Meeting EU Digital Operational Resilience Act (DORA) Third-Party Risk Requirements

Article 28: Designation of Critical ICT Third-Party Service Providers

Article 28 identifies key criteria for entities to consider for designating their third-party service providers as critical.

The Prevalent TPRM Platform enables security and risk management teams to automatically tier suppliers according to their inherent risk scores. Results can be used to set appropriate levels of further due diligence and to determine the criticality and scope of ongoing assessments.

Prevalent enables organizations to classify third parties based on multiple criteria, including:

• Type of content required to validate controls
• Criticality to business performance
• Location(s) and related legal or regulatory considerations
• Level of reliance on fourth parties
• Exposure to operational or client-facing processes
• Interaction with protected data
• Financial status and implications
• Reputation

The Prevalent platform’s tiering and categorization capabilities enable organizations to assess third parties according to their criticality to business operations, while informing further due diligence efforts.

Article 29: Structure of the Oversight Framework

Article 29 describes how to establish and govern a third-party risk management program, including identifying key roles.

Prevalent partners with our customers to build comprehensive third-party risk management (TPRM) programs that are based on proven best practices and extensive real-world experience. Our professional services experts collaborate with customers on everything from defining TPRM processes and selecting assessment questionnaires and regulatory frameworks, to continually evaluating and optimizing the TPRM program to address the entire third-party risk lifecycle.

As part of this process Prevalent helps to define:

• Clear roles and responsibilities (e.g., RACI)
• Third-party inventories
• Risk scoring and thresholds to identify risks based on appetite
• Assessment and monitoring methodologies based on business criticality
• Fourth-party mapping
• Sources of continuous monitoring data (cyber, business, reputational, financial)
• Key performance indicators (KPIs) and key risk indicators (KRIs)
• Governing policies, standards, systems and processes to protect data
• Compliance and contractual reporting requirements against service levels
• Incident response requirements
• Risk and internal stakeholder reporting
• Risk mitigation and remediation strategies

Article 32: Request for Information and Article 33: General Investigations

Articles 32 and 33 explain how to conduct audits and other related investigations, including identifying the types of data to collect.

Prevalent provides the foundation for a mature third-party risk management program by helping security and risk management teams address risks across every stage of the vendor lifecycle. The Platform delivers:

• Automated vendor onboarding and offboarding
• Automated profiling, tiering, and inherent and residual risk scoring
• Automated fourth-party mapping and vendor demographics
• A vast library of standardized and custom risk assessments with automated risk creation, workflow, tasks, and supporting evidence management
• Native continuous cyber, business, reputational, screening, and financial risk monitoring to correlate risks against assessment results and validate findings
• Executive, program and operator-level reporting that is backed by machine learning analytics to normalize and correlate findings from multiple sources
• Automated compliance and risk reporting by framework or regulation
• Remediation management with built-in guidance
• Contract and RFX management to facilitate more complete risk management prior to onboarding

Prevalent includes more than 200 questionnaire templates in its platform’s survey library, plus tens of thousands of completed assessments in its network exchanges. This enables organizations to assess third parties against multiple risk domains, from cybersecurity and data privacy to business and operational resilience.

Article 34: Onsite Inspections

Article 34 describes processes for onsite controls reviews and audits.

The Prevalent Controls Validation Service reviews third-party assessment responses and documentation against established testing protocols to validate that indicated controls are in place.

Prevalent experts first review assessment responses and then map the responses to SIG, SCA, ISO, SOC II, AITECH, and/or other control frameworks. We also work with customers to develop remediation plans and track them to completion. With remote and onsite options available, Prevalent delivers the expertise to help organizations reduce risk with their existing resources.

Article 35: Ongoing Oversight

Article 35 describes processes for ongoing management of a third-party risk management program, including continuous monitoring and obligations for regular reporting to relevant authorities.

To simplify ongoing oversight of third-party risk management programs, Prevalent delivers continuous risk monitoring, remediation guidance, and compliance reporting.

Prevalent Vendor Threat Monitor continuously tracks and analyzes external threats to third parties. The solution monitors the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information. Prevalent integrates and correlates continuous monitoring and profile insights against assessment results to provide a central location to view and act on risks.

Built-in remediation recommendations accelerate risk mitigations with third parties. Organizations can use the platform to communicate with vendors and coordinate remediation efforts, as well as capture and audit conversations; record estimated completion dates; accept or reject individual assessment responses; assign tasks based on risks, documents or entities; and match documentation and evidence to risks.

The Platform includes dozens of pre-built compliance and risk reporting templates by framework or regulation to simplify ongoing audits.

Next Steps for DORA Compliance

Prevalent helps financial organizations ensure their digital operational resilience by:

• Building a comprehensive, agile and mature third-party risk management program based on proven financial industry best practices
• Enforcing key ICT security contract provisions throughout the third-party relationship lifecycle
• Automating the identification and assessment of critical third parties based on their criticality to the organization
• Continuously monitoring for cybersecurity, business, financial and reputational risks – and correlating findings with assessment results
• Delivering remediation recommendations to reduce third-party residual risk
• Including templates to simplify regulatory and security framework audit reporting to multiple internal and external stakeholders

For more on how Prevalent can help address the requirements set forth in Chapter V of the Digital Operational Resilience Act (DORA), download the guide or request a demo today.