Overall risk profile and complexity for 3rd Party vendors with DORA
Nov 21, 2024
Welcome back to another part of our 3rd party DORA compliance explainer series. We have covered due diligence on vendors, as well as contract management in the previous episodes. Today we are going to dive into overall risk profile and uncover what exactly it all means.
Defining the risk profile for 3rd party vendors can sometimes be a little tricky, but with DORA it's fairly straightforward, as it's written out in the following article.
Overall risk profile and complexity
The policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers shall take into account, for the purpose of Articles 3 to 10, at least the following elements of increased or reduced risk or complexity:
(a) the type of ICT services included in the contractual arrangement between the financial entity and the ICT-third party service provider;
(b) the location of the ICT third-party service provider or its parent company;
(c) whether the provision of ICT services supporting critical or important functions by ICT third-party service provider is located within a Member State or in a third country, also considering the location where the ICT services are actually provided from and the location where the data is actually processed and stored;
(d) the nature of data shared with the ICT third-party service providers;
(e) whether the ICT third-party service providers are part of the same group of the financial entity;
(f) the use of ICT third-party service providers that are authorised, registered or subject to supervision or oversight by a competent authority in a Member State or subject to the oversight framework under Section II of Chapter V of Regulation (EU) 2022/2554 and those that are not;
(g) the use of ICT third-party service providers that are authorised, registered or subject to supervision or oversight by a supervisory authority from a third country and are subject to supervision or oversight and those that are not;
(h) the concentration in the provision of ICT services supporting critical or important functions by a single or small number of ICT third-party service providers;
(i) the transferability of the ICT service supporting a critical or important function to another ICT third-party service provider, including as a result of technology specificities;
(j) the potential impact of disruptions on the continuity and availability of the financial entity’s activities.
Purpose
This article explains how financial entities should consider various factors that affect the risk and complexity of using ICT (Information and Communication Technology) services provided by third-party service providers.
Key Points
Type of ICT Services: The policy should consider what kind of ICT services are included in the contract between the financial entity and the ICT third-party service provider. Different types of services may carry different levels of risk.
Location: The location of the ICT third-party service provider or its parent company is important. This includes considering whether the services are provided within the same country (Member State) or from a third country, as this can affect regulatory compliance and risk levels.
Geographical Considerations: It's crucial to know where the ICT services are actually provided from and where the data is processed and stored. Services provided from different locations can have varying risks, especially if they are in countries with different regulatory standards.
Nature of Data: The policy should take into account the type of data shared with the ICT third-party service providers. Sensitive or critical data may require more stringent controls and assessments.
Group Affiliation: If the ICT third-party service providers are part of the same corporate group as the financial entity, this can influence the risk profile and complexity of the services provided.
Regulatory Status:
The policy should consider whether the ICT third-party service providers are authorized, registered, or supervised by a competent authority in a Member State.
It should also consider if they are subject to the oversight framework under specific EU regulations.
Additionally, the policy should check if the providers are authorized, registered, or supervised by a supervisory authority from a third country.
Service Concentration: The policy should evaluate if there is a concentration of critical or important ICT services provided by a single or a small number of ICT third-party service providers. Relying heavily on a few providers can increase risk.
Service Transferability: The policy should assess how easily the ICT service supporting critical or important functions can be transferred to another ICT third-party service provider. This includes considering any technology-specific factors that might affect transferability.
Impact of Disruptions: Finally, the policy should consider the potential impact of any disruptions on the continuity and availability of the financial entity’s activities. Understanding this impact helps in planning for and mitigating risks.
So there you have it: a complete explainer on how to build the risk profile for 3rd party vendors under DORA.
References
https://www.esma.europa.eu/sites/default/files/2024-01/JC_2023_84_-_Final_report_on_draft_RTS_to_specify_the_policy_on_ICT_services_supporting_critical_or_important_functions.pdf