Episode Notes
Third-party providers are often crucial to financial service operations, and a serious cyber risk. For that reason, EU regulators are taking a close look at the digital supply chain. Here, Burim Bivolaku, Business Information Security Officer (BISO) at ICE Trading and Clearing and Chair of FS-ISAC’s UK Strategic Subsidiary Board, talks about the biggest challenges in third-party risk management, how to address them effectively, and how FS-ISAC’s UK Strategic Subsidiary Board helps its governance structure remain both global and local.
Third-Party Risks and the Benefit of Collaboration
Reliance on third-party providers varies among financial service firms and sub-sectors, and some have more critical providers than others. But risk management considerations, especially those relating to cloud computing and to UK and EU regulation, are gaining prominence across the sector.
For that reason, the financial community should collaborate with its providers in the same way the sector routinely collaborates within itself. Proactively sharing knowledge and capabilities complements regulatory compliance requirements. And getting to know each other builds trust in a way that due diligence questionnaires do not, and trust is a vital asset during an incident, when a firm and its provider have to coordinate quickly.
Define the Third-Party Interface
Financial service firms should define, very specifically and from a cyber-risk perspective, their interface with each third-party supplier and the outputs they depend on from it. Risk outcomes manifest in different ways, from outages to contagion spreading through the supply chain, but a clear interface definition can minimize or prevent the harm. This is especially important with critical service providers, because they are core to effective risk management and overall resilience. Fourth- and fifth-party risks (the suppliers of your suppliers) can be addressed through contractual agreements that flow the same requirements down the chain.
Threat Goes Beyond the Cybersecurity Department
Cybersecurity is a multi-disciplinary, cross-organizational issue. All departments should be involved, because the implications of a cyber attack extend well beyond the security team to operations, legal, communications, and the business itself.
Why FS-ISAC’s UK Strategic Subsidiary Board is Important
FS-ISAC has a global remit because threats are cross-national, but members navigate local and jurisdictional complexities as well. FS-ISAC has enhanced its regional governance structures over the years, and the UK Strategic Subsidiary Board is a logical continuation. The Board will help FS-ISAC advance cyber risk management, sharing, and collaboration among members and authorities in the UK, provide local and global threat intelligence, and offer a forum to share best practices, knowledge, and cybersecurity frameworks.
DORA and Third-Party Risks
Collaborating with regulatory bodies on third-party risks helps drive positive regulatory change. The sector’s feedback helps ensure that measures such as the EU’s Digital Operational Resilience Act (DORA) reduce risk with appropriate proportionality.
For example, DORA includes rules requiring firms to track their third-party arrangements. Some critical service providers will not be able to absorb the additional cost of compliance and may leave the market, leaving firms dependent on a smaller number of large providers. That increases concentration risk, which in turn affects financial service firms’ resilience. The sector’s input helps regulators keep the sector safe without creating this side effect.
Advice for People Aspiring to Become BISOs
The role links information security and business functions, so hands-on experience with both business and cyber issues will help you advise your board, management, and sector. The better you understand the business, the better you can serve it.
FinCyber Today is a podcast from FS-ISAC that covers the latest developments in cybersecurity, contemporary risks, financial sector resilience and threat intelligence.
Our host Elizabeth Heathfield leads wide-ranging discussions with cybersecurity leaders and experts around the world who bring practical ideas on how to confront cyber challenges in the financial sector, improve incident response protocols, and build operational resilience.
© 2024 FS-ISAC, Inc. All rights reserved.
Burim Bivolaku has been with ICE since 2016, initially as Head of Information Security for the EMEA region, and then from April 2022 as Business Information Security Officer, Trading & Clearing, with a global remit for managing the cybersecurity programme across all ICE derivatives regulated markets, including exchanges, CCPs, trade repositories and benchmarks. He is an active participant in industry sharing and collaboration initiatives, currently serves as Chair of the FS-ISAC UK Strategic Board, and represents ICE in multiple strategic groups, such as FS-ISAC iCHEF, the FIA Cyber-Risk Task Force, the WFE GLEX Cyber Working Group, the CCP Global Cyber Working Group, the BoE CMORG Cyber Group, the FCA Trading Venues & Benchmarks Cyber Coordination Group, the US Analysis & Resilience Centre and the Netherlands’ TCO Advisory Group Cyber. Previously he served as Deputy Chair of FS-ISAC ETIC and was a founding member of the UK FSCCC Steering Committee. Burim is also involved in collaboration work with academia and is a member of the Imperial College Industry Advisory Board and the King’s College Industry Advisory Board. Prior to joining ICE, Burim served in various InfoSec leadership and CISO roles (Noble Group, BGC Partners, Bloomberg) and has a strong background in network security. Burim holds a BSc in Electrical Engineering from the University of Prishtina and an MSc in Information Systems Engineering from Southbank University in London.
Elizabeth is a storyteller at the intersection of technology and money. Layer in geopolitics and the criminal underworld and you get today's issues in cybersecurity for the global financial system. Crypto. Web 3.0. Quantum. AI. Ransomware. Privacy. Regulation. Zero-days. Supply chain attacks. Developing new and diverse talent. How to protect the future of money. These are the topics Elizabeth asks top executives and experts in the field about on FinCyber Today.