MCA Management Awards 2010: Business Strategy

Category winner

Last Updated: 09 Oct 2013

KPMG with Royal Bank of Scotland

The words 'data loss' send a shiver down the spine of companies, government departments and civil servants alike, and no wonder: absent-mindedly leaving your work laptop in a taxi or on a train can be a career-limiting mistake these days.

The Royal Bank of Scotland Group (RBS) depends on a large and extended network of thousands of business partners, third parties and customers around the world - from sole traders to multinationals, bank statement printers to computer hardware providers, from publishers and payroll processors to cash logistics firms, security companies and lawyers. Ensuring that every one of them adhered to the bank's policies and procedures was proving difficult - RBS needed to create and implement a methodology that would manage and monitor this more effectively.

Aware of an ever-increasing number of emerging risks and a more concentrated regulatory focus on data security, RBS asked KPMG to help it reduce the risk of data security breaches. All high-risk third parties were to be identified, and a comprehensive data security review of each undertaken.

Because of the size and complexity of organisations such as RBS, there is always a risk that third parties and associated relationship managers will change, and the risk classification of the data being handled by third parties may also vary. Given the sheer number and geographical spread of third parties, KPMG's first task was therefore to create a third-party list that would be manageable for years to come. It was a challenging project, made more so by the unexpected telescoping of the initial six months' timescale to just five weeks, on the instruction of a senior RBS executive.

But KPMG rose to the task, and in a few days had mobilised a global team of more than 400 security, IT audit and risk management specialists, setting up operational hubs in the UK, Europe, the US and Asia, and creating a dedicated call centre in its South Africa office to support the project.

The sheer complexity of the data involved meant that the security review was a lengthy process involving several thousand calls. In some cases, the third party was unwilling to take part, so KPMG had to present a compelling case for how participating in the review would benefit them. And even third parties that no longer had a relationship with RBS had to be contacted, to provide assurances that they had fulfilled any contractual requirements on termination, and disposed of any data satisfactorily.

The roles performed by each third party and the type of data they held were established by means of a telephone questionnaire, and the overall level of data security risk posed by them was assessed.

KPMG had hoped these calls would help screen out a large number of organisations as low-risk and therefore not worthy of a site visit. However, it quickly became clear that the information gained from these interviews was not a sufficient basis to make such a judgment. So every single third party on the list had to be visited. KPMG staff were dispatched to carry out detailed one-day site visits in more than 50 countries, including Argentina, Colombia, Chile, Uruguay, Venezuela, the Dutch Antilles, Liechtenstein, Tunisia, Pakistan, Kazakhstan, China and Indonesia.

On site, the KPMG assessor requested hard evidence of security controls and procedures. The subsequent reports were then submitted to RBS, along with recommendations, where appropriate. A robust and detailed quality review of these reports was carried out before they were submitted to the relevant RBS senior executive for sign-off.

Within the five weeks - indeed, with a day to spare - KPMG had carried out comprehensive reviews into the data security of 360 of RBS's third parties and enabled the bank to demonstrate a focused and robust approach to data security.

The success of the programme - which was given the highest level of priority by RBS management - led to KPMG being awarded a second phase of work - a further 500 data security reviews over an eight-week period.

The consultancy has since implemented a standard process across RBS for data security reviews and assessments of any new and existing third parties. Says Emma Smith, head of group information security at RBS: 'We have moved from a blank sheet of paper to being recognised as industry-leading in third-party security, in the space of just five weeks.'


Worried about the risk of data loss among the bewildering array of third parties with which it has had dealings, RBS commissioned KPMG to conduct a full data security review. Mobilising an international team of 400-plus specialists, KPMG launched an urgent phone questionnaire, later upgraded to 360 site visits in 50 countries, to ensure a robust check on the data practices of all third parties. This mighty endeavour was accomplished in just five weeks. KPMG has now put in place a standing review process for RBS.

- Get networking - access to a global pool of specialists and experts enables rapid mobilisation.

- Encourage can-do attitudes - a positive outlook can bring seemingly impossible deadlines within reach.

- Create a clear reporting process to get the necessary metrics to monitor progress and ensure issues are highlighted and resolved.
