Shorting Third-Party Security

Author: Aina M Rao, CISM, ISO 27001 LA
Date Published: 7 April 2021

Last night, I watched a movie named “The Big Short.” While it was a complete dramatization of the events that led to the financial market collapse of 2008, it seemed too good to be fiction. It was, in fact, not really a movie, but more a cataloguing of events and warning signs which, if they were indeed seen at the time, were too clear to be ignored. For those readers who haven’t seen the movie, the story starts with the housing market boom: sub-prime loans were packaged by various lenders, then collateralized and sold in the most creative way, as synthetic Collateralized Debt Obligations (CDOs). In very simple terms, these were bets placed on the ability of sub-prime mortgage borrowers to pay back their loans. It should have been easy for anyone investing in these CDOs (banks, hedge funds, experienced pension funds) to understand that the basic securities, the building blocks, were precariously placed and could come down like a house of cards at any time. Amazingly, very few of these astute investors saw the writing on the wall.

What makes it even more interesting is that these CDOs were packaged and mixed with other AAA-rated securities so creatively that even the leading rating agencies gave them a AAA, or investment-grade, rating. A line from the movie sums it up, where a rating agency executive says, “Well, if we don’t rate these junk bonds AAA, they will just go elsewhere for that rating.” What is truly astonishing is that leading investment banks and hedge funds took this rating as gospel, without really diving into the details. And who is to blame for that, other than themselves?

The story, of course, ended badly, with the huge financial market collapse of 2008. Inevitably, at the end of the day, many small investors and homeowners lost everything, a tragedy that arose from these ill-conceived gambles.

What then, does “The Big Short” have to do with today’s world, and especially with third-party risk and security?

Think about it. The financial market interconnections of that era are akin to the technology connections of today. With many organizations moving to the cloud, and a huge interdependency on network connectivity, data now flows across organizations at an unprecedented rate, just as money did then. Companies depend on a sprawling ecosystem of service providers: SaaS providers for the applications they use, PaaS for platform components and IaaS for infrastructure. At each layer of the stack, your company’s data is handled by a multitude of actors from within and outside the organization, and each provider typically rests on providers of its own (a SaaS application usually runs on someone else’s IaaS). Every link in the chain is a potential point of compromise, so the longer the chain, the larger the attack surface; yet security remains paramount, and regulatory penalties can be huge.

To be fair, companies have a range of tools in their armoury to ensure their data is protected: audit rights, contractual clauses, risk assessments and, ultimately, ISO 27001 certificates and SOC 2 reports. An ISO 27001 certificate attests that the supplier operates a certified information security management system and so provides a level of assurance; a SOC 2 report (particularly a Type II, which tests the operating effectiveness of controls over a period rather than only their design at a point in time) allows a more detailed analysis of the controls the third party actually operates. Both are extremely useful, but only when understood well.

Which is where the catch lies. Should a client merely rely on an unqualified opinion from the third party’s auditors, or delve into the SOC 2 report to arrive at its own analysis of the control environment and, more importantly, its own obligations under the complementary user entity controls (the controls the report assumes the customer itself operates, without which the service organization’s controls may not achieve their objectives)?

The devil can be in the details. Just as investors took AAA ratings at face value and invested billions in synthetic CDOs, a user organization that takes a report at face value does so at its own peril, because there is a lot below the surface. The description of the third party’s system needs to be read to understand whether every element that needs to be in scope is indeed covered. Has the report covered all the required environments, locations and services, or have important areas been left out, for example sub-service organizations (the supplier’s own cloud or hosting providers) handled under the carve-out method, whose controls are then not tested in the report at all? Equally important are any exceptions noted during testing. Are they significant enough to warrant an additional risk assessment, or even a full-blown audit of the supplier? Ultimately, how secure is the underlying data, the crown jewels in today’s world?

There is, of course, a limit to how deep a user organization needs to go. Depending on the criticality of the supplier and the data it handles, it should be possible to decide when to skim the surface, rely on a good SOC 2 report or ISO 27001 certificate and move on, versus when to go much deeper. Finally, it all comes down to the basics: know thy supplier, evaluate the risks carefully, and use their reports as useful benchmarks rather than the bible. Use them judiciously, just as one should invest in a financial instrument only after one’s own due diligence. Just as “Past performance is no guarantee of future results” is the mantra for investments, “Security is only as good as the weakest link” is the ultimate truth of third-party risk management.

Author’s note: All opinions expressed in this blog are purely personal and should not be associated with any organization, or construed as the views of any organization that the author may be associated with. The author and her blog posts have no association with “The Big Short,” or any other commercial production. The author does not derive any financial benefit from this blog post.