SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers
United Kingdom
Guides
#
cloud security
#
cybersecurity
#
endpoint protection
#
firewalls
#
ransomware
Search
Story image
#
AI Security
#
Risk & Compliance
#
Bank of England

Finance sector lacking third-party risk plans despite DORA push

Fri, 23rd Aug 2024
Author image
By Catherine Knowles, Journalist

New global research into third party risk management has revealed that only 20.8% of finance professionals have stressed exit plans with suppliers in place, despite recommendations from the Digital Operational Resilience Act (DORA).

This information comes at a crucial time following a recent CrowdStrike outage, which highlighted the significant impact that third-party IT failures can have on key industries, particularly banking and finance.

The Supplier Stability in Operational Resilience report, commissioned by Escode and CeFPro, has unearthed these findings, shedding light on a critical vulnerability within financial institutions. The CrowdStrike outage in July caused significant disruptions globally due to a faulty software update, underscoring the necessity for more robust digital supply chain resilience in the financial services sector.

Despite the push from financial regulators to embed third party risk management at all levels, the report indicates that compliance is exceedingly low. Only a fifth of financial professionals surveyed said they have stressed exit plans in the majority of their third party agreements, including those with software suppliers.

Financial services have become increasingly dependent on complex third party IT ecosystems. This dependence magnifies the risks associated with supplier disruptions. Regulatory bodies around the world, including the Bank of England and the Office of the Comptroller of the Currency, have issued guidelines aimed at enhancing third party risk management and operational resilience across the financial sector.

The European Union's DORA is a notable example of such guidelines. DORA mandates that by January 2025, all ICT third party license agreements must include stressed exit plans to mitigate against supplier failures, such as cloud outages or software company insolvencies. However, the new survey by Escode and CeFPro suggests the financial sector remains worryingly unprepared. Only 20.8% of global professionals reported having such plans in place for the majority of their agreements, and just 18.7% expressed complete confidence in their current plans.

Financial institutions continue to experience severe material impacts from supply chain failures. Recently, 500,000 members of the Australian superannuation fund UniSuper were unable to access their accounts due to a Google Cloud misconfiguration.

Wayne Scott, Regulatory Compliance Solutions Lead at Escode, emphasised the pressing need for improved supply chain management practices in the financial industry. "The financial industry faces a pivotal moment to fortify its supply chain management practices. Regulatory pressures are intensifying and creating challenges that strain institutions and their customers. It is troubling that there is still considerable variability in how third party governance is approached across the industry, particularly in light of events such as the CrowdStrike outage."

"As these institutions become more digitally reliant, often on a number of third party suppliers, action must be taken to mitigate the impact of disruption from one point of a supply chain," he stated.

Scott added, "The fact that only a fraction of institutions have robust stressed exit plans is cause for real concern. It’s not a matter of neglecting recommendations, but rather a need for better support and education on implementing these critical measures."

"Whether that’s from ensuring access to vital information during supplier failures and rigorous scenario testing to identify weaknesses, to the use of escrow agreements when working with software suppliers - which regulators have noted as for active consideration in their recommendations. This is about taking a preventative, detective approach - ultimately the only way the industry can withstand the increasingly complex risk landscape it faces."

Andreas Simou, Managing Director at CeFPro, also commented on the findings, stating, "The recent CrowdStrike outage underscores the essential need for comprehensive third-party risk oversight and management. Our findings reveal that significant work is needed in TPRM, with half of the respondents lacking confidence in meeting regulatory compliance demands. With increasing scrutiny and regulatory pressures, including the EU's DORA, it is imperative to ask: How prepared are financial organisations for the numerous risks on the horizon, and what needs to happen for us to overcome this?"

The report draws from a survey of 107 respondents within financial institutions across the UK, North America, and Europe, supplemented by expert interviews.

Follow us on:
Follow us on LinkedIn Follow us on X
Share on:
Share on LinkedIn Share on X
Related stories
UK businesses lag in cybersecurity & tech connectivity
SQR acquired by SQRx to drive digital identity innovation
UK firms lag in cybersecurity confidence, study reveals
Trustwave highlights critical cyber threats to financial services
Cyber-attack on Transport for London raises urgent cybersecurity concerns
Top stories
Radware reports web DDoS attack activity
Hiding in plain sight – How attackers conceal malware in everyday web resources
Exclusive: G+D's Gabrielle Bugat discusses future innovations in ePayments
ReliaQuest reveals sophisticated Inc Ransom tactics in attack analysis
Report: genAI rapidly advancing in cybersecurity operations