Tackling third party risk in financial services

Cyber-attacks in the financial services sector continue to grow in frequency and sophistication, with firms’ losses totaling almost US$12 billion since 2004 and US$2.5 billion since 2020. This development is driven by several factors, including more active threats from nation-states and organized crime groups, an unprecedented digital transformation of the global financial system, as well as hard-won cybersecurity lessons from the COVID-19 pandemic. One additional area to fall under scrutiny from regulators is the growing reliance of firms on third-party providers (TPPs).

This article explores recent regulatory developments that aim to mitigate TPP risks at financial institutions.


Regulators increasingly see third-party risk as a potential source for systemic risk

In July 2024, the CrowdStrike incident affected an estimated 8.5 million systems across multiple countries and industries, including banks and stock markets. Although TPP cyber incidents have so far not been systemic, they could disrupt critical services, cause spillovers or erode confidence in the financial system and threaten financial stability, given TPPs' financial and technological interconnectedness with financial institutions. Regulators across jurisdictions therefore increasingly see TPP risk as a source of systemic risk.

Greater global coordination and harmonization in regulation and supervision across borders and sectors could help mitigate systemic risks associated with third-party relationships, especially at internationally active firms. Some authorities are already taking steps to boost coordination. Regionally, the EU is improving the coordination between regulators during systemic cyber incidents, and firms should begin aligning their cyber strategies, processes and procedures with this new framework. EU regulators are also strengthening TPP oversight and information sharing among each other, which comes with increased reporting obligations for critical* TPPs from 17 January 2025 onward. Within countries, such as the UK, stronger collaboration between authorities may lead to a harmonization of standards on cyber-related matters. Yet, going forward, mitigating the systemic risk resulting from TPPs will require global coordination of the response.


At the same time, regulators are balancing the broader risks and opportunities of emerging technology

The rapid adoption of advanced technologies has increased firms’ dependency on and interconnectedness with third parties, leaving regulators concerned about risks such as data leakage or model poisoning** when leveraging third-party technology. In Singapore and the US, for instance, firms were recently reminded to perform proper due diligence when using third-party generative artificial intelligence (GenAI) solutions and to ensure they can continue to comply with existing regulations when using such tools.

Firms may also want to consider the use of emerging technologies to manage their TPRM. One area to consider is cyber risk quantification. This concept of converting risk into monetary terms will become more relevant as, for instance, EU regulators will require firms to report on the financial impact of significant ICT incidents from 11 January 2025 onward. Firms should also consider automating the identification of vulnerabilities (e.g., exposed databases, ransomware-related issues) at fourth- or even fifth-party service providers, as these could become critical, too.


Whilst evolving TPP regimes are broadly aligned, local differences of approach are causing compliance challenges and additional costs for firms

Global regulatory focus is moving from outsourcing to the broader concept of third-party arrangements, given an increasing reliance of firms on TPPs. The Basel Committee on Banking Supervision recently issued third-party risk management (TPRM) principles for banks that consider the size, complexity and risk profile of banks as well as the nature and duration of the TPP arrangements, and the delivery of critical services.

Across jurisdictions, third-party regimes are being enhanced to include more firms across sectors. In the US, for instance, regulators re-emphasized existing rules for banks and recently brought securities and investment advisors into the regulatory perimeter, expecting them to establish and maintain a supervisory system for any activities performed by TPPs. In the EU, the Digital Operational Resilience Act (DORA) will apply not only to financial institutions but also to certain TPPs (i.e., information and communications technology (ICT) providers, including cloud service providers, credit rating services and data analytics providers).

For internationally active firms it will become challenging and costly to comply, as evolving third-party regimes differ across jurisdictions:

- US firms are advised to report any cybersecurity events at third parties as well as changes to third parties that support key systems. This advisory does not create new requirements but provides risk mitigation practices.

- Under the EU’s DORA, by contrast, firms are required to actively manage ICT TPP risks from 17 January 2025 onward, with the scope being restricted to ICT TPPs. Firms that plan to outsource critical and important functions must negotiate contractual arrangements covering accessibility, integrity and security, audits, and exit strategies, among others. They will also need to map their third-party ICT dependencies and ensure their critical and important functions are not too concentrated with a single TPP or a small group of TPPs.

