+Third-party Risk Management
---+Third-party Risk Management
---+Pre-Contract Risk Assessment
---+Register of Information
---+Contractual Requisites
---+Exit strategies
---+Annual Reporting of New Arrangements
|
1. Overview
Third-party Risk Management
| Summary |
Standard |
|
Third-party Risk Management
|
Manage third-party risks proportionate to dependency nature, service-related risks, and impact on entity's continuity and availability in case of disruption. Implement a policy for critical function ICT services provided by third-party service providers, considering the location of the service provider (or its parent company), the level of assurance regarding the service providers' risk management framework (including risk mitigation and business continuity measures), the nature of the data shared with the service provider, the location of data processing and storage, group affiliation of the service provider, and the potential impact of the risks and disruptions on the continuity and availability on the activities of the entity. Test response and recovery of critical function-supporting services provided by third parties.
|
|
Pre-Contract Risk Assessment
|
Perform pre-contract risk assessment. This assessment must assess if: the contract covers services supporting critical or important functions, a service provider is easily replaceable, the risks of sub-contracting are covered, the risks of outsourcing service to a third-country are covered, the risks of bankruptcy are covered on the side of the service provider, supervisory conditions for contracting are met, all contractual risks are identified and assessed (e.g., to cover for ICT concentration risks), the service provider is suitable, and if there are conflicts of interest. Assess service provider resources for ensuring entity compliance with all legal and regulatory requirements.
|
|
Register of Information
|
Maintain a comprehensive register of information related to contractual arrangements with third-party service providers, distinguishing those supporting critical/important functions. Ensure that the register is in line with all mandatory fields as defined in the ITS on the register of information.
|
|
Contractual Requisites
|
Only contract with service providers meeting appropriate information security standards (e.g., ISO 27001, SOC, PCI-DSS, etc.) appropriate to the criticaly of services delivered. Determine audit frequency for service providers, ensuring auditors possess requisite skills and knowledge for complex services
|
|
Exit strategies
|
Develop and periodically test exit strategies and plans, considering risks related to third-party service providers, including potential failure, service quality deterioration, business disruption, and termination of contractual arrangements. Ensure that the exit plan is realistic, feasible, based on plausible scenarios and reasonable assumptions and shall have a planned implementation schedule compatible with the exit and termination terms established in the relevant contractual arrangements. Also, ensure smooth exit and workload migration to another service provider without business disruption, compliance loss, or service quality decline.
The DORA Taskforce has designed an exit plan template that could be of assistence, see: https://www.norea.nl/dora/dora-template-exit-plan
|
|
Annual Reporting of New Arrangements
|
Report new service provider arrangements to the regulator, especially those supporting critical or important functions, to the regulator on a yearly basis, with immediate notification for critical services.
|
1.1 References
1.2 Identified Requirements
1.2 Related Regulation
2. Identified Requirements
Requirements
| Source |
Requirement |
3. Related Regulations
Regulations
| Source |
Regulation |
|