It signals a time when strict compliance and proactive risk management are more important than ever in third-party contacts, and it also emphasises the significance of operational resilience and indicates a heightened response to the changing threat landscape.

While researching the state of the art in "third party" risk management I came across a report recently published by Wade Baker, Ph.D. and the Cyentia Institute titled "Risk to the Nth-Party Degree: Parsing the Tangled Web".

In true Cyentia Institute fashion the report is data driven and provides plenty of opportunity for the data science geeks amongst us to rejoice; for the others it is one of the first publicly available reports providing data analysis on the matter.

The report highlights a crucial aspect that is often overlooked in risk management: vendor risk extends beyond direct third parties.

What really is "third party" risk?

I recently completed my studies at the Luxembourg School of Business and began exploring how to incorporate my newfound knowledge into my field of work. Specifically, I've been considering the application of Psychological Safety principles in the realm of Cyber/Information Security. 

What is Psychological Safety?

Psychological safety is a concept that refers to an individual's perception of the consequences of taking an interpersonal risk in a work environment. It involves feeling safe to express oneself without fear of negative consequences to self-image, status, or career. In a psychologically safe team, members feel accepted and respected. This environment allows for open communication, creativity, and innovation, as individuals feel comfortable sharing their ideas, questions, concerns, and mistakes without fear of ridicule or retribution.

Amy Edmondson - TED Talk (Building a psychologically safe workplace)

Cybersecurity in M&A 

A Growing Priority for Decision Makers

In the dynamic landscape of mergers and acquisitions (M&A), decision-makers are increasingly prioritizing cybersecurity risks. 

A detailed survey by Forescout provides key insights into the current state of cybersecurity in mergers and acquisitions. The survey, which involved nearly 3,000 IT and business decision makers, reveals a growing emphasis on cybersecurity in M&As.

The study found that 81% of respondents now prioritize a target's cybersecurity posture more than in the past, with 62% agreeing that cyber risk is their biggest concern post-acquisition.

This trend highlights the recognition of cyber risks as potential deal-breakers, capable of causing significant financial and reputational damages.

"Take the Verizon acquisition of Yahoo in 2017 as an example. Following Yahoo's security breach disclosures, there was a $350 million acquisition price cut."

The study highlights this shift, noting the importance of continuous cyber assessment throughout the M&A process. It's no longer a one-time check but a critical, ongoing evaluation.

Key Findings

Transparency 🚫 - An undisclosed data breach is a deal breaker for most companies: 73% of respondents agreed that a company with an undisclosed data breach is an immediate deal breaker in their company's M&A strategy.

Plan for continuous assessments 🔄 - Decision makers sometimes feel they don't get enough time to perform a cyber evaluation. Only 36% of respondents strongly agree that their IT team is given time to review the target company's cybersecurity standards, processes and protocols before their company acquires it. The results emphasize the importance of proper evaluation and sufficient time in ensuring successful M&A outcomes.

Acquisition Regrets 🤦 - Failure to address cyber risk can lead to major acquisition regrets: nearly two-thirds of respondents (65%) said their companies experienced regrets in making an M&A deal due to cybersecurity concerns.

Integration Delays ⏲️ - 49% encountered unknown or undisclosed cybersecurity issues, causing M&A timeline delays. 54% reported minor delays and losses under $1 million; 50% faced major delays with similar financial impact.

Significant Losses 💸 - 22% experienced losses over $1 million due to cybersecurity incidents.

As many of you know, the Schengen Agreement (named after the Luxembourg town of Schengen, where the initial treaty was signed) introduced the free flow of goods and people across the European Union. Many consider it one of the core backbone agreements of the European Union.

Germany decided to introduce border controls following the SARS-CoV-2 epidemic during March-May 2020. Luxembourg is in a particular situation that is best displayed via this illustration: every day over a third of the entire working population enters the country from Germany, France, and Belgium and drives home in the evening, thus passing these very borders every day.

This blog post will be updated periodically as I come across new practical information and experiences. You can subscribe to my blog if you wish to be kept updated.

Updates : 
  • 24.07.2020: Added number of reported data breaches to Statistics
  • 25.07.2020: Added the Role of the DPA as captured within the GDPR and added references
  • 25.07.2020: Added the section "Parliamentary Oversight" capturing parliamentary enquiries
  • 26.07.2020: Corrected the part about getting a copy of your original complaint. In fact, I only have received parts of it and am still waiting to receive the rest.
  • 27.07.2020: Due to popular demand I added a section "Legal Procedure".

I thought it would be useful for the general audience to summarise my experience working with the CNPD as a Data Subject. In line with many other administrative procedures in Luxembourg, it has a nice appearance at the front end but is tilted against your interest at the back end.