Navigating Forward

Cybersecurity: Understanding third-party risk with Mike Bochniarz

July 10, 2023 Launch Consulting Season 4 Episode 5

In this episode of Navigating Forward, Mike Halstead and J.R. Reed from Launch Consulting sit down with Mike Bochniarz, head of Third Party Risk Assessment at Cross River Bank, to talk about third-party and supply chain risk. Topics include the necessity of carefully identifying risks upfront, as well as ongoing lifecycle monitoring — and how tools and automation may help some organizations with these crucial tasks. They also touch on the impacts and learnings from major events like COVID and the SolarWinds intrusion, plus the additional thought that must be given to fourth-party (and beyond) risk. 

To learn more about how to develop your organization's Future State of Cybersecurity, go to launchconsulting.com/cyber.

Follow Mike Bochniarz at https://www.linkedin.com/in/michael-bochniarz-esq-a1a92542/
Follow Mike Halstead at https://www.linkedin.com/in/mike-halstead-77bb6018/
Follow J.R. Reed at https://www.linkedin.com/in/jrreed/

00:00:01:17 - 00:00:49:00
Narrator
Cybersecurity is one of the most important and most complex aspects of modern business. Ransomware and other cyberattacks are skyrocketing. Millions of security jobs remain vacant, and in the age of AI, new opportunities and threats are growing quickly. In this special series from Navigating Forward, security and business experts from Launch Consulting explore the evolving landscape of cybersecurity across industries. Along with a slate of distinguished guests, we’ll discuss how organizations can build healthy habits and practices that promote cyber resilience for the long haul. Join us as we uncover what businesses need to do now to prepare for what's coming next. This is Navigating Forward, the Cybersecurity series.

00:00:49:06 - 00:01:16:22
Mike Halstead
Hello and welcome to Launch Consulting's Navigating Forward Podcast. I'm your host, Michael Halstead. We feature guests from industry and our own internal experts to educate you on specific areas to better safeguard your organization. As you may be aware, 80% of cybersecurity is good hygiene. As part of good hygiene, you must understand the threats and risks to your attack surface. An attack surface not only includes your on premises data center and devices, but it also includes third-party components like libraries, plugins, websites, software, and data hosting services.

00:01:16:29 - 00:01:40:05
Mike Halstead
Today, we'll do a deep dive into best practices for understanding and managing third-party and supply chain risk. Supply chain ecosystem is an extremely interconnected network that only takes the weakest link to fail and impact the entire ecosystem. I'm pleased to be joined by our special guest, Mike Bochniarz. He leads third-party risk at Cross River Bank. Mike is a risk executive and advisor with experience at large international banking and Big Four.

00:01:40:13 - 00:02:04:06
Mike Halstead
Mike is also a licensed attorney in the state of New York. My Launch partner is J.R. Reed. J.R. is Director of Client Services at Launch Consulting. A little bit on myself. At Launch Consulting I’m Managing Director of Cybersecurity. Prior to Launch, I had a long career at an international bank, most recently as a cybersecurity executive. I was very actively involved in industry-changing third-party events, including Target, Equifax, and most recently SolarWinds and Log4j.

00:02:04:08 - 00:02:11:10
Mike Halstead
Living through those events has made me appreciate the importance of third-party management. J.R., a quick introduction on yourself.

00:02:11:12 - 00:02:37:09
J.R. Reed
Hey, everybody. I've been a consultant for over 20 years focusing on the intersection of data and analytics, large scale transformation, and the financial services industry. Got an interest and passion around novel approaches to measuring, reporting on, and managing risk. As part of Launch, I run our client services across banking, fintech, and insurance clients. Mike, you want to give a little bit on your background and areas of passion?

00:02:37:11 - 00:03:19:29
Mike Bochniarz
Sure, so Mike Bochniarz, as Mike mentioned in the introduction, I have spent most of my last ten years in financial services, a large global bank and Big Four. Have found my time advising business and functional teams across the industry with whether it's compliance, risk, and touching into the third party risk space and mitigating risks, you know, through the different risk stewards, whether it be compliance, BSA/AML, your IT, you know, a standard and bringing those risk stewards together to look at holistic risk management principles and mitigating those risks through that third party reliance for your organization.

00:03:20:02 - 00:03:29:15
Mike Halstead
Great. Thank you, Mike. Well, let's get started then. Mike, to you. What is third party risk and how does supply chain risk fit into the broader topic?

