The single source of truth: DORA and third-party risk management

Phoebe Jordan

So, kicking off then, Shreeji, can you just give us a little bit of background as to why DORA is focusing on IT third-party risk and what the interesting points are?

Shreeji Doshi

What the regulators intend with DORA is to achieve stability and resilience in the financial services industry, that’s their primary goal, and to defend the industry from the various types of cyber attacks. And we’ve seen a huge increase on those attacks on the financial services industry.

Now, the reason why third parties become a critical part of this equation is because there are so many attacks that have originated from a third party.

Phoebe Jordan

And are there any that come to mind particularly?

Shreeji Doshi

There are plenty of them. Couple of them that spring to mind is the one on LastPass, which is a password manager tool, they had a huge breach.

The other one, which I think is very significant, was Okta, because it provides identity and access management solutions. Though in the disclosure they indicated not many organisations were impacted, but an ICT third-party provider like Okta, which provides identity and access management solutions, if it has a breach, there are significant ramifications for all of its clients.

In that breach, the attacker was able to access session tokens to various customer environments, and with these they were able to get access into organisations that were customers of Okta.

If, for example, there are plenty of financial organisations within the EU that are dependent on a solution like Okta, which provides identity and access management solutions, the ramifications are significant. So, these critical ICT third parties present significant risk to the entire financial services industry as a whole if they have a breach.

Phoebe Jordan

OK. So that makes an awful lot of sense. Obviously, no one wants a breach from a third party. What is DORA saying about managing the third parties, how are organisations supposed to go about it?

Shreeji Doshi

There is nuance in DORA’s requirements in the context of third-party risk management. The scope is limited to ICT third parties, and it makes sense because DORA is about digital resilience, so it is looking at digital destruction caused by ICT third parties. What DORA is requesting at a very high level from financial entities, in managing the risk from ICT third parties, is that at a foundational level they need to have an inventory of all ICT third parties and third parties that support critical functions.

Most organisations would have some kind of inventory management process, but in my experience this is something that they would need to formalise.

In addition to that, there has to be a third-party risk management framework that assesses all types of risks from ICT third parties, not just IT and cyber but legal, financial, etcetera.

One very interesting requirement included in DORA is around concentration risk from these ICT third parties. This is highly relevant to financial entities that have multiple operating companies across the Member States, because in the EU there is a significant risk of concentration risk when it comes to these ICT third parties, and that needs to be assessed.

Another intriguing requirement prescribed in the regulation – and I use the word ‘prescribe’ as it is quite prescriptive – is around the specific clauses that should be included in the contracts with these ICT third parties. It is significant, for a regulation to be this prescriptive, which I think is great. Because it will bring consistency to the financial entities on how they manage ICT third-party risk, with clauses, with contractual terms.  

And that should benefit overall third-party risk management across these financial entities.

Phoebe Jordan

Sure, and I think that’s really logical. You were saying that not all third parties are in scope, but just the ICT ones and just those that are deemed critical. How can an organisation determine which third parties are critical?

And are there any organisations where you’re thinking, does this count as an ICT organisation? Are there some cases where there are potentially third parties on the periphery of what you would consider in scope?

Shreeji Doshi

I think there is a clear definition within the regulation of what constitutes an ICT third party. And what the ESAS has done so far is it has given a clear guide as to what third parties are ICT third parties. It published a high-level report on the ICT landscape, if I’m not mistaken, last September.

If we go onto the details of that, what it identified is that there are around 15,000 ICT third parties serving around 1,600 EU financial entities. And out of these, around 9,000 were identified as supporting critical and important functions. So in a way, the regulator has already done an analysis of the organisations to provide that overview. And this report is available for anyone to look at.

In addition to that, there are already indicators provided as to what drives the criticality of ICT third parties, and how the regulator has already tried to identify that.

The regulators are basically saying, ‘how many financial entities does a third party provide services to? How many assets or functions is it managing? Are there alternatives available to these ICT third parties? Or are they very niche in what they are providing? Is it highly complex to change to another provider, or are there no other suitable providers available?’

They’ve considered multiple aspects in defining this “criticality” of providers.

Phoebe Jordan

And, in terms of how an organisation categorises its third parties, do you see it as important for the organisation to go any levels further than what’s already out there? Or they just need to take into account those that are quite clearly detailed, as you just set out?

Shreeji Doshi

What they would need to assess is whether the third parties support business critical functions or not.

If we go back to DORA, that’s one of the requirements that forms part of the risk management framework, where organisations need to create a repository of all business critical functions, what kind of assets, what kind of third parties are supporting it. So that’s already been done outside of the DORA chapter on third-party, ICT third-party risk management. It’s already done at the risk management level.

But once you have it, what do you need to do about it? DORA gives details around that.

Phoebe Jordan

Whose responsibility is it in an organisation to do this work?

Shreeji Doshi

I have a very ‘consultant’s answer’ – it depends.

