Recently, I was on a call with a financial institution (FI) prospect for our GRC Spotlight, Powered by Lockpath® solution. This call was much like many of the other discovery calls we do with clients, where they describe their pain points and we speak to how our solutions can solve them. This client had a particularly hard time wrangling third-party risk management and mapping internal controls to risks. Every institution struggles with mapping internal controls in some way.
After the usual fare of introductions, features and benefits, and a glimpse into the philosophy behind the GRC Spotlight solution, and just as next steps were starting to be introduced, I improvised a little.
I interjected by asking a question, “Do you use Equifax?”
The client said, “Doesn’t everyone?”
Here’s Why This is Important
The former Equifax CEO has been called before Congress and interviewed extensively on how a breach of this magnitude happened, why there was such a lack of urgency in contacting clients, and what course of action is being taken to resolve it and ensure it doesn’t happen again. I would not be surprised if, during the investigation, the Fed finds fault with every financial institution that provided Equifax with personally identifiable information.
It is very unfortunate that 143 million people, nearly one out of every two people in the United States, have been impacted by this tragic set of events. A breach or theft of our personal financial data can also be life changing for those impacted, because of the proactive measures we need to take to protect ourselves or the reactive measures we may have to take if we fall victim. With so much damage potentially done to the average American consumer, the Fed will want to hold the businesses that do business with Equifax accountable as well.
After all, every piece of data Equifax holds was obtained from the institutions themselves. Have you considered your own business risk in this situation?
If you’ve worked with Equifax, the following questions need to be considered:
- Have you read your contract with Equifax?
- Do you know where it is?
- Is it up to date?
- Does it contain a clause regarding a breach of information?
- Who is legally responsible?
- Does it outline a communication plan? Where is that? Has it been tested?
- What oversight did you as an FI provide to Equifax?
- Do you have a recent SOC 1 and SOC 2 report? Did you review it? Does it note vulnerabilities or exceptions?
- Does it note User Control Considerations?
- Where is your risk assessment document?
- What controls do you have in place?
- Where are your audit results? (Has your audit firm provided you with audit results? Has Equifax?)
After reviewing the above questions on the call with the client, I then asked, “How difficult will it be to pull all of this evidence together? Is it in various tools, spreadsheets, communications, or folders, or do you even have it all?”
The client was speechless.
“My point being that this will be a tremendous task, and last week it was Equifax, this week it was Deloitte, and next week, who knows who it will be,” I said. “I am not saying the GRC Spotlight solution would have prevented this tragedy from happening, but it would certainly make things easier to manage and obtain for when the next one hits.”
Wouldn’t you agree?
See how your organization stacks up by using the checklist below.