Management of ICT risk for third-party providers

Articles 28 and 29 of DORA outline the different general principles for third-party risk management. To be resilient against cyber threats and ICT disruptions throughout the chain, it is important to be mindful of the risks of taking ICT services from third-party providers.

These articles focus on the measures companies should take before concluding an agreement with a third-party provider. This involves the same requirements for external agreements as for intragroup agreements.

Strategy

First of all, companies should explicitly address the ICT risks arising from using services from third-party providers. This risk analysis is not an isolated exercise, but needs to be part of the organisation-wide ICT risk management framework.
Additionally, DORA requires companies to develop a strategy for third-party risk management, in which the risks of outsourcing critical services are regularly reviewed. Microenterprises are exempt from the obligation to develop this strategy.

Register

All contractual arrangements for the provision of ICT services must be recorded in a register of information. Companies should also include in this register of information whether the services purchased support critical or important activities. Supervisory authorities may request this register of information. The register of information is important for an institution's internal control, but will also be used by the ESAs to designate Critical Third-Party Service Providers (CTPPs) of the European Union.

Reporting

Furthermore, DORA requires companies to report annually to the supervisory authority which third-party ICT agreements were entered into that year. Agreements relating to critical or important functions will also have to be actively reported to the supervisory authority on an interim basis.

Analysis

Prior to concluding agreements with third-party providers, various aspects should be analysed, such as the required ICT security level and the required frequency and scope of audits and inspections. It is also important to consider any concentration risks.

Further subcontracting by the service provider may also have an impact on this. Additionally, companies also need to have an exit strategy in place if third-party providers support critical or important functions. Such exit strategy has to consider any risks that may occur on the part of the service provider, such as a disruption in provision, deterioration in quality or (premature) termination of the agreement.

The ESAs have developed a standard model for the register of contractual arrangements. They have also further elaborated the key principles for third-party risk management in an RTS. The standard model and the starting points have since been submitted to the European Commission.

Article 30 of DORA includes different provisions that companies need to include in contractual arrangements with third-party providers. It distinguishes between elements that must be included in all agreements, and additional obligations for agreements that support critical or important functions.

Examples of elements that must at all times be included in agreements are:

• Both parties’ rights and obligations.
• A full description of the services provided.
• The regions and/or countries where the services are to be provided and where data are to be processed.
• The service level to be provided.
• The level of data protection, in terms of availability, authenticity, integrity and confidentiality.
• The support in case of incidents.
• The termination rights and related minimum notice periods. In addition to the elements above, contractual arrangements on the outsourcing of services supporting critical or important functions will need to include at least the following:
• The service provider’s reporting obligation.
• The requirement for the service provider to implement and test business contingency plans.
• The obligation of the service provider to cooperate in the financial institution’s Threat-Led Penetration Tests (TLPTs).
• The right of inspection and audit by the financial entity or an appointed third party.
• It also sets additional and more in-depth requirements for the provisions that should apply to all means of subcontracting, such as detailing the services provided through accurate key performance indicators.

Microenterprises may agree with the service provider that audits and inspections are performed by an independent party appointed by the service provider, rather than microenterprises performing them themselves. However, in doing so, microenterprises should always be able to request the necessary information from this party.