Search Results

This blog was inspired by the meeting facilitated by Julie Gaiaschi, CEO & Co-Founder of TPRA, at TPRA’s November 2024 Practitioner Member Roundtable. (To watch the full presentation, TPRA Members can visit our Previous Meetings page  and navigate to the November 2024 meeting recording.)   With insurance risk, it is crucial to evaluate whether coverage exists and if it can protect against potential liabilities. Furthermore, understanding the types of coverage available and the appropriate limits ensures that your organization is protected against unforeseen events.    How can you evaluate coverage types and limits to ensure they align with your risk tolerance and provide the necessary safeguards?  In this blog, we will cover:  Addressing Insurance Risk   What is Insurance   Insurance Risk   What To Evaluate   Insurance Types & Limits  What is Insurance   The primary purpose of insurance  is to mitigate the financial impact of unforeseen events or risks, providing individuals and businesses with a sense of security and stability. It is a transfer of financial risk when the likelihood of a risk occurring is low but the impact is high. If an organization is critical or high-risk, its insurance requirements should be specified in the contract.   There should be a pre-contract evaluation of the insurance coverage and policies held by a third party to ensure they have adequate coverage to mitigate potential risks and liabilities. This assessment aims to confirm that the third party’s insurance meets your organization’s expectations, risk methodology, and risk appetite, while also ensuring adequate protection for both parties in case of unforeseen events.  Insurance Risk   There are many different types of insurance risk that can occur, including but not limited to:  Insufficient Insurance Coverage   Lapse in Insurance Coverage   Irrelevant Coverage   Lack of Umbrella or Excess Liability   Out of Compliance w/ Contractual Requirements   Changes to Policy Terms and/or Limits   Failure to Address Emerging Risks What To Evaluate   Evaluating a third party's insurance involves examining several factors to ensure their policies meet your organization's requirements and mitigate potential risks effectively. Below, you can read about the key aspects to consider during this evaluation.  Coverage Types Evaluate the types of insurance coverage the third party holds, such as general liability insurance, professional liability insurance, cyber liability insurance, product liability insurance, workers' compensation insurance, and more.   Certificate of Insurance (COI) Obtain and review the third party's Certificate of Insurance to verify the details of their coverage, including policy numbers, effective dates, coverage types, and limits.   Coverage Limits Assess the coverage limits of the insurance policies to ensure they are sufficient to cover potential losses or liabilities that could arise from the third party's actions.  Scope of Coverage Review the policy language to understand the scope of coverage, exclusions, and limitations of the insurance policies.   Effective Dates Determine the renewal and cancellation terms of the third party's insurance policies to ensure continuous coverage during the contract period.  Additional Insured Determine if your organization is named as an additionally insured party on the third party's insurance policies. This provides your organization with coverage under their policies for specified liabilities.   Subcontractor Coverage Assess whether the third party's insurance extends to cover subcontractors or vendors that they may engage for services related to your business relationship.    Coverage Gaps Identify any gaps in coverage that could leave either party exposed to risks that are not adequately addressed by the third party's insurance. Deductibles and Self-Insured Retentions Review the deductibles or self-insured retentions associated with the insurance policies and assess whether they are reasonable.  Claims History  Inquire about the third party's claims history and any significant claims or incidents that may have occurred in the past.  Notification & Reporting Understand the third party's procedures for notifying the insurance carrier and relevant parties in the event of a claim.  Insurance Types & Limits   Below is a list of general guidelines for common insurance policies. Keep in mind that coverage needs can vary significantly, so always consult with insurance professionals and risk management experts to determine what’s appropriate for your specific situation. Disclaimer: The following is for informational purposes and does not represent insurance advice.   General Liability Insurance:    Coverage Purpose: Protects against claims of bodily injury, property damage, and personal injury due to your business operations.   Recommended Coverage Limit:  $1 million to $2 million per occurrence, with an aggregate limit (total limit for the policy period) of $2 million to $4 million.   Professional Liability (Errors & Omissions):    Coverage Purpose: Provides coverage for claims arising from mistakes, negligence, or failures in professional services or advice.  Recommended Coverage Limit: $1 million to $2 million per occurrence, with an aggregate of $2 million to $4 million.  Cyber Liability: Coverage Purpose: Protects against data breaches, cyberattacks, and related liabilities.   Recommended Coverage Limit: Varies depending on the size and nature of the organization, but coverage limits of $1 million to $10 million or more may be appropriate.  Umbrella or Excess Liability Insurance: Coverage Purpose: Provides additional coverage beyond the limits of the primary liability policies.   Recommended Coverage Limit: Should provide enough additional coverage to handle catastrophic events. It's often recommended to have a limit that matches your total assets or potential liabilities.   Workers Compensation:    Coverage Purpose: Provides medical and wage replacement benefits to employees injured on the job.   Coverage Limit: Determined by legal requirements in your jurisdiction. It typically provides benefits according to state laws.   Business Interruption: Coverage Purpose: Provides coverage for lost income and operating expenses if your business is unable to operate due to a covered event.  Recommended Coverage Limit: Should cover your anticipated revenue and necessary ongoing expenses during the interruption period.  Product Liability Insurance:  Coverage Purpose: Protects against claims arising from defective products causing bodily injury or property damage.   