In response to increasing numbers of cyber-attacks, the European Union (EU) Parliament introduced legislation to strengthen the IT security of financial entities such as banks, insurance companies and investment firms. The Digital Operational Resilience Act (DORA) is designed to ensure that the European financial sector is able to maintain resilience during severe operational disruptions.
DORA sets uniform requirements for the security of network and information systems of companies and organizations operating in the financial sector. It also applies to critical third parties that provide ICT (Information Communication Technologies) services to the financial services industry, such as cloud platforms or data analytics services. DORA creates a regulatory framework for digital operational resilience whereby all firms must confirm that they can withstand, respond to, and recover from a wide range of ICT disruptions and cyber threats.
This post examines key DORA articles related to third parties and identifies capabilities in the Prevalent Third-Party Risk Management Platform that can be used to address DORA requirements.
Broadly speaking, there are nine article identified in Chapter V of the Digital Operational Resilience Act (DORA) that address third-party business resilience. We examine those articles below, and identify key Prevalent capabilities that address the requirements.
Article 25 states that, “Financial entities shall manage ICT third-party risk as an integral component of ICT risk within their ICT risk management framework and in accordance with the following principles …” To summarize, the principles address areas including contract management, third-party criticality, reporting, pre-contract due diligence, auditing, and exit strategies.
The Prevalent Third-Party Risk Management Platform is a SaaS solution that automates workflows required to identify, assess, manage, continuously monitor, report on, and remediate third-party IT security, privacy, compliance, operational, and procurement/supply chain-related risks throughout the vendor lifecycle.
Key solution capabilities that address Article 25 requirements include:
Article 26 includes provisions to guide entities in assessing concentration risk and the risk associated with fourth and Nth parties, including recommendations for risk monitoring and contractual requirements.
Prevalent mitigates concentration risks by identifying fourth-party relationships through a native identification assessment or by passively scanning the third party’s public infrastructure. The resulting relationship map depicts information paths and dependencies that could open pathways into an environment.
Suppliers are monitored to identify financial, ESG, cyber, business, and data breach risks, as well as to uncover sanctions and politically exposed persons (PEP) tied to each organization.
Together, these capabilities help to identify third-party concentration risk and fourth parties in the extended vendor ecosystem.
Article 27 includes guidance for ensuring that third-party vendor contracts include rights and obligations that can be continuously assessed.
Prevalent centralizes the distribution, discussion, retention, and review of vendor contracts. The Prevalent platform also offers workflow capabilities to automate the contract lifecycle from onboarding to offboarding. Key capabilities include:
By simplifying the process of managing and chasing vendor contracts, redlines, dates, and other key attributes, Prevalent ensures that key contract provisions are tracked to successful outcomes.
The DORA Third-Party Compliance Checklist
This comprehensive checklist examines key articles in DORA Chapter V: Managing of ICT Third-Party Risk and provides guidance for meeting the requirements.
Article 28 identifies key criteria for entities to consider for designating their third-party service providers as critical.
The Prevalent TPRM Platform enables security and risk management teams to automatically tier suppliers according to their inherent risk scores. Results can be used to set appropriate levels of further due diligence and to determine the criticality and scope of ongoing assessments.
Prevalent enables organizations to classify third parties based on multiple criteria, including:
The Prevalent platform’s tiering and categorization capabilities enable organizations to assess third parties according to their criticality to business operations, while informing further due diligence efforts.
Article 29 describes how to establish and govern a third-party risk management program, including identifying key roles.
Prevalent partners with our customers to build comprehensive third-party risk management (TPRM) programs that are based on proven best practices and extensive real-world experience. Our professional services experts collaborate with customers on everything from defining TPRM processes and selecting assessment questionnaires and regulatory frameworks, to continually evaluating and optimizing the TPRM program to address the entire third-party risk lifecycle.
As part of this process Prevalent helps to define:
eBook: 25 KPIs and KRIs for Third-Party Risk Management
The 25 Most Important KPIs and KRIs for Third-Party Risk Management will put you on the path to more effective communication regarding your TPRM program.
Articles 32 and 33 explain how to conduct audits and other related investigations, including identifying the types of data to collect.
Prevalent provides the foundation for a mature third-party risk management program by helping security and risk management teams address risks across every stage of the vendor lifecycle. The Platform delivers:
Prevalent includes more than 200 questionnaire templates in its platform’s survey library, plus tens of thousands of completed assessments in its network exchanges. This enables organizations to assess third parties against multiple risk domains, from cybersecurity and data privacy to business and operational resilience.
Article 34 describes processes for onsite controls reviews and audits.
The Prevalent Controls Validation Service reviews third-party assessment responses and documentation against established testing protocols to validate that indicated controls are in place.
Prevalent experts first review assessment responses and then map the responses to SIG, SCA, ISO, SOC II, AITECH, and/or other control frameworks. We also work with customers to develop remediation plans and track them to completion. With remote and onsite options available, Prevalent delivers the expertise to help organizations reduce risk with their existing resources.
Article 35 describes processes for ongoing management of a third-party risk management program, including continuous monitoring and obligations for regular reporting to relevant authorities.
To simplify ongoing oversight of third-party risk management programs, Prevalent delivers continuous risk monitoring, remediation guidance, and compliance reporting.
Prevalent Vendor Threat Monitor continuously tracks and analyzes external threats to third parties. The solution monitors the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information. Prevalent integrates and correlates continuous monitoring and profile insights against assessment results to provide a central location to view and act on risks.
Built-in remediation recommendations accelerate risk mitigations with third parties. Organizations can use the platform to communicate with vendors and coordinate remediation efforts, as well as capture and audit conversations; record estimated completion dates; accept or reject individual assessment responses; assign tasks based on risks, documents or entities; and match documentation and evidence to risks.
The Platform includes dozens of pre-built compliance and risk reporting templates by framework or regulation to simplify ongoing audits.
Prevalent helps financial organizations ensure their digital operational resilience by: