In today’s interconnected financial services sector, third-party relationships are essential to the smooth running of operations. From cloud providers and software vendors to utility services and infrastructure support, external parties play a pivotal role in enabling organisations to function efficiently and scale effectively. However, these partnerships come with hidden risks that financial institutions must carefully manage, particularly when considering business continuity and resilience.
The Growing Concern: Third-Party Risk

According to Protiviti and NC State University’s 2024 Top Risks in the Financial Services Industry report, third-party cyber threat risk has seen a significant rise in importance, moving from the 11th highest risk last year to the fifth highest this year. This jump underscores the increasing recognition of the potential vulnerabilities posed by critical external service providers. Financial services organisations are highly reliant on external suppliers for everything from software systems to utility services, and even a short-term outage can have catastrophic consequences.

When disaster strikes, whether due to a cyberattack, power outage, or infrastructure failure, the ripple effect can extend far beyond the impacted third party. For financial institutions, any disruption to a core service – such as a payment processing system, cloud storage, or a key software application – can lead to operational downtime, financial loss, and reputational damage. The ability to access or maintain critical systems could be compromised, affecting not only internal operations but also customer trust and compliance with regulatory requirements.

The CrowdStrike Incident and Its Ripple Effect

The CrowdStrike incident in July 2024 serves as a stark example of the potential fallout from third-party disruptions. A failure in a software update, affecting Microsoft Windows machines globally, highlighted the far-reaching consequences of third-party issues in sectors like banking, healthcare, and government. This incident showed how an external service failure can cascade through industries, illustrating the deep interdependence of modern business operations.

Reports such as those from the Risk Management Association (RMA) and the BCI Crisis Management Report note that third-party failures were a leading cause of crisis management plan activations in the past year. Moreover, the Financial Conduct Authority (FCA) emphasised how the CrowdStrike incident underscored the need for organisations to address vulnerabilities within their third-party networks.

Third-Party Risk: A Complex Web of Dependencies

Third-party relationships are often layered, meaning that a single issue with a service provider can trigger a cascade of problems. For example, an organisation may rely on a cloud provider for data storage, but that provider, in turn, relies on infrastructure providers for their services. If one of these entities experiences a disruption, it could result in a larger system failure that affects multiple interconnected partners. The complexity of these relationships makes it increasingly difficult for financial organisations to fully assess and mitigate the risk involved.

In addition, financial services firms typically rely on a network of external partners to comply with regulatory requirements. For example, banks may need to work with external auditors, cybersecurity firms, or credit rating agencies. If any of these third parties experience an issue, it could lead to a failure in meeting regulatory obligations, potentially resulting in fines or more serious penalties.

The Financial and Reputational Cost

The true cost of third-party failures goes beyond operational disruptions and can include direct financial impacts such as lost revenue and increased operational costs due to service delays or legal disputes. However, one of the most significant costs comes in the form of reputational damage. In the financial services industry, trust is everything. A failure in a third-party relationship that affects customers’ access to funds or services can erode that trust quickly. As customers increasingly expect continuous service and security, even brief service interruptions can drive them to seek alternative providers.

Moreover, the increasing sophistication of cyber threats has made it even more critical for financial organisations to assess the cybersecurity practices of their third-party vendors. A cyberattack on a third-party provider could lead to a data breach, loss of customer information, or financial fraud, all of which would damage the organisation’s reputation and trustworthiness.

Mitigating Third-Party Risk

Given the growing importance of third-party risk, financial services organisations must take proactive steps to mitigate potential disruptions. A robust third-party risk management strategy should include:

  • Comprehensive Due Diligence: Before entering into a relationship with a third party, organisations must assess their partners’ operational resilience, security measures, and regulatory compliance. This can include regular audits, assessments, and reviews of the provider’s ability to maintain service continuity in the face of a crisis.
  • Service-Level Agreements (SLAs): Well-drafted SLAs can help define the expectations of both parties and establish clear protocols for managing service interruptions. These agreements should outline the provider’s obligations regarding uptime, security, and disaster recovery, ensuring there are contingency plans in place.
  • Continuous Monitoring: Continuous monitoring of third-party performance and risk exposure is essential. Financial institutions should keep track of any potential vulnerabilities, changes in their third-party providers’ status, or emerging risks that may impact business continuity.
  • Crisis Management and Contingency Planning: Organisations must establish crisis management frameworks that include procedures for responding to third-party failures. This includes having clear plans for business continuity, including backup providers or alternate systems that can be activated quickly if a third-party provider fails.

A Push for Greater Accountability

This growing concern around third-party risk is reflected in the increasing push for greater accountability within the financial services industry. Policies such as the UK’s Operational Resilience framework and the European Union’s Digital Operational Resilience Act (DORA) underscore the need for financial institutions to ensure that third-party providers are resilient and prepared for disruptions. These regulatory measures are designed to strengthen the operational resilience of organisations, ensuring that they can maintain critical services even in the event of third-party failures. Compliance with such regulations is becoming a priority for businesses looking to protect their operations and manage risks effectively.

Conclusion

The increasing dependence on third-party providers in the financial services industry introduces a hidden cost that can have far-reaching consequences. Financial institutions must be vigilant in managing third-party risks, ensuring that appropriate measures are in place to protect against service disruptions, cyber threats, and compliance failures. By understanding the complex web of dependencies that exists in these relationships, financial institutions can better navigate the risks and ensure business continuity, protecting both their operations and their reputation in the process.

How AJC Can Help

Adopting a proactive approach to managing third-party risk is crucial for financial institutions and businesses alike. Identifying vulnerabilities in third-party relationships, staying ahead of potential disruptions, and keeping up to date with evolving regulations are key to ensuring business continuity. AJC, with its extensive experience and expertise in risk management, can support organisations in navigating these challenges. By conducting thorough risk assessments, helping to establish effective contingency plans, and offering guidance on regulatory compliance – including frameworks like DORA and the UK’s Operational Resilience policies – AJC helps organisations strengthen their resilience and safeguard their operations from third-party failures.

Find out more about AJC’s Risk Management and Resilience services here.

References
  • Protiviti and NC State University. (2024). Top Risks in the Financial Services Industry.
  • Risk Management Association (RMA) and BCI. Crisis Management Report.
  • Financial Conduct Authority (FCA). Statement on the CrowdStrike incident.
  • Financial Conduct Authority (FCA) Operational Resilience framework and the Digital Operational Resilience Act (DORA) guidelines.

Image accreditation: Alex Shuper (May 2023) from Unsplash.com. Last accessed on December 9th 2024. Available at: https://unsplash.com/photos/a-computer-generated-image-of-a-cloud-with-a-blue-arrow-pointing-up-EHko-zSjnoI
