Despite increased awareness of third-party risks, it is still difficult for financial services companies to keep track of the complex ecosystem of service providers that support their supply chains. Hirun Tantirigama, national technology risk and resilience lead with Protiviti Australia, says regulators must rise to the challenge as financial institutions insist they improve their third-party risk posture.

“Global regulators are pushing for good visibility, oversight and assurance across your organization’s service providers, particularly in the financial services industry,” says Tantirigama.

“The industry needs to recognize that although it may outsource the delivery of core services to a third party, it cannot delegate responsibility – the responsibility for managing that third-party risk still lies with the financial services company.”

Addressing material operational risk

This push for greater accountability is reflected in the UK’s Operational Resilience policy documents as well as the European Union’s Digital Operational Resilience Act (DORA). The Australian Prudential Regulation Authority (APRA) has also placed greater responsibility on financial services to address third-party risk.

APRA’s Prudential Standard CPS 230 (Operational Risk Management) requires regulated entities to maintain the resilience of their critical operations, while expanding the scope of service providers they must take into account when addressing third-party risks.

The new standard, which will come into force in July 2025, emphasizes board accountability for managing service provider exposures and impacts, as well as setting realistic recovery times to minimize and manage customer harm.

APRA draws particular attention to “material service providers” that regulated entities rely on to undertake a critical operation or whose unavailability would expose the regulated entity to material operational risk.

Past performance is the best indicator

Australian Signals Directorate Procurement and Outsourcing Guidelines Emphasize the importance of cyber supply chain risk management when purchasing applications, IT and operational technology (OT) systems. The country’s top government cybersecurity agency is urging organizations to assess security risks across the lifecycle of products and services, from design to decommissioning, particularly regarding jurisdiction and governance issues when using offshore vendors. The guidelines recommend using vendors with a proven track record of security and transparency.

An important aspect is service provider relationship management, which includes developing an approved service provider list and providing regular security assessments, especially for high-risk parties. For managed services and cloud outsourcing, providers must undergo security assessments to reduce risks associated with accessing an organization’s data or systems.

“Organizations should choose service providers who demonstrate a commitment to the security and transparency of their products and services,” the report says, reinforcing a shared responsibility model for security across the supply chain.

Ultimately, sound procurement practices help ensure system integrity, reduce risks associated with foreign suppliers, and outsource critical infrastructure.

See the big picture

Addressing third-party risk requires dependency mapping and response planning that adopts practical and commercially realistic ways to identify key dependencies. This requires investing in the right tools to manage end-to-end supply chain management workflows, rather than relying on spreadsheets and manual processes.

Protiviti managing director Leslie Howatt says a holistic assessment should include each service provider’s own material service providers classified as fourth-party risk.

“Many large organizations don’t even know who all their third-party providers are, let alone critical fourth-party providers,” says Howatt.

“This means they don’t know where to place their assurance processes or who to contact if there is an operational issue. “For example, a third-party managed security provider using tools like CrowdStrike may be critical to their operations but lack visibility into that relationship.”

“This needs to change if financial services institutions are to meet their new regulatory obligations. “They need to understand exactly which providers pose the greatest risk and tailor their management action plans accordingly.”

Fulfilling this obligation requires advanced due diligence processes and service provider lifecycle management. Going forward, financial institutions should also expect contract negotiations with third parties to include new clauses and KPIs related to operational risk, compliance and resilience requirements.

“The financial services industry needs to work hand in hand with its service providers to be more resilient in the long term,” says Howatt.

“Rather than viewing resilience as a necessity, organizations that view it as a competitive advantage should outperform their competitors because resilience superiority is demonstrated as their own customers expect and, in fact, demand.”

Are your third-party relationships as secure as they should be? Please visit Protiviti Strengthening your business with durable and safe operations.