MOVEit Transfer Vulnerability: Lack of Supply Chain Visibility Exacerbates Breach View Post

Supply Chain Risk Management Case Study: Schroders Personal Wealth

Who are Schroders Personal Wealth (SPW)?

Schroders Personal Wealth (SPW) is a joint venture between Lloyds Banking Group and investment management business Schroders, built on a 400-year foundation. Trust, transparency and personal relationships are at the heart of the business. SPW has over £13.3 billion in funds under management and serves its clients through 11 regional hubs and 270+ financial advisers around the UK.

Why did they choose Risk Ledger?

With over £13 billion of funds under management, it was imperative to have a security programme that would be robust enough to ensure compliance with GDPR, the Financial Conduct Authority Handbook and evolving regulations governing the financial sector as well as the ever more critical and obligatory environmental, social and governance (ESG) principles. In the words of Yohann, Information Security Manager at SPW:

We are a cloud-first organisation, which means one of the biggest security risks for SPW - if not the biggest risk - is the potential vulnerabilities in our supply chain. We have about 200 suppliers, some of which are critical to our infrastructure and daily operations. To effectively manage these risks on an ongoing basis, automation and efficiency are critically important.

Yohann L., Information Security Manager, Schroders Personal Wealth (SPW).

“A data breach or malware attack in a third-party connection could have a significant impact on us if we didn’t have the programme in place to manage it.” says Yohann.

“Our CISO at the time saw Risk Ledger give a demo of their product at an event and was impressed with its simplicity, efficiency and model that facilitates a level of collaboration and communication with an organisation’s supply chain that just wasn’t available elsewhere on the market.”

How does Risk Ledger help?

With Risk Ledger, each supplier is required to create a profile that is built within a standard framework covering common security controls as well as key questions relating to ESG and financial risk.

As the process is automated, third-party non-compliance with specific priority criteria is flagged immediately to SPW procurement, saving months of manually sifting through spreadsheets to assess questionnaire responses. With Risk Ledger, SPW’s third-party risk management processes are now incredibly more efficient; what used to require several FTE now only requires 1 FTE, which means the expert security team can focus their time on other things. Automation also eliminates human error from the process of onboarding.

Risk Ledger’s social network model gives SPW unprecedented visibility in real-time over their entire supply chain beyond third parties, to fourth, fifth and even sixth parties, facilitating the swift uncovering of vulnerabilities even in the smallest suppliers that would otherwise have likely gone unnoticed.

SPW has implemented a clause in all supplier contracts which mandates that suppliers must maintain all controls as indicated through Risk Ledger and this acts like a dynamic security schedule, updated in real-time - a far more robust approach than a once-a-year review, which is quickly out of date.

As Risk Ledger gives its clients continuous monitoring of suppliers’ internal security controls, we are able to identify any non-compliance in real-time as soon as a supplier’s control level changes.

“Risk Ledger are continually developing their product to help us comply with changing regulations,” says Yohann. “Being able to identify concentration risk and critical dependencies through Risk Ledger’s live mapping functionality means that when new regulation is introduced, we will be well prepared.”

“I enjoy being able to work together with Risk Ledger as a supportive partner rather than a supplier. We are both at the beginning of our journeys and both of us have business models with an exciting future.”

Biggest win so far

Reduction in time to onboard suppliers and exponential uplift in coverage of their third party risk management programme.

A Risk Ledger profile can be easily completed in a day. One SPW supplier did it in two hours. That level of speed in the onboarding process combined with the simplicity of the platform is a game changer for SPW procurement and risk management’s workload. Meanwhile, the SPW team has said that Risk Ledger gives unprecedented visibility into their supply chain’s risks – they now have visibility into 95% of their suppliers - enabling an enormous reduction in the risk of cyber incidents in the SPW supply chain.

Suppliers of SPW have given them feedback on how user-friendly the Risk Ledger platform is, which Yohann and his team say is encouraging since it’s the collaborative aspect of the Risk Ledger model that strengthens its ability to detect early and defend against cyber attacks.

A number of SPW suppliers are using Risk Ledger to manage their own supply chains, which supports the “network effect” principle of the platform, where connected organisations work together to share data about security activity and “defend-as-one”.

We are big supporters of Risk Ledger and their product, which is unique and fills a massive gap in the cyber security market. Risk Ledger gives us an instant snapshot of where risks lie in our supply chain. It is quite unbelievable that before Risk Ledger, the only third- party risk management programmes out there were still relying on manual onboarding and annual reviews – so outdated in a digital- first economy and not fit for purpose in light of much stricter financial regulations.

Suppliers love working with Risk Ledger! We regularly receive comments on how easy the process is.

Yohann L., Information Security Manager, Schroders Personal Wealth (SPW).

We’re really enjoying working with SPW to build the future of Defend-as-One, where organisations work together to improve the security of the global supply chain for consumers and companies alike. SPW has been a fantastic champion of this, working collaboratively with their suppliers to improve security for everyone.

-Haydn Brooks, CEO of Risk Ledger

Book a demo - or request an invite

Interested in joining the thousands of organisations that are using Risk Ledger as a client, a supplier, or both? Get in touch with us today.