Finance sector lacking third-party risk plans despite DORA push
New global research into third-party risk management has revealed that only 20.8% of finance professionals have stressed exit plans with suppliers in place, despite recommendations from the Digital Operational Resilience Act (DORA).
This information comes at a crucial time following a recent CrowdStrike outage, which highlighted the significant impact that third-party IT failures can have on key industries, particularly banking and finance.
The Supplier Stability in Operational Resilience report, commissioned by Escode and CeFPro, has unearthed these findings, shedding light on a critical vulnerability within financial institutions. The CrowdStrike outage in July caused significant disruptions globally due to a faulty software update, underscoring the necessity for more robust digital supply chain resilience in the financial services sector.
Despite the push from financial regulators to embed third-party risk management at all levels, the report indicates that compliance is exceedingly low. Only a fifth of financial professionals surveyed said they have stressed exit plans in the majority of their third-party agreements, including those with software suppliers.
Financial services have become increasingly dependent on complex third-party IT ecosystems. This dependence magnifies the risks associated with supplier disruptions. Regulatory bodies around the world, including the Bank of England and the Office of the Comptroller of the Currency, have issued guidelines aimed at enhancing third-party risk management and operational resilience across the financial sector.
The European Union's DORA is a notable example of such guidelines. DORA mandates that by January 2025, all ICT third-party license agreements must include stressed exit plans to mitigate supplier failures, such as cloud outages or software company insolvencies. However, the new survey by Escode and CeFPro suggests the financial sector remains worryingly unprepared. Only 20.8% of global professionals reported having such plans in place for the majority of their agreements, and just 18.7% expressed complete confidence in their current plans.
Financial institutions continue to experience severe material impacts from supply chain failures. Recently, 500,000 members of the Australian superannuation fund UniSuper were unable to access their accounts due to a Google Cloud misconfiguration.
Wayne Scott, Regulatory Compliance Solutions Lead at Escode, emphasised the pressing need for improved supply chain management practices in the financial industry. "The financial industry faces a pivotal moment to fortify its supply chain management practices. Regulatory pressures are intensifying and creating challenges that strain institutions and their customers. It is troubling that there is still considerable variability in how third party governance is approached across the industry, particularly in light of events such as the CrowdStrike outage."
"As these institutions become more digitally reliant, often on a number of third party suppliers, action must be taken to mitigate the impact of disruption from one point of a supply chain," he stated.
Scott added, "The fact that only a fraction of institutions have robust stressed exit plans is cause for real concern. It's not a matter of neglecting recommendations, but rather a need for better support and education on implementing these critical measures."
"Whether that's from ensuring access to vital information during supplier failures and rigorous scenario testing to identify weaknesses, to the use of escrow agreements when working with software suppliers - which regulators have noted as for active consideration in their recommendations. This is about taking a preventative, detective approach - ultimately the only way the industry can withstand the increasingly complex risk landscape it faces."
Andreas Simou, Managing Director at CeFPro, also commented on the findings, stating, "The recent CrowdStrike outage underscores the essential need for comprehensive third-party risk oversight and management. Our findings reveal that significant work is needed in TPRM, with half of the respondents lacking confidence in meeting regulatory compliance demands. With increasing scrutiny and regulatory pressures, including the EU's DORA, it is imperative to ask: How prepared are financial organisations for the numerous risks on the horizon, and what needs to happen for us to overcome this?"
The report draws from a survey of 107 respondents within financial institutions across the UK, North America, and Europe, supplemented by expert interviews.