In March 2022, the Bank of England’s Prudential Regulation Authority (PRA) activated a new Supervisory Statement (SS2/21), which set expectations for how PRA-regulated firms should comply with regulatory requirements relating to outsourcing and third-party risk management to improve business resilience.
Applicable to all UK banks, investment and insurance firms, and UK branches of overseas banks and insurance firms, the objectives of the Supervisory Statement (SS) are to:
“… facilitate greater resilience and adoption of the cloud and other new technologies … complement the requirements and expectations on operational resilience in the PRA Rulebook; SS1/21 … and implement the European Banking Authority (EBA) ‘Guidelines on outsourcing arrangements’ (EBA Outsourcing GL).”
The Supervisory Statement also clarifies the difference between material outsourcing and non-outsourcing third-party arrangements, sets expectations for assessments and third-party due diligence, and identifies areas that require detailed examination, including:
- Data security
- Access, audit and information rights
- Business continuity and exit strategies
This post examines the assessment and due diligence requirements for both outsourcing and non-outsourcing third parties as set forth in the Supervisory Statement. It also identifies capabilities in the Prevalent Third-Party Risk Management Platform that can be used to address PRA requirements.
Understanding PRA Supervisory Statement SS2/21 Third-Party Risk Management Requirements
Supervisory Statement SS2/21 requires that PRA-regulated firms conduct a Materiality Assessment during vendor onboarding and periodically thereafter. PRA expects to be informed of each firm’s material third parties, so now is the time to ensure your third parties follow the business and operational resilience practices necessary to be compliant and minimize risk to your organization.
Mapping Prevalent Capabilities to PRA Supervisory Statement SS2/21 Requirements
The Prevalent Third-Party Risk Management Platform can help financial services organizations address the outsourcing and non-outsourcing third-party requirements in PRA SS2/21.
NOTE: This guidance includes the most relevant requirements only, and should not be considered comprehensive. For a complete list of requirements, please review the complete Supervisory Statement in detail and consult your auditor.
Section 2: Definitions and scope
To address the requirements in 2.8 and 2.9, the Prevalent Platform delivers:
- Profiling, tiering, and inherent and residual risk scoring based on comprehensive criteria to identify material and non-material outsourcing third parties.
- More than 100 standardized templates and custom risk assessments tuned to material and non-material third parties with built-in workflow, task and evidence management. Assessments address a multitude of ICT security-based frameworks, including Cyber Essentials, ISO 27001, NIST 800-53, GDPR, and many others.
- Remediation management with built-in guidance to act on identified risks from material outsourcing third parties.
- Compliance and risk reporting by framework or regulation to simplify the auditing process.
Section 3: Proportionality
To address the requirements in 3.6 and 3.7, the Prevalent Platform:
- Enables security and risk management teams to automatically tier suppliers according to their inherent risk scores. Results can be used to set appropriate levels of further due diligence and determine the scope of ongoing assessments.
- Automatically maps information gathered from control-based assessments to regulatory frameworks including ISO 27001, GDPR and dozens more. This enables you to quickly visualize and address important compliance requirements and simplify auditing processes.
- Offers the Prevalent Compliance Framework (PCF), a single, comprehensive assessment that enables security and risk management teams to map answers to several regulatory requirements.
Section 5: Pre-outsourcing phase
To address the requirements in 5.8, 5.10-5.13, and 5.18-5.24, the Prevalent Platform offers:
- RFx management, enabling organizations to automate and add risk intelligence to vendor selection decisions.
- Contract lifecycle management, delivering automation to improve the vendor contracting experience and conduct continuous SLA monitoring.
- Comprehensive profiling and tiering of third parties to determine materiality. Criteria include criticality, regulatory considerations, reliance on fourth parties, operational exposure, financial status and reputation.
- The largest library of standardized and custom risk assessments with built-in workflow, tasks, and evidence management. Includes a built-in business resilience assessment based on ISO 22301.
- Native cyber, breach, business, reputational and financial risk monitoring to continuously assess vendor risks between annual assessments and correlate findings against assessment results to determine if further investigation is needed.
- Automatic mapping of assessment and monitoring results to NIST, ISO, and other control frameworks to demonstrate compliance.
- Guidance on building a more robust third-party business resilience program.
- Incident response to identify and mitigate the impact of third-party vendor breaches with event assessments, scoring, and remediation guidance.
