The Impact of Operational Resilience Regulation on 3rd Party Vendors


Introduction


The growth of digital financial transactions, the complexity and interconnectedness of underlying infrastructure and technology, and increasing concentration risk have led to new regulations.


As with all new regulations, the full impact and cost are not yet understood.

This paper provides a high-level overview of two pieces of regulation affecting entities operating within the EU and UK financial markets. It summarises the implications of the regulations and their immediate impact on third parties in a chain of vendors that contribute to important business services.


It concludes that 3rd Party vendors and services considered material in the delivery of important business services will fall within the reach of the new regulation.


Background


Regulations exist across all the major financial markets to address the risks arising from operational disruptions. These regulations call for regimes that identify, measure, report and mitigate the risks.


More recently, regulators in the EU and the UK have taken additional steps to address gaps in the existing regulation and the overreliance on quantitative measures. More specifically, they are reacting to the development of, and risks arising from, digital financial instruments, compounded by the interconnectedness of financial markets.


“...the interconnectedness of the financial system and the complex and dynamic environment in which firms operate.”

Supervisory Statement SS1/21


The EU has developed a regulatory framework known by its acronym ‘DORA’ – The Digital Operational Resilience Act. This framework explicitly targets digital resilience.


The PRA’s Supervisory Statement SS1/21 – Operational resilience: Impact tolerances for important business services extends beyond the digital markets, addressing the management of operational risks, including those related to technology and information systems, complemented by SS2/21 Outsourcing and Third Party risk management.


Implication


Both the EU and the PRA align with the Financial Stability Board’s principles of operational resilience (https://www.fsb.org/2021/03/principles-for-operational-resilience/). Both set 2025 (January and March, respectively) for compliance, and both introduce enhanced 3rd party risk management requirements that draw material or critical service providers into the regulatory net.


“...the PRA expects firms to assess the materiality and risks of all third party arrangements irrespective of whether they fall within the definition of outsourcing.”

Supervisory Statement | SS2/21 Outsourcing and third party risk management March 2021


The implication for firms considered as either material or critical providers of services is meaningful. They will need to demonstrate that they are fit for purpose, meeting enhanced ‘regulatory’ standards regarding their governance, risk identification, measurement, control and remediation frameworks.


“The PRA therefore expects firms that are parties to these arrangements, either as service providers or service recipients, to leverage applicable, existing regulatory requirements to manage relevant risks and promote an appropriate level of resilience.”

Supervisory Statement | SS2/21 Outsourcing and third party risk management March 2021


Impact


The regulations are intended to be proportionate and principle-based, giving regulated entities a degree of flexibility in how they interpret and approach compliance. However, this also means that 3rd Party providers will have to meet the highest standard among all their clients’ interpretations in order to satisfy each of them.


The immediate impact will be on the investment required to design and implement or enhance the governance, risk management and control frameworks required to meet a regulated entity’s onboarding requirements.


The depth and extent of any due diligence (DD) undertaken to satisfy the regulatory requirements will reflect the materiality of the service or product provided. In most cases, the DD will address:

  • Business model

  • Complexity, financial situation, ownership structure, scale

  • Capability, expertise, and reputation

  • Financial, human, and technology resources

  • Key Person Risk

  • ICT controls and security

  • Testing and assessment of tertiary vendors, platforms or products used

  • Relevant authorisations or registrations

  • Compliance with relevant legal and regulatory requirements (GDPR, Data Protection Act)

  • Adherence to recognised and applicable industry standards


The DD will require access to documented evidence to satisfy its requirements. It cannot rely on track record or other anecdotal evidence such as industry standing or reputation. It must satisfy itself that the 3rd Party can demonstrate its ability to prevent, withstand and recover from operational disruptions.


Furthermore, 3rd Parties will need to invest in cybersecurity standards that are at least equivalent to the additional measures imposed by regulation, including incident response plans and participation in periodic assessments.