00:03:29:17 - 00:03:52:16
Mike Bochniarz
Yeah, so when I get that question generally I like to start where third party risk management and the lifecycle that tie in to managing the risk, identifying the risk, and overseeing those risks. So, it really starts with when you think of the lifecycle, you have planning and due diligence activities that really identify and articulate what that inherent risk exposure could be for that third party relationship.

00:03:52:18 - 00:04:30:04
Mike Bochniarz
That will also tie in to identifying the risks that you would want to mitigate through your contracting and onboarding related activities. You might have data considerations that you want to bake into that contract, data destruction. You could have all the regulatory and compliance requirements that you may want to build into that contract. And then through onboarding activities, you may identify, you know, through exit strategy perspectives if you were to need to exit that relationship, identifying really before you contract and as you’re onboarding, what components you'd want to tee up for consideration as you move through more on the ongoing monitoring.

00:04:30:04 - 00:05:04:05
Mike Bochniarz
So that really third and fourth lifecycle component, monitoring that relationship risk that might be exposed through that relationship, you know, two or three years in that you might want to evaluate, reconsider, amend the contract that ties into your really fourth and fifth life cycles for amending a contract, looking at offboarding and exiting that relationship, picking back up on the risks that you identified upfront, maybe some of the contractual provisions that you would actually use as your guide for exiting that relationship or needing to go back to the table and renegotiate.

00:05:04:09 - 00:05:27:09
Mike Bochniarz
Given current events, as you mentioned in the beginning of the introduction, there might be an occurrence that occurs, a cyber incident. It could be another regulatory compliance matter that you really want to go back to the drawing board with your third party and reevaluate the risks that are, you know, exposed through that relationship and perhaps implement new controls or renegotiate the contract.

00:05:27:11 - 00:06:21:27
Mike Bochniarz
And if that third party is not willing to negotiate, evaluating whether or not you need to terminate that relationship. That's really looking at that lifecycle, the key components across that and tying in to, you know, where you could have disruption of services. So, the inherent risks that you identify early on in that lifecycle through the ongoing monitoring relationship and seeing where there could be a disruption on that third party providing the product or service back to you, whether it's a software provider or a vendor related service or a third party that's providing marketing related services. If they have your customer information, if their fourth parties, well your fourth party, their third parties, or maybe their fourth parties could also have an impact to your overall risk exposure as an organization and looking through the lens of how you mitigate that upfront, monitor those risks so you can be proactive and quickly react to a current event.

00:06:22:00 - 00:06:54:16
Mike Halstead
Thanks for that, Mike. That reminds me of, Mike and I worked in the previous international bank together and we had a trigger event, was actually a credit bureau who had a very large breach that as a result, Mike, right, we had to redo the reviews, right. And do a much more deeper dive due diligence and to the services that were being offered as a kind of example of that. It sounds like that the monitoring is pretty critical for keeping that risk posture or understand the risk posture.

00:06:54:18 - 00:07:24:29
Mike Bochniarz
Absolutely. And identifying those risks upfront. Right. And that's where that third party risk management lifecycle of having that TPRM framework that incorporates all your different risk stewards across your organization, where your risk exposure could be to weigh in and provide that guidance and advisory support to identify what controls, what do you need to monitor on an ongoing basis, whether it's daily, weekly or monthly, quarterly, yearly, and reevaluating that risk appetite within your organization should an event occur.

00:07:25:02 - 00:07:49:25
Mike Halstead
Excellent. We'll get into some of the best practices for organizations in a little bit. But first, I'd like to touch on what are some recent examples. I mentioned the HVAC vendor have an impact on the major retailer. Log4j. I guess what are some of the recent industry products service supplier impacts on the supply chain geopolitical risk or concentration risk?

00:07:49:27 - 00:08:23:15
Mike Bochniarz
Yeah, I think you hit on the Log4j, credit bureau impact that was front and center a couple of years ago. I think COVID also showed us some insights on the business resiliency and the dependency on supplier risk and supply chain risk and logistics. You could have a third-party vendor provided services that's reliant upon an area that's impacted through, you know, geopolitical risk or current events such as COVID, where certain regions were being impacted and having a disruption downstream impact across the globe.

00:08:23:15 - 00:09:06:21
Mike Bochniarz
And it was a trickle down, it was regionally, and that was more continental. And then it became more global spread depending on those impacts and where those supplier risks exposures are, where those third parties sit geographically can impact significantly on, you know, concentration risk. If you're heavily reliant on a certain region, whether it's in the Asia Pacific piece or, you know, other areas where the vendor is a foreign based service provider and not based in the US and different parameters, having those impacts and knowing where those are can certainly have a detriment on your overall supply chain view and the risk exposures through that geopolitical concentration or current events.

00:09:06:24 - 00:09:27:03
J.R. Reed
Hey Mike, I really like your approach around the lifecycle management aspect. Maybe just kind of on the early stages on the identification, just given that, you know, it sounds cliche, but the world is so different now. How do you get started? How does that early phase of identification, how should that work in a mature organization or in an immature one?

00:09:27:04 - 00:09:55:05
Mike Bochniarz
No one size fits all approach, right? I'm generally, you know, when you see different organizations and the reliance on those third parties, the third party classification and the types and the scope of that third party service is really key in that planning and due diligence phase, identifying a particular third party, having a detailed question set up front to really hone in on where are the services being provided, what are the extent of those services that you're going to be reliant upon.

00:09:55:07 - 00:10:18:13
Mike Bochniarz
A vendor may be known for providing an end-to-end solution, but perhaps you only need one component of it. So having some questions that really drill in and guide that contract owner or relationship owner down a path of where is my risk and what is my exposure here really helps set you up for what level of due diligence you would need to do in that due diligence phase.

00:10:18:21 - 00:10:38:00
Mike Bochniarz
It might be a very carved out portion, or if you are relying on that third party for more of an end-to-end you know, relationship identifying, well, do they rely on other third parties, is it cloud based, where their servers? Is that a large, big three cloud provider or is that a mom-and-pop cloud service provider?

00:10:38:00 - 00:10:57:12
Mike Bochniarz
And what are their controls? Do they have a SOC report? You know, and really diving into the details based on your use case. And that's where that planning due diligence really go hand in hand. And you may, through that due diligence activity, need to go back to the drawing board on planning. We thought this was the right business to move forward with cost benefit analysis.

00:10:57:12 - 00:11:09:09
Mike Bochniarz
Actually, it's going to create, you know, additional uplift on the control and ongoing monitoring activities. Maybe we need to reevaluate that from the overall scoping perspective before we move into contracting.

00:11:10:00 - 00:11:25:09
J.R. Reed
That's really interesting. Overall, I mean, I think I get the broad strokes of, you know, the risk reduction name brand, etc. But I guess, what are the other benefits of overall kind of third-party management to, you know, both the organization and, you know, its stakeholders, its customers and partners?

00:11:25:09 - 00:12:00:14
Mike Bochniarz
I think key is, you know, it identifies and mitigates those inherent risks. It provides clear roles and responsibilities where you have established frameworks for managing those third-party risks. The greater and clearer that framework is, the better ownership there is across the organization to really own and move forward those third-party risk management principles throughout that lifecycle, whether it's pre or post contracting related activities. It also enables the organization to incorporate key considerations in that contracting phase, as I mentioned earlier.

00:12:00:22 - 00:12:17:22
Mike Bochniarz
But then also through that, you know, ongoing relationship and ongoing monitoring, knowing who really drives that day-to-day oversight activity is key and critical for, you know, that overall TPRM embeddedness within an organization. 

00:12:18:00 - 00:12:19:22
J.R. Reed
Thank you, makes a lot of sense to me.

00:12:19:24 - 00:12:32:04
Mike Halstead
So, you've touched on this a little bit already around best practices, Mike. How would an organization know if they're doing well in third party risk management?

00:12:32:06 - 00:13:02:15
Mike Bochniarz
So, you like to rely on, you know, upfront risk identification, the key controls that you have identified through that planning and due diligence activity and through onboarding of that third party relationship. So, what you would expect to see across the industry is your ongoing monitoring activities is really monitoring that control effectiveness for what's mitigating those risks and then also having tools and systems in place that help automate some of that oversight activity.

00:13:02:17 - 00:13:41:17
Mike Bochniarz
Looking at industry trends, being on, you know, the boards that are out there that, you know, give you key insights on, you know, what are the current trends? What are the exposures to your third party risks and being proactive in implementing enhancements to those controls that maybe you have already identified, but because of a recent current event, you need to pivot, looking at industry trends, reaching out to your network that may be involved in the same areas, and looking and learning about what are the, you know, next the up and coming enhancements that can be done within, you know, the third party space. 

00:13:41:20 - 00:13:50:12
Mike Halstead
Makes sense. Turning over to the government and or regulators. How do they get involved with third party management?