And this is primarily based on experience, having seen where the responsibility has sat in various organisations. Sometimes I’ve seen that at a procurement level, sometimes I’ve seen it at a risk management level, sometimes I’ve seen this responsibility sit in security. There is also legal, where I’ve seen this responsibility sit.

Now, I think more importantly, the regulation is demanding that there be a dedicated function with someone responsible for overseeing it. It wouldn’t matter where it sits, what’s required is that there’s someone dedicated to overseeing it and managing it in a structured way. In my experience, I think it’s a lot easier to put it either in a risk or a procurement function.

So it does make sense. But again, it depends on how the organisation is structured.

Phoebe Jordan

Is there any responsibility to report back to the regulator?

Shreeji Doshi

For ICT third parties there is now, with DORA, mandatory reporting back to the regulator or competent authority. At least once a year, organisations have to report any new arrangements for the use of ICT services. We already have a reporting template provided by the regulator.

Apart from that, there is also a mandatory requirement that, if there is any change to your ICT third-party providers, that also needs to be reported. So, for example, if there is a new critical function that you’ve identified and you have a third party that was not already on your list, that also needs to be notified to the competent authority.

Additionally, the competent authority would request a full information register on an ad hoc basis. So there are some mandatory reporting requirements back to the regulator from an ICT third party, which will push organisations to ensure that they have a good inventory management process for ICT third parties.

Phoebe Jordan

Yes, certainly essential that you’ve got everything, all your ducks in a row, so that you’re able to respond and notify in the right way.

Can I go back to ask about concentration risk and exit strategies? Where should an organisation start when it comes to trying to manage their third parties from a DORA perspective?

Shreeji Doshi

Well, I think fundamental to any TPRM programme is a framework, there has to be a third-party risk management framework.

This framework has various components to it. At a strategy level, what’s there? What’s the model like, what are the policies? What are the various governance mechanisms? So this would be one of the components of the pillars within that framework.

Then we mentioned inventory being a cornerstone, which also is part of the framework. It’s at the heart of that framework, because everything is centred around that inventory, and categorisation. Currently the regulators are saying either critical or non-critical. You can further categorise non-critical into various segments depending on the type of data they have access to, how they have access to it.

There are various elements to that. Then what kind of risks from these third parties are you going to assess? What are the risk models? How are you going to look at it at an aggregate level? You need to have the full lifecycle management process around all the third parties in that inventory.

After the initial assessment, due diligence, contracting, taking in input from that initial assessment, that’s when the real work starts. What were the risks identified? How are you managing that risk if you’re not managing that risk already? What sort of priority do you need to give it? What is the governance around it? Ongoing monitoring and assessments are also an integral part of that process.

How frequently do you assess ICT third parties – do you do onsite visits? Or do you do a remote assessment or self-assessment? What kind of risk domains are you going to assess?

Phoebe Jordan

Lots to think about.

Shreeji Doshi

Yeah, lots to think about. Lots of issues with risk management, always. Then on top of this, you need to report it on a regular basis so that your governance bodies have enough information to act on. In my opinion, an organisation that’s looking to do DORA compliance should look at it more holistically to see what framework it already has in place for third-party risk management, and what refinements that framework needs.

And once those refinements are in place, then look at the DORA requirements to see if it is compliant.

Phoebe Jordan

This really goes beyond DORA, doesn’t it? I mean, it’s a global requirement really to ensure that you’re not exposed to the third parties that you’re working with.

Your point about inventory is interesting. We’ve been to quite a few meetings and been on numerous calls with organisations and a theme that emerges from all of them is that understanding who your third parties are in the very first instance can be a challenge in itself, especially when you’ve got lots of different departments or areas of the organisation acting in silos, in some cases. Actually centralising that information is really valuable.

Shreeji Doshi

And challenging, to be honest, because, as you mentioned, there are business units that have been provided with budgets to go and do procurement for themselves.

It’s very important to look at that process when you’re setting up governance to see what is going to delegated to business departments in terms of procurement. How can you know if there are ICT third parties in your daily operating environment that the central team may not be aware of?

And that I think is very critical.

Phoebe Jordan

Are there any other challenges that you think organisations face when managing third parties?

Shreeji Doshi

In general, in management of third parties? I think in in my experience, no. How much influence you have with third parties drives how you manage the issues and risks that stem from them.

With the regulatory push, that should become less challenging. That’s my hypothesis so it remains to be seen. The other thing that I typically see organisations struggle with is assessing various types of risks of third parties.

It goes beyond security needs and financial risk – it’s regulatory compliance risk, operational risk, the multiple risk areas that one needs to assess. How do you factor that into the decision making process? That’s always a challenge because there is no one-size-fits-all way of translating those risk assessments to the risk model.

There is a huge element of integrating it within the existing risk management process because that will guide anyone who’s designing or refining that kind of thing and reporting on a regular basis.

We go back to the earlier challenge of centralisation. I think if there is a centralised function to manage this, then some of these challenges can be tackled in a meaningful way.

Phoebe Jordan

How can organisations tackle the centralisation and administrative burden challenges that they have?

