+Subcontracting Management
---+Third-Party Subcontractor Due Diligence
---+Subcontracting Risk Management
---+Subcontracting Monitoring

1. Overview

Subcontracting Management

Summary Standard
Third-Party Subcontractor Due Diligence

With regard to subcontracts that support a critical or important function:

  • Implement due diligence procedures to evaluate the subcontracting practices of ICT third-party service providers.
  • Require the ICT third-party service provider to identify all subcontractors that provide ICT services supporting critical or important functions, or material parts thereof, and to notify and inform the financial entity of those subcontractors.
  • Ensure that the contractual arrangements the provider has with those subcontractors enable the financial entity to comply with its own obligations.
  • Ensure, in the contract with the ICT third-party service provider, that each subcontractor grants the financial entity the same contractual rights of access and inspection as those granted by the ICT third-party service provider itself.
  • Assess the ICT third-party service provider's organizational structure, resources and information security standards, including the incident response and risk management mechanisms it applies with regard to the subcontractor.
  • Assess the financial entity's own organizational structure, resources and information security standards, including its incident response and risk management mechanisms, with regard to the ICT third-party service provider and its subcontractors.
  • Assess the impact on digital operational resilience and financial soundness of a possible failure of a subcontractor.
  • Assess the location of the potential subcontractors.
  • Assess the ICT concentration risks at entity level in accordance
  • Address any barriers to the audit and access rights of competent authorities and of the financial entity.
Subcontracting Risk Management

With regard to subcontracts that support a critical or important function:

  • Establish a risk management process to oversee subcontracting activities effectively.
  • Monitor the entire ICT subcontracting chain, documenting the conditions that apply to it and ensuring compliance with contractual obligations and with the obligation to maintain and update the register of information.
  • Review contractual documentation to verify adherence to the established conditions throughout the subcontracting chain.
  • Require advance notice of significant changes to subcontracting arrangements, so that the resulting risks can be assessed and mitigated before the change takes effect.
  • Ensure that the right to approve changes to, or request modifications of, material subcontracting activities is included in the contracts with ICT third-party service providers that support critical or important functions.
  • Implement proactive measures to address identified risks and strengthen subcontracting oversight.
Subcontracting Monitoring

With regard to subcontracts that support a critical or important function:

  • Institute a process of continuous improvement and monitoring to enhance subcontracting practices and mitigate the associated risks.
  • Regularly review and update subcontracting conditions in response to changes in the business environment and to the results of risk assessments.
  • Conduct periodic assessments of the subcontracting criteria, including ICT threats, concentration risks and geopolitical factors.
  • Monitor and evaluate the effectiveness of subcontracting controls by exercising the contractual rights of access and inspection.
  • Proactively identify and address any deficiencies or emerging risks to strengthen subcontracting governance and oversight.

1.1 References

1.2 Identified Requirements

1.3 Related Regulations

2. Identified Requirements

Requirements
Source Requirement

3. Related Regulations

Regulations
Source Regulation