The UK financial services regulators have combined to deliver guidelines on their expectations for third-party risk management. The Bank of England, the Prudential Regulation Authority and the Financial Conduct Authority have delivered joint guidance which highlights the growing importance of third-party risk management.
Under third-party ICT arrangements, they encourage firms to take into account advice from the G7 and the Financial Stability Board (FSB). The G7 suggest that “entities should identify, assess and monitor the cyber risks associated with their third-parties and manage them using a risk-based approach.” They also say “entities monitor changes in criticality and risk… on an ongoing basis to manage their cyber risks. Ongoing monitoring may include changes to the material cyber vulnerabilities and risks of the third party, its operating environment and the impact of any cyber threats or incidents.”
Ongoing monitoring is an important part of an effective risk management process. Security posture can change often, based on changes from the organisation or the discovery of new vulnerabilities. The traditional route companies have used to manage suppliers, using a questionnaire and external assessments, is not effective in defending against the current cyber threat.
The FSB say “organisations (should) include cyber risks from third-party service providers or vendors, poor cybersecurity practices by suppliers, third-party data storage and software security vulnerabilities in their supply chain management or supplier systems.”
We have seen several attacks over the last few years which have originated in the supply chain. According to preliminary data from our supply chain survey, at least 80% of organisations have experienced a breach from a third party. While most organisations are taking steps to address third-party risk, this can be a challenging task. Finding a suitable way to assess the risk accurately can be one of the most difficult parts of any third-party risk management programme.
Orpheus have published a summary of what the regulators say about third-party risk, which is available to read here.
To understand how Orpheus can help mitigate supply chain risk, request a demo today.