In January this year, a network configuration changed in an obscure part of the web’s infrastructure, and a large number of businesses ground to a halt. Meetings were cancelled, emails went unsent and companies lost access to critical data to support their operations.
This demonstrated a reality many companies have avoided acknowledging - that businesses are increasingly reliant on third-party service organisations to keep critical parts of their businesses running. Failures at service providers can have a serious impact on individual companies and on wider market integrity, financial stability, and customer protection.
Regulators are waking up to this and increasing their scrutiny of how companies govern third-party relationships. They expect the level of oversight of third parties to be commensurate with the sometimes existential criticality of those third parties. Two regulations have been proposed or finalised - DORA in the EU and PS21/3 in the UK respectively - and they expose the shortfall of typical approaches to understanding third-party risk and require a fresh approach.
Financial services firms have traditionally used two methods to investigate and gain confidence in third-party providers’ resilience. One: asking the providers themselves, usually via a due diligence questionnaire. Two: single-point or point-by-point testing of aspects of a third party’s service provision. Neither method is sufficient to meet the new regulations.
Asking service providers for this information is tricky, and regulators can view it as the equivalent of the providers marking their own homework; ultimately the assurance needs to be more independent. Testing aspects of provision in isolation won’t work either. Service providers are interconnected within their own businesses and connected to one another too. Point-by-point stress testing doesn’t reveal these connections, and so masks where critical points of failure could exist, or where business continuity plans rely on shared infrastructure.
Financial services firms are incredibly complex and getting even more so. For example, one organisation we worked with thought it might have up to 10 critical service providers. By the time we unpicked sub services, infrastructure agreements, and customer journeys, we found more than 30. This company hadn’t understood how integrated third parties had become or the common pieces of infrastructure shared across those third parties.
Service providers themselves have hundreds, sometimes thousands, of clients. If every client asks them to compile a risk report tailored to its own needs, the service provider will either write thousands of reports (at great cost, which you’ll end up paying) or do what some already have and refuse to respond to such requests.
Handling it all in-house isn’t an option either, for service providers or for their customers. Most companies simply don’t have the time or the expertise, and acquiring both would be very expensive.
There is a viable solution: collective controls reports.
We know that hundreds of companies each asking for their own individual report doesn’t work. But if companies instead work together (and with expert assurance providers) to demand standardised reporting on controls over resilience, the service provider can release a single robust report with more detailed disclosures.
We already know this collective requirements approach works because financial services firms have long demanded control reports from service providers serving financially relevant information. A host of international standards, such as SOC 1, ISAE 3402 and AAF 01/20, govern those reports. And we have a great deal of experience providing such reports. Doing something similar for operational resilience and service availability has the potential to provide the transparency and detail regulators - and service users - want.
For users of the reports: you gain confidence in what you are being told at a fraction of the cost of conducting your own individual on-site reviews and testing. For service organisations, a controls report gives them some agency in calling out the specific ways their organisation addresses risk, and they are audited once rather than having to respond separately to every user. Both sides benefit from the economies of scale of testing once for a wide customer base, with the testing done by specialists who put their name to the reports they issue.
These controls reports aren’t a requirement yet, but we are moving to provide them for a number of our clients. The regulator will likely note that some organisations are seeking more rigorous assurance, see that such assurance meets the standard of effective oversight, and require a similar level from all financial services companies.
So while the regulations aren’t here or effective yet, and while there’s no strict requirement that service providers share more detail or that their clients request it, there’s also no doubt that this will change.
Find out more about third-party assurance, or speak to one of our team about how controls reports can help with operational resilience.