ICT third party management
In this article we will be touching on the key components the European Supervisory Authorities are expecting for you to manage your ICT third-party service providers competently.
All financial entities, we expect, have a third-party management function and most will have dedicated staff that specialise in the area. While the majority of these functions will be doing a good job some will not. The Digital Operational Resilience Act (DORA - Chapter V Managing of ICT third-party risk) from the EU is detailed and prescriptive; highlighting the key building blocks they expect to be in place.
ICT third-party strategy
Top of the list is an ICT third-party strategy. This should be aligned to the business strategy and designed to guide the use of ICT third party providers to further the goals of the business. The ICT third party may help you get your services to market quicker or they may simply be better, more efficient or cheaper. Whatever the reason, selection should be a driven by your strategic direction and purpose.
ICT third-party policy
Second on the list is the ICT third-party policy. This outlines what’s permitted and what’s not. It provides the guiderails for management and gives them leeway in terms of their authority. It also places conditions on what is expected in terms of governance, risk management and control. The policy should define the types of services that may be subcontracted and those that must not. It also mandates the following items below.
ICT Third-party risk assessment
A risk assessment is used to determine the risk of using a given ICT third-party taking into account important factors. The European Supervisory Authorities have written a separate policy document that helps understand those factors - JC 2024-53 - Final report DORA RTS on subcontracting.pdf. We suspect the factors listed go far beyond what most financial entities assess today. We have summarised them below:
- nature of the services, activities and operations
- scale of the services, activities and operations
- elements of increased or decreased complexity
- type of ICT services being provided
- location of the ICT third party provider or its parent company
- length of the chain of subcontractors
- nature of shared data with the ICT subcontractors
- location ICT services provided from (and geopolitical risks)
- where the data is processed and stored
- if the ICT third party provider is part of the same group as the financial entity
- if the ICT third party provider is registered or subject to supervision or oversight by a competent authority in a member state
- if the ICT third party is registered or subject to supervision or oversight by a competent authority in a third country
- if the ICT third party is concentrated to a single subcontractor or a small number of such subcontractors
- the transferability of the services to another ICT subcontractor
- the potential impact of disruptions on the continuity and availability
- the ICT concentration risk
This risk assessment allows you to determine the criticality of the service being provided. If the service supports a critical or important business function all of the following will apply.
ICT Third-party due diligence
Due diligence is essential in understanding what service is being bought and how the ICT third-party is structured to deliver it and how the service is designed and operated. If the ICT service being provided is critical to you as a financial entity you will expect the Information Security controls and systems to be similar to most financial entities. You also expect digital operational resilience to be a high priority for the ICT third party provider and reflected in the design and operation of their services.
In addition, one area called out by the European Supervisory Authorities is "subcontractors to ICT third party providers". To address this DORA requires the following to be assessed prior to contracting.
- the due diligence processes implemented by the ICT third party provider to assess potential subcontractors including their participation in digital operational resilience testing
- ICT third party is able to inform the financial entity of any subcontractors providing ICT services
- ICT third party permits rights of access, inspection and audit
- ICT third party provider has the capability to monitor its subcontractors
- financial entity has the capability to monitor the ICT third party provider
- impact of a possible failure of a subcontract to provide the critical service
- potential obstacles to audit, inspections and access rights
ICT Third-party monitoring
This is necessary to ensure the third-party continuously deliver services contracted. It needs to include regular governance and management meetings to ensure continuous contact and lines of communications. This is especially important for critical business functions. It is also recommended that members of the ICT third party management team are embedded in the teams and offices of the financial entity to ensure the best interaction and good lines of management communication.
ICT Third-party exit strategy and testing
The exit strategy details the approach to be followed to enable an alternate supplier or the financial entity itself to provide the service. The approach is supplemented with a plan and the plan needs to be tested regularly to understand issues and challenges.
Material changes to subcontracting
To keep control of the risks associated with subcontracting DORA has specific obligations that need to be fulfilled by ICT third party providers.
- notified in advance to permit a risk assessment to be undertaken
- subcontractor changes only permitted on approval from financial entity
- if risk assessment is not within tolerance ICT third party to be informed and the change refused
Termination of contractual arrangements
Failure to comply with these obligations relating to changes to subcontracting will be grounds for contract termination if:
- proceeds with change despite refusal from financial entity
- proceeds with change without explicit approval from financial entity
- proceeds with subcontracting an ICT service that is not permitted
ICT Third-party audit assessments and inspections
The regular management monitoring of the ICT third party will help to ensure the third party delivers to the contractual arrangements. This is further supported by regular audit assessments and inspections to ensure the monitoring is comprehensive and being carried out correctly. An Audit plan or schedule should be agreed at the start of the contract. There should be capacity for additional ad hoc audits required from time to time - as issues or problems arise and necessitate an independent view. These should be baked into the contract to avoid disagreements later.
DORA Contractual model clauses
In order to comply with DORA it is important to have template model clauses for inclusion in all ICT third-party contracts and to keep these updated every time the contracts are renewed or reviewed.
There are a number of clauses required by the DORA regulation. Below are some that were clarified in the recent policy document issued in the second batch of documents.
- ICT third party service provider is responsible for subcontractors
- ICT third party monitor all subcontractors
- ICT third party reporting obligations are defined
- ICT third party assesses the location of potential subcontractors
- subcontractor contracts detail the monitoring and reporting requirements
- subcontractor contracts detail the security requirements
- subcontractor to provide the financial entity with the same rights of access, inspection and audit
- ICT third party responsible for continuity of services
- the financial entity will be notified of material changes to subcontracting arrangements
- financial entity has termination rights
- ICT third party to provide details of all subcontracting
- the chain remains up to date
- ICT third party to permit and support ongoing monitoring
- monitoring and compliance to include how long and complex the chain of subcontracts are
ICT third-party Register of Information
Finally, there is the formal register of all ICT third party arrangements. The register has been designed to support regulatory supervision and the information needs to be presented in very specific ways to comply with DORA. It is critical to comply with the formatting required as the European Supervisory Authorities will be using the data to help compile a holistic picture of all ICT third party providers. This will be used to help identify Critical ICT third party providers (CTPPs) from the perspective of the European Supervisory Authorities.
How IT Security Locksmith can help
If you need to undertake an EU Digital Operational Resilience Act GAP analysis please get in touch. We offer three levels:
- Board level - takes about three weeks to complete
- Management level - takes about six weeks to complete
- Full gap analysis - takes about three months to complete
Free expert opinion!
If you are concerned about the EU DORA or told that it's all under control please get in touch for a no obligation free consultation. We can help you understand the challenges, how to go about addressing them and provide you with options and prices for you to take away and consider.
If nothing else you get some expert opinion free of charge!
About IT Security Locksmith
IT Security Locksmith specialises in board level training and consultancy.
To find out more about our capabilities please click here.
Our services page showcases the types of services we offer.
Click here to contact us for a no obligation initial consultation.