Recommended Coverage Limit: Depends on the type of products, industry, and size of the organization. Limits could range from $1 million to several million dollars.  Commercial Property Insurance: Coverage Purpose: Protects against damage or loss of physical assets, such as buildings, equipment, inventory, and furnishings.   Recommended Coverage Limit: The limit should be sufficient to cover the replacement or repair costs of your assets. Consider the value of your property and potential rebuilding costs.  Employment Practices Liability Insurance (EPLI): Coverage Purpose: Protects against claims related to employment-related practices, such as discrimination, harassment, wrongful termination, etc.   Recommended Coverage Limit: Varies based on the size of the organization and potential risks, but coverage limits of $1 million to $5 million are common.  Directors and Officers (D&O) Insurance:    Coverage Purpose: Protects the personal assets of directors and officers from claims related to their management decisions.   Recommended Coverage Limit: Varies based on the size of the organization, industry, and exposure, but limits of $1 million to $5 million are typical. Conclusion   Evaluating insurance risk is an important aspect of third party risk management. By carefully assessing the coverage types, limits, and terms, organizations can ensure that both their own operations and their third party relationships are protected against potential liabilities. This comprehensive approach to insurance risk helps to ensure your organization is prepared and protected against potential challenges.  Resources:   Guidebook

Introduction  In this post, we’ll answer the essential question: What is Third Party Risk Management (TPRM)?  Drawing from our Third Party Risk Management 101 Guidebook ,  this blog can be used as a starting point for those that wish to establish, validate, and/or enhance their Third Party Risk Management Program. We’ll introduce you to the foundations of TPRM and why it’s critical for organizations today.  We’ll break down the basics, including key definitions , the various types of risk  posed by third parties, how to assess and measure  these risks, and the first steps  to managing and mitigating third party risk exposure. Whether you're new to TPRM or looking to enhance your program, this post will guide you through the essentials.  Definitions   What is a  Third Party ?   For our purposes, Third Party  will be broadly defined to include all entities that can or do provide products and/or services to an organization regardless as to whether a contract is in place or monies are exchanged. Such entities can include, but not be limited to: Affiliates, Subsidiaries, Consultants, Contractors, Subcontractors, Vendors, Service and Solution Providers, Fourth parties, and more.  Historically, organizations procured services from third parties for cost-efficiency purposes. Today, the purpose of procuring third party products and services has greatly evolved. Now, it includes, but is not limited to:  Outsourcing critical processes  Quickly scaling services to reach global markets  Focusing on more strategic priorities  Reaching niche markets  Gaining additional expertise and functionality   As this evolution occurs, the risk and impact posed by third parties to organizations increases.   Therefore,  Third Party Risk  is the possibility of an adverse impact on an organization’s data, financials, operations, regulatory compliance, reputation, or other business objectives, as a direct or indirect result of an organization’s third party.   So, how do you properly mitigate third party risk?  By having a strong TPRM program.  But what does TPRM  entail?  Third Party Risk Management (TPRM)  is the framework that consists of policies and procedures, controls , governance and oversight; established to identify and address risks presented to an organization by their third parties.   A Control  is a process and/or activity used to monitor, review, and/or address a specific risk.   What is TPRM?  Third Party Risk Management is not a new concept, but its importance continues to grow due to:   The threat landscape growing in complexity  Organizations having a greater reliance on third parties to support critical services  Digital transformation projects growing in momentum  Increasing regulations  Environmental impacts  In addition, there has been an increase in regulatory scrutiny of organizations, to ensure they are aware of the risks and impacts their third parties have on their organization. Gone are the days when organizations could simply attest that they have a compliance program in place. Regulators now require organizations to demonstrate that their third parties have effective controls and compliance programs in place.  To ensure that third parties operate securely and effectively, an organization must implement and maintain an effective Third Party Risk Management (TPRM) program to identify, assess, monitor, and mitigate risks related to the outsourced data and processes. Customers, board members, and regulators have significant expectations that organizations will maintain effective TPRM programs. These stakeholders seek assurance that the organization is appropriately identifying and managing third party risks to protect their interests and uphold compliance standards.  But what risks specifically should a TPRM program consider?  Potential Risks with Third Party Relationships  Organizations that hire third party services frequently share data and intellectual property with those providers.  For our purposes, Organizational Data  will refer to all proprietary and restricted data a company holds, processes, and/or secures, including their customer’s personal data  Third parties often access, transfer, manipulate, and store organizational data, which increases the risk for the organization that owns this data. While third parties share some responsibility for protecting this information, the primary responsibility lies with the organization itself. It is crucial for the owning organization to ensure that third parties are properly safeguarding both their data and their customers’ data. An organization is only as strong as its weakest link, which may be a third party.  The risk of engaging with a third party depends on the type of relationship between an organization and the third party, as well as the controls that the third party has in place. While there is no way to completely eliminate the risk of a data breach or verified incident, there are security measures that can be taken by the organization to ensure they understand the risk of working with the third party and take appropriate steps to mitigate the risk.    