00:13:50:14 - 00:14:56:25
Mike Bochniarz
Yeah. So traditionally obviously you have your regulatory reviews, whether it's existing management activities that are planned for, whether it's, you know, any one of the large federal regulators like FDIC, OCC, FRB, you have various handbooks that are out there from FFIEC and other regulatory bodies. You also have your state agencies as well that are out there. And so, it's a matter of mitigating it, you're looking at, you know, the regulatory enforcement actions that are out there that may come out of those exams and looking at where perhaps you need to look at other practices within your organization based on those enforcement actions, as that may be the next up and coming question that's coming to your organization. You also have executive orders and legislative agendas based on current trends, public affairs, heavily engaged in, you know, looking at what's going on the Hill, what's going on in your state capitol as far as current legislative directives that perhaps based on consumer input or, you know, feedback or complaints, what is the next up and coming area or trend that could potentially impact your organization?

00:14:56:25 - 00:15:32:07
Mike Bochniarz
And then also you have that out of the reach through to your, if you're a regulated entity, those third parties can become part of that review based on, you know, that regulatory oversight review for exam management purposes. And it really expands the reach of the regulatory bodies. And I think that's one area where a lot of third-party service providers, they may not be federally regulated or state regulated, but they do come under the purview and they could be, you know, asked certain questions from the regulators that would come directly to the bank as well.

00:15:32:10 - 00:15:39:24
Mike Halstead
That makes sense. And maybe if we can pivot over to the tooling a little bit and around automation.

00:15:39:26 - 00:16:07:07
J.R. Reed
Real quick, can I squeeze in just a follow-up there. Like, Mike, from a somewhat external advisor or external perspective, my hunch is that this the activity around the government expectations on third party risk are going to be continuing to ramp up and accelerate. Is that a safe bet? Are we going to see more and more regulatory requests and demands for show me the work behind this or is it leveled off, do you know?

00:16:07:07 - 00:16:54:03
Mike Bochniarz
I think you'll continue to see that uptick. I think you see that in a lot of the news events that are occurring across our industry. And it's not just financial services companies. It's larger companies that are out there that have an impact on the wider customer base of using that product or service. And you see a big push from a large number of the regulators looking at nonfinancial services related entities and trying to look at the third-party risk management principles and guidelines that are out there that have traditionally governed, you know, the financial services market, but then expanding that into nonfinancial services markets that might have a quasi-touch within financial services or just the broader spectrum across our U.S. population.

00:16:54:23 - 00:17:05:00
J.R. Reed
That's a really interesting point, just especially around the kind of the new players within the regulatory domain and in having to come to agreement with those. It's a great point.

00:17:05:03 - 00:17:20:15
Mike Halstead
To start on the tooling side and automating the management of third-party risks, have you found that there's, you know, good products out there and how would you evaluate that for your organization?

00:17:20:18 - 00:18:01:24
Mike Bochniarz
Yeah, I can say there are a number of growing tools that continue to hit the market. Personally, I think that evaluating what your use cases and looking at your business model for leveraging some of those tools that are on the market without going into names, but there are tools out there that will help you relieve some of the manual burden of monitoring, you know, really the planning and due diligence, onboarding activities of a traditional vendor looking at industry inputs that calculate, you know, risk scoring and some of the risk evaluations for that third party relationship, as well as ongoing monitoring related activities.

00:18:01:24 - 00:18:35:22
Mike Bochniarz
I would say from an internal perspective, working at various organizations, you need to also have in to place some internal control mechanisms that validate some of that industry knowledge and some of those tools. It's only so good as what the information that's being put into those tools or those newer companies that are trying to hit the market. Great ideas, great way to mitigate some of the manual-ness of, you know, third party risk management that historically has hit organizations trying to manage the third party risk space.

00:18:35:25 - 00:18:58:14
Mike Bochniarz
But again, you do need to show a level of due diligence on your own organization, making sure that what you're relying upon can be trusted is accurate. And some of the processes that you may have had internally may be more robust than what perhaps is out there on the market. So, it's really trying to evaluate where you are in your third-party risk management lifecycle journey and where you are in that maturity scale.

00:18:58:14 - 00:19:22:03
Mike Bochniarz
If you're a newer company and trying to mitigate the third-party risk space and you don't have a lot of bandwidth and resourcing, great use of tooling out there to, you know, get your program up and running. But then it's a matter of keeping it in times as your organization grows and maturity scale of, you know, where you might need to put into place your own practices and perspectives.

