New York Life

Transcript:

Andy Abananti – Corporate Vice President at New York Life

I’m Andy Abananti. I am Corporate Vice President at New York Life in charge of our third-party lifecycle management, which is part of our overall third-party risk management program.

We are a large, mutually owned life insurance company, but we have a diversified portfolio that also has some what we call strategic insurance businesses and also an investment side. With that, we’ve got a variety of third parties that support our traditional life insurance business as well as some of those others.

Some of the basic table stakes are just knowing who our third parties are and having them rated appropriately. Where I think we’re defining success beyond just the metrics, though, is the partnerships that we have with our business. For me, the big success is when somebody’s coming to us for information as opposed to us going out with an ask.

There was one of our business areas that had a contract directly with Scorecard and was using it for their benefit, and we just realized that it was a tool that we could scale up and use across the company. As I said, we have several different areas of business within the company, so we just thought it was a great opportunity to centralize it now that there was an organization that was going to focus on third-party risk and bring it on board and sort of use that across all of our different businesses.

When we kick off assessments, we provide a pretty robust profile of our third party, which includes some external views before we go in to do our traditional assessment. We’ve gotten requests more frequently now from our procurement teams looking to get a profile, which includes the Scorecard results for prospective third parties because they want to have some due diligence before they even make a selection. So that’s been a big win as well.

Having something that is a pretty straightforward methodology that you can start with a score and then take that discussion from there has been really helpful. It just normalized things across our inventory for us to be able to have them do even some comparisons amongst the third parties that they use.

We’ve actually recently taken the initiative to map some of the domains within SecurityScorecard to our questionnaires so we can start to see some potential patterns and some vulnerabilities and exposure that we might have with some of our third parties. Nobody’s fully protected from it, so we feel like we can be a little more proactive now and be more specific around matching our inventory. It’s important for us not just to match the scores and the third parties, but what they’re doing for us as a company—to kind of align all that and have this matrix view. Then it helps us focus in on what’s most important for us today. What is our biggest concern today? What process may be affected? It just allows us to use our resources in a more targeted approach.

Certainly, being able to have robust reporting across our portfolio and detect some trending, being able to speak confidently about what we know—we’re always aware of what we don’t know, right? Because that’s going to happen every day. We’re going to find out something we didn’t know the day before. But just being able to share with different levels of audiences, from an executive level to more of an operating level, a level of reporting that is something we can pull together relatively quickly and convey.

We’ve had the requests come in to say, “Hey, we’re looking at these third parties. We don’t have them in our current inventory. What can you tell us?” And there was an instance where we had gotten our results, and they weren’t very good. And so it did prompt our procurement leads to want to have that follow-up discussion with the prospective third party. It really opened a good dialogue because they understood the need to remediate. We brought in SecurityScorecard as part of the conversation and talked through some of the potential root causes, and there were about three or four that they had to work through. Ultimately, the score was cleaned up, and it just promoted a pretty transparent dialogue with the prospective third party.

It normalizes a lot of information that would be hard to consume and then share back out. So it’s a very easy way for us to kick off a discussion with some of our business partners, give them, along with the security score, some other salient data points that resonate. It makes our job of bringing something out to the business so much easier. It’s always much easier when you go out with a value proposition than going out asking for somebody to do something for you, right? That’s where things are changing. We can go out with information that people find valuable.

Fortunately or unfortunately, however you want to look at it, because of the awareness now of the cyber breaches that are happening more routinely, people understand it more. They’re seeing it more. It’s impactful. It’s just easier for us now to go out and start that conversation with something that people understand.