To Improve the Risk Management Process and Document Compliance with Regulatory Requirements
For more than 30 years, CAPTRUST has earned the confidence and respect of its clients and has been entrusted with investors’ highly confidential information. While data security has always taken center stage at CAPTRUST, the program needed to evolve to help reduce the manual burden of complying with Securities and Exchange Commission (SEC) requirements.
As regulations and their requirements for compliance expand, companies are often driven to optimize their risk management processes. Thus, CAPTRUST began the process of creating a more mature third-party security and supplier due diligence program, which included the need for greater collaboration between both internal teams and external suppliers. Such collaboration can be difficult to achieve without a centralized place to streamline communication, engagement and risk remediation, often causing friction between suppliers and companies.
As with any business relationship, vendors introduce risk into the companies they serve. Jon Atchison, Lead of IT Governance, Risk and Compliance at CAPTRUST, summed it up as follows:
In the dynamic world that we live in, it is very important to know where your third parties bring risk to your network and to your client data.”
What was needed was a way to ensure that new suppliers could be onboarded securely without introducing more risk than the company was willing to take on, along with a way to monitor all vendors for evolving risk. But how could that be accomplished?
An Automated Third-Party Security Risk Management Platform for Fast Supplier Due Diligence
CAPTRUST set specific criteria to mature their third-party security and supplier due diligence program. They believed their program goals could be achieved through solutions that offered automation, enhanced visibility, quantification of risk, improved collaboration and continuous monitoring. After a careful evaluation of potential partners, CAPTRUST selected Panorays.
“We felt the platform was easy to use and offered superior collaboration features that would help us speed up decision making,” Atchison said.
As the only third-party security solution that allows in-platform engagement, Panorays allowed stakeholders to communicate findings and risks in a manner that was formalized and mutually understood, while encouraging deeper collaboration, shared accountability and risk reduction. As a result, Panorays enabled CAPTRUST to quickly make more informed decisions about its third-party suppliers.
“Working with a third-party security platform is essential to achieving coordinated due diligence through communication, collaboration, monitoring and reporting,” explained Atchison.
“The Panorays platform was the catalyst for third-party collaboration.”
In fact, the platform led to greater engagement between CAPTRUST and its suppliers. CAPTRUST could now bring relevant identified risks to the supplier in the form of objective data, so both parties had the opportunity for deeper, broader conversations about their relationship, security posture and policy controls. This also gave the vendors the opportunity to take a closer look at their own security posture, enabling them to reduce vulnerabilities and bolster their own systems.
Lastly, utilizing Panorays’ automated third-party security risk management platform for supplier due diligence, CAPTRUST was also able to continuously monitor for any new issues. That’s an important element of any risk management program, because having a point-in-time view of suppliers doesn’t keep up with the evolving risk landscape. Risk can change by the second, and continuous visibility through automation is the only way to keep up with those fast-paced changes.
An Upgraded Risk Management Program with Enhanced Communication
Atchison is pleased with the maturation of CAPTRUST’s third-party security and supplier due diligence program. Using Panorays has helped to create better internal and external collaboration and provided actionable insights about suppliers. It has also given CAPTRUST the ability to adapt its existing vendor security questionnaires to elicit the right information required for compliance and to ensure alignment with the company’s security policies and risk appetite.
In addition, with Panorays’ continuous monitoring and live alerts, CAPTRUST is kept informed of any third-party security breaches or changes.
“Our third-party program maturity certainly improved through the continuous monitoring of supplier relationships,” Atchison concluded.