OSFI of Canada Guideline B-13 Compliance

Prevalent experts collaborate with your team on defining and implementing TPRM processes and solutions in the context of your overall risk management approach; selecting risk assessment questionnaires and frameworks; and optimizing your program to address the entire third-party risk lifecycle – from sourcing and due diligence to termination and offboarding.

As part of this process, Prevalent helps you define:

• Clear roles and responsibilities (e.g., RACI).
• Third-party inventories.
• Risk scoring and thresholds based on your organization’s risk tolerance.
• Assessment and monitoring methodologies based on third-party criticality.
• Fourth-party mapping to understand risk in your extended vendor ecosystem.
• Sources of continuous monitoring data (cyber, business, reputational, financial).
• Key performance indicators (KPIs) and key risk indicators (KRIs).
• Governing policies, standards, systems and processes to protect data.
• Compliance and contractual reporting requirements against service levels.
• Incident response requirements.
• Risk and internal stakeholder reporting.
• Risk mitigation and remediation strategies.

The Prevalent TPRM Platform features a large library of framework-specific risk assessments – such as ISO, NIST, or others. Leverage pre-built, framework-specific risk assessments to simplify controls mapping and reporting. A chosen framework should align with enterprise-level risk management requirements.

As part of the due diligence process, Prevalent can help your team analyze software bills of materials (SBOMs) for third party software products. This will help you identify any potential vulnerabilities or licensing issues that may impact your organization's security and compliance posture.

Prevalent continuously track and analyze external threats to third parties. As part of this, Prevalent monitors the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information.

Monitoring sources include:

• Criminal forums; onion pages; dark web special access forums; threat feeds; and paste sites for leaked credentials — as well as several security communities, code repositories, and vulnerability databases.
• Databases containing several years of data breach history for thousands of companies around the world.

All monitoring data should be correlated with assessment results and centralized in a unified risk register for each vendor, streamlining risk review, reporting, remediation and response initiatives.

Once all assessment and monitoring data is correlated into a central risk register, Prevalent applies risk scoring and prioritization according to a likelihood and impact model. This model should frame risks into a matrix, so you can easily see the highest impact risks and can prioritize remediation efforts on those.

Finally, with Prevalent you can assign owners and track risks and remediations to a level acceptable to the business.

With Prevalent you can continually evaluate the effectiveness of your TPRM program according to changing business needs and priorities, measuring third-party vendor key performance indicators (KPIs) and key risk indicators (KRIs) through the relationship lifecycle.

The Prevalent TPRM Platform features a large library of pre-built templates for third-party risk assessments. Assessments should be conducted at the time of supplier onboarding, contract renewal, or at any required frequency (e.g., quarterly or annually) depending on material changes in the relationship.
Assessments should be managed centrally and be backed by workflow, task management and automated evidence review capabilities to ensure that your team has visibility into third-party risks throughout the relationship lifecycle.

Importantly, Prevalent includes built-in remediation recommendations based on risk assessment results to ensure that your third parties address risks in a timely and satisfactory manner and can provide the appropriate evidence to auditors.

As part of this process, Prevalent continuously tracks and analyzes external threats to third parties. All monitoring data should be correlated with assessment results and centralized in a unified risk register for each vendor, streamlining risk review, reporting, remediation and response initiatives.

As part of your broader incident management strategy, Prevalent ensures that your third-party incident response program enables your team to rapidly identify, respond to, report on, and mitigate the impact of third-party vendor security incidents.

Key capabilities in a third-party incident response service include:

• Continuously updated and customizable event and incident management questionnaires.
• Real-time questionnaire completion progress tracking.
• Defined risk owners with automated chasing reminders to keep surveys on schedule.
• Proactive vendor reporting.
• Consolidated views of risk ratings, counts, scores and flagged responses for each vendor.
• Workflow rules to trigger automated playbooks to act on risks according to their potential impact on the business.
• Built-in reporting templates for internal and external stakeholders.
• Guidance from built-in remediation recommendations to reduce risk.
• Data and relationship mapping to identify relationships between your organization and third, fourth or Nth parties to visualize information paths and reveal at-risk data.

Also, Prevalent leverages databases that contain several years of data breach history for thousands of companies around the world – including types and quantities of stolen data; compliance and regulatory issues; and real-time vendor data breach notifications.

Armed with these insights, your team can better understand the scope and impact of the incident; what data was involved; whether the third party’s operations were impacted; and when remediations have been completed – all by leveraging Prevalent experts.