2019-06-26 Item 1 - Cyber and Third-Party Risk (TPR) Management
Roberto Franconi
Technology Risk Inspection Manager
Prudential Analytics & Inspections Directorate
Central Bank of Ireland
Introduction
Limits of outsourcing
Third parties are organizations that have entered into business relationships or
contracts with an entity to provide a product or service. One important type of third
party relationship is outsourcing, whereby a third party provides a business function,
service or process that would otherwise be provided by the entity itself.
► Cost savings
► Foster innovation
► Lowering of control
► Legal
► Operational
► Compliance
► Reputational
“Third parties introduce additional cyber risk management challenges to entities that they supply. Cyber incidents resulting from third party vulnerabilities could lead to fraud, disruption of services or access to sensitive customer or corporate information. As the scale, complexity and interconnectedness of third parties and their usage continues to grow, maintaining visibility of cyber risks becomes increasingly challenging, for both individual entities and the financial system as a whole.”
(G7 Fundamental Elements for Third Party Cyber Risk Management in the Financial Sector)
[Figure: the entity's third-party ecosystem (outsourcing providers, clearing houses, FMIs, partners) and the outsourcing governance cycle: assessment of criticality or importance, due diligence, risk assessment, contractual phase, oversight of outsourcing.]
Definition of outsourcing
► Institutions should identify, assess and manage conflicts of interest created by the outsourcing, including between entities of the same group
► The institution should have appropriate business continuity plans in place with regard to the outsourcing of critical or important functions
► They should also plan what to do if the service deteriorates to an unacceptable level as well as in case of insolvency or other failures of the service provider
► The internal audit should cover (on a risk-based approach) the independent review of outsourced activities, as well as assess the adequacy of the institution’s outsourcing policy, procedures and governance framework
► The institution should keep an inventory of all outsourced activities
► Intragroup outsourcing is subject to the same regulatory framework as outsourcing to service providers outside the group.
► KPIs (key performance indicators), KCIs (key control indicators)
3 service models:
◆Infrastructure as a Service (IaaS) “Rent the infrastructure”
◆Platform as a Service (PaaS) “Rent the programming tools”
◆Software as a Service (SaaS) “Rent the software”
4 deployment models: Private, Community, Public, Hybrid
Community Cloud
The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have
shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed,
and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may
exist on or off premises.
Hybrid Cloud
The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that
remain unique entities, but are bound together by standardized or proprietary technology that enables data and application
portability (e.g., cloud bursting for load balancing between clouds).
Public Cloud
The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a
business, academic, or government organization, or some combination of them. It exists on the premises of the cloud
provider.
CONS
► Standard solution vs tailored solution
► Standard contracts: right to access and right to audit?
► Difficulty to manage suppliers
► Difficulty to regulate and supervise suppliers
► Dependence on Internet connectivity
► Higher concentration on a few providers and chain outsourcing
► Compliance: e.g. data location issues
► Security issues at vendor and customer
(Slide caption) Besides, we do whatever we want. Sorry.
“We will not disclose Your Content to any government or third party […] or move Your Content from the […] regions selected by you; except in each case as necessary to comply with the law or a binding order of a governmental body.”
(Slide caption) It doesn’t matter if you put your stuff in an EU data center. Sorry.
CLOUD NEVER FAILS ...
www.linkedin.com/in/robertofranconi/
Roberto.Franconi@centralbank.ie
Tel: +353 1 224 6995
Mobile: +353 87690 0325