Section 6: Outsourcing agreements
To address the requirements in 6.3, Prevalent centralizes the distribution, discussion, retention, and review of vendor contracts. With these capabilities, organizations can centrally track all contracts and contract attributes that can impact service levels, effectively enforcing contractual safeguards.
Section 7: Data security
To address the requirements in section 7, Prevalent delivers a single, collaborative platform for conducting privacy assessments and mitigating both third-party and internal privacy risks. Key data security and privacy assessment capabilities include:
- Scheduled assessments and relationship mapping to reveal where personal data exists, where it is shared, and who has access to it – all summarized in a risk register that highlights critical exposures.
- Privacy Impact Assessments to uncover at-risk business data and personally identifiable information (PII) – enabling you to analyze the origin, nature and severity of risk and get remediation guidance.
- Vendor assessments against GDPR and other privacy regulations via the Prevalent Compliance Framework (PCF) – enabling you to reveal potential hot spots by mapping identified risks to specific controls.
- GDPR risk and response mapping to controls – equipping you with percent-compliance ratings and stakeholder-specific reports.
- A database containing 10+ years of data breach history for thousands of companies around the world. Includes types and quantities of stolen data; compliance and regulatory issues; and real-time vendor data breach notifications.
- Centralized onboarding, distribution, discussion, retention, and review of vendor contracts. This ensures data protection provisions are enforced from the beginning of the relationship.
Section 8: Access, audit, and information rights
To address the requirements in 8.7 and 8.9:
- The Prevalent Controls Validation Service reviews third-party assessment responses and documentation against established testing protocols to validate that indicated controls are in place.
- Prevalent experts first review assessment responses, whether from custom or standardized questionnaires. We then map the responses to SIG, SCA, ISO, SOC 2, AITECH, and/or other control frameworks. Finally, we work with you to develop remediation plans and track them to completion. With remote and onsite options available, Prevalent delivers the expertise to help you reduce risk with your existing resources.
- Prevalent centralizes certifications, agreements, contracts and supporting evidence with built-in task and acceptance management, plus mandatory upload features.
Section 9: Sub-outsourcing
To address the requirements in section 9, Prevalent identifies fourth-party and Nth-party relationships through a native identification assessment or by passively scanning the third party’s public infrastructure. The resulting relationship map depicts information paths and dependencies that could open pathways into an environment. Suppliers discovered through this process are then monitored to identify financial, ESG, cyber, business, and data breach risks, as well as for sanctions/PEP screening.
Section 10: Business continuity and exit plans
To address the requirements in 10.1, 10.3 and 10.9, Prevalent:
- Delivers free resources for organizations to use as they build or mature their third-party business continuity programs.
- Includes a comprehensive business resilience assessment based on ISO 22301 standard practices that enables organizations to:
  - Categorize suppliers according to their risk profile and criticality to the business
  - Outline recovery point objectives (RPOs) and recovery time objectives (RTOs)
  - Centralize system inventory, risk assessments, RACI charts, and third parties
  - Ensure consistent communications with suppliers during business disruptions
How Prevalent Helps Address PRA SS2/21 Outsourcing and Third-Party Risk Management Requirements
Prevalent can help organizations automate Materiality Assessments and continuously monitor their outsourcing and non-outsourcing third parties for business resilience risks. Prevalent assessment and monitoring capabilities enable organizations to determine and validate whether a defect or failure in the performance of a vendor materially impairs:
- The organization’s ability to meet Threshold Conditions
- Compliance with the Fundamental Rules or the Financial Conduct Authority’s (FCA's) Principles of Business
- The financial stability of the UK
- The organization’s requirements under the Information Gathering section of the PRA Rulebook
- The organization’s financial or operational resilience
For organizations that have outsourced an internal control or key function, Prevalent can help determine whether a defect or failure in performance would adversely affect the relevant function. It can also help determine the potential impact of a disruption, failure or inadequate performance on:
- operational risk, conduct risk, information and communication technology (ICT) risk, legal risk and reputational risk
- the organization’s ability to comply with and report against legal and regulatory requirements
- the organization’s access to essential data or risk of breach to Confidential or Highly Confidential Data
Next Steps for Complying with PRA SS2/21
For more on how Prevalent can help address the requirements set forth in PRA Supervisory Statement SS2/21, download the complete compliance checklist or request a demo today.