The concept of third-party risk management is hardly a fledgling idea. However, as the world becomes ever-more digitised, cybersecurity threats are now looming larger than ever before. According to research from Soha Systems, more than 60% of data breaches can be traced back to third-party vendors. This means that an effective third-party risk management strategy is not just a luxury anymore – it is a necessity.
But what exactly is third-party risk management? Donal Lawlor, Director of Sales at ViClarity sat down with FinTech Global‘s Harry Slade to open up on the topic – and delve into its paramount role within RegTech today.
“Third-party risk management (TPRM) is the identification and management of risks inherent in any outsourcing and vendor relationships. TPRM is not a new phenomenon, however, the recent surge of digitalisation and reliance on 3rd parties has driven a heightened regulatory focus, he explained.”
The figures in question are increasingly stark. As per PwC’s findings, 41% of companies encountered a significant third-party breach within the past year.
When pressed as to why this figure is so large, Donal remarked, “Third party breaches have increased as third parties may offer a better opportunity for the attacker than targeting a company directly. While large organisations have comprehensive protection in place, a third party may be easier to exploit and may not have the same culture of data protection and cyber security.”
Due to this rise in digitisation – and the increasing pressure this puts on organisations to vet their potential third-party relationships – having a robust third-party risk management framework is vital.
Donal delved into the key tenets that companies should be looking for when producing their own offerings – suggesting that producing a structure whereby the board and executives are firmly at the helm of the operation.
He remarked, “The first component is creating the governance structure whereby the board and executives are ultimately responsible for TPRM activities. The TPRM policy should be documented and reviewed periodically. Providing the executive and board with a comprehensive view of their TP universe including metrics is a key component, ideally to be included in the board pack and scheduled governance agenda.
“Another key component is the maintenance of Outsourcing and Vendor registers. Organisations need to assess third parties from a risk and criticality perspective on an ongoing basis. Criticality classification will drive the depth of ongoing due diligence.
“Contracts with OSP or Vendor partners should include SLAs and KPIs that are measurable. Mutually agreed actions for not meeting agreed SLA/KPI thresholds are good practice,” he continued.
But that’s not all, developing a firm that has superb operational resilience is vital for a company to survive the potential onslaught of third-party risks that are taking the world by storm, in fact both concepts are tightly intertwined, according to Donal.
At its core, this resiliency encompasses the firm’s capability to identify, prepare for, and swiftly respond to major challenges.
Central to this concept is a keen focus on understanding the potential impact, along with defining the risk appetite and tolerance levels in the face of these disruptions.
With third-party risks becoming a core operational concern, Donal suggested that firms should be expected to meticulously gauge their resilience to third-party disruptions, ensuring robust measures are in place to safeguard both their business operations and the interests of their customers.
The challenges of managing third-party risks
Prevalent highlighted a significant apprehension among companies that they surveyed this year, with 71% expressing that their top concern was the risk of experiencing a data breach or security incident due to inadequate vendor security practices.
With this being so widespread, the number of challenges that third-party risks can cause is clear to see – as businesses from across the spectrum are operating in fear of them. But in Donal’s eyes this can be particularly challenging for firm’ which haven’t got heaps of experience managing non-financial risks – due to the vast difference in nature.
Moreover, sourcing skilled staff, with the expertise, know-how, and nous to successfully challenge current OSP arrangements with vendors is certainly not a trifling task. It becomes ever-more challenging when you have to consider these staff have to have the backbone and assuredness of mind to effectively enforce these appropriate oversight mechanisms.
Donal added, “Another challenge experienced by clients is deciding the depth of due diligence to apply to a 3rd party. A supplier contract may be immaterial however it may involve the processing of considerable business critical data. Finally, in preparation for DORA, mapping third party relationships, understanding vulnerabilities, and setting testing represents a key challenge for the next year.”
How ViClarity can help
ViClarity is an award-winning provider of governance, risk and compliance (GRC) management software solutions, the Irish RegTech’s offering streamlines risk and compliance to save hours of time for businesses.
Moreover, the company’s holistic solution provides a systematic method for handling organisational risks. It offers the capability to gain real-time insights into risk management processes using robust analytics, heat maps, reports, and dashboards. These tools are designed to empower users to make more informed decisions based on risk assessment.
In terms of solving the ever-changing third-party risk puzzle, ViClarity’s solution optimises and integrates various components of TPRM programs, offering clients a comprehensive, interconnected perspective.
This approach facilitates a comprehensive risk assessment process, empowering clients to make informed decisions based on a thorough understanding of their risk landscape.
Donal explained, “ViClarity provides a 360-degree view of the risk associated with a third party. This holistic view equips the organisation with all relevant data needed to make a risk assessment. Oversight of a third party may include several components or streams, for example, the collection of due diligence evidence, KPI/SLA tracking, TP incidents, or vulnerability testing. ViClarity will streamline and interconnect all the TPRM programmes components, providing the client with an end-to-end view, and enabling them to make a full risk assessment.”
What does the future hold?
As companies like ViClarity look to grapple with the challenges that third-party risks hold – and ultimately stymie the challenges, looking ahead to the future is key.
2025 is set to see a major change to sector through the implementation of the Digital Operational Resilience Act (DORA).
The impetus behind DORA stems from the aforementioned rapid digitisation of the European financial services sector.
In response to these challenges, the European Union recognised the need for a comprehensive regulatory framework to bolster cybersecurity measures across the industry.
DORA aims to provide a clear roadmap for enhancing digital operational resilience and cybersecurity within the European financial sector, ensuring that businesses adopt a strategic approach to managing digital identities as an essential component of compliance.
Speaking on the importance of the act’s introduction, Donal stated, “In the immediate future, DORA is designed to help firms become more operationally resilient. DORA will apply in full from January 2025 and will represent a ‘sea-change’ for organisation in terms of inter-departmental collaboration. DORA now requires organisations to have a detailed records of information in relation to their providers.”
Moreover, a host of other legislature is set to come in and shake up the landscape. One of which is the Financial Conduct Authority’s (FCA) PS21/3 on building operational resilience. The new guidance highlights the latest requirements to strengthen operational resilience in the financial services sector as a result of the wave of third-party risk incidents.
This is particularly daunting, as by no later than March 31, 2025, need to be able to must mapping and scenario testing, including for cyber-related disruptions, to ensure that its important business services remain within impact tolerances, while also making the requisite investments to consistently operate within these tolerances.
The FCA has also emphasised its plans to bolster its efforts to deal with firms who cannot abide by the new standards regarding operational resilience, Donal explained.
With a litany of regulatory hoops set to be required to be jumped through, there is no doubt that firms must up their game in regard to tackling third-party risks. However, with this added challenge, solutions such as ViClarity are set to become ever-more important in a market that is becoming increasingly stringent and challenging.
Keep up with all the latest FinTech news here
Copyright © 2024 FinTech Global
