CastleHill Managed Risk Solutions Blog

Do You Really Know Where Your Data Resides?

Posted by Michael Duggan on Aug 3, 2017 2:10:00 PM

Castlehill - Where Does Your Data Reside?.jpg

What you don’t know can hurt you. With the constant pressure of streamlining and creating cost-effective operations, outsourcing of core processing and data management to domestic third-parties by the banking and insurance industries has been common practice for many years. Although this practice is common and in most cases quite necessary, it is still important for an organization to ask the question of where their customer’s data will be stored when leveraging a third party.   

Just like you, your third parties are looking for ways to reduce cost in their operations, and this could lead to the use of off-shore data centers.  Like a seductive travel brochure, these centers offer apparently comparable support and security with the promise of significant cost savings. The Federal Deposit Insurance Corporation (FDIC) has this to say: “…the use of offshore contractors has grown dramatically in the past few years due to the flexibility offered by new information technology (IT) and the prospect of lower costs.” In fact, the Deloitte 2016 Global Outsourcing Survey reports 59% of companies pursue international outsourcing primarily as a cost-cutting measure.

That flexibility is a two-edged sword. You’re likely unable to tell from accessing your data where it may be coming from. Not all contractors report their own third-party agreements, so instead of Tennessee, your data could just as well be residing in an offshore data center in Poland. Being in a cooperative business arrangement that extends across international borders brings with it increased risk exposure, including compliance and strategic risks due to different socio-economic, political, and legal climates overseas. Compound the picture with increased client awareness of the fragility of their own personal information in today’s increasingly complex third party and international data center climate, and you risk not only your data, but your revenue and reputation.

There are some simple steps you can take to better understand where your sensitive data is residing. Start with thorough risk assessments to include all vendor contracts which include:

  • Carefully examining all contracts to determine how subcontracting and subsequent outsourcing are addressed.
  • Determining whether your contractors have made their own outsourcing arrangements, within or outside the provisions of your contract.
  • Identifying any international compliance or strategic risks and appropriate mitigation.
  • Examining your procedures for initial vendor screening and ongoing management.

As experts in GRC and third-party risk management, we’d be happy to help you get the process started. We’ve put together a targeted Risk Capability Survey that will provide you a customized overview of your risk management picture. To learn more, simply call or email us to set up a time to talk with one of our risk management analysts about your GRC programs.

How Do Your Risk & Compliance Programs Stack Up?

Topics: GRC