Failing to properly identify, assess, and manage the risks associated with an organization’s relationship with third parties can lead to significant consequences. It can attract scrutiny from regulators, result in fines and other legal repercussions, and pose serious reputational or financial risks to the organization’s relationship with its customers.  What Types of Risk Are There?  A third party relationship can introduce many different types of risk to an organization. TPRM programs are no longer focusing on only cyber risk, as there is an increased need to expand their risk view. Now, TPRM programs must review an organization’s financials, operations, and even environmental and social impacts.   Social Impacts  relate to labor practices, environmental controls, and organizational governance practices.    Here are just a few types of risks a third party could present to your organization:  Reputational Risk Results from a negative public view related to dissatisfied customers, interactions not consistent with institutional policies, inappropriate recommendations, security breaches resulting in the disclosure of customer information, and/or violations of law and regulations. Operational Risk Results from inadequate or failed internal processes, people, and/or systems. Strategic Risk Results from failing to align strategic goals to business objectives and/or an activity that jeopardizes an organization’s strategic objectives. Transaction Risk Results from issues with service and/or product delivery, or a third party’s failure to perform as expected by customers. An organization can also be exposed to transaction risk through inadequate capacity, technological failure, human error, and fraud. Financial Risk Results from a third party’s failure to meet or align with an organization’s monetary requirements and expectations. Cybersecurity Risk Results from the probability of exposure or loss of organizational data, due to a technical failure, event, or incident (to include a breach). Environmental Social Governance (ESG) Risk The risk resulting from an organization's environmental, social, and governance impacts, based on its decisions and daily activities. Compliance Risk Results from a violation of laws, rules, and regulations, or from non-compliance with internal policies or procedures. Other types of risk vary based on businesses' use of third parties, the efficacy of third party internal controls, and the locations in which they operate.     Organizations must carefully evaluate the controls of their third parties to ensure that risks are avoided, mitigated, shared, transferred, or accepted according to their risk management framework, which is guided by their risk appetite.  An organization’s risk appetite refers to the level of risk that it is willing to accept or reject. Every organization possesses a risk appetite, even if it is not formally documented. If your organization doesn’t have a formal risk appetite statement, it’s important to closely monitor the third-party risks that are accepted or overlooked, as these choices can provide an informal understanding of the company’s risk appetite. Essentially, paying attention to how your organization handles these risks can help clarify its risk tolerance.  The Evaluation of Third Party Risk  Assessing third party risks and the controls in place to mitigate those risks is crucial when deciding whether to contract with a third party provider. It is also important to how the organization will conduct ongoing monitoring of the relationship. Understanding the nature of the services that the third party will provide is essential to grasping their potential impact on your organization. This knowledge enables businesses to proactively prepare for any challenges that may arise if the third party fails to deliver the promised products or services.  The key to effectively leveraging the products and services of a third party, in any capacity, is for an organization to properly identify, assess, mitigate, and monitor  risks  associated with doing business with their third party.   There are two types of risk: inherent risk and residual risk.    Inherent risk refers to the level of risk associated with a third party product or service. An inherent risk assessment does not consider any third party controls that may be implemented to mitigate these risks. When assessing inherent risk, several factors are considered, including the nature of the product or service offered, the type of data accessed or transferred, the geographical location of the third party, and the financial amount involved. Importantly, it does not include any protective measures the third party may have established to reduce those risks.  Inherent Risk Inherent risk  is usually assessed before conducting any detailed evaluations of the third party. This assessment offers a worst-case scenario of the third party's potential risks if all controls have failed. It helps categorize the third party and determine the required due diligence efforts, as well as the timing of future assessments based on the level of risk they pose to your organization.  Residual Risk Residual risk refers to the level of inherent risk that remains after controls have been evaluated and any identified risks have been addressed. This concept gives a clearer understanding of the risk landscape associated with a third party by assessing the adequacy and effectiveness of the controls in place.  Formula for Risk: Risk = Impact of Risk x Likelihood Risk Will Occur   Risk is calculated by multiplying the level of risk (meaning the impact it could have on the organization) by the likelihood that it will occur. The velocity at which risk could occur may also be considered when calculating likelihood.  What to do with Discovered Risks  After an organization calculates the risk associated with a third party, it may choose to accept, remediate, share, transfer, or avoid the identified risk. The following outlines how each of these options functions.  Accept When organizations accept risk, they acknowledge that the potential loss or impact from a risk is at a level that the organization is willing to accept and/or not treat immediately. Risk acceptance should be temporary until the risk can be appropriately mitigated or a secondary control can be put in place.   Remediate To remediate risk, organizations work with a third party to create and implement an achievable action plan to add or enhance controls. Risk remediation can lessen the likelihood of occurrence or the risk's impact on an organization.   