Securing Your Business: Best Practices for Third-Party Risk Management
What are the key best practices for effectively managing third-party risks?
December 10, 2024
In July 2024, a well-established cybersecurity solution provider experienced an IT outage that affected 8.5 million computers across multiple countries and industries, including banks and stock markets. This global incident, the largest of its kind, was a reminder of how dependent enterprises are on ICT third-party providers (ICT TPPs) that run many critical services, and it highlighted the importance of properly managing those providers and ensuring resilience capabilities.
Given the strong interdependencies and interconnectedness within the financial sector, ICT-related or cyber incidents along the entire chain could disrupt critical services, cause spillovers, erode confidence in the financial system, and threaten financial stability. This growing reliance on ICT third-party providers has raised concerns and scrutiny from regulators. The Digital Operational Resilience Act (DORA), effective from January 2025, will significantly strengthen the requirement for financial entities to diligently monitor their ICT TPPs and ensure they do not pose a risk.
Although the financial impact and criticality of business processes remain top criteria for defining a critical third party, the importance of business continuity and resilience has significantly increased. Financial entities know well that zero third-party risk is unattainable, unless there is no engagement with third parties at all. The real question is: "How do you identify, manage and mitigate that risk?"
DORA establishes a set of requirements that financial entities must consider and adhere to. In July 2024, the Basel Committee on Banking Supervision published third-party risk management (TPRM) principles for banks. These principles take into account the size, complexity, and risk profile of banks, as well as the nature and duration of third-party provider (TPP) arrangements and the delivery of critical services.
Most financial entities (FEs) in Luxembourg have third-party risk management programs that are either nascent or well-defined. Control assessments are paramount, as FEs continue to rely on the validation of TPRM programs and risk/control assessments of third-party populations and subcontractors to identify, assess, and monitor these relationships. In this new era of digitalization, compliance, and resilience, here are eight best practices to effectively tackle third-party risk management.
- Get to Know Your Third-Party Landscape: While it may seem obvious, start by identifying who your providers and third parties are. Specifically, determine the number and percentage of third parties supporting your critical activities. Conducting this exercise is a conditio sine qua non for effective third-party risk management. For instance, DORA requires you to identify all your ICT third-party providers, distinguishing between critical and non-critical ones, and to ensure that all of them are recorded in the Register of Information (ROI). Additionally, after the regulation comes into effect on 17 January 2025, financial entities are required to maintain information in the ROI related to terminated contractual arrangements for at least five years after the termination of the provision of the ICT services.
- Identify, Assess, and Prioritize Risks: To effectively manage third-party risks, it is crucial to conduct thorough risk assessments to understand the potential impacts of these relationships on your firm’s business. Regular reviews of these risks should be conducted, considering changes in the geopolitical environment, regulations, data locations, and subcontracting practices. Special attention must be given to concentration risk, as over-reliance on a single vendor or service provider can create strong dependencies, reduce operational flexibility, and increase vulnerability to disruptions.
- Ensure Clear Contractual Agreements: It is essential that ICT third-party providers are contractually obligated to meet specific resilience and security standards. Contracts should explicitly define expectations, financial obligations, data locations, audit rights, service performance metrics, use of subcontractors, and termination clauses. Provisions addressing operational resilience, security requirements, and incident response must also be included. Leveraging AI tools, such as those provided by experts, for contract review can significantly enhance the efficiency, accuracy, and effectiveness of the contract management process. These tools ensure that contracts comply with relevant laws, regulations, and industry standards, flag any clauses that may lead to non-compliance, and suggest necessary amendments.
- Conduct Initial and Ongoing Due Diligence on Third Parties: Performing regular periodic security audits, vulnerability assessments, and penetration testing on TPP systems that interact with the firm’s business is fundamental. Additionally, it is important to consistently review TPPs’ security policies and practices. Leveraging expert resources for specialized assessments across IT security and business resiliency (BR) can ensure comprehensive end-to-end execution of third-party reviews and testing.
- Develop Continuity and Incident Response Plans: Create and routinely test strategies to ensure business continuity and efficient incident response in the event of disruptions or security breaches at TPPs. This should include a variety of tests, such as penetration tests, crisis management drills, and table-top exercises, and make sure to involve third parties in these activities.
- Adopt Appropriate Tools and Emerging Technologies for Efficient TPRM Execution: The lack of a “best-in-class” toolset can hinder the integration of TPRM tools into a business’s technology environment. Cloud-based systems or Governance, Risk, and Compliance (GRC) systems are designed for TPRM-specific activities, including risk assessment, control assessment, and issue management. Additionally, integrating third-party related risks with the enterprise risk management program enhances overall risk management.
- Foster Training: To ensure employees have a clear understanding of their roles and responsibilities, it is essential to provide regular training on third-party risk management (TPRM), ICT risks, and relevant regulations. For example, EY offers training programs specifically designed to educate employees on these topics, thereby fostering a risk-aware culture within the organization.
- Facilitate Effective TPRM Through Metrics: Establishing appropriate metrics and reporting mechanisms for identified third-party risks is crucial for effective monitoring of these risks, transparency, and accountability. Regular performance assessments enable the early identification of issues and risks, allowing for timely escalation to the appropriate governance bodies for resolution.
Third-Party Risk Management provides a framework for management to identify, evaluate, monitor, and manage the risks associated with third parties, including vendors, suppliers, intercompany relationships, and fourth parties. An increased focus on effective TPRM reporting enhances transparency and accountability, reduces risk, and supports strategic initiatives that drive further reliance on third parties.
By leveraging comprehensive managed services in TPRM, organizations can effectively manage third-party risks, enhance their operational resilience, and ensure compliance with regulatory requirements. EY’s expertise and tools offer a robust framework for identifying, assessing, and mitigating third-party risks, enabling your organization to navigate the complexities of the modern risk landscape with confidence. For tailored guidance and support, consider consulting with experts in the field to strengthen your third-party risk management strategies.
Karim Bouaissi
EY Luxembourg Partner, Consulting, Cyber and Digital Risk