Deloitte conducts regular surveys on third-party risk management (TPRM), and just concluded a survey on (English warning) “the rise of AI in TPRM to maximise opportunities while managing the risks.”
One of the key findings:
“Despite low maturity levels, leadership teams are ambitious about embracing intelligent automation, while managing both the risks of AI in their organisations and those arising from third-party AI usage.”
I’ve talked about maturity levels before and their importance in cybersecurity. While ad hoc approaches to TPRM just won’t cut it in terms of protection, a managed or defined level or better will yield a positive return on investment.
And one more thing…
The formal announcement is embargoed until Monday, but Bredemarket has TWO openings to act as your on-demand marketing muscle for facial recognition or cybersecurity:
An interesting variant on fraudulent deepfake scams.
Kenny Li of Manta fame was sucked into a scam attempt, but was able to perceive the scam before any damage was done.
Li responded to a message from a known contact, which resulted in a Telegram conversation, which resulted in a Zoom call.
“In the call, there were team members who had their cameras on, and [the] Manta founder could see their faces. He mentioned that ‘Everything looked very real. But I couldn’t hear them.’ Then came the ‘Zoom update required’ prompt…”
Li didn’t fall for it.
(With a special message at the end for facial recognition and cybersecurity marketing leaders)
Years ago, when I was in Mexico City on a business trip, one of my coworkers stated that he never uses biometrics to protect the data on his smartphone.
His rationale?
Government officials can compel you to use your biometrics to unlock your smartphone. They can’t compel you to provide your passcode to government officials.
Ironically, we both worked for a biometric company at the time.
But my former coworker isn’t the only one making this statement. With the recent protests, and with the recent searches of people crossing the U.S. border by plane or otherwise, this same advice is echoed everywhere.
ZDNET quotes law firm managing partner Ignacio Alvarez on passcodes:
“But the majority of the courts have found that being required by law enforcement to give your code to your devices violates your Fifth Amendment right against self-incrimination.”
Note what Alvarez said: the MAJORITY of the courts. So if you end up before the “wrong” court, you might have to provide your passcode anyway.
ZDNET also quotes attorney Joseph Rosenbaum:
“Passwords or passcodes, because they represent information contained in a person’s mind, seem to generally be considered the same as requiring someone to testify against themselves in court or in a deposition,” he told ZDNET. “That information is more likely to be legally protected under the Fifth Amendment as potentially self-incriminating.”
Notice his “seem to generally be” and “more likely to be” language. Again, you could still be compelled to give your passcode.
But that’s the easy part.
Biometrics: it’s complicated
But passcodes are the easy part. Biometrics are much more of a gray area.
The rationale behind not giving up your biometric is similar to the rationale behind the Miranda warning. As Dragnet fans know, “Anything you say can and will be used against you in a court of law.” Regarding passcodes, the courts…well, some of the courts, hold that since a passcode can be “spoken,” it’s covered under Miranda and therefore can’t be given without violating your Fifth Amendment rights.
What about biometrics? (Excluding voice biometrics for the moment.)
“…since a biometric isn’t spoken, production of that biometric may not legally qualify as the act of testifying against yourself and therefore, you can be compelled to unlock a phone or an app without necessarily having your rights violated.”
Again, note the use of the words “may not.” It isn’t clear here either.
And even these wishy-washy definitions may change.
“This area of law is a seriously moving target. Over time, things could favor passcodes being non-testimonial or biometrics being testimonial.”
In other words, a few years from now lawyers may advise you to use biometrics rather than passcodes to protect your private data on your smartphone.
Or maybe they’ll say both methods protect you equally.
Or maybe they’ll say neither method protects you, and your private data is no longer private.
But most likely they’ll say “It depends.” In the same way that our 18,000 law enforcement agencies have 18,000 different definitions of forensic science, they could have 18,000 different definitions of Miranda rights.
…how the fragmented, decentralized nature of American law enforcement and forensic practice creates a landscape where what counts as science (and possibly what counts as justice) can vary wildly depending on where you happen to be.
There are about 18,000 police agencies in the United States at all levels of government, and 400 separate forensic laboratories.
But we have standards, right?
Even when national scientific bodies like ASTM or NIST’s OSAC develop well-reasoned, consensus-based forensic standards, adoption is purely voluntary. Some laboratories fully integrate these standards, using them to validate methods, structure protocols, and train staff. Most others ignore them, modify them, or apply them selectively based on local preference or operational convenience. There is no enforcement mechanism, no unified system of oversight. The science exists, but whether it is followed depends on where you are.
Houck’s article details many other issues that plague forensic science, but the main issues arise because there are 18,000 different authorities on the matter. Because this is a structural issue, deeply rooted in how Americans think of governing ourselves, Houck doesn’t see an easy solution.
Reforming this system will not be easy. It runs up against the powerful American instincts toward local control, political independence, and legal precedent. Federal mandates for forensic accreditation, national licensing of analysts, or the establishment of an independent forensic science* oversight body (all ideas floated over the years) face stiff political and logistical resistance. I don’t give these ideas much of a chance.
Even Houck’s minimal suggestions for reform are questionable. In fact, if you read the list of his solutions at the bottom of his article, you’ll see that he’s already crossed one of them out.
Federal funding could be tied to meaningful accreditation and quality assurance requirements.
Why? Because the facial recognition software the agency has is not accurate enough.
Note “the facial recognition software the agency has.” There’s a story here.
Police and Counter-terrorism Minister Yasmin Catley clarifies that Cognitec has released numerous updates to the product since its deployment, but the police did not purchase them. As with other developers, Cognitec’s legacy algorithms have higher error rates for various demographic groups.
