Critical third parties: resilience and regulation

David Ferbrache at Beyond Blue investigates third party resilience and the implications for the financial sector in the UK

 

Organisations today heavily depend on external providers to operate successfully, whether that be IT infrastructure, managed services, data and analytic providers or a host of new digital services which we couldn’t have imagined ten years ago. 

 

Yet, this heightened reliance also comes with the potential for significant security and resilience risks. 

 

Within complex digital supply chains, the failure of one link can trigger a cascading effect across other systems. Look no further than the recent CrowdStrike outage for proof. 

 

As a result of these increased digital dependencies, financial sector regulators have grown increasingly concerned about the impact a failure at a third party could have on the stability of banking and the broader financial sector.

 

Critical third party regulation

This has been the key driver behind the recently released Critical Third Party (CTP) regulations (PS16/24), from the UK’s Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA). Although, similar themes can be seen in the Digital Operational Resilience Act (DORA) from the EU and its third party regime.

 

The UK regulations specifically address a growing concern about the concentration risk associated with certain providers in the financial sector. While the Treasury has yet to start the process of designating CTPs, we expect these regulations will only target a small number of third parties, whose failure has the potential to cause a major systemic issue for the UK. 

 

For those third parties, the regulations bring an expectation that they will comply with a set of fundamental rules, which cover conducting business with integrity, due skill and diligence, acting in a prudent manner, having effective risk management systems, organising affairs responsibly and being open with the regulator.

 

There are also requirements around operational resilience in areas of governance, risk management, supply chain management, technology and cyber resilience, mapping of services to underlying assets, incident management and service termination.

 

The regulations also embed the concept of scenario testing and incident management playbook exercising, drawn from the broader Operational Resilience regulations – along with the idea of a self-assessment of the resilience state of the CTP, which must be shared with the regulators and also (albeit allowing for redactions) with their financial sector customers and clients. 

 

Incident reporting obligations also follow, not just to the regulators, but to any affected financial sector firms – and an expectation of engaging with sector collective incident response structures, such as the Cross-Markets Operational Resilience Group (CMORG) sector response framework.

 

The new regulations come into force on the 1st January 2025, but at this stage await the designation of CTPs by the Treasury, which has its own process and consultation mechanisms. 

 

So, while no firms will be impacted immediately, we expect that cloud service providers along with the largest managed service and data providers can begin to see what awaits them, if designated.

 

The broader supplier community

Looking beyond this small community there are many other third parties whose failure may impact financial sector firms, but may not meet the demanding criteria of systemic importance set out in the CTP regulations.

 

This group of third parties may still cause an upstream financial institution client to fail to provide an important business service (IBS) to their customers, or an outage of sufficient duration that the financial institution causes intolerable harm to its customers. 

 

The financial sector has also been working to develop its expectations on this broader group of Significant Third Parties. Those third parties won’t be directly regulated under the CTP regime, but the banks and other financial firms who rely on them still need to be confident in the services they provide and their resilience. 

 

CMORG has been developing guidance on just what may be expected of those third parties, while responding to concerns that many of the third parties are being approached by their clients with very different asks over evidence of their resilience. With hundreds of regulated financial firms all asking similar, but subtly different, questions of their suppliers – there is potential for confusion and much wasted effort. Guidance published in September 2024 by CMORG is essential reading for third parties who support the sector.

 

The guidance covers scenario testing, evidential requirements around resilience, alignment of contractual obligations on third parties, and the scope for collaborative testing where a “test once use many” approach can reduce the test burden on third parties. Ultimately financial firms remain responsible for their own resilience, even if the third parties are separately regulated, so have a vested interest in gaining the maximum assurance they can over the resilience of their third parties.

 

The CMORG guidance covers five major aspects: 

1. Scenario testing: Supply chain partners should implement robust scenario testing frameworks, ensuring that their services can withstand severe but plausible disruptions. There is substantial experience across the sector now in how to undertake such testing and much that third parties can draw on as effective practice.
2. Scenario selection: Selecting the right scenarios for testing is crucial. CMORG recommends using a scenario library, which includes a repository of severe but plausible scenarios. 
3. Evidential requirements: Financial firms need clear, verifiable evidence that their third parties can respond to disruptive scenarios. This includes technical, organisational and contractual controls, such as backups and restore processes for critical data, recovery timelines and resilience governance structures.
4. Contractual obligations: CMORG recommends embedding scenario testing obligations into contracts to ensure that third parties commit to supporting resilience requirements. Contracts should specify that third parties must conduct scenario tests and share relevant outcomes with financial firms. This not only facilitates transparency but also helps firms meet regulatory obligations.
5. Community testing: Financial regulators and industry groups should promote community-wide testing initiatives to reduce duplicative efforts and foster collaboration across the sector. This approach involves multiple financial firms collaborating to sponsor tests that evaluate common third-party services.  

By adopting these best practices, financial firms and third party providers can work together to meet the requirements of the regulations, improving the stability of their services, while ensuring that critical services remain robust, even in the face of severe disruptions.

 

Growing attention

As we move into 2025, we can expect growing attention to be paid to third party resilience. 

 

We will see the initial CTP designations by the Treasury, but the financial sector will also look to operationalise the CMORG recommendations, regarding third party resilience and collaborative testing. 

 

We may also see some more surprises as the Cyber Security and Resilience Bill progresses through Parliament in 2025, bringing its own regulatory requirements on managed service providers.

 

---

 

David Ferbrache is managing director at Beyond Blue

 

Main image courtesy of iStockPhoto.com and MicroStockHub