
Cyber and third party risk (TPR) management
JUNE 26, 2019

Roberto Franconi
Technology Risk Inspection Manager
Prudential Analytics & Inspections Directorate
Central Bank of Ireland

INTERNATIONAL MONETARY FUND 1


Agenda

• Introduction
• Risks associated with outsourcing
• Limits of outsourcing
• How to supervise third party vendor risk
• Example: European Banking Authority Guidelines on Outsourcing arrangements
• Consequences of risk and control landscapes with the adoption of cloud


Introduction - Definitions of outsourcing and third parties

G7 FUNDAMENTAL ELEMENTS FOR THIRD PARTY CYBER RISK MANAGEMENT IN THE FINANCIAL SECTOR (October 2018)

Third parties are organizations that have entered into business relationships or contracts with an entity to provide a product or service. One important type of third party relationship is outsourcing, whereby a third party provides a business function, service or process that would otherwise be provided by the entity itself.

MiFID Technical Advice (2005)

"Outsourcing" means an arrangement of any form between an investment firm and a service provider by which the service provider performs a process, a service or an activity which would otherwise be undertaken by the investment firm itself.


Introduction - What are the main reasons to outsource?

• Cost savings
• Economies of scale: decisions at group level
• Access to specific expertise and capabilities
• Flexibility to deal with temporary needs
• Focus on core business
• Process optimization and quality improvement
• Foster innovation


Risks associated with outsourcing

• Lowering of control
• Loss of knowledge in the organization
• Dependence on the service provider
• Legal
• Operational
• Compliance
• Reputational
• Concentration on a few service providers


Limit of outsourcing - third parties cyber risk management

"Third parties introduce additional cyber risk management challenges to entities that they supply. Cyber incidents resulting from third party vulnerabilities could lead to fraud, disruption of services or access to sensitive customer or corporate information. As the scale, complexity and interconnectedness of third parties and their usage continues to grow, maintaining visibility of cyber risks becomes increasingly challenging, for both individual entities and the financial system as a whole."

(G7 Fundamental Elements for Third Party Cyber Risk Management in the Financial Sector)


Limit of outsourcing - third parties cyber risk management (2)

(Figure on the original slide; no text content.)


How to supervise third party vendor risk - regulatory frameworks on outsourcing

• Almost every jurisdiction, international organization or standard setting body has issued regulation, standards or best practices on outsourcing: BCBS (2005), IOSCO (2009), G7, national authorities in many countries, ...
• All of them share the same basic principle:

Outsourcing of services can never result in the outsourcing of responsibility


How to supervise third party vendor risk - from outsourcing to third party risk management

• Most existing frameworks still speak of "outsourcing"
• Utilities like power or telecommunications do not fall under the definition of outsourcing
• But is there a risk that needs to be managed?
• There is a progressive tendency to speak of "third party risk management"
• Still, "third party" is usually understood to mean "vendor"


How to supervise third party vendor risk - regulatory and supervisory challenges

• Legal ability to regulate and supervise third parties, even more so if they are located in different jurisdictions
• Chain outsourcing or "endless subcontracting"
• Increasing concentration on a reduced number of service providers that could constitute a single point of failure
• Difficulty to cover the whole group perimeter: subsidiaries
• It is impossible to control the whole supply chain


How to supervise third party vendor risk - regulatory and supervisory challenges (2)

Should we extend the scope of "third parties" from a cyber risk perspective?

(Diagram on the original slide: outsourcing providers, clearing houses, FMIs, partners.)


How to supervise third party vendor risk - regulatory and supervisory challenges (3)

Concentration risk

How to supervise third party vendor risk - regulatory and supervisory challenges (4)

Group perimeter: subsidiaries

How to supervise third party vendor risk - regulatory and supervisory challenges (5)

Supply chain


Example: European Banking Authority Guidelines on Outsourcing arrangements

• Current European regulation regarding outsourcing:
◆ CEBS Guidelines on outsourcing, applicable since 2006
◆ EBA Recommendations on cloud computing, effective from July 2018
• New EBA Guidelines on outsourcing published in February 2019:
► Applicable to all credit institutions, investment firms, payment institutions and e-money institutions
► Addressed also to supervisory authorities
► Principle of proportionality
► The cloud recommendations have been integrated in the guidelines
► In force from 30 September 2019 for new outsourcings. Existing arrangements will have to be reviewed and made compliant no later than 31 December 2021


Example: European Banking Authority Guidelines on Outsourcing arrangements (2)

(Diagram on the original slide: a governance cycle around outsourcing arrangements, covering assessment of criticality or importance, due diligence, risk assessment, contractual phase and oversight of outsourcing.)