Important clarification.
Now perhaps the agency had its reasons for not upgrading the Cognitec software, and for using other software instead.
But governments and enterprises should not use old facial recognition software. Unless they have to run the software on computers running PC-DOS. Then they have other problems.
(A little aside: when I prompted Google Gemini to create the Imagen 3 image for this post, I asked it to create an image of a 1980s IBM PC running MS-DOS. Those in the know realize my prompt was incorrect. I should have requested a 1980s IBM PC running PC-DOS, not MS-DOS. PC-DOS was the version of MS-DOS that IBM licensed for its own computers, leaving Microsoft able to provide MS-DOS to the “clone computers” that eventually eclipsed IBM’s own offering.)
There are some things that I don’t bother to share in the Bredemarket blog, but instead just share to my socials.
This morning, I shared a story about the third-party risk management firm Whistic to LinkedIn’s Bredemarket Technology Firm Services page.
From LinkedIn.
You can see an oft-used Bredemarket technique: rather than sharing everything from a third party (geddit?) article, I only share a bit of it, then encourage the reader to click on the link to see the rest of the content. Makes everybody happy. What could go wrong?
Then I shared the same story to Facebook’s Bredemarket Technology Firm Services page.
Or tried to.
First attempt to share to Facebook
Facebook removed the post, accusing me of using “misleading links or content to trick people.”
I’m so devious that even I couldn’t figure out what I did.
Until I re-read the post and noticed this parenthetical comment.
(And one more key finding. Read the article.)
Doesn’t seem like a trick to me, but I explicitly urged people to leave Facebook’s walled garden and read something.
I do this all the time—Facebook is the second most popular traffic source for Bredemarket, after Google—but apparently the way I did it in the Whistic post was a trick to Facebook’s readers.
Second attempt to share to Facebook
The solution was simple: repost the article WITHOUT the offensive parenthetical comment.
So I did.
And Facebook removed the post again.
This isn’t the first time Facebook has rejected content that other platforms accepted without question…including other Meta platforms such as Instagram, Threads, and WhatsApp.
I was this close to ceasing content sharing on Facebook altogether.
But then I had an idea.
Now I’m engaging in real trickery
If I am offending Zuck by using text to supposedly trick people into clicking on a link…
…what would happen if I ONLY posted a link with no text at all?
And rather than posting the text of interest in Facebook’s walled garden…
…I put the text of interest in the Bredemarket blog, along with the Whistic link that offended Facebook so much?
Then I could share it on character-limited platforms such as Threads and Bluesky.
You see the irony here. For a while I’ve strived to place social content natively on each platform. Now the platforms are forcing me to place the real content on a platform I control.
And the text would look something like this:
What I tried to say this morning
Every year, Whistic surveys hundreds of Risk-Management and Information Security leaders to understand the trends, challenges, and opportunities that are actively shaping the third-party risk management (TPRM) industry.
In 2025, the average company in our survey works with 286 vendors—up by 21% versus last year… That increased demand comes with increased risk.
[C]ompanies are spending more time, more money, and more resources on TPRM, but still not meeting their own risk standards or reducing security events.
I recently discussed some proposed changes to the way in which beneficial ownership information (BOI) is collected. However, even after the changes are made, FinCEN will still collect BOI for foreign firms.
Hungary, facial recognition, and geolocation
Biometric Update recently published a story about facial recognition in Hungary, and its use to identify people who display rainbows and dress in ways “that diverge from the gender they were assigned at birth.” I’m going to zero in on one portion of the story: the facial recognition provider involved.
The company FaceKom has been around under different names since 2010 but has seen significant growth during the past few years thanks to investments from the Central European Opportunity Private Equity Fund (CEOM). The fund has no direct links with [Prime Minister Orbán’s son-in-law, István] Tiborcz. However, it is registered at the same address in Budapest where several companies owned by Orbán’s son-in-law operate.
Well, that’s enough to drive some conspiracy theorists crazy.
Beneficial ownership and legal ownership
So I didn’t find the smoking gun, but I do want to take this opportunity to point out what BENEFICIAL ownership is. Investopedia:
A beneficial owner is a person who enjoys the benefits of ownership even though the title to some form of property is in another name.
Using the Hungarian example (without the Western Union part), it’s not enough to say that CEOM and/or Chi Fu Investment Fund Management Zrt. (I don’t know enough Hungarian to confirm they are one and the same) does not list István Tiborcz (or Viktor Orbán) as an official owner or co-owner.
As Unit21 points out, you don’t have to literally own (either on your own or through a trust) 25% of an entity to be a beneficial owner. Here’s another criterion of a beneficial owner:
Any individual that holds a significant ability to control, manage, or direct the legal entity
De facto control without de jure control could very well be wielded by a powerful politician, or his son-in-law.
You can bet that I paid attention to AKings’ latest post after I saw how it began:
“Indiana. The Crossroads of America. A place where colossal semi-trucks roar in from the north, south, east, west, and every conceivable direction in between, like a great migration of diesel-belching wildebeests on their way to deliver vital supplies.”
Bredemarket’s self-promotional content is replete with wildebeests, iguanas, and wombats. Much of this was from an urge to differentiate from those who eat their own dog food. So Bredemarket ate its own iguana food, then its own wildebeest food.
But “wildebeest trucker” is a new one on me.
How do you differentiate your marketing content from that of your competitors?
Or do you eat their dog food?
But goin’ back to Indiana, AKings’ post is a literal tour of the state over a year, including an encounter with angry union members in Kokomo (not that Kokomo). Recommended reading.