- In the UK, TPPs will be covered by a new critical third-party regime (CTPP), expected by the end of 2024, which will be broader than the EU’s regime under DORA as it applies to the provision of any service by a TPP deemed to be sufficiently critical to financial stability or confidence.

In the UK, the operational resilience regime has been in place for some time, but details of the CTPP regime are yet to emerge. What is likely, though, is that overlapping obligations and implementation timelines with the EU’s DORA will cause compliance challenges and costs for internationally active firms. Firms should plan for coordinated strategies and look for synergies when implementing the regimes.


Best practices for firms’ effective TPRM:

1. Engage with regulators: Stay updated on third-party regulatory regimes, identify potential compliance gaps and determine risk appetite and focus.

2. Identify, assess and prioritize risks: Conduct thorough risk assessments to identify potential impacts of third-party relationships on the firm’s business and regularly review these.

3. Set up clear contracts: Contracts with third parties should define expectations, responsibilities and compliance requirements and consider topics around accessibility, integrity and security during and at termination of a contract.

4. Implement controls: Establish firm-wide policies and procedures for TPRM and use automated tools and systems to continuously monitor TPP activities in real time, enabling quick issue identification and response.

5. Conduct initial and ongoing due diligence on third parties: Perform regular periodic security audits, vulnerability assessments and penetration testing on TPP systems that interact with the firm’s business and review TPPs’ security policies and practices regularly.

6. Ensure the TPP is not just resilient but sufficiently resilient to enable the firm's critical or important services: Make sure to understand the risks a TPP is bringing into your organization, its concept of operational resilience and its contingency plans. A tick-box approach will not suffice; instead, specific testing of critical or important business services should be considered.

7. Protect data privacy and security: Establish protocols for data sharing, encryption and secure disposal of sensitive data shared with or accessed by third parties.

8. Establish continuity and incident response plans: Develop and regularly test plans to ensure business continuity and effective incident response in case of disruption or security breaches at TPPs.

9. Foster an entity-wide compliance strategy and training: Constantly evolve and refine TPRM strategies, policies and procedures considering emerging risks, lessons learned and changes in the business environment. Regularly train employees on TPRM and ensure they have a clear understanding of their roles and responsibilities.

10. Use emerging technology to improve third-party risk management.



Footnotes:

*A third-party provider (TPP) can be designated as “critical,” based on criteria such as the number and systemic character of financial entities that rely on it and the TPP's degree of substitutability.

**Model poisoning: unauthorized modifications to inject falsified information into the model.


The views reflected in this article are views of the author and do not necessarily reflect the views of the global EY organization or its member firms.


Uner Nabi

Partner, Ernst & Young

1 week

Increasingly important across the Wealth and Asset Management sector.

Reply
Tony Fish

3 weeks

Christopher Woolard CBE thank you for this. I remain confused as to the role the regulator can play bounded by their mandate and the role they believe they should play. The mandate is clear, prevent any regulated business from getting/being worse by setting a minimum threshold, which is quite low. My contention with this is that they never raise the bar, they just add more compliance and reporting in the hope it will change behaviour. Fines have become an economic game. Then there is this second part which is showing up as debate around their role in the regulation of future technology or its use in a regulated world. How can a board fulfill its fiduciary duties when choice has been removed? How a board chooses to apply, utilise or implement technology along with its culture will determine if any technology is a tool or a weapon. We do stand at an interesting point of reflection about what a regulator's role is - and that is something we should have as a public discourse as an APPG. Fundamentally, have we got the balance wrong, as we appear to have lost governance along with its counterparties of accountability and responsibility with the new market structures and legal framework we have crafted?

Reply
Amarjit Singh

EMEIA Blockchain Leader

3 weeks

A great reminder that firms need to continue to focus on this risk - for example every year we still see firms with CASS breaches arising from the lack of sufficient coverage of their third party risks arising from their delegation arrangements.

James Jingozian

Business Process Finance and Accounting ERP Consultant

3 weeks

This is news from 30 years ago.

Reply

More articles by Christopher Woolard CBE