Your risk exposure isn’t just yours anymore. The risk posture of your partners is now part and parcel of your risk posture. Increasingly, organizations are shifting their operations to third parties – this includes storing and processing of data, and highly critical operational functions. This is happening across all verticals, but the risk in financial services and banking is amongst the highest of all industries, for obvious reasons – a recent ransomware attack at ION Trading UK resulted in significant disruptions of options trading at numerous banks in the EU.
While outsourcing services to third-party vendors can be beneficial, it exposes financial institutions to risks, including but not limited to operational disruption, data breaches, and reputational damage. These risks and many others are the drivers behind the strong emphasis on third party risk management within the new EU Digital Operational Resilience Act (DORA).
DORA directives are focused on strengthening the operational resilience of financial institutions. It establishes a common framework of rules, procedures, and oversight mechanisms with the objective of enhancing the ability of financial institutions to ‘predict’, prepare, withstand, and recover from operational disruptions caused by cyber threats, IT failures, and other sources. With regard to third-party risk, DORA mandates that financial institutions must take a comprehensive approach to managing the risks resulting from third party dependencies and interactions.
The importance of third-party risk management is highlighted by the ramp up of attack damage in the last several years. According to a report by the Ponemon Institute, the average cost of a data breach caused by a third-party vendor was $4.29 million in 2020. This represents a significant increase from the average cost of $3.86 million in 2019. Furthermore, 59% of companies have experienced a data breach caused by a third-party vendor in the past 12 months, indicating the frequency and severity of these risks.
In Black Kite’s recent Third-Party Breach Report we learn that attackers have gotten smarter about going after key third parties, echoing the words of infamous bank robber Willy Sutton: I rob banks because it’s where the money is.
Bear in mind, the business impact of a third-party risk event can go well beyond direct costs such as remediation, fines, and legal fees. Reputational damage, loss of trust, and plummeting shareholder value can also result. This is why it is critical for financial institutions to implement a comprehensive approach to third-party risk management in order to reduce the risk of an operational disruption and protect the institution’s reputation.
What requirements must financial institutions implement according to DORA?
DORA outlines a number of key requirements that financial institutions must follow to effectively manage third-party risks.
- Institutions must maintain an inventory of all third-party vendors and the services they provide.
- They must conduct regular (at least annually) risk assessments of third-party vendors, taking into account factors such as their security controls, regulatory compliance, and financial stability.
- Institutions must ensure that their contracts with third-party vendors contain certain provisions related to risk management. The provisions must adequate security controls, a notification procedure in case of security incidents, and to allow for audits. Contracts must also mention data protection (essentially regional and local privacy laws).
- Institutions must have a process in place for monitoring the ongoing performance of their third-party vendors. The good news is: Black Kite does this!!!
To sum it all up: third-party risk management is critical to the operational resilience of financial institutions. And if the EU has its way (and if early discussions are indicators, they ain’t messing around) we expect to see increasing focus and not just in FSB. To sum it all up: third-party risk management is critical to the operational resilience of financial institutions. And if the EU has its way (and if early discussions are indicators, they ain’t messing around) we expect to see increasing focus and not just in FSB.
Stay safe, stay healthy, stay secure.