What to consider:

  • Preparedness to meet the standards of operational resilience for onboarding by a regulated entity

  • Due diligence procedures and standards for assessing the operational resilience of their own 3rd Party vendors and platforms that form part of the same chain

  • The quality and nature of the documented evidence of operational resilience

What's important:

  • To demonstrate an understanding of the new requirements and industry standards

  • To demonstrate maturity through the quality and readiness of the materials used to evidence operational resilience

Governing Operational Resilience Regulation

Digital Operational Resilience Act (DORA) – Summary


Objective:


To harmonise, consolidate and upgrade ICT risk requirements, comprehensively addressing all components of operational resilience, introducing targeted qualitative rules for “the protection, detection, containment, recovery and repair capabilities against ICT-related incidents, or for reporting and digital testing capabilities.”


Substance:


Explicitly addresses ICT risk-management capabilities, incident reporting, operational resilience testing and ICT third-party risk monitoring.


Summary:

  1. ICT risk management

    1. Internal governance, control frameworks, policies and procedures

    2. Documented ICT risk management framework

    3. Identified, classified, and documented inventory of all ICT-supported business functions, roles and responsibilities, the information assets and ICT assets supporting those functions, and their roles and dependencies concerning ICT risk

    4. Continuous monitoring and control of the security and functioning of ICT systems and tools

    5. Systems/mechanisms/processes to promptly detect anomalous activities

    6. Response and recovery procedures and business continuity policies

    7. Crisis communication and disclosure plans for major ICT-related incidents or vulnerabilities to clients, counterparties and the public

    8. ICT-related incident management, classification and reporting

  2. Processes to detect, manage and notify ICT-related incidents

    1. Processes to classify ICT-related incidents and cyber threats

    2. Reporting of major ICT-related incidents and voluntary notification of significant cyber threats

    3. Harmonisation of reporting content and templates

    4. Centralisation of reporting of major ICT-related incidents

  3. Digital operational resilience testing

    1. Requirements for the performance of digital operational resilience testing

    2. Advanced testing of ICT tools, systems and processes based on threat-led penetration testing (TLPT)

    3. Requirements for testers to carry out TLPT

  4. ICT third-party risk management

    1. Assessment of ICT concentration risk at entity level

    2. Designation of critical ICT 3rd party service providers

    3. Requirements to assess and regularly review 3rd party service providers

SS1/21 Operational Resilience – Summary


Objective:


To improve the resilience of firms and the wider financial market to operational disruptions.


Substance:


It introduces requirements and standards for identifying essential business services, mapping material business processes and systems, setting impact tolerances, and establishing effective governance and testing frameworks.


Summary:

  1. Identification and Mapping of Business Services

    1. Identify important business services, defined as services which, if disrupted, could pose a risk to the firm’s safety and soundness

    2. Assess, understand and document the necessary people, processes, technology and 3rd parties required to deliver these important business services

  2. Impact Tolerances

    1. Set the maximum tolerable level of disruption to an important business service, measured by the length of time and “other relevant metrics”

    2. Take into account the impact of the failure of connected business services

    3. Apply to recovery and resolution planning

    4. Set by taking into account peak and normal times (a comprehensive cycle)

    5. Implement effective remediation plans for important business services breaching tolerance thresholds

  3. Scenario Testing and Mapping

    1. Regularly test the ability to remain within impact tolerance thresholds in severe but plausible disruption scenarios

    2. Incorporate the entire chain of activities supporting the important business service in the testing plan

    3. Obtain assurances and contractual commitments from 3rd parties to implement and test business contingency plans and to support the testing of the plans

    4. Map the interdependencies of systems, processes, and 3rd parties to identify and document vulnerabilities

  4. Incident Response and Recovery Planning

    1. Establish and document response and recovery plans

    2. Detail responses to disruptions and mitigations to remain within impact tolerance thresholds

    3. Test recovery plans for both availability and integrity scenarios

  5. Collaboration with 3rd Parties

    1. Requirements to collaborate effectively with 3rd parties to manage operational resilience

    2. Assess the operational resilience of 3rd parties

    3. Ensure 3rd parties have adequate contingency plans

  6. Governance and Oversight

    1. Board responsibility to approve the list of identified important business services and impact tolerances

    2. The appointment of a Senior Management Function (SMF 24) to be accountable and responsible for operational resilience

    3. Documented self-assessment of compliance

Douglas Lyons


October 5th 2023
