Countdown to DORA Enforcement, Part 4: Managing Third Party Risk
Last week’s blog detailed the requirements for an ICT risk management framework as firms work to align with the Digital Operational Resilience Act (DORA), before the January 17, 2025 enforcement deadline. As firms working with businesses in the European Union enhance their operations to get and stay compliant with DORA, they must also be conscious of external risks. These firms must shift their focus to outside the four walls of the company to ensure they’re adequately managing third-party risks from vendors and other external partners.
DORA’s Requirements for Managing Third-Party Risk
DORA designates managing third-party risk as an integral part of an ICT risk management framework.
The regulations require firms to adopt and regularly review a strategy on third-party risk that takes into account the nature, scale, complexity and importance of ICT-related dependencies. This includes policies that document all risks that arise from the contractual agreements on the use of third-party ICT services, as well as the potential impact on the continuity of services and activities.
In particular, DORA stipulates that a business impact analysis of the risk presented by third-party vendors must be conducted and maintained annually. In addition, vendor assessments must be conducted before contracting with any ICT third-party vendor, and contracts should only be executed with vendors that demonstrate high levels of compliance. All of these steps must be thoroughly documented, and exit strategies must be established to ensure no loss of functionality if a vendor relationship is terminated.
Such measures are necessary in light of research showing that more than 80% of legal and compliance leaders contend with significant third-party risks, even among current vendors that have already been through initial onboarding and due diligence. This is why DORA includes a requirement to reassess current vendors at a regular cadence, as the organization and its third-party partners continually adjust their activities and relationships in response to changing business conditions.
Furthermore, the shared responsibility model that defines many third-party partnerships means that firms must ensure they are not introducing compliance violations through the way they manage third-party assets, even where the vendor’s own operations remain compliant. Consider the example of a SaaS vendor that is responsible for application security. While the vendor is responsible for delivering a working product, your firm is still accountable for any misconfiguration of data and workloads, and for any breakdown in network or endpoint security on your side.
Ensuring Strong Third-Party Risk Management
Any time you engage a vendor, you take on the regulatory burden for every circumstance in which either the vendor or your management of that vendor fails to meet your industry’s security and compliance standards. Fortunately, firms can turn to ECI for the support they need to satisfy the DORA requirements around managing third-party risk. Our Governance, Risk and Compliance (GRC) platform includes robust capabilities and services for third-party risk management.
ECI reviews vendors through a due diligence process and customized risk assessments, compliance audits and action reports that document any actions that should be taken to mitigate operational and security risk. We help you understand vendor activities and rate compliance through a comprehensive business impact analysis. We also go the extra mile to verify vendor compliance and credentials like SOC assessments and industry certifications, with actionable reports to inform both clients and vendors of any problems or compliance gaps and how to fix them.
Throughout, ECI takes a highly advanced approach to understanding exactly how vendors interact with your data and processes. This is particularly helpful in positioning clients to stay resilient in situations where vendor services are down or fall out of compliance. For instance, we arm clients with backup services with automatic failover for third-party internet, cybersecurity or other critical services. From a cost management perspective, we also protect clients by strengthening their contract terms with vendors, such as SLAs that stipulate rebates or cost credits in response to any vendor service delivery or compliance problems.
These activities can transform an organization’s relationship with its vendors from one of poor visibility and unknown risks into a proactive and transparent operation that gives firms control over every factor across the vendor ecosystem that may affect compliance. This, in turn, gives firms peace of mind when it comes to satisfying DORA’s strict requirements around managing third-party risk.
Learn more about how ECI can help your firm comply with DORA requirements.