🚨📝 July 15, 2025. #DORA #ThirdPartyRisk #OperationalResilience. The ESAs (EBA, EIOPA, ESMA) published a new guide under DORA on the oversight of Critical Third-Party Providers (CTPPs). The message is clear: if you are critical to financial services ICT, you are now under direct EU-level oversight.

🔍 Key Takeaways:
▶️ CTPPs face annual designation based on systemic importance, substitutability, and client base. Criteria include 6 quantitative and 5 qualitative factors.
▶️ Oversight includes inspections, general investigations, and data requests, with potential penalties for non-cooperation.
▶️ Non-compliance = public naming. If a CTPP fails to act on recommendations without valid reasons, the ESAs will disclose this publicly.
▶️ ESAs can inspect third-country premises - if conditions are met and local authorities don't object.
▶️ CTPPs must designate a coordination point or EU subsidiary with authority, staff, data access, and inspection-readiness.
▶️ Joint Oversight Venture (JOV) now operational - ESAs have integrated teams working together with national authorities for seamless supervision.
▶️ Follow-up is serious: CTPPs must share remediation plans and progress reports. Supervisors may ask financial entities to terminate contracts if risks persist.

🤷♂️ The So What? #CTPP teams should:
✅ Assess your criticality status - are you or your providers potentially in scope?
✅ Establish or review your EU coordination point/subsidiary - it must meet ESA expectations.
✅ Prepare for oversight - inspections, RfIs, and documentation requests are coming.
✅ Strengthen ICT risk management - especially in subcontracting, patching, encryption, and incident handling.
✅ Track recommendations & document remediation - visibility and accountability are key.

📩 Questions about how this affects your role as a #CASP, #bank, #paymentinstitution, or #CTPP? Happy to chat in DMs or connect you with our advisory partners.
#DORA | #CyberResilience | #ICTThirdPartyRisk | #ESMA | #EBA | #EIOPA | #FinancialServices | #Compliance | #RegTech | #FinvisorFintechPartners
Critical third-party governance in insurance
Summary
Critical third-party governance in insurance refers to the systems and processes insurers use to identify, oversee, and manage risk from external vendors or service providers whose role is essential to business operations and financial stability. This practice is vital because any failure or issue with a critical supplier can have far-reaching consequences for customer trust, regulatory compliance, and the overall health of the financial sector.
- Clarify vendor roles: Take time to identify which external partners are truly vital to your operations so you can prioritize oversight and resources accordingly.
- Monitor and respond: Set up ongoing checks and require regular updates from your critical partners to catch risks early and maintain a strong track record with regulators.
- Strengthen contracts: Make sure agreements with key vendors lay out clear responsibilities, include robust recovery plans, and spell out what happens if standards aren’t met.
📍🔵 Mitigating Hidden Risks: The Critical Role of Third-Party Risk Onboarding & Monitoring 🔵📍

In today's interconnected financial ecosystem, third-party partnerships are essential, but they also introduce significant risk exposure if not properly assessed and monitored. The diagram below outlines a structured and collaborative approach to Third-Party Risk Onboarding & Monitoring, illustrating how business units, risk management teams and third parties must coordinate to build a secure and resilient vendor ecosystem.

🔍 Why This Diagram Matters from a Risk Management Lens:
✅ Cross-Functional Accountability: The diagram emphasizes the alignment between the first line (Business Units) and second line (Risk Management). While the business initiates and justifies the need, risk functions validate and approve based on risk appetite and exposure.
✅ Integrated Risk Assessment at Onboarding: A critical decision point—"Is the risk acceptable?"—ensures that vendors are only onboarded after a thorough risk evaluation, supporting compliance with regulatory expectations on vendor due diligence.
✅ Continuous Monitoring and Reassessment: Third-party risk doesn't end at onboarding. Ongoing performance monitoring, risk reassessments, and contract renewal reviews maintain vigilance and accountability throughout the vendor lifecycle.
✅ Supports Regulatory and Audit Readiness: This process-centric model fosters audit traceability, demonstrating that the bank has a documented, repeatable, and risk-based vendor governance framework, aligned with industry standards like ISO 27036, FFIEC guidelines, and Basel requirements.
✅ Strengthens Operational Resilience: A disciplined onboarding-to-monitoring lifecycle helps prevent downstream risks such as service disruptions, cybersecurity breaches, and reputational damage.

#ThirdPartyRisk #RiskManagement #VendorGovernance #BankingRisk #ERM #Compliance #RiskCulture #OperationalRisk
Operational resilience: Critical third parties to the UK financial sector. I have just analysed this document and here is my bit.

First point - there is no CTP without the TPs. The organisations will identify their Third Parties and, through Materiality Assessment, those that are Critical to them. These will be reported to the Regulators – who may apply their own criteria/judgement to identify the CTPs for the UK Financial Sector.

