Simplify DORA Third-Party Assessments
The Digital Operational Resilience Act (DORA) is designed to ensure that the European financial sector is able to maintain resilience during severe operational disruptions.
DORA sets uniform requirements for the security of network and information systems of companies and organizations operating in the financial sector such as banks, insurance companies and investment firms.
DORA creates a regulatory framework for digital operational resilience whereby all firms must confirm that they can withstand, respond to, and recover from a wide range of ICT disruptions and cyber threats. It also applies to critical third parties that provide ICT (Information and Communication Technology) services to the financial services industry, such as cloud platforms or data analytics services.
Manage ICT third-party risk as an integral component of all ICT risk.
Assess concentration risk and the risk associated with fourth and Nth parties.
Ensure that third-party vendor contracts include rights and obligations that can be continuously assessed.
Apply consistent methodology to assess critical third parties.
Establish and govern a third-party risk management program, including identifying key roles.
Conduct audits and onsite inspections, and monitor the program over time.
The DORA Third-Party Compliance Checklist
This comprehensive checklist examines key articles in DORA Chapter V: Managing of ICT Third-Party Risk and provides guidance for meeting the requirements.
Mapping Prevalent Capabilities to Requirements in DORA Chapter V: Managing of ICT Third-Party Risk
Chapter V includes several provisions aimed at ensuring that organizations establish and maintain a rigorous third-party risk management program.
NOTE: This information is presented as summary guidance only. Organizations should review DORA requirements in full in consultation with their auditors.
Section I: Key Principles for a Sound Management of ICT Third-Party Risk
Article 25: General Principles
“Financial entities shall manage ICT third-party risk as an integral component of ICT risk within their ICT risk management framework and in accordance with the following principles …” To summarize, the principles address areas including contract management, third-party criticality, reporting, pre-contract due diligence, auditing, and exit strategies.
The Prevalent Third-Party Risk Management Platform is a SaaS solution that automates workflows required to identify, assess, manage, continuously monitor, report on, and remediate third-party IT security, privacy, compliance, operational, and procurement/supply chain-related risks throughout the vendor lifecycle.
Key solution capabilities that address Article 25 requirements include:
Article 26: Preliminary Assessment of ICT Concentration Risk and Further Sub-Outsourcing Arrangements
Article 26 includes provisions to guide entities in assessing concentration risk and the risk associated with fourth and Nth parties, including recommendations for risk monitoring and contractual requirements.
Prevalent mitigates concentration risks by identifying fourth-party relationships through a native identification assessment or by passively scanning the third party’s public infrastructure. The resulting relationship map depicts information paths and dependencies that could open pathways into an environment.
Suppliers are monitored to identify financial, ESG, cyber, business, and data breach risks, as well as to uncover sanctions and politically exposed persons (PEP) tied to each organization.
Together, these capabilities help to identify third-party concentration risk and fourth parties in the extended vendor ecosystem.
Article 27: Key Contractual Provisions
Article 27 includes guidance for ensuring that third-party vendor contracts include rights and obligations that can be continuously assessed.
Prevalent centralizes the distribution, discussion, retention, and review of vendor contracts. The Prevalent platform also offers workflow capabilities to automate the contract lifecycle from onboarding to offboarding. Key capabilities include:
By simplifying the process of managing and chasing vendor contracts, redlines, dates, and other key attributes, Prevalent ensures that key contract provisions are tracked to successful outcomes.
Section II: Oversight Framework of Critical ICT Third-Party Service Providers
Article 28: Designation of Critical ICT Third-Party Service Providers
Article 28 identifies key criteria for entities to consider for designating their third-party service providers as critical.
The Prevalent TPRM Platform enables security and risk management teams to automatically tier suppliers according to their inherent risk scores. Results can be used to set appropriate levels of further due diligence and to determine the criticality and scope of ongoing assessments.
Prevalent enables organizations to classify third parties based on multiple criteria, including:
The Prevalent platform’s tiering and categorization capabilities enable organizations to assess third parties according to their criticality to business operations, while informing further due diligence efforts.
Article 29: Structure of the Oversight Framework
Article 29 describes how to establish and govern a third-party risk management program, including identifying key roles.
Prevalent partners with our customers to build comprehensive third-party risk management (TPRM) programs that are based on proven best practices and extensive real-world experience. Our experts collaborate with customers on everything from defining TPRM processes and selecting assessment questionnaires and regulatory frameworks, to continually evaluating and optimizing the TPRM program to address the entire third-party risk lifecycle.
As part of this process Prevalent helps to define:
Article 32: Request for Information
Article 33: General Investigations
Articles 32 and 33 explain how to conduct audits and other related investigations, including identifying the types of data to collect.
Prevalent provides the foundation for a mature third-party risk management program by helping security and risk management teams address risks across every stage of the vendor lifecycle. The Platform delivers:
Prevalent includes more than 200 questionnaire templates in its platform’s survey library, plus tens of thousands of completed assessments in its network exchanges. This enables organizations to assess third parties against multiple risk domains, from cybersecurity and data privacy to business and operational resilience.
Article 34: Onsite Inspections
Article 34 describes processes for onsite controls reviews and audits.
The Prevalent Controls Validation Service reviews third-party assessment responses and documentation against established testing protocols to validate that indicated controls are in place.
Prevalent experts first review assessment responses and then map the responses to SIG, SCA, ISO, SOC II, AITECH, and/or other control frameworks. We also work with customers to develop remediation plans and track them to completion. With remote and onsite options available, Prevalent delivers the expertise to help organizations reduce risk with their existing resources.
Article 35: Ongoing Oversight
Article 35 describes processes for ongoing management of a third-party risk management program, including continuous monitoring and obligations for regular reporting to relevant authorities.
To simplify ongoing oversight of third-party risk management programs, Prevalent delivers continuous risk monitoring, remediation guidance, and compliance reporting.
Prevalent Vendor Threat Monitor continuously tracks and analyzes external threats to third parties. The solution monitors the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information. Prevalent integrates and correlates continuous monitoring and profile insights against assessment results to provide a central location to view and act on risks.
Built-in remediation recommendations accelerate risk mitigations with third parties. Organizations can use the platform to communicate with vendors and coordinate remediation efforts, as well as capture and audit conversations; record estimated completion dates; accept or reject individual assessment responses; assign tasks based on risks, documents or entities; and match documentation and evidence to risks.