Share Risk sharing allows an organization to distribute the responsibility of a risk across multiple organizations and/or individuals. This ensures that the impact of the risk isn’t felt by one organization and/or individual. Risks can be shared by implementing controls across organizations to address the risk and/or contractually sharing the responsibility of risk impact should it be realized.     Transfer A risk transfer often occurs in instances where the impact of risk is high but the likelihood of the risk occurring is low. Organizations can then transfer the risk to another organization, such as an insurance company, that is better suited to handle large-scale risk.   Avoid Organizations can choose to avoid a risk by not taking on it or avoiding actions that cause it. From a third party risk perspective, this usually involves disengaging with a third party and/or terminating services.   Regardless of how an organization chooses to address risk, it must first have processes in place to discover and assess it. This is accomplished through the implementation of a strong Third Party Risk Management Program.   Conclusion   In conclusion, Third Party Risk Management (TPRM) is a crucial aspect of ensuring an organization's security, compliance, and overall resilience. As reliance on third parties increases and the threat landscape becomes more complex, implementing a well-structured TPRM program is essential. By identifying, assessing, and managing the various risks presented by third parties—such as operational, regulatory, reputational, financial, and cyber risks—organizations can proactively mitigate potential threats. Through effective TPRM practices, businesses can better protect their operations, maintain regulatory compliance, and preserve their reputation in an ever-evolving risk environment.  Related Resources:  TPRM 101 Guidebook   What is TPRM Video

This blog was inspired by the meeting facilitated by Julie Gaiaschi, CEO & Co-Founder of TPRA, at TPRA’s November 2024 Practitioner Member Roundtable. (To watch the full presentation, TPRA Members can visit our Previous Meetings page  and navigate to the November 2024 meeting recording noted on the On Demand tab.)   Being a TPRM practitioner means being vigilant and prepared for third party risks. A way to ensure that you are creating a strong risk management foundation is through strategic planning and careful oversight of contractual agreements.   With contracts, it is important to know that they do more than just set up relationship expectations. For TPRM practitioners, understanding their full purpose and how they can limit an organization’s impact on risk is essential for successful risk management.   In this blog, we will cover:  The Purpose of Contracts  Note Several Types of Contract Risks  Discuss How We Can Address Contract Risk  Provide Tips on the Right to Review vs. Right to Audit Clause  The Purpose of Contracts  Contracts not only establish and document relationship expectations but also help ensure proper risk management. Here’s how:  Contracts allow TPRM practitioners to obtain necessary evidence items to  complete their assessments . A best practice is to include a clause that notes the third party will respond to questionnaires from time to time, as well as provide evidence items in relation to this agreement upon request.  Contracts can ensure that  due diligence   findings  are  addressed  in a timely manner. For example, if high-risk findings are discovered during the pre-contract phase, then it is best practice to have clauses noted in the contract in relation to the remediation of said high-risk findings.  Contracts can establish  non-compliance triggers  in the event a third party fails to meet its obligations under the agreement. Many contracts only have a clause to terminate the relationship if it fails to meet your organization’s expectations, which is not always feasible or desired by the organization. Instead, have a step-by-step course of action noted within the agreement in the event the third party fails to meet obligations. This will help ensure progress is made and provide more teeth to the contract than just terminating the third party. Non-compliance triggers may include, but not be limited to:  Withholding payment of the next invoice should the third party not provide your organization with necessary documentation within a defined period of time and in order to perform TPRM reviews.   Performing an onsite visit if the third party is not making cadence on the remediation of confirmed findings.   The third party assisting with the transition of your organization’s data from the third party’s data center to another data center of your organization’s choosing should the onsite visit result in additional confirmed findings, as well as limited remediation of current findings.  Contracts reflect an organization’s risk tolerance . For example, you can establish parameters on specific expectations such as the time it should take your third party to patch a critical/high/medium-risk vulnerability. You can also set key performance indicators related to specific activities, such as responding to inquiries.  Contracts can allow for a smooth transition away from a third party by ensuring that verbiage around termination timelines and expectations is included. In addition, the contract can be used to keep track of what logical and physical access is provided to the third party to ensure that it is terminated promptly.  What Is Contract Risk?  Contract risk is the possibility of a risk arising when a contract is created. There are different types of risks to be aware of that should be discussed during the pre-contract phase, including but not limited to:  Not including specific control expectations  within the agreement, or a separate addendum, that will ensure your data is appropriately safeguarded and your organization’s strategic objectives are met. For example, if you are working with a critical- or high-inherent risk third party, make sure that you call out at least your top 10, 15, or 20 information security controls that you expect them to have in place before you send them any data.   Not including/reviewing sufficient contract terms . It is important to make sure that you are at least reviewing what the third party is redlining or approving in your contract. In addition, compare it to what you are reviewing from an assessment perspective.   Not including safeguards  within the contract should a third party risk be realized. This would include things like incident response, breach notification, or non-compliance triggers.   