News
Risk Ledger CEO joins high profile panel discussion on public sector cyber security
Third-Party Risk Management (TPRM), or mitigating the potential risks posed by an organisation’s corporate supply chain, is essential for institutions operating in the financial sector. TPRM equips financial organisations with the means to face the complex environment of compliance requirements, cyber security threats, and operational challenges posed by risks in their extended supply chains.
Here, we discuss how financial institutions can best address and reduce their risk exposure posed by their corporate supply chains.
The financial industry faces unique challenges when it comes to Third-Party Risk Management (TPRM). This sector relies heavily on a vast network of third-party partners and outsourcing providers, significantly expanding the attack surface. Equally important, it relies heavily on few crucial third-parties that are shared across the entire industry, for example a very limited number of clearing houses or a payment messaging service provider such as SWIFT, which, if compromised, could pose a systemic risk to the entire industry.
Compounding this, financial institutions must contend with rapid digitalisation, stringent regulatory requirements, complex global operations and group structures, and a rapidly evolving threat landscape.
Financial institutions typically work with a large number of partners, from IT, HR software to customer service providers. This wide variety of relationships complicates oversight and increases points of vulnerability. The sheer volume makes it extremely challenging to effectively monitor each third-party entity, let alone suppliers further down the supply chain, including 4th, 5th and n-th parties.
The financial sector's swift digital transformation has enhanced service delivery but also significantly raised cyber security risk. Interconnected systems and outsourcing arrangements represent weak links in organisations’ security postures, which can be exploited by attackers and lead to major breaches through onward attacks or data exfiltration.
Financial institutions face a particularly stringent regulatory landscape. Frameworks like the EU's DORA, Guidance from the FCA such as FG16/5 - Guidance for firms outsourcing to the cloud and other third-party IT services, the supervisory statement SS2/21 (March 2021) with Policy Statement | PS7/21 for outsourcing and third-party risk management by the Prudential regulatory authority (PRA) or the Bank of England’s, PRA’s and FCA’s jointly proposed CP26/23 - Operational resilience: Critical third parties to the UK financial sector, are just some examples.
Many of these rules and standards require managing not just direct third-party risks, however, but also aspects of 4th, 5th and nth party risks (outsourcing risks and concentration risks) in the supply chain - adding layers of complexity.
International financial institutions must navigate diverse regulatory and operational environments across regions. Their common group structures also create interdependencies that further complicate TPRM.
The rising geopolitical tensions around the world have led to a further deterioration of the threat environment, and financial services organisations, which are vital to the economic stability of entire nations, are attractive targets of state-sponsored threat actors. Remaining vigilant in this evolving threat landscape is critical.
As third-party relationships multiply, scaling TPRM programmes becomes a major challenge. Most organisations can only actively assure a small fraction of suppliers, typically between 10% and 20%, which is insufficient given the magnitude of risks involved. Institutions must develop strategies that leverage technology and seek greater automation to enhance and scale their TPRM capabilities, making them more fit for purpose.
The increasing reliance on, and integration of, fintech companies meanwhile have introduced additional risks. While these partnerships drive innovation, the newer, and often less secure, third-parties may lack the robust risk frameworks and best practices of established financial institutions, thus requiring careful management.
Successful TPRM programmes in the financial sector consistently comprise four core elements regardless of the specific framework adopted.
This crucial first step involves a meticulous audit of the organisation's third-party relationships. Financial institutions must thoroughly understand the nature of each engagement, its scope, and the parties involved. Financial services firms must carefully examine factors like the sensitivity of data shared and/or handled by their suppliers, the level of third-party access to its own systems and processes, and the criticality of their suppliers to their own business operations. This is the necessary first step in order to get a clearer picture of a firms’ own risk profile and its third-party relationships. It is also a prerequisite to better understand and appreciate how any breaches at particular suppliers, and any resulting service disruptions, could impact their own operations, reputation, or compliance.
Once a full supplier inventory list exists and suppliers have been labelled according to their criticality to a firms’ operations, whether they hold and process personally identifiable information, and based on other parameters, the TPRM process then moves to evaluating individual suppliers' security controls. This is done to ensure that they abide by standards set by a firms’ internal requirements and policies.
In finance services in particular, such risk assessments, in addition to touching on security domains as Security Governance, network and IT security, cloud security and human resource governance, often also involve other vendor cyber security requirements, including evaluating risks posed by the financial stability and wider business resilience of suppliers, whether they abide by relevant data protection and privacy legislation and more.
Comprehensive risk assessments such as these allow financial institutions to make informed decisions about appropriate risk mitigation strategies. This could involve asking suppliers to implement additional controls, but also diversifying vendor relationships, or even terminating high-risk engagements.