00:19:22:06 - 00:19:34:18
J.R. Reed
It's fascinating, I guess, outside of the tooling dimension from kind of where they're on the maturity curve, what should organizations be doing now versus in the future to help mitigate third party and supply chain risk? 

00:19:34:21 - 00:20:22:08
Mike Bochniarz
Yeah, I think one of the key pieces is understanding your third-party profile. So that's organization wide, you know, knowing how many third parties you rely upon, what type of services they're providing to you as an organization where you could maybe expand that relationship to help from an overall efficiency perspective or where you might need to back off that reliance and rely on either a) another third party to reduce your concentration risk. You know, where you have overreliance on, say, a handful of third-party providers and then also looking at your, you know, really no one size fits all approach, and understanding your fourth party risk exposure is really key. And probably the three core components that I would recommend to any organization is get a good grasp on your third-party risk portfolio.

00:20:22:15 - 00:20:39:24
Mike Bochniarz
The number, the volume, where your risk exposures are. Critical, you know, reliances, you know, for the services being provided to you that, you know, fourth party reliance and then also just understanding not every third party needs to have the same level of due diligence across the board.

00:20:39:26 - 00:21:01:00
Mike Halstead
Just stepping back a little bit around the tooling and it sounds like it makes sense to have partnerships right, that adds value, but you'd need to do your own internal due diligence. But there's also tooling that's out in the marketplace around it gives a lens of your organization and many times it gives you a score A to F.

00:21:01:03 - 00:21:18:11
Mike Halstead
And you know, many organizations are finding that they may be a D or an F with little information to understand why. And just to get your perspective on that type of tooling. And do you see a place in the market for that? And how should organizations use that?

00:21:18:14 - 00:22:23:29
Mike Bochniarz
Yeah, I think it's a good way to reflect upon your organization and maybe how other organizations are looking at you that may be a third party provider back to them, or a partnership relationship where you're going to market together for a particular product or service, and they have a reliance on you and you have a reliance on them and being able to self-reflect on what maybe some of those tooling mechanisms are saying about your own organization so that you can, number one, backtrack and understand, you know, are there some areas where perhaps that full scope of knowledge is not necessarily articulated that may recalculate that scoring and being able to work with that specific tool or provider and then also to look at how others might view you as an organization to better understand and have those conversations of, yes, that might have a particular rating or scoring out there. However, let me show you our internal control framework, as we mitigate certain risks and come into a more comfort level on where that may be.

00:22:24:01 - 00:22:48:27
Mike Halstead
For sure. Going back to events that happened, of course, a lot of us also lived through SolarWinds, where malware is actually implemented into the actual binary that was then distributed to government and non-government organizations, had a huge impact on the industry. There's been a lot of focus around SBOM, also known as the software bill of materials, has been an executive order around that.

00:22:48:27 - 00:23:15:15
Mike Halstead
And that's really just kind of looking at what's the inventory, what's the list of ingredients that make up the software components, because each of them can be vulnerable within different phases of the software or the supply chain side of things. And so, I guess from that, and I know you were part of that, do you think that industry is heading in the right direction since SolarWinds that, you know, are we getting more secure, just like to know your opinion.

00:23:15:18 - 00:24:39:08
Mike Bochniarz
Yeah, I think the events like Log4j, SolarWinds, the executive orders that have come out, in addition to COVID has really pushed the needle in organizations better understanding third party risk exposure, and also understanding the resource that is required to truly mitigate the risks that are exposed through that third party, you know, relationship. And I think I've seen over the last probably eight years a growing trend in the right direction of organizations putting greater emphasis on establishing third party risk management frameworks, ensuring that your third-party risk management framework is aligned with your wider organization's risk management framework, whether it's enterprise risk management framework or an operational risk management framework tying in those key considerations and principles. I don't think we saw that five, six, seven years ago to the same degree that we see today. And really putting greater emphasis on resource capacity and planning and making sure that third-party risk domains are across the organization, it's embedded and there are sufficient resources to really mitigate proactively those third-party risk exposures like what COVID has showcased along with those cyber incidents that you spoke of.

00:24:39:11 - 00:24:46:26
Mike Halstead
Thanks for that, Mike. Would you be able to give us an overview of Cross River Bank and kind of what you've seen across the industry in managing third party risks?

00:24:46:28 - 00:25:18:05
Mike Bochniarz
Sure. So, a little bit about Cross River Bank. It's a state-chartered, FDIC insured financial institution. We merge innovative offerings of technology company with established expertise of a licensed and federally regulated bank. We have API driven technology and proprietary banking core that provides a comprehensive one stop shop platform and helps deliver innovative and scalable embedded payment cards and lending solutions to millions of customers.