Not reviewing contract templates on a regular basis to incorporate emerging risks related to performance risk, termination and transition risk, intellectual risk, artificial intelligence risk, cost escalation risk, insurance risk, and so on. With this, it is important to understand where potential risks can arise and have a discussion on these topics to minimize the extent of each risk.   Addressing Contract Risk  Now that we have discussed the different ways contract risk can arise, here are a few ways to address said risk.    Contract risk can be addressed by working closely with Legal and Procurement teams  to ensure contracts align closely with your organization’s risk management strategy, including its risk appetite.   Have templates for cybersecurity requirements  drafted to ensure they provide sufficient coverage of key controls. This should not be an exhaustive list of controls, but your top 10 to 20 controls need to be in place in order for you to send data to the third party. Furthermore, templates should detail appropriate remedies (non-compliance triggers) if and when the third party fails to meet its obligations under the agreement.  Include expectations for participating in risk assessment activities (i.e., responding to questionnaires and providing evidence items upon request).   TPRM practitioners should have a seat at the table when reviewing redlines  within specific clauses related to cybersecurity terms, as well as terms that would allow a practitioner to perform their duties (such as a “Right to Audit or Review” and/or “Termination” clauses).   Practitioners should ensure any  high-risk findings  noted during the pre-contract due diligence phase are  noted within contractual terms . Practitioners should work closely with legal counsel to ensure that the contractual language is clear, specific, and enforceable.  Tips on the Right to Review vs. Right to Audit Clause  Typically, the “Right to Audit” clause allows an organization to “audit” the third party once per year. Historically, this clause was specific to Internal Audit. Over time, TPRM programs have adopted this clause to perform their annual due diligence assessments.  However, the clause does not provide flexibility or allow for the depth needed to perform continuous monitoring of the third party.  A tip for ensuring your organization can review the third party on a regular cadence (more than once per year) is to include a "Right to Review" clause within the cybersecurity addendum and in addition to the "Right to Audit" clause usually noted within the Master Services Agreement (MSA).  A "Right to Review" clause may include language such as "The third party may be required to complete due diligence questionnaires and/or surveys from time to time and shall respond to such questionnaires and surveys no later than the due date, as defined within this agreement. Upon request, the third party shall provide evidence to support responses to such questionnaires and surveys. Failure to do so may enact escalation procedures and/or non-compliance triggers noted within this agreement.”  When compared to the “Right to Audit” clause, the “Right to Review” clause is specific to ensuring that your security addendum is being executed appropriately.  Conclusion  Incorporating comprehensive contractual safeguards is essential for TPRM practitioners aiming to mitigate third party risks effectively. By understanding contract risk, organizations can establish strong contract clauses that protect against potential liabilities and align with their organization’s risk tolerance.  Resources:  AI/ML Questionnaire   Guidebook

TPRM Job Listings Searching for a TPRM-specific job? Check out the listings below from organizations looking for talented TPRM professionals! Note: TPRA reserves the right to remove any job listing for any reason and without communication to the contact. Post a Job Manager Vendor Risk Management 1LoD RBC View Job Vendor Security Lead Pinterest View Job Third Party Risk Manager Blue Ridge Bank View Job Third-Party Risk Management Analyst Sungrow Power Supply Co., Ltd View Job Vendor Risk Consultant SecurityScorecard View Job Third Party Risk Specialist Yubico View Job Director - Third Party Risk Management St. Jude Children's Research Hospital View Job TPRM Specialist Selby Jennings View Job Third Party Risk Management, Analyst BitGo View Job Senior Compliance Risk Manager - Vendor Management Trustmark Bank View Job Events Coordinator NContracts View Job Third Party Risk Sr Analyst Citizens View Job LOAD MORE

Join TPRA on April 7 - 9, 2025 for our annual TPRM conference! "Navigating Risky TPRM Waters" will be held in Myrtle Beach, NC. Register now! TPRA's 2025 THIRD PARTY RISK MANAGEMENT CONFERENCE NAVIGATING RISKY TPRM WATERS MONDAY, APRIL 7 - WEDNESDAY, APRIL 9, 2025 MARRIOTT MYRTLE BEACH RESORT & SPA MYRTLE BEACH, SOUTH CAROLINA REGISTER NOW ABOUT SPONSORS SPEAKERS REGISTER AGENDA VENUE Set Sail for Success at "Navigating Risky TPRM Waters"! Ahoy, TPRM Professionals! Prepare to embark on an unforgettable voyage at the "Navigating Risky TPRM Waters" conference, hosted by the Third Party Risk Association (TPRA). From Monday, April 7 to Wednesday, April 9, 2025 , chart your course to the beautiful shores of Myrtle Beach, South Carolina , and drop anchor at the luxurious Marriott Myrtle Beach Resort & Spa at Grande Dunes . 4 TRACKS 47 SESSIONS 2 KEYNOTES 8 ROUNDTABLES 2 NETWORK EVENTS Explore a Treasure Trove of Knowledge Dive into the depths of Third-Party Risk Management with expert-led sessions, interactive roundtables, and cutting-edge strategies to get your TPRM program into shipshape! Our 2025 conference will feature four speaking tracks and up to 47 different sessions , including 44 breakout sessions , 2 keynotes , 8 roundtables , and 5 sponsor demo sessions . Also included are 2 network events , sponsor booths, games, raffles, live entertainment, and more! Network with Fellow Buccaneers Connect with fellow TPRM professionals and industry leaders, sharing insights and building valuable relationships on this high-seas adventure. Participate in two pirate-themed network events , complete with privateer-approved treasure hunts, appetizers, deluxe beverages, and more! Enjoy breakfast meet-and-greets , roundtable discussions , and other social events designed to foster meaningful connections and collaborations. Keynote Speakers Hear from renowned TPRM experts who will share their treasure maps for navigating the complex waters of third-party risk. Learn from industry leaders and innovators who will provide actionable insights and future trends in TPRM. Exhibit Hall Explore the latest tools and solutions from leading TPRM service providers, offering you the best treasure to safeguard your organization. Discover new technologies, software, and services