Evaluating a suppliers’ security posture only once, however, usually in the process of onboarding them is no longer sufficient. Continuous risk monitoring of third-party security controls using specialised tools and techniques is essential. Financial institutions must stay informed about changes in the risk landscape on an ongoing basis. They need to promptly detect emerging risks when they emerge and proactively address vulnerabilities in third-party relationships. This ongoing vigilance is crucial in the fast-evolving threat environment facing financial institutions.
Institutions may leverage solutions providing automated risk scoring, alert notifications, and visual dashboards to track third-party performance and compliance, as well as potential concentration risks in their wider supply chains. Continuous monitoring enables enhanced incident response speeds to changes and emerging threats, and supports mitigation strategies.
The final stage focuses on reducing identified risks to an acceptable level. This can involve working with suppliers to ensure they implement crucial yet still missing controls, potentially conducting audits as well as developing contingency plans themselves to reduce their exposure to any risks.
To ensure an effective third-party risk management programme, financial institutions should consider these best practices:
Aligning TPRM with wider enterprise risk management programmes and risk identification strategies is essential. Institutions should create a comprehensive third-party inventory, differentiate criticality, and determine mitigating actions. This foundation tailors the TPRM programme to the organisation's needs and risk appetite.
Involving all relevant stakeholders, including risk, legal and compliance, procurement, security, and commercial teams, in designing and implementing the TPRM programme is crucial. This cross-functional collaboration aligns the programme with wider business objectives and ensures adherence.
Similarly, collaborating closely with other business units enables leveraging their insights and ensures their stake in necessary and effective TPRM activities. This quantitative and qualitative evaluation of third-party risk exposure helps establish effective management responsibilities. Cyber security, including third-party risk management, has to be an organisation-wide effort and cannot just be provided by IT security teams alone.
Categorising third-parties by criticality and inherent risk allows prioritising high-risk vendors and allocating appropriate due diligence and monitoring resources where most needed. This risk-based approach ensures the institution's limited resources target the greatest concerns.
Incorporating TPRM into the procurement process to evaluate potential risks during vendor selection and onboarding ensures a comprehensive view of the supply chain and reduces the risk of shadow IT and other suppliers. This integration enables informed decisions about vendor selection and appropriate contractual terms to mitigate risks from the outset, as well as setting the right expectations.
Adopting a proactive, ongoing TPRM approach utilising specialised tools and technologies for continuous vendor security posture monitoring is crucial in the fast-paced and complex world of finance. This shift from point-in-time assessments to dynamic, real-time monitoring allows quick response speeds to emerging threats.
Financial institutions can leverage solutions like Risk Ledger to help comply with evolving regulations, identify concentration and systemic risks, and implement continuous monitoring of their supplier ecosystem. A number of large financial institutions have enjoyed significant success with Risk Ledger, as we explore below.
Our first example is a tier-1 bank that used Risk Ledger. Within the first 24 hours of using Risk Ledger, they identified 14 of their critical suppliers that were already using the Risk Ledger platform and connected with them.
After connecting, they could then access these suppliers’ already completed and peer-vetted security profiles immediately.
Within 48 hours, using Risk Ledger’s advanced network mapping and visualisation capabilities, they were able to get a clear overview of their wider supply chain, far beyond their immediate direct suppliers. They were able to identify and visualise 36 fourth parties, 175 fifth parties, 15 sixth parties, 27 seventh parties, and, most importantly, identified 7 concentration risks. They used this information to brief regulators in a meeting the following week.
Schroders Personal Wealth (SPW) implemented Risk Ledger to manage security risks in their supply chain more effectively. As a £13 billion+ wealth manager, SPW required a robust security programme to ensure compliance with regulations like GDPR, the FCA Handbook, and evolving ESG principles.
Risk Ledger's platform allowed SPW to onboard suppliers efficiently, often in a single day. The platform's live monitoring and network mapping provided unprecedented visibility, enabling the identification of vulnerabilities and concentration risks.
The collaborative Risk Ledger model, which has been optimised to make the lives of suppliers easier, fostered stronger partnerships between SPW and its suppliers. It also provided SPW with visibility into 95% of their suppliers, rather than just 10%, which is common among most organisations.
At the heart of Risk Ledger's approach is its social network model, where clients and suppliers work together to Defend-as-One. This model provides organisations with in-depth insight into their vendors' security posture, yet also offers deep visibility into the relationships and risks that exist beyond just third-parties.
With Risk Ledger, financial institutions can gain a complete understanding of their position within the wider supplier ecosystem, enabling institutions to trace how security incidents may impact their operations.
Sign up to our monthly newsletter to receive exclusive research and analyses by our experts, the latest case studies from our clients as well as guides, explainers and more to turn your supply chain risk management programme into a resounding success story.