Shreeji Doshi

Technology’s the answer.

Phoebe Jordan

Technology, I think absolutely is the answer. Can you expand on that a little bit?

Shreeji Doshi

Doing your vendor management on an Excel sheet becomes very, very challenging. Especially when the volume is huge, and the resourcing is short, it’s nearly impossible to ensure that the information is consistent and updated at all times.

One way of mitigating that is having a tool. Obviously your policies still need to be documented outside the tool. They need to be promoted outside of the tool. But those policies will drive governance processes. Those governance processes can be implemented on the technology.

The inventory can be stored on the technology platform. The risk models can be configured on the technology, the questionnaire can be configured on the technology. Running the entire lifecycle management process can be done through technology platforms, and there are technology platforms available.

Phoebe Jordan

So a technology solution on its own won’t solve all your problems necessarily, but as part of a comprehensive framework and strategy, it can definitely go a long way.

Phoebe Jordan

So Thomas Murray has supported hundreds of organisations with managing due diligence processes, issuing questionnaires, receiving responses. That element of third-party risk management, Nita, if I was an organisation that was looking to manage third parties, what could I get from the technology?

Nita Sinha

I would say, first of all, when you’re looking at a technology solution, it should aim to eliminate manual processes as much as possible. So we have clients of all sizes, small and large, and depending on your size of organisation, you’ll have different challenges, but you can have tools supporting your use case and that is what you want out of the tool.

You should be looking to reduce the administrative burden rather than increasing it, so you don’t want something that requires long processes and intensive training when you’re adopting a new solution like this.

Other key points, which our clients value and of course you would want out of the tool, is the flexibility, I would say, because I think a standardised risk framework is very important.

You want something customisable so it’s exactly right for your company. So when you are making a decision, when you’re evaluating the tools on offer, the flexibility is quite important. It should adapt to your framework so that you can solve your challenges and problems with it.

Shreeji Doshi

You raise a very important point. I think there’s one way to look at these technology platforms. They bring in what “good” looks like from a process point of view, right? Because there is so much experience of these technology platforms, of running this over multiple clients. There is an element of best practices that these technology platforms bring, though whichever one you choose should drive the refinement of your own framework.

There has to be a balance between customising the technology platform to your requirements, and being able to adopt some elements of general best practice that the platform can enhance your framework with.

Nita Sinha

Absolutely, yes. And we do see that journey with clients, because once they are using our platform, they are centralising their information and reporting and analysis of their data.

And once the client has that single source of truth, they can actually see where the problems are and start fixing them. What do you want to improve? What do you want to standardise? And in tangible ways, get to the truth with that.

Maybe just the final point to add in terms of technology choices, the reporting is also a key aspect because you are taking in a lot of data through questionnaires, through other data feeds, a lot of information is being presented to you.

Think about how you extract the key information which matters and bring it to the forefront. And again, the key information for different organisations might be different. So you want a tool that will be able to leverage and present those facts to you and in a very easy to use manner.

Phoebe Jordan

When thinking about the number of third parties that you’re working with, is there a critical mass at which point you think, yes, now’s the time to kind of use a technology platform?

Nita Sinha

We have helped clients with very small numbers of third parties as well as clients who have very large numbers of third parties. And it’s interesting in both landscapes because when the volume is high, we are talking thousands of entities, then of course the volumes are very, very large and it’s impossible to do that manually. So you definitely need a tool to automate your processes and help you with it.

But when you’re talking about our smaller clients, what we normally find is they’ve got smaller teams and smaller numbers of providers. In those cases, their resources, their analysts are best utilised by bringing in the value-add stuff, rather than doing administrative tasks. That type of client does really appreciate using the tool.

My other thought is that we’re here today having this conversation because the regulatory landscape has changed so much over the last few years. Across many industries there’s an increased requirement to monitor third parties, so every company, big or small needs to pay attention to that.

Phoebe Jordan

The technology acts as an extension of your team. So if that’s a small team, it can add a considerable support resource. In terms of feedback from existing clients, what kind of reaction have you had? Sometimes we hear about clients or other organisations being concerned about the initial resource required to set up and manage the technology.

Nita Sinha

Again, it varies depending on the volume and the size, but I would say that there are overarching common themes for the different types of clients and standardising their processes, doing the value-add stuff and being able to identify the risk very easily – and just feeling you are in control because that comes from the transparency of information that you’re getting from these tools.

It does help clients in these areas, and this is the main benefit and the feedback we’ve had. They feel totally in control of their third-party risk management.

Phoebe Jordan

Being in control, being able to focus on the value add, that makes a lot of sense. And I think we’re seeing a rise in the number of organisations interested in managed services as well, where they can turn to an outsourced provider to actually take away that administrative burden.

Nita Sinha

Absolutely. Even with the automated part of the tool, there are still a number of things that today require some sort of human input.

When you’re talking about our managed services, all of these are standardised, and they’re done in a very process-driven manner. So again, it helps our clients to focus on their own value-add activities and their input and analysis. That’s where the managed service comes into play.