that can enhance your TPRM processes and strategies. Relax & Unwind Enjoy the stunning ocean views and top-notch amenities at the Marriott Myrtle Beach Resort & Spa at Grande Dunes . Take advantage of the resort’s spa services, pools, and beachfront access to relax and rejuvenate between sessions. Ready to Set Sail? Don't miss the opportunity to steer your TPRM career toward new horizons. Secure your spot today and join us for an extraordinary journey filled with discovery, adventure, and invaluable learning at "Navigating Risky TPRM Waters"! REGISTER NOW Justification for Attendance Interested in getting certified through the TPRA? Register for TPCRA in-person training , to be held April 7-8, 2025, and attend the last day of conference sessions at no additional cost! View instructions below . THANK YOU TO OUR SPONSORS Apply to Sponsor ADMIRAL SPONSORS (Level 1) RiskRecon Admiral Sponsor (Level 1) Black Kite Admiral Sponsor (Level 1) ProcessUnity Admiral Sponsor (Level 1) Aravo Admiral Sponsor (Level 1) RiskRecon Admiral Sponsor (Level 1) Black Kite Admiral Sponsor (Level 1) ProcessUnity Admiral Sponsor (Level 1) Aravo Admiral Sponsor (Level 1) RiskRecon Admiral Sponsor (Level 1) Black Kite Admiral Sponsor (Level 1) ProcessUnity Admiral Sponsor (Level 1) Aravo Admiral Sponsor (Level 1) RiskRecon Admiral Sponsor (Level 1) Black Kite Admiral Sponsor (Level 1) ProcessUnity Admiral Sponsor (Level 1) Aravo Admiral Sponsor (Level 1) RiskRecon Admiral Sponsor (Level 1) Black Kite Admiral Sponsor (Level 1) ProcessUnity Admiral Sponsor (Level 1) Aravo Admiral Sponsor (Level 1) RiskRecon Admiral Sponsor (Level 1) Black Kite Admiral Sponsor (Level 1) ProcessUnity Admiral Sponsor (Level 1) Aravo Admiral Sponsor (Level 1) RiskRecon Admiral Sponsor (Level 1) Black Kite Admiral Sponsor (Level 1) ProcessUnity Admiral Sponsor (Level 1) Aravo Admiral Sponsor (Level 1) RiskRecon Admiral Sponsor (Level 1) Black Kite Admiral Sponsor (Level 1) ProcessUnity Admiral Sponsor (Level 1) Aravo Admiral Sponsor (Level 1) CAPTAIN SPONSORS (Level 2) Certa Captain (Level 2) Global Resilience Federation (GRF) Captain (Level 2) S&P Global Captain (Level 2) SecurityScorecard Captain (Level 2) Venminder, an Ncontracts Company Captain (Level 2) Certa Captain (Level 2) Global Resilience Federation (GRF) Captain (Level 2) S&P Global Captain (Level 2) SecurityScorecard Captain (Level 2) Venminder, an Ncontracts Company Captain (Level 2) Certa Captain (Level 2) Global Resilience Federation (GRF) Captain (Level 2) S&P Global Captain (Level 2) SecurityScorecard Captain (Level 2) Venminder, an Ncontracts Company Captain (Level 2) Certa Captain (Level 2) Global Resilience Federation (GRF) Captain (Level 2) S&P Global Captain (Level 2) SecurityScorecard Captain (Level 2) Venminder, an Ncontracts Company Captain (Level 2) Certa Captain (Level 2) Global Resilience Federation (GRF) Captain (Level 2) S&P Global Captain (Level 2) SecurityScorecard Captain (Level 2) Venminder, an Ncontracts Company Captain (Level 2) Certa Captain (Level 2) Global Resilience Federation (GRF) Captain (Level 2) S&P Global Captain (Level 2) SecurityScorecard Captain (Level 2) Venminder, an Ncontracts Company Captain (Level 2) QUARTERMASTER SPONSORS (Level 3) PromptArmor Quartermaster (Level 3) + Keynote Mirato Quartermaster (Level 3) Whistic Quartermaster (Level 3) Supply Wisdom Quartermaster (Level 3) Lema Quartermaster (Level 3) Coverbase Quartermaster (Level 3) PromptArmor Quartermaster (Level 3) + Keynote Mirato Quartermaster (Level 3) Whistic Quartermaster (Level 3) Supply Wisdom Quartermaster (Level 3) Lema Quartermaster (Level 3) Coverbase Quartermaster (Level 3) PromptArmor Quartermaster (Level 3) + Keynote Mirato Quartermaster (Level 3) Whistic Quartermaster (Level 3) Supply Wisdom Quartermaster (Level 3) Lema Quartermaster (Level 3) Coverbase Quartermaster (Level 3) PromptArmor Quartermaster (Level 3) + Keynote Mirato Quartermaster (Level 3) Whistic Quartermaster (Level 3) Supply Wisdom Quartermaster (Level 3) Lema Quartermaster (Level 3) Coverbase Quartermaster (Level 3) PromptArmor Quartermaster (Level 3) + Keynote Mirato Quartermaster (Level 3) Whistic Quartermaster (Level 3) Supply Wisdom Quartermaster (Level 3) Lema Quartermaster (Level 3) Coverbase Quartermaster (Level 3) FIRST MATE SPONSORS (Level 4) OneTrust First Mate (Level 4) Mitratech First Mate (Level 4) Exiger First Mate (Level 4) FAIR Institute First Mate (Level 4) Cloud Security Alliance First Mate (Level 4) OneTrust First Mate (Level 4) Mitratech First Mate (Level 4) Exiger First Mate (Level 4) FAIR Institute First Mate (Level 4) Cloud Security Alliance First Mate (Level 4) OneTrust First Mate (Level 4) Mitratech First Mate (Level 4) Exiger First Mate (Level 4) FAIR Institute First Mate (Level 4) Cloud Security Alliance First Mate (Level 4) OneTrust First Mate (Level 4) Mitratech First Mate (Level 4) Exiger First Mate (Level 4) FAIR Institute First Mate (Level 4) Cloud Security Alliance First Mate (Level 4) OneTrust First Mate (Level 4) Mitratech First Mate (Level 4) Exiger First Mate (Level 4) FAIR Institute First Mate (Level 4) Cloud Security Alliance First Mate (Level 4) OneTrust First Mate (Level 4) Mitratech First Mate (Level 4) Exiger First Mate (Level 4) FAIR Institute First Mate (Level 4) Cloud Security Alliance First Mate (Level 4) SEAFARING SPONSORS RapidRatings Panel Sponsor Locktivity Network Event Bartender Sponsor RapidRatings Panel Sponsor Locktivity Network Event Bartender Sponsor RapidRatings Panel Sponsor Locktivity Network Event Bartender Sponsor RapidRatings Panel Sponsor Locktivity Network Event Bartender Sponsor RapidRatings Panel Sponsor Locktivity Network Event Bartender Sponsor RapidRatings Panel Sponsor Locktivity Network Event Bartender Sponsor RapidRatings Panel Sponsor Locktivity Network Event Bartender Sponsor RapidRatings Panel Sponsor Locktivity Network Event Bartender Sponsor RapidRatings Panel Sponsor Locktivity Network Event Bartender Sponsor RapidRatings Panel Sponsor Locktivity Network Event Bartender Sponsor RapidRatings Panel Sponsor Locktivity Network Event Bartender Sponsor RapidRatings Panel Sponsor Locktivity Network Event Bartender Sponsor RapidRatings Panel Sponsor Locktivity Network Event Bartender Sponsor RapidRatings Panel Sponsor Locktivity Network Event Bartender Sponsor RapidRatings Panel Sponsor Locktivity Network Event Bartender Sponsor SPEAKERS Commander Kirk Lippold Authority on Leadership, Global Security; Former Commander of the USS Cole, Former USNA Adjunct Professor on Leadership & Ethics USN (Ret.) Valmiki Mukherjee Chairman CyberFuture Foundation Vrushali Lakhpati VP, Head of Global Third Party