Prioritising Third-Party Risk Management Under DORA
Discover how to enhance the resilience of the Financial sector through strategic oversight of ICT providers and through compliance with DORA.
Based on recent market studies and industry analyses, third-party ICT risk management has become the key priority for financial institutions preparing for the Digital Operational Resilience Act (DORA). This focus reflects their growing reliance on third-party ICT service providers, including cloud services, fintech partnerships, and other digital vendors.
Why this focus?
This focus is driven by several factors. Financial institutions increasingly depend on third-party providers for critical ICT services, which exposes them to vulnerabilities outside their direct control and makes managing that risk a priority.
Regulatory bodies, recognising the key role of these providers, stress the need for stringent oversight to ensure they meet high cybersecurity and resilience standards. The dominance of a few large providers in the market introduces concentration risks, where disruptions could impact multiple institutions simultaneously, posing systemic risks. To address these challenges, DORA requires financial entities to establish robust compliance frameworks, continuous monitoring, and coordinated incident response plans with third-party providers.
In summary, DORA's focus on third-party risk management is key to building a resilient digital infrastructure that can withstand disruptions, protect consumers, and maintain market stability.
Strategic and operational measures
To align with the key objective of third-party risk management under DORA, financial companies can adopt several strategic and operational measures. These steps ensure that third-party ICT service providers adhere to necessary standards of cybersecurity, operational resilience, and regulatory compliance.
Companies should establish a third-party risk management framework policy through which business needs are defined, critical providers are identified, risk assessments are conducted (as per Regulation (EU) 2022/2554 and sectoral laws), and rigorous due diligence processes are set. The policy should include a process for selecting and assessing ICT third-party providers, meaning that, before contracting, each company must evaluate aspects such as the provider's reputation, resources, expertise, authorisations, ability to monitor ICT developments, use of sub-contractors, location of operations and data storage, willingness to allow audits, and ethical practices. It must also specify the assurance level expected of the provider's risk management and ensure due diligence on risk mitigation and business continuity. Finally, the policy should state which evidence counts as assurance: audits, independent reports, third-party certifications, or other relevant data.
Contracts with third-party providers should include enhanced security clauses, resilience requirements, and rights to audit their practices. Continuous monitoring and regular audits are important to track providers' performance, security, and compliance.
Integrated incident response plans that include third-party providers should be developed, tested, and regularly updated. Companies must also ensure that their practices align with DORA's requirements, including reporting obligations for ICT-related incidents. This involves providing training and fostering collaboration with industry peers and regulators. Diversification and redundancy strategies are essential to avoid relying too heavily on a single provider. Developing internal capabilities can also help reduce external dependencies.
By following these steps, companies can not only comply with DORA but also strengthen their operational resilience, enabling them to better withstand and recover from potential disruptions.
Challenges in the alignment process
Aligning with the third-party risk management objectives of DORA presents several challenges for financial institutions. These challenges arise from the complexity of managing numerous third-party relationships, the evolving cybersecurity landscape, and the requirements DORA imposes.
Managing third-party relationships is complex and resource-intensive, especially when dealing with global providers. Financial institutions should prioritise their most important providers, automate vendor risk management processes, and standardise assessment criteria. Ensuring compliance with DORA's requirements is particularly challenging for non-EU providers; clear contractual obligations, regular audits, and training can help achieve it. Effective risk management is hampered by a lack of visibility into third-party operations, but advanced risk management tools, enhanced communication, and regular third-party audits can improve that visibility. In addition, concentration risk, especially in the context of cloud services, poses a significant threat. Institutions should diversify their provider portfolios, implement redundancy plans, and regularly stress test critical services.
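To make the concentration and redundancy checks above concrete, here is an added Python example that is not part of the original article and is not any vendor's or regulator's tooling. It runs two checks over a constructed sample register of ICT arrangements: which critical functions depend on a single provider (no fallback), and which providers support more than an agreed share of all critical functions. The register layout, the fictional providers and functions, and the 50% threshold are all assumptions for illustration, not DORA's register-of-information template.

```python
"""Concentration-risk and single-provider checks over an ICT third-party register.

Added example, not from the article. The field set of the register and the
sample data are assumptions chosen for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Arrangement:
    """One contractual ICT arrangement as it might appear in the register
    (the field set is an assumption for this example)."""
    provider: str   # ICT third-party service provider
    service: str    # contracted ICT service
    function: str   # business function the service supports
    critical: bool  # whether that function is critical or important


# Constructed sample register with fictional providers and functions.
SAMPLE_REGISTER = [
    Arrangement("CloudCo", "IaaS", "payments", True),
    Arrangement("CloudCo", "IaaS", "customer-portal", True),
    Arrangement("CloudCo", "object-storage", "reporting", False),
    Arrangement("CoreBankVendor", "core-banking-SaaS", "ledger", True),
    Arrangement("BackupCo", "offsite-backup", "payments", True),
    Arrangement("MsgCo", "sms-gateway", "customer-notifications", False),
]


def providers_by_critical_function(register):
    """Map each critical function to the set of providers supporting it."""
    mapping = defaultdict(set)
    for a in register:
        if a.critical:
            mapping[a.function].add(a.provider)
    return dict(mapping)


def single_provider_functions(register):
    """Critical functions that depend on exactly one provider: there is no
    redundancy, so a disruption at that provider takes the function down."""
    by_function = providers_by_critical_function(register)
    return sorted(f for f, provs in by_function.items() if len(provs) == 1)


def concentration_findings(register, max_share=0.5):
    """Providers supporting more than max_share of all critical functions.

    Returns (provider, functions_supported, total_critical_functions) tuples,
    largest share first. The default threshold is an illustrative risk
    appetite, not a value prescribed by DORA.
    """
    by_function = providers_by_critical_function(register)
    total = len(by_function)
    if total == 0:
        return []
    per_provider = defaultdict(set)
    for function, provs in by_function.items():
        for p in provs:
            per_provider[p].add(function)
    findings = [(p, len(fs), total) for p, fs in per_provider.items()
                if len(fs) / total > max_share]
    return sorted(findings, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    for f in single_provider_functions(SAMPLE_REGISTER):
        print(f"no fallback provider for critical function: {f}")
    for p, n, total in concentration_findings(SAMPLE_REGISTER):
        print(f"concentration: {p} supports {n}/{total} critical functions")
```

On the sample data, the single-provider check flags the customer portal and the ledger, and the concentration check flags CloudCo, which underpins two of the three critical functions. Only arrangements marked critical feed the checks, so the quality of the output depends on the institution having classified its functions first; non-critical services such as the SMS gateway are deliberately ignored.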
The rapidly evolving cybersecurity landscape adds further challenges, as third-party providers may not always be prepared for new threats. Continuous monitoring, proactive security measures, and collaborative incident response plans are key to mitigating these risks. Cultural and organisational resistance can also hinder the adoption of third-party risk management practices. Securing leadership commitment, establishing cross-functional teams, and providing ongoing education can help embed these practices across the organisation.
By proactively addressing these challenges, financial institutions can align with DORA’s third-party risk management objectives, ensuring compliance while enhancing their overall operational resilience and security posture.
Managing third-party risk and aligning with DORA
To effectively manage third-party risk and align with DORA, financial institutions can utilise a combination of technical solutions and platforms. These solutions help automate, streamline, and enhance the processes required for third-party risk management, including vendor assessments, continuous monitoring, incident response, and compliance reporting.
Archer IRM (RSA Archer) offers integrated risk management, bringing together functions such as vendor assessments and automating compliance management processes, both of which are important for adhering to DORA's requirements. ServiceNow GRC supports real-time monitoring, so that institutions can continuously assess and mitigate third-party risks.
Splunk enhances security monitoring by providing real-time insights into security events and analysing large data volumes to detect threats from third-party vendors. Cortex XSOAR automates incident response, enabling swift and coordinated actions in the event of cybersecurity incidents, including those involving third parties. Microsoft Power Apps allows institutions to build custom applications for tracking vendor performance, compliance, and incident management, further streamlining their risk management processes.
By integrating these platforms, financial institutions can build a comprehensive approach to managing third-party risks, ensuring compliance with DORA while enhancing their operational resilience and cybersecurity posture.