00:25:18:05 - 00:25:45:25
Mike Bochniarz
So, we are on the verge of blending fintech banking with the backing of a licensed state-chartered bank, and you can visit us at crossriver.com. As far as what I've seen across the industry, come from a big financial services bank, global ten, as well as did some consultancy at a big four, looking at the third-party management space.

00:25:45:25 - 00:26:30:27
Mike Bochniarz
Again, I talked just briefly a few minutes ago on the, you know, organization risk management and operational risk management and really looking at how third-party risk management is embedded within the overall organizational framework to be able to speak to what are your risks across the organization and how those risks then internal controls are monitored and managed to give your residual risk rating for your organization, and that is key to being able to say, now we're going to rely upon a third-party service provider or product service provider or software. Where across my process is do I have an internal control that now I'm going to rely upon a third party to mitigate some component of that identified risks?

00:26:31:00 - 00:26:56:18
Mike Bochniarz
I think that's what we're seeing, is a growing trend in blending the, you know, operational risk framework with a TPRM framework to really articulate across your processes is those controls where you have a transfer or handoff in that control or process, where your risk exposure is enhanced through your reliance on that third party or fourth party relationship.

00:26:56:20 - 00:27:04:22
Mike Halstead
Fourth party just always kind of brings up the right to audit fourth parties and have you found resistance around that?

00:27:04:25 - 00:27:38:01
Mike Bochniarz
I think the industry has always tried to tackle that and it's been an uphill effort to be able to really manage your fourth party or nth party relationships and a lot of that can tie in to your direct relationship with your third party, your contractual provisions that you have in there, how they notify you of that subcontractor relationship and identifying upfront what their reliance on those third parties are that might be core or critical to the service that they're providing back to you.

00:27:38:01 - 00:28:10:17
Mike Bochniarz
And I think that's where you come into an area where it's hard if you don't ask the right questions upfront. Through that, bringing us back to the third party risk management lifecycle, those planning and due diligence phase and those activities really identifying and honing in on, okay, you say you have 100 third party service providers that you rely upon, but really picking out what are those that are most central to the services that are being provided back to you as an organization and really then trying to dive into what’s your third party risk management framework.

00:28:10:17 - 00:28:34:28
Mike Bochniarz
What's your policy, what's your procedures, how do you conduct risk assessment activities on those third parties? And you might be comfortable based on what you see there and being able to monitor through your third party and their program the controls that they have in place for mitigating the risk on your behalf. And again, it ties into that contractual component as well and making sure that you're able to mitigate those risks upfront.

00:28:35:00 - 00:29:09:18
Mike Bochniarz
And then secondly, being able to provide some level of oversight for your fourth party relationships where you might be able to, through your own third-party risk management program, you might already be engaged with that third party so you can leverage some of the due diligence. You know, you think of a cloud service provider, you may not need to go into the nth degree on that cloud provider because you've already done the due diligence for your own internal process, or you might be able to rely on some of that tooling and system knowledge outside of your four walls to be able to gain comfort on that fourth party.

00:29:09:18 - 00:29:27:20
Mike Bochniarz
So, there's definitely different flavors and flairs of how you can mitigate that fourth party risk. But I think it really ties into knowing what those fourth parties are and being able to in the event that you need to pull upon that list, dive into it and provide that adequate oversight that you need based on that relationship.

00:29:27:22 - 00:29:32:03
Mike Halstead
Thanks for that, Mike. J.R., any other questions from yourself?

00:29:32:05 - 00:29:40:18
J.R. Reed
No, I think that's great. Mike, I really appreciate you spending the time. Thanks for sharing your opinions and perspectives on third party risk. 

00:29:40:25 - 00:29:41:18
Mike Bochniarz
Absolutely. This has been a great conversation.

00:29:41:18 - 00:29:42:07
Mike Halstead
Yeah. Thanks, Mike.

00:29:42:14 - 00:29:42:23
Mike Bochniarz
Thank you, Mike.

00:29:42:23 - 00:30:03:28
Mike Halstead
Thanks everyone for joining us for today's episode of Navigating Forward the Cybersecurity Series. Come back next week to get pointers for next steps on your cyber roadmap. And just a reminder that cybersecurity is 80% good habits and hygiene. But to start improving your health, you need a baseline. To learn more about how to develop your organization's future state of cybersecurity, go to launchconsulting.com/cyber.