Due Diligence Program AmTrust Financial Services Clarence Chio CEO & Co-founder Coverbase Kaih Taylor Manager Third-Party Risk Management AgFirst Farm Credit Bank Aidan Thaggard Senior Solutions Engineer Supply Wisdom LOAD MORE AGENDA AT A GLANCE View Full Agenda All sessions are subject to change. Date Time Compact Agenda Location 04/07/2025 3:00 - 5:00 PM Early Check-In Group Registration Alcove, Main Level 04/07/2025 6:00 - 8:00 PM Pirate Parley Network Event Oceanfront Courtyard, Main Level 04/08/2025 7:30 - 8:45 AM Breakfast & Check-In Atlantic Ballroom 4-8, Main Level 04/08/2025 8:45 - 9:00 AM Welcome & Kick-Off Atlantic Ballroom 4-8, Main Level 04/08/2025 9:00 - 9:55 AM Morning Keynote: "Leadership and Accountability When It Matters" Commander Kirk Lippold, USN (Ret.) Atlantic Ballroom 4-8, Main Level 04/08/2025 10:00 - 10:50 AM "DEMO: RiskRecon – Risk to the Nth-Party Degree" Austin Starowicz, RiskRecon Atlantic Ballroom 1 04/08/2025 10:00 - 10:50 AM "Supply Chain Resilience: Enhancing Detection and Response Strategies" Steve Cobb SecurityScorecard Atlantic Ballroom 2 04/08/2025 10:00 - 10:50 AM "The Next AI Wave is on its Way: Are You Ready?" Dean Alms & Loren Johnson, Aravo Atlantic Ballroom 3 04/08/2025 10:00 - 10:50 AM "Essentials for Effective Third Party Risk Management" Jodi Daniels, Red Clover Advisors Tides 1 & 2 04/08/2025 11:00 - 11:50 AM "Designing a Comprehensive TPRM Framework: Essential Elements for Success" Chris Phillips, Lendmark Financial Services Atlantic Ballroom 1 04/08/2025 11:00 - 11:50 AM "Collective Resilience: Elevating Third-Party Risk Management" Mark Orsi & Charlie Tupitza, Global Resilience Federation (GRF) Atlantic Ballroom 2 04/08/2025 11:00 - 11:50 AM "Get Off the Assessment Treadmill. Take a Data-First, Questionnaire-Second Approach to TPRM" Ed Thomas, ProcessUnity Atlantic Ballroom 3 04/08/2025 11:00 - 11:50 AM "DEMO: Black Kite Solutions for Streamlining Vendor Assessments" Michael Gall, Black Kite Tides 1 & 2 04/08/2025 11:50 AM - 1:00 PM Lunch Atlantic Ballroom 4-8, Main Level 04/08/2025 1:00 - 1:50 PM "Industry Roundtable: Finance" Paul Kurtz, First Century Bank Atlantic Ballroom 1 04/08/2025 1:00 - 1:50 PM "Industry Roundtable: Retail & Manufacturing" Mark Dunaisky Atlantic Ballroom 2 04/08/2025 1:00 - 1:50 PM "Industry Roundtable: Insurance (Life, Health, Auto, etc.)" Christopher Strazishar, Corebridge Financial & Andy Fiumefreddo, American Family Insurance Atlantic Ballroom 3 04/08/2025 1:00 - 1:50 PM "Industry Roundtable: Technology & FinTech" Tides 1 & 2 04/08/2025 1:50 - 2:10 PM Snack Break North & East Pre-Function Lobby 04/08/2025 2:10 - 3:00 PM "The Future of TPRM: Securing the Advantage in an Era of Regulatory Uncertainty" Jared Howe, Miratech Atlantic Ballroom 1 04/08/2025 2:10 - 3:00 PM "Practical Solutions for Scaling Third Party Risk Management" Courtney Turner, John Deere Atlantic Ballroom 2 04/08/2025 2:10 - 3:00 PM "Guiding GenAI Technology Providers Using CSA AI Controls Framework" Troy Leach & John Yeoh, Cloud Security Alliance (CSA) Atlantic Ballroom 3 04/08/2025 2:10 - 3:00 PM "Decoding Risk: ERM, IRM, GRC and Everything in Between" Rafael DeLeon & Chinyere Watson, Venminder, an Ncontracts Company Tides 1 & 2 04/08/2025 3:10 - 4:00 PM "How to Mature Your TPRM Program" Kaih Taylor, AgFirst Credit Bank Atlantic Ballroom 1 04/08/2025 3:10 - 4:00 PM "Learning from the Titanic: Dealing with Operational Resilience in TPRM" Vrushali Lakhpati, AmTrust Financial Services Atlantic Ballroom 2 04/08/2025 3:10 - 4:00 PM "Third Party Risk is First Party Risk: From Process to Decisions" Pankaj Goyal, FAIR Institute Atlantic Ballroom 3 04/08/2025 3:10 - 4:00 PM "Threading the Needle in a Haystack: Using Big Data to Pinpoint Real Risk in Third-Party Management" Luke Nordlie, S&P Global Tides 1 & 2 04/08/2025 4:10 - 5:00 PM "PANEL: Metrics & Reporting" Julia Yuabov, KPMG; Andrew Moyad, Shared Assessments; Laura Arnott, Vigilant LLC; Jenn Wilkinson, Cenlar FSB; Jon Sternstein, Stern Security Atlantic Ballroom 1 04/08/2025 4:10 - 5:00 PM "From Silos to Synergy: Partnering with Procurement while streamlining Risk" Ryan Bradford, The New York Times Atlantic Ballroom 2 04/08/2025 4:10 - 5:00 PM "Mastering the Vendor Tango: Navigating Third-Party Risk from Both Sides" Blake Hoge, Airbnb & Garret Close, Amplitude Atlantic Ballroom 3 04/08/2025 4:10 - 5:00 PM Navigating the Insurance Waters Mark Ewert, Penn National Insurance & Mary Granville, Arthur J Gallagher & Co (AJG) Tides 1 & 2 04/08/2025 5:30 - 7:30 PM Treasure Trove Network Event North & East Pre-Function Lobby 04/09/2025 7:30 - 8:45 AM Registration & Breakfast Atlantic Ballroom 4-8, Main Level 04/09/2025 8:45 - 9:00 AM Opening Remarks Atlantic Ballroom 4-8, Main Level 04/09/2025 9:00 - 9:55 AM "Empowering Tomorrow: Responsible AI Frameworks, Community Impact, and the Vision of the Cyber Future Foundation" Valmiki Mukherjee, Chairman, CyberFuture Foundation Atlantic Ballroom 4-8, Main Level 04/09/2025 10:00 - 10:50 AM "Setting Sail with Confidence: Establishing Strong TPRM Foundations for Smooth Sailing" Morgan Binder, Brian Howell, Jake Mitchell from Stripe Atlantic Ballroom 1 04/09/2025 10:00 - 10:50 AM "Navigating the High Seas of Third-Party Risk: A Swashbuckling Approach to TPRM" Jonathan Ehret, RiskRecon by Mastercard Atlantic Ballroom 2 04/09/2025 10:00 - 10:50 AM "Steering Through Uncharted Waters: How Agile AI Governance and Ethical Frameworks Can Enhance Third-Party Risk Management (TPRM)" Bob Maley, Black Kite Atlantic Ballroom 3 04/09/2025 10:00 - 10:50 AM "DEMO: Aravo Solutions" Daniel Philemon, Senior Solutions Consultant Tides 1 & 2 04/09/2025 11:00 - 11:50 AM "Stop the Pirate Raids! Get the Contiuous Monitoring Cannons!" Gregory Rasner, Third Party Threat Hunting LLC Atlantic Ballroom 1 04/09/2025 11:00 - 11:50 AM "DEMO: ProcessUnity" John Tondreau & Kristi Kuhns, ProcessUnity Atlantic Ballroom 2 04/09/2025 11:00 - 11:50 AM "Navigating the Interconnected Risk Waters Through Data and Advanced Modeling of Risk" Bob Kolasky, Exiger Atlantic Ballroom 3 04/09/2025 11:00 - 11:50 AM "Operational Resiliency: Best Practices to Enhance Your Program & Ensure Regulatory Compliance" Chris Paterson, OneTrust & Michael Duggan, CastleHill Risk Solutions Tides 1 & 2 04/09/2025 11:50 AM - 1:00 PM Lunch Atlantic Ballroom 4-8, Main Level 04/09/2025 1:00 - 1:50 PM "Risk Assessment Techniques Identifying and Evaluating Third-Party Risks" Rob Sheehan, 10X National Security Atlantic Ballroom 1 04/09/2025 1:00 - 1:50 PM "Key Trends & Insights from Supply Wisdom’s 2nd Annual Risk Management Survey" Aidan Thaggard, Supply Wisdom Tides 1 & 2 04/09/2025 1:00 - 1:50 PM "Roundtable: Incident Response" Kelly Felder, Trane Technologies Atlantic Ballroom 2 04/09/2025 1:00 - 1:50 PM "Roundtable: AI/ML, including Mapping Strategies" Vincent Scales, Verizon Atlantic Ballroom 3 04/09/2025 1:50 - 2:10 PM Snack Break North & East Pre-Function Lobby 04/09/2025 2:10 - 3:00 PM "Roundtable: Nth Parties" Eric Rosendaul, VP Citizens Atlantic Ballroom 1 04/09/2025 2:10 - 3:00 PM "Weaponized Convenience: Inside the Rise of Remote Tool Abuse" Nader Zaveri, Mandiant/Google Atlantic Ballroom 2 04/09/2025 2:10 - 3:00 PM Session TBD – Certa.ai Atlantic Ballroom 3 04/09/2025 2:10 - 3:00 PM Roundtable: MIT Research "Securing the Fleet: Collaborative Cybersecurity Strategies for Large Firms and their Small and Medium Suppliers" Jillian Kwong, MIT Sloan School of Management Tides 1 & 2 04/09/2025 3:10 - 4:00 PM "How to Assess Your Vendors' SSAE 18 SOC Report for Comprehensive Consistent and Security-Focused Due Diligence" Lisa Mae Hill, Independent Contractor Atlantic Ballroom 1 04/09/2025 3:10 - 4:00 PM "Resilience and Upskilling in AI Infested Waters: You’re Gonna Need a Bigger Boat" Donna Speckhard, Fannie Mae Atlantic Ballroom 2 04/09/2025 3:10 - 4:00 PM "Overcoming Obstacles" Naomi Ward, Commonwealth of Massachusetts EOTTS - ERM Atlantic Ballroom 3 04/09/2025 3:10 - 4:00 PM "PANEL: Relationship Management/Collaboration" Stacey Custeau, Unum; Elizabeth Blosh-Myers, First Internet Bank; Keith Frantz, Prosper Marketplace; Angela Appleby, Plante Moran; Everett Weston, RapidRatings Tides 1 & 2 04/09/2025 4:10 - 5:00 PM "General Session" Julie Gaiaschi, CEO & Co-founder of the Third Party Risk Association (TPRA) Atlantic Ballroom 4-8, Main Level THE VENUE Join us at the Marriott Myrtle Beach Resort & Spa at Grande Dunes , where the ocean meets luxury and pirates meet risk management! Experience the perfect blend of business and adventure as we chart a course through the latest in TPRM while enjoying breathtaking views and top-notch amenities in beautiful Myrtle Beach, SC. Our discounted hotel room block ended March 8, but feel free to book directly via the Marriott Myrtle Beach Resort & Spa. BOOK NOW 1/14 ADDITIONAL HOTEL OPTIONS Marriott's OceanWatch Villas at Grande Dunes 8550 Costa Verde Dr, Myrtle Beach, SC 29572 Located on the same property, 0.1 mile, 3 min walk, 1 min drive Around $380/night Horizon at 77th 215 77th Ave N, Myrtle Beach, SC 29572 0.8 mile, 3 min drive, 13 min walk Around $158/night Grande Shores Ocean Resort 201 77th Ave N, Myrtle Beach, SC 29572 0.7 mile, 16 min walk Around $100/night Carolina Winds 200 76th Ave N, Myrtle Beach, SC 29572 0.8 mile, 18 min walk Around $90/night Hampton Inn Myrtle Beach-Northwood 620 75th Ave N, Myrtle Beach, SC 29572 1.1 miles, 4 min drive, 22 min walk Around $160/night Get Certified Third Party Cyber Risk Assessor (TPCRA) In-Person Training Interesting in getting TPCRA certified through the TPRA? We are pleased to offer in-person training during our conference! Training will be held Monday, April 7 to Tuesday, April 8, 2025 , from 9 AM - 4 PM Eastern . Trainees will be able to attend the last day of conference sessions (April 9th) at no additional cost. Registering is easy! Just follow the steps below: 1. Complete Registration & Payment for TPCRA Certification Fill out and submit the TPCRA Registration form , select the Training or Exam & Training Bundle option, and complete payment. 2. Receive Automated Email with Instructions Upon completing payment, you will receive an email with instructions on how to select your TPCRA training dates and times. Please select the TPCRA training in Myrtle Beach, SC. 3. Book Travel & Lodging If needed, book your travel and lodging for In-Person Training at the Marriott Myrtle Beach Resort & Spa at Grande Dunes in Myrtle Beach, South Carolina. Book Hotel Room > For any additional questions, email Julie at julie@tprassociation.org .

View the agenda for our 2025 In-Person Conference, "Navigating Risky TPRM Waters"! Main Page Conference Agenda Filter by Track Select Track Early Check-In Monday, April 7, 2025 3:00 - 5:00 PM Group Registration Alcove, Main Level Check-In Drop anchor early and get a head start on your TPRM voyage with early check-in for "Navigating Risky TPRM Waters." Learn More Pirate Parley Network Event Monday, April 7, 2025 6:00 - 8:00 PM Oceanfront Courtyard, Main Level Network Event Join us for the first network event of the conference! Learn More Breakfast & Check-In Tuesday, April 8, 2025 7:30 - 8:45 AM Atlantic Ballroom 4-8, Main Level Meal Fuel Up for the TPRM Voyage! Learn More Welcome & Kick-Off Tuesday, April 8, 2025 8:45 - 9:00 AM Atlantic Ballroom 4-8, Main Level General Session Welcome & Kick-Off with TPRA Captain Julie Gaiaschi Learn More Leadership and Accountability When It Matters Tuesday, April 8, 2025 9:00 - 9:55 AM Atlantic Ballroom 4-8, Main Level Keynote Commander Kirk Lippold, USN (Ret.) Learn More DEMO: RiskRecon – Risk to the Nth-Party Degree Tuesday, April 8, 2025 10:00 - 10:50 AM Atlantic Ballroom 1 Track 1: Anchoring TPRM Essentials & Best Practices Austin Starowicz, Director, Solutions Consulting, RiskRecon Learn More Supply Chain Resilience: Enhancing Detection and Response Strategies Tuesday, April 8, 2025 10:00 - 10:50 AM Atlantic Ballroom 2 Track 2: Fortifying the Shoreline (Operational Risk & Resilience) Steve Cobb, CISO, SecurityScorecard Learn More The Next AI Wave is on its Way: Are You Ready? Tuesday, April 8, 2025 10:00 - 10:50 AM Atlantic Ballroom 3 Track 3: Surfing the Waves of Innovation & Automation Dean Alms & Loren Johnson, Aravo Learn More Essentials for Effective Third-Party Risk Management Tuesday, April 8, 2025 10:00 - 10:50 AM Tides 1 & 2 Track 4: Charting the Course (Regulation & Compliance) Jodi Daniels, CEO & Privacy Consultant, Red Clover Advisors Learn More Designing a Comprehensive TPRM Framework: Essential Elements for Success Tuesday, April 8, 2025 11:00 - 11:50 AM Atlantic Ballroom 1 Track 1: Anchoring TPRM Essentials & Best Practices Chris Phillips, VP, Procurement and Vendor Risk, Lendmark Financial Services Learn More Collective Resilience: Elevating Third-Party Risk Management Tuesday, April 8, 2025 11:00 - 11:50 AM Atlantic Ballroom 2 Track 2: Fortifying the Shoreline (Operational Risk & Resilience) Mark Orsi, CEO & Charlie Tupitza, Director of Community Development, Global Resilience Federation (GRF) | Business Resilience Council (BRC) Learn More Get Off the Assessment Treadmill. Take a Data-First, Questionnaire-Second Approach to TPRM Tuesday, April 8, 2025 11:00 - 11:50 AM Atlantic Ballroom 3 Track 3: Surfing the Waves of Innovation & Automation Ed Thomas, ProcessUnity Learn More Load More