EU Digital Operational Resilience Act Compliance

Section I: Key Principles for a Sound Management of ICT Third-Party Risk

Article 25: General Principles

“Financial entities shall manage ICT third-party risk as an integral component of ICT risk within their ICT risk management framework and in accordance with the following principles …” To summarize, the principles address areas including contract management, third-party criticality, reporting, pre-contract due diligence, auditing, and exit strategies.

The Prevalent Third-Party Risk Management Platform is a SaaS solution that automates workflows required to identify, assess, manage, continuously monitor, report on, and remediate third-party IT security, privacy, compliance, operational, and procurement/supply chain-related risks throughout the vendor lifecycle.

Key solution capabilities that address Article 25 requirements include:

• Contract lifecycle management to ensure that key performance indicators (KPIs) are established and tracked from the beginning of the relationship
• Automated profiling and tiering of all third parties to ensure that vendors are managed according to service criticality and other factors
• A central vendor profile that includes demographic information, fourth-party dependencies, financial information, data breach history, and any adverse business news that may impact the business relationship
• Comprehensive and automated due diligence assessments to ensure that third parties have essential IT security controls in place
• Built-in remediation recommendations to mitigate the risk of third-party IT security weaknesses
• Dozens of compliance reporting templates to streamline the auditing process
• Programmatic third-party offboarding to reduce the organization’s risk of post-contract exposure.

Article 26: Preliminary Assessment of ICT Concentration Risk and Further Sub-Outsourcing Arrangements

Article 26 includes provisions to guide entities in assessing concentration risk and the risk associated with fourth and Nth parties, including recommendations for risk monitoring and contractual requirements.

Prevalent mitigates concentration risks by identifying fourth-party relationships through a native identification assessment or by passively scanning the third party’s public infrastructure. The resulting relationship map depicts information paths and dependencies that could open pathways into an environment.

Suppliers are monitored to identify financial, ESG, cyber, business, and data breach risks, as well as to uncover sanctions and politically exposed persons (PEP) tied to each organization.

Together, these capabilities help to identify third-party concentration risk and fourth parties in the extended vendor ecosystem.

Article 27: Key Contractual Provisions

Article 27 includes guidance for ensuring that third-party vendor contracts include rights and obligations that can be continuously assessed.

Prevalent centralizes the distribution, discussion, retention, and review of vendor contracts. The Prevalent platform also offers workflow capabilities to automate the contract lifecycle from onboarding to offboarding. Key capabilities include:

• Central tracking of all contracts and contract attributes such as type, start and end dates, value, reminders, and status – with customized, role-based views
• Workflows based on user or contract type to automate the progression of contract lifecycles
• Automated reminders and overdue notices to keep reviews on track
• Centralized contract discussions and comments, plus the ability to limit discussions to internal participants only
• Contract and document storage with role-based permissions and audit trail tracking
• Version control tracking capabilities that enable document changes to be reviewed offline
• Role-based permissions that enable allocation of duties, access to contracts, and read/write/modify access

By simplifying the process of managing and chasing vendor contracts, redlines, dates, and other key attributes, Prevalent ensures that key contract provisions are tracked to successful outcomes.

Section II: Oversight Framework of Critical ICT Third-Party Service Providers

Article 28: Designation of Critical ICT Third-Party Service Providers

Article 28 identifies key criteria for entities to consider for designating their third-party service providers as critical.

The Prevalent TPRM Platform enables security and risk management teams to automatically tier suppliers according to their inherent risk scores. Results can be used to set appropriate levels of further due diligence and to determine the criticality and scope of ongoing assessments.

Prevalent enables organizations to classify third parties based on multiple criteria, including:

• Type of content required to validate controls
• Criticality to business performance
• Location(s) and related legal or regulatory considerations
• Level of reliance on fourth parties
• Exposure to operational or client-facing processes
• Interaction with protected data
• Financial status and implications
• Reputation

The Prevalent platform’s tiering and categorization capabilities enable organizations to assess third parties according to their criticality to business operations, while informing further due diligence efforts.

Article 29: Structure of the Oversight Framework

Article 29 describes how to establish and govern a third-party risk management program, including identifying key roles.

Prevalent partners with our customers to build comprehensive third-party risk management (TPRM) programs that are based on proven best practices and extensive real-world experience. Our experts collaborate with customers on everything from defining TPRM processes and selecting assessment questionnaires and regulatory frameworks, to continually evaluating and optimizing the TPRM program to address the entire third-party risk lifecycle.

As part of this process Prevalent helps to define:

• Clear roles and responsibilities (e.g., RACI)
• Third-party inventories
• Risk scoring and thresholds to identify risks based on appetite
• Assessment and monitoring methodologies based on business criticality
• Fourth-party mapping
• Sources of continuous monitoring data (cyber, business, reputational, financial)
• Key performance indicators (KPIs) and key risk indicators (KRIs)
• Governing policies, standards, systems and processes to protect data
• Compliance and contractual reporting requirements against service levels
• Incident response requirements
• Risk and internal stakeholder reporting
• Risk mitigation and remediation strategies

Article 32: Request for Information

Article 33: General Investigations

Articles 32 and 33 explain how to conduct audits and other related investigations, including identifying the types of data to collect.

Prevalent provides the foundation for a mature third-party risk management program by helping security and risk management teams address risks across every stage of the vendor lifecycle. The Platform delivers:

• Automated vendor onboarding and offboarding
• Automated profiling, tiering, and inherent and residual risk scoring
• Automated fourth-party mapping and vendor demographics
• A vast library of standardized and custom risk assessments with automated risk creation, workflow, tasks, and supporting evidence management
• Native continuous cyber, business, reputational, screening, and financial risk monitoring to correlate risks against assessment results and validate findings
• Executive, program and operator-level reporting that is backed by machine learning analytics to normalize and correlate findings from multiple sources
• Automated compliance and risk reporting by framework or regulation
• Remediation management with built-in guidance
• Contract and RFX management to facilitate more complete risk management prior to onboarding

Prevalent includes more than 200 questionnaire templates in its platform’s survey library, plus tens of thousands of completed assessments in its network exchanges. This enables organizations to assess third parties against multiple risk domains, from cybersecurity and data privacy to business and operational resilience.

Article 34: Onsite Inspections

Article 24 describes processes for onsite controls reviews and audits.

The Prevalent Controls Validation Service reviews third-party assessment responses and documentation against established testing protocols to validate that indicated controls are in place.

Prevalent experts first review assessment responses and then map the responses to SIG, SCA, ISO, SOC II, AITECH, and/or other control frameworks. We also work with customers to develop remediation plans and track them to completion. With remote and onsite options available, Prevalent delivers the expertise to help organizations reduce risk with their existing resources.

Article 35: Ongoing Oversight

Article 35 describes processes for ongoing management of a third-party risk management program, including continuous monitoring and obligations for regular reporting to relevant authorities.

To simplify ongoing oversight of third-party risk management programs, Prevalent delivers continuous risk monitoring, remediation guidance, and compliance reporting.

Prevalent Vendor Threat Monitor continuously tracks and analyzes external threats to third parties. The solution monitors the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information. Prevalent integrates and correlates continuous monitoring and profile insights against assessment results to provide a central location to view and act on risks.

Built-in remediation recommendations accelerate risk mitigations with third parties. Organizations can use the platform to communicate with vendors and coordinate remediation efforts, as well as capture and audit conversations; record estimated completion dates; accept or reject individual assessment responses; assign tasks based on risks, documents or entities; and match documentation and evidence to risks.
The Platform includes dozens of pre-built compliance and risk reporting templates by framework or regulation to simplify ongoing audits.