Third-party risk management is under the spotlight
In the aftermath of the CrowdStrike IT outage, new research has uncovered a critical vulnerability within financial institutions regarding supply chain resilience. The outage has demonstrated the need for greater digital supply chain resilience, particularly in vital sectors such as financial services.
Outline of differences in approaches to on-premise vs. cloud applications (Source: Escode and CeFPro report)
Yet despite a strong push from financial regulators to embed this at all levels, only a minority of financial organizations currently adhere to regulatory requirements around third-party risk management.
A mere 20.8% of financial professionals report having stressed exit plans in most of their third-party agreements, including those with software suppliers, according to a report by Escode and CeFPro.
With financial services increasingly reliant on complex third-party IT ecosystems, the risks associated with supplier disruption have been heightened. Regulatory bodies worldwide, from the Bank of England to the Office of the Comptroller of the Currency, have issued stringent guidelines to enhance third-party risk management and ultimately embed better operational resilience across the financial sector.
One of the most in-depth examples is the European Union’s Digital Operational Resilience Act (DORA). It advocates for the inclusion of stressed exit plans in all ICT third-party license agreements to prevent supplier failure—from cloud outages to software companies folding—from majorly disrupting the financial service sector.
Yet despite this global regulatory push – with DORA due to be implemented by January 17, 2025 – the new survey suggests the industry needs to be more prepared. Only a fifth of global professionals surveyed reported having stressed exit plans for 76-100% of license agreements, with just under a half reporting these were in place for 0-10% of agreements. A mere 18.7% of respondents expressed ‘complete confidence’ in their current third-party stressed exit plans.
The news comes as financial institutions suffer potentially devastating material impacts due to supply chain failure.
Just over a month ago, 500,000 members of an Australian superannuation fund, UniSuper, were unable to access accounts after a ‘one-of-a-kind’ Google Cloud misconfiguration led to the provider’s private cloud account being deleted.
The financial industry faces a pivotal moment to fortify its supply chain management practices. Regulatory pressures are intensifying–and creating challenges that strain institutions and their customers. It is troubling that there is still considerable variability in how third party governance is approached across the industry – particularly in light of events such as the CrowdStrike outage. As these institutions become more digitally reliant, often on a number of third party suppliers, action must be taken to mitigate the impact of disruption from one point of a supply chain,” said Wayne Scott, Regulatory Compliance Solutions Lead at Escode.
“The fact that only a fraction of institutions have robust stressed exit plans is cause for real concern. It’s not a matter of neglecting recommendations, but rather a need for better support and education on implementing these critical measures. Whether that’s from ensuring access to vital information during supplier failures and rigorous scenario testing to identify weaknesses, to the use of escrow agreements when working with software suppliers – which regulators have noted as for ‘active consideration’ in their recommendations. This is about taking a preventative, detective approach – ultimately the only way the industry can withstand the increasingly complex risk landscape it faces.”