The new regulatory frontier: Cyber and supply chain resilience

Supply chain resilience in financial services has not received the same attention as operational resilience. However, the lessons learned from the Covid-19 pandemic, alongside the continued growth in services delivered by third parties to firms, have significantly raised its profile.

The complexity of the supply chain in financial services reflects the ever more complex range of products, services, and channels that firms use to service their customers and develop their business. Providers offer a range of services such as market data metrics, customer data enrichment, IT and technology service provision, outsourced customer services, application development and support, co-branded business initiatives and much more. Using third-party suppliers often helps deliver innovation more quickly and more cost-effectively than developing the same capabilities in-house. Over time this means that third-party service providers can become core to the broader business. It also means that supply chain resilience issues can impact a firm's own operational resilience. It is no coincidence that the Prudential Regulatory Authority (PRA) published its consultation paper - Outsourcing and Third Party Risk Management - for operational resilience and supply chain resilience at the same time.

Best practice vendor risk management is central to supply chain management. It can encompass contract management and service monitoring, concentration risk, and proactive business monitoring to ensure that issues such as the acquisition of a supplier by another company, or its bankruptcy, do not materially impact a firm itself. While this is now more common, the emphasis is increasingly also on monitoring the fourth and fifth party relationships that support the third-party suppliers.

This holistic approach to vendor risk management ensures that the supply chain integrates fully into an institution's enterprise risk management regime. It also helps institutions devolve supplier management to the day-to-day business managers, who can monitor performance against contract, while still following corporate procurement and business standards. These close relationships help both to build the partnerships and to identify and resolve issues early, so they do not have the opportunity to impact a firm's services and capabilities.

The increasing maturity of supply chains and the Covid-19 pandemic have highlighted the significance of vendors' cyber resilience. Many services to firms are delivered digitally, which, if mismanaged by the firm or the supplier, exposes both to cyber risks. This risk is amplified where the technology infrastructure is provided by fourth or fifth parties - typical with Cloud or SaaS-based services - where neither the supplier nor the firm has direct control. Cyber risk has increased sharply during the pandemic as financial services and supplier staff have worked from home extensively, offering more entry points for hackers looking to penetrate secure corporate environments from insecure domestic locations.

A best practice approach to managing cyber risk in the supply chain should focus on externally monitoring how a company safeguards its environment, protects privacy, and maintains its technology resilience and its online brand. This should cover a range of issues including patch management, website security, application security, SSL monitoring, and credentials management, as well as the sensitivity of information disclosed on the website and on social media. Monitoring issues such as network and email security, Distributed Denial of Service (DDoS) protection, as well as online brand health, including measuring the prevalence of fraudulent applications or domains, are also common.
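To make the external monitoring categories above concrete, here is an added example (not part of the original article, and not Mitratech's or Black Kite's code) of how a firm might turn a handful of externally observable facts about a vendor domain into findings and a ranked view. It covers two of the categories named above, SSL (TLS certificate) monitoring and email security (SPF and DMARC records). All domain names, certificate dates, DNS records and the severity weights are constructed assumptions for illustration; a real monitor would populate the observations from DNS and TLS lookups rather than from inline sample data.

```python
"""Toy vendor posture checks: TLS certificate expiry and email-security records.

All observations below are constructed sample data; nothing is fetched from the
network, so the example runs offline.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class Observation:
    domain: str
    tls_not_after: Optional[date]  # expiry of the certificate seen on port 443
    spf: Optional[str]             # TXT record observed at the domain apex
    dmarc: Optional[str]           # TXT record observed at _dmarc.<domain>


@dataclass
class Finding:
    domain: str
    severity: str  # "high", "medium" or "low" (assumed scale)
    check: str
    detail: str


# Assumed weights for rolling findings up into a single per-vendor score.
SEVERITY_WEIGHT = {"high": 10, "medium": 4, "low": 1}
TLS_WARN_DAYS = 30  # assumed threshold for "expiring soon"


def check_tls(obs: Observation, today: date) -> Optional[Finding]:
    """Flag a missing, expired or soon-to-expire certificate."""
    if obs.tls_not_after is None:
        return Finding(obs.domain, "high", "tls", "no certificate observed on 443")
    remaining = (obs.tls_not_after - today).days
    if remaining < 0:
        return Finding(obs.domain, "high", "tls", f"certificate expired {-remaining} days ago")
    if remaining <= TLS_WARN_DAYS:
        return Finding(obs.domain, "medium", "tls", f"certificate expires in {remaining} days")
    return None


def check_spf(obs: Observation) -> Optional[Finding]:
    """Flag a missing SPF record or one whose final 'all' mechanism passes any sender."""
    if not obs.spf or not obs.spf.lower().startswith("v=spf1"):
        return Finding(obs.domain, "medium", "spf", "no SPF record")
    last_mechanism = obs.spf.split()[-1].lower()
    if last_mechanism in ("+all", "all", "?all"):
        return Finding(obs.domain, "medium", "spf", f"permissive SPF ending in {last_mechanism}")
    return None


def check_dmarc(obs: Observation) -> Optional[Finding]:
    """Flag a missing DMARC record or a monitor-only (p=none) policy."""
    if not obs.dmarc or not obs.dmarc.lower().startswith("v=dmarc1"):
        return Finding(obs.domain, "medium", "dmarc", "no DMARC record")
    tags = dict(t.strip().split("=", 1) for t in obs.dmarc.split(";") if "=" in t)
    if tags.get("p", "").strip().lower() == "none":
        return Finding(obs.domain, "low", "dmarc", "DMARC policy is p=none (monitor only)")
    return None


def assess(obs: Observation, today: date) -> List[Finding]:
    """Run every check against one vendor and keep only the findings raised."""
    results = (check_tls(obs, today), check_spf(obs), check_dmarc(obs))
    return [f for f in results if f is not None]


def score(findings: List[Finding]) -> int:
    return sum(SEVERITY_WEIGHT[f.severity] for f in findings)


def rank_vendors(observations: List[Observation], today: date):
    """Return (domain, score) pairs, worst vendor first, as a dashboard would list them."""
    ranked = [(obs.domain, score(assess(obs, today))) for obs in observations]
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)


# Constructed sample observations for three hypothetical vendor domains.
TODAY = date(2024, 6, 1)
SAMPLE_OBSERVATIONS = [
    Observation("vendor-a.example", date(2024, 6, 20),
                "v=spf1 include:_spf.example -all",
                "v=DMARC1; p=reject; rua=mailto:dmarc@vendor-a.example"),
    Observation("vendor-b.example", date(2025, 1, 1),
                "v=spf1 ip4:192.0.2.0/24 ~all",
                "v=DMARC1; p=none"),
    Observation("vendor-c.example", None, None, None),
]

if __name__ == "__main__":
    for domain, total in rank_vendors(SAMPLE_OBSERVATIONS, TODAY):
        print(f"{domain:20s} score={total}")
    for obs in SAMPLE_OBSERVATIONS:
        for f in assess(obs, TODAY):
            print(f"  [{f.severity}] {f.domain} {f.check}: {f.detail}")
```

The per-vendor score is what a dashboard would surface "at a glance"; the individual findings are what the business manager responsible for the supplier relationship would raise with the vendor. Extending the same shape to the other categories in the paragraph (patch levels, exposed services, look-alike domains) is a matter of adding checks that return `Finding` objects.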

The Mitratech solution (VendorInsight + Black Kite) leverages the Mitre cyber risk scoring approach combined with the FAIR financial impact assessment, resulting in a simple yet effective dashboard which highlights the "failing" third and fourth party vendors at a glance. This approach provides practical steps for institutions looking to enhance their vendor risk management and identify quickly where the risks lie. It can integrate cyber risk into the broader vendor risk management framework and ultimately into the top-level risk management picture for a firm. It also supports aligning supply chain resilience with operational resilience in order to help firms maintain market confidence and satisfy regulators, while still working with those business partners best placed to meet their corporate objectives.