How Risk Ledger can help you with your operational resilience
Operational resilience is rapidly moving up the agenda for financial services firms, as regulators increase their scrutiny. Authorities including the Bank of England and the European Banking Authority argue that firms without clear plans and protections for business continuity present material threats to market stability. As such, they are introducing new regulation specifically to address operational resilience concerns.
Crucially, supply chain and third-party risks sit at the centre of this scrutiny. Any financial services firm that depends on a third-party provider to deliver critical systems or services must understand the potential risk of a failure at the provider. Without that understanding it is impossible to assess the firm’s own operational resilience – and therefore impossible to comply with the regulation.
Operational resilience requirements are embedded across a wide range of legislation and guidelines – and more regulation is on its way. Most significantly, the European Union is in the process of introducing the Digital Operational Resilience Act (DORA), a new framework on digital operational resilience. This will include new standards on management of third-party IT risk, business continuity and sub-contracting.
Again, the supply chain sits centre-stage in this regulation. What if a supplier suffers a cyber attack that takes its system offline? How quickly will it be able to bring the system online again? Does it depend on suppliers further down its own supply chain whose incidents could stop it from providing services?
Resolving these questions – and more – is now a key element of financial services firms’ operational resilience. However, establishing the impact of third parties on your resilience – on an ongoing basis – is not easy. Risk Ledger can help.
In simple terms, our aim is to give you visibility and control over your supply chain security. Your suppliers can sign up to our platform, free of charge, in order to share a real-time picture of their cyber security that you can assess on an ongoing basis.
Crucially, this approach overcomes many of the failures, from an operational resilience perspective, of traditional approaches to third-party risk management. These depend on suppliers completing one-off compliance exercises that lack detail and accuracy, and provide no visibility of the extended supply chain. By contrast, our platform offers:
- Continuous monitoring of supplier controls, so that you can see all changes and access information at any time.
- A continuous communication channel with security teams at your suppliers.
- Incentives for suppliers to provide accurate and up-to-date information, enabling you to work together to defend against attacks.
- Visibility of the full supply chain – including fourth, fifth, sixth parties and so on – thanks to our social network model.
- Identification of concentration risks using the social network model.
In this paper, we provide an overview of the operational resilience landscape that your business now faces, along with the key priorities relating to supply chain risk that must be confronted, and further detail of how Risk Ledger can help.
Key regulatory developments on operational resilience and supply chain risk
UK amendments to operational resilience regulation
The Bank of England, Financial Conduct Authority and Prudential Regulation Authority published a joint policy on strengthening operational resilience in the financial sector in March 2021, with new rules taking effect from 31 March 2022.
Importantly, while the UK is no longer part of the European Union following Brexit, the British authorities have said their operational resilience regime will align with that of the EU, particularly in respect of outsourcing and third-party arrangements. While businesses that operate only in the UK may no longer be bound by European law – especially new regulation – the UK rules are, in practice, likely to hold financial services businesses to very similar standards and requirements.
For example, the emphasis of the joint policy is on the need to map important business services and to run scenario testing with third-party providers, much like the latest European Banking Authority guidelines on outsourcing, ICT and security risk management. Critically, the UK authorities make firms responsible for the impacts of the failure of third parties in their supply chains – the same principle that is enshrined in EU law.
EBA Guidelines on Outsourcing Arrangements
The European Banking Authority (EBA) Guidelines on Outsourcing Arrangements came into force on 30 September 2019. They introduce a European Union-wide regulatory framework for outsourcing to third parties that applies to institutions including banks, credit institutions and investment firms. Key features include:
- Governance requirements for entering and overseeing outsourcing arrangements.
- Requirements for pre-outsourcing analysis which must include appropriate due diligence, a materiality assessment, and a risk assessment.
- A requirement to maintain a register of outsourcing arrangements.
- A requirement to maintain a written outsourcing policy.
- Contractual requirements for critical or important outsourcing arrangements.
- Notification requirements when entering or amending critical or important outsourcing arrangements.
EBA Guidelines on ICT and Security Risk Management
The EBA Guidelines on ICT and Security Risk Management came into force on 30 June 2020. These European Union-wide guidelines apply to banks, payment services firms and investment firms and govern business continuity management in respect of ICT and security risks. Key components include:
- A sound business continuity management process.
- Effective response and recovery plans including testing.
- Crisis communication measures in place.
EIOPA Guidelines on Outsourcing to Cloud Service Providers
The European Insurance and Occupational Pensions Authority (EIOPA) Cloud Guidelines came into force on 1 January 2021. They govern insurance and reinsurance undertakings throughout the European Union and apply to all outsourcing arrangements with cloud providers.
ESMA Guidelines on Outsourcing to Cloud Service Providers
The European Securities and Markets Authority (ESMA) Cloud Guidelines applied from 31 July 2021 on a European Union-wide basis. They apply to a broad range of investment industry businesses and broadly mirror the EBA Outsourcing Guidelines and EIOPA Cloud Guidelines.
Digital Operational Resilience Act
The European Commission is moving forward with the Digital Operational Resilience Act (DORA), with the aim of introducing a framework on digital operational resilience within the European Union financial sector that is intended to apply to virtually all types of financial services firms. The legislation will include a single set of mandatory rules with a number of key objectives:
- Bringing critical ICT third party providers, including cloud service providers, within the scope of regulation.
- Setting EU-wide standards for digital operational resilience testing.
- Harmonising ICT risk management rules.
- Harmonising ICT incident classification and reporting.
Key takeaways from the regulation
The detailed requirements of this swathe of operational resilience regulation are complex and far-reaching, but the starting point for financial services firms is to recognise the big picture on supply chain risk and third-party arrangements. It is crucial that they:
- Identify their important business services, particularly in relation to how they matter to customers and broader systemic considerations.
- Map these business services and their providers on an ongoing basis in order to understand how they are delivered and potential vulnerabilities.
- Establish impact tolerances for each service – how quickly would disruption pose a problem, and how serious would that problem be?
- Run scenario testing exercises in order to establish how likely it is that suppliers will remain within these tolerances in the event of disruption.
- Accept that the board is responsible for operational resilience strategy and put governance arrangements in place to deliver oversight.
- Accept that business disruption may be inevitable and design incident response and business continuity plans accordingly.
The Log4j episode provides a perfect example of the importance of being able to map potential supply chain vulnerabilities and to respond at speed as new problems emerge.
The issue, which first emerged in December, was a problem with the open-source software Log4j, widely used by technology providers and software developers to log information in their applications. The vulnerability provided cyber attackers with a potential route into the systems of any organisation using applications that made use of Log4j.
As a result, organisations have faced a race against time to establish whether they or their suppliers are using software that carries the vulnerability – and then to apply the security fixes released to close the gap.
For those organisations lacking visibility of their supply chains, this work has proved especially challenging. By contrast, those on top of third-party supplier mapping have been able to identify their potential resilience threats much more quickly – and then to work with these suppliers to remediate the problem.
Some organisations have even chosen to stop working with suppliers where the potential impact has been judged too high. But without systems and tools to identify those third parties in the first place, making such judgements is impossible.
How can Risk Ledger help you meet these challenges?
Risk Ledger’s platform gives you the visibility and control needed to manage your supply chain risk – and comply with operational resilience regulation.
To comply with the various European outsourcing guidelines and UK policy, your organisation will need to be able to “identify, assess, monitor and manage all risks resulting from arrangements with third parties”.
This includes identifying concentration risk and critical dependencies between your third-party suppliers. Risk Ledger makes this simple by giving you live access to a personalised network graph that maps the third parties you depend on, other organisations that depend on those third parties, and common connections between multiple third parties.
In the past, this kind of mapping has been very challenging, but Risk Ledger’s social network model means you have visibility of your entire supply chain well beyond just third-party connections and through to fourth, fifth and sixth parties.
The outsourcing rules also require continuous monitoring of third-party risks, but most traditional risk management processes are built around point-in-time assessments which quickly go out of date. Risk Ledger solves this by making it easy for third parties to update their supplier profile when anything changes. With a Risk Ledger client account, you have access to an activity feed of all the changes your suppliers make to their security practices over time.
Because many third parties use their Risk Ledger supplier profile to manage security controls internally, you get a clear view inside your suppliers – lifting the lid on security controls, instead of taking the information you’re given at face value.
Risk Ledger can also help your organisation to comply with the EU Digital Operational Resilience Act (DORA) once it reaches the statute books. The aim of the legislation is to ensure that you can continue operating, even in the midst of a cyber attack. In order to comply, you will need to be able to demonstrate a new level of ICT third-party risk management, which is where Risk Ledger gives you an advantage.
The DORA legislation involves a shift of mindset: financial institutions must now accept that breaches and disruptions are inevitable, and the emphasis is on being able to show that your operations will continue uninterrupted during a supply chain attack or third-party breach.
As a first step, Risk Ledger will help you understand which ICT suppliers are critical, through simple tagging and reporting functionality. Then you can easily identify where these critical ICT suppliers may have vulnerabilities – and use that knowledge to work with them on strengthening their defences (or to inform your decision to find an alternative provider). Involving your suppliers in incident response planning – and simply making sure you can contact key people in the event of a crisis – is crucial in this regard.
Risk Ledger is free to suppliers, giving them access to a shareable profile they can use to breeze through security questionnaires. This means that the onboarding process and continued tracking of security controls over time is painless for everyone involved. By helping you and your critical ICT suppliers collaborate, Risk Ledger makes the shared responsibility of operational resilience regulation compliance manageable.
Finally, it is important to remember that while your obvious focus is on your critical suppliers, these third parties also expose your organisation to a whole host of risks lurking further down your supply chain. Suppliers that may not be critical at a third-party level, say, may have fourth-party connections with your critical suppliers that would have a serious knock-on effect that disrupts operations.
With Risk Ledger, you have unprecedented visibility of your entire supply chain, mapping every connection in your supplier network and uncovering risks you may not otherwise have noticed until an attack was already underway.
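As an added illustration of the two ideas described above – mapping the extended supply chain as a graph to find concentration risk, and spotting a non-critical third party whose fourth-party dependency is shared with a critical supplier – here is a small Python example. It is not Risk Ledger's code; the organisation names, the dependency graph and the critical tags are constructed for the example, and the tier numbering (direct suppliers as "third parties", their suppliers as "fourth parties", and so on) follows the convention used in this paper.

```python
from collections import deque

# Constructed sample supply-chain graph (the organisations are made up):
# each key lists the suppliers that organisation directly depends on.
# "firm" is the regulated entity whose operational resilience is being assessed.
SUPPLY_GRAPH = {
    "firm": ["PaymentsCo", "CloudHostCo", "PrintCo"],
    "PaymentsCo": ["AuthProviderCo", "CloudHostCo"],
    "CloudHostCo": ["DNSCo"],
    "PrintCo": ["LogisticsCo"],
    "LogisticsCo": ["DNSCo"],
    "AuthProviderCo": ["DNSCo", "SMSCo"],
}

# Direct suppliers the firm has tagged as critical to an important business service
# (constructed tags, standing in for the tagging step described above).
CRITICAL_THIRD_PARTIES = {"PaymentsCo", "CloudHostCo"}


def map_supply_chain(graph, root):
    """Breadth-first walk from the firm. Returns {organisation: tier}, where tier 3
    is a direct (third-party) supplier, tier 4 a supplier of a supplier, and so on.
    An organisation reachable at several depths is recorded at its shallowest tier;
    the visited check also stops the walk looping on cyclic dependencies."""
    tiers = {}
    queue = deque([(root, 2)])
    while queue:
        org, tier = queue.popleft()
        for supplier in graph.get(org, []):
            if supplier not in tiers:
                tiers[supplier] = tier + 1
                queue.append((supplier, tier + 1))
    return tiers


def _upstream_chain(graph, start):
    """Every organisation that `start` depends on, directly or transitively,
    plus `start` itself (cycle-safe)."""
    seen, stack = {start}, [start]
    while stack:
        org = stack.pop()
        for supplier in graph.get(org, []):
            if supplier not in seen:
                seen.add(supplier)
                stack.append(supplier)
    return seen


def concentration_risks(graph, root):
    """For each organisation in the extended chain, the set of the firm's direct
    third parties whose delivery ultimately depends on it. Anything sitting beneath
    two or more third parties is a concentration risk: one outage there disrupts
    several of the firm's suppliers at the same time."""
    depended_on_by = {}
    for third_party in graph.get(root, []):
        for org in _upstream_chain(graph, third_party):
            depended_on_by.setdefault(org, set()).add(third_party)
    return {org: tps for org, tps in depended_on_by.items() if len(tps) >= 2}


def knock_on_exposure(graph, root, critical):
    """Non-critical third parties that share an upstream dependency with a critical
    one (the fourth-party knock-on case). Returns {third_party: {shared organisations}}."""
    critical_chain = set()
    for third_party in critical:
        critical_chain |= _upstream_chain(graph, third_party)
    exposure = {}
    for third_party in graph.get(root, []):
        if third_party in critical:
            continue
        shared = _upstream_chain(graph, third_party) & critical_chain
        if shared:
            exposure[third_party] = shared
    return exposure


if __name__ == "__main__":
    for org, tier in sorted(map_supply_chain(SUPPLY_GRAPH, "firm").items(), key=lambda kv: kv[1]):
        print(f"tier {tier}: {org}")
    print("concentration risks:", concentration_risks(SUPPLY_GRAPH, "firm"))
    print("knock-on exposure:", knock_on_exposure(SUPPLY_GRAPH, "firm", CRITICAL_THIRD_PARTIES))
```

On the constructed graph, DNSCo appears at tier 4 but underpins all three of the firm's direct suppliers, which is exactly the kind of shared dependency a point-in-time questionnaire of each third party would never surface; and PrintCo, which is not tagged critical, shares DNSCo with the critical suppliers, so a PrintCo-side incident review would also need to consider that shared dependency.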