The most important portion for me in the approach note is Operational Resilience. The regulators expect to see evidence that a CTP's systemic third party service(s) are sufficiently resilient so that CTP operational incidents do not negatively affect the stability of, or confidence in, the UK financial system. This is ensured by effective Scenario Testing by the CTPs. The regulators will focus on scenario selection and calibration, and expect mapping, threat intelligence and prior CTP operational incidents to be included in a CTP's Scenario Test Planning.

Appropriate incident management is an important operational mitigant. CTPs should have comprehensive, well-tested and up-to-date response and recovery measures. As part of this, CTPs should also consider the contingencies available should their core delivery mechanisms fail. The regulators will see whether a CTP has an appropriate range of these measures, and evidence of their effectiveness, including continual improvements as a result of testing, exercises and incidents.

The regulators expect such a Scenario Test once in 2 years, but may ask for more depending upon the test results and report. To start with, the Regulators will expect a Self-Assessment Report from the CTP, will conduct stringent annual reviews, and follow-ups will be conducted to monitor the progress against the actions in annual reviews.

I look forward to your views.
The European Supervisory Authorities (ESAs) have published their guide on the oversight framework for Critical Third-Party Providers (CTPPs) under the Digital Operational Resilience Act (DORA), effective July 15, 2025. This guide operationalises a significant evolution in the EU's regulatory architecture. The framework establishes a new paradigm of direct supervision over the critical ICT infrastructure underpinning the financial sector, aiming to mitigate systemic concentration risk and harmonise ICT third-party risk management across the Union.

Key Implications:

For Critical Third-Party Providers (CTPPs): The oversight cycle will be managed by a designated Lead Overseer (LO) and executed by Joint Examination Teams (JETs). CTPPs will be subject to a range of supervisory tools, including ongoing monitoring, formal Requests for Information (RFIs), general investigations, and on-site inspections. Non-adherence to recommendations can lead to public disclosure and financial penalties, resulting in significant reputational and economic risks.

For Financial Entities (FEs): The framework mandates a material enhancement of internal third-party risk management and due diligence protocols. Insights from CTPP oversight will directly inform the supervisory activities of National Competent Authorities (CAs), leading to increased scrutiny of FEs' concentration risk and the viability of their contractual exit strategies. In extremis, CAs may direct FEs to terminate relationships with a non-compliant CTPP.

The era of indirect supervision for critical technology vendors is over. Both CTPPs and financial entities must now strategically align their governance, risk, and compliance functions with this more direct and intrusive oversight model.

#DORA #DigitalOperationalResilience #ESMA #EBA #EIOPA #CTPP #RiskManagement #Compliance #FinancialRegulation #ThirdPartyRiskManagement #Cybersecurity #EU
Spicy Statement - "Failure to address [third party risk] can result in significant financial losses, legal penalties, and damage to stakeholder trust." - https://lnkd.in/emPjfeMe

In this series, I will present contentious academic research and promote discussion. I believe academic research might be underutilized in informing decision-making at the CISO level. In this article, the author argues for a strong third-party risk program that includes auditing your third parties; however, the discussion begins with the Statement above and assumes it's what the business needs. If that's true, the recommendations are typical and sound. If not, get these steps right before considering a bigger program.

· Understand Your Ability to Say No: Risk acceptance is key. If you lack decision-making authority, you'll need to rely on the buyer or risk owner to accept risks. You can use buying limits to determine who can accept risk and at what level. Be cautious when advising "no" — this can damage relationships if perceived as obstructing business needs.
· Identify Critical Third Parties: Know which vendors are vital to generating revenue and managing costs for the business. These are your high-risk vendors.
· Resilience First: For each critical vendor, conduct a Cost-Benefit Analysis to determine the best, most affordable resilience strategy. Test and implement it. Building resilience has far more long-term business value than a "fire-and-forget" security assessment. Getting to resilience requires security.
· Collect Independent Certifications: Review third-party certificates (ISO 27001, SOC 2 Type 2). If you're working with SaaS vendors, decide if you'll work with them if they don't have certifications. Expect more complexity and costs if you decide to work with those vendors.
· Negotiate Robust Contracts: Ensure that vendor contracts are as solid as leadership is comfortable with. Set clear negotiating limits with Legal to avoid getting wrapped up in individual contract negotiations. Also, ensure that significant vendor changes are prohibited or reported to you for assessment.
· Pay Attention to the Compliance Landscape: Survey for any third-party compliance requirements that might have been missed. Work with Legal to meet the bare minimum. Consider a CBA to determine if scoping can limit exposure.

Next week I'll cover efficiency. #InformationSecurity #CSuite #ThirdPartyRisk