Example: European Banking Authority Guidelines on Outsourcing arrangements (3)

Definition of outsourcing

• Aligned with MiFID II:

"Arrangement of any form between an institution (...) and a service provider by which that service provider performs a process, a service or an activity that would otherwise be undertaken by the institution (...) itself"

• Criteria to consider an arrangement as outsourcing:
► the function (or a part thereof) that is outsourced to a service provider is performed on a recurrent or an ongoing basis
► whether this function (or part thereof) would normally fall within the scope of functions that would or could realistically be performed by institutions, even if the institution has not performed this function in the past itself


Example: European Banking Authority Guidelines on Outsourcing arrangements (4)

Definition of outsourcing

Examples that should not be considered outsourcing:

◆ Function legally required to be performed by a service provider (e.g. audit)
◆ Market information services
◆ Global network infrastructures
◆ Clearing and settlement
◆ Global financial messaging infrastructure
◆ Correspondent banking services
◆ Acquisition of services that would not be undertaken by the institution (e.g. legal advice, cleaning, medical services, etc.)
◆ Utilities


Example: European Banking Authority Guidelines on Outsourcing arrangements (5)

Governance aspects

• Can everything be outsourced? Limits apply to:
► Activities requiring licence or authorization
► Core management functions:
◆ Strategy and policy setting
► Control functions:
◆ Risk management
◆ Compliance
◆ Internal audit
• "Institutions (...) should identify, assess, monitor and manage all risks resulting from arrangements with third parties to which they are or might be exposed, regardless of whether or not those arrangements are outsourcing arrangements"


Example: European Banking Authority Guidelines on Outsourcing arrangements (6)

Governance aspects

• The senior management of the institution keeps the ultimate responsibility
• The institution should have an approved outsourcing policy in place. The policy should be reviewed periodically and contain at least:
► Assessment criteria for risks related to the outsourcing, including "chain" outsourcing
► Criteria to assess criticality or importance of outsourcing
► Criteria for the service provider evaluation and selection (also considering concentration risk)
► Roles, responsibilities, and competencies for the personnel responsible for managing outsourcing
► Exit strategies
• Institutions should retain adequate competence and sufficient skilled resources to ensure appropriate management and oversight of outsourcing arrangements


Example: European Banking Authority Guidelines on Outsourcing arrangements (7)

Governance aspects

• Institutions should identify, assess and manage conflicts of interest created by the outsourcing, including between entities of the same group
• The institution should have appropriate business continuity plans in place with regard to the outsourcing of critical or important functions
• They should also plan what to do if the service deteriorates to an unacceptable level, as well as in case of insolvency or other failures of the service provider
• Internal audit should cover, on a risk-based approach, the independent review of outsourced activities, as well as assess the adequacy of the institution's outsourcing policy, procedures and governance framework
• The institution should keep an inventory of all outsourced activities
• Intragroup outsourcing is subject to the same regulatory framework as outsourcing to service providers outside the group


Example: European Banking Authority Guidelines on Outsourcing arrangements (8)

Governance aspects

• Outsourcing policy comprehensive, approved and periodically reviewed
• Knowledge retention and capacity to manage outsourcing
• Business continuity plans and tests include outsourced functions
• Exit strategies and realistic exit plans
• Full inventory of outsourced activities
• Attention to "Shadow IT"
• Adequate coverage by internal audit, in a risk-based manner


Example: European Banking Authority Guidelines on Outsourcing arrangements (9)

Assessment of criticality or importance

• Where a defect or failure in the outsourced function would materially impair compliance and regulatory obligations, financial performance, or soundness or continuity of banking and payment services and activities
• Outsourcing of licensed activities
• Activities, processes or services relating to core business lines and critical functions
• Impact on clients
• Potential impact of disruption or outages of the outsourced services
• Others: size and complexity of the business function, difficulty to change the provider or re-insource the service, confidentiality, integrity and availability of data


Example: European Banking Authority Guidelines on Outsourcing arrangements (10)

Due diligence

• The selection of a service provider before an outsourcing should at least include an analysis of elements such as the following:
► Market position, image, well-chosen references, legal and financial situation
► Location of data and service
► Human and technical resources of the service provider
► Quality of subcontractors
► Internal control at the service provider
► Confidentiality, security and business continuity measures at the service provider


Example: European Banking Authority Guidelines on Outsourcing arrangements (11)

Risk assessment

• The management body and senior management have to be informed and make the decision to outsource or not during the procurement process, based on a documented assessment of the impact of the outsourcing on the risk management of the institution
• A risk assessment should be properly documented and take into account:
► Criticality of services to be outsourced: availability and security needs
► Confidentiality of data to be outsourced: protection needs
► Sub-outsourcing
► Legal aspects
► Location of the data and processing (potential risks to data protection and effective supervision)
► Compliance with regulation (including data protection)
► Concentration risk ...


Example: European Banking Authority Guidelines on Outsourcing arrangements (12)

Criticality, Due diligence, Risk assessment

• Tendency to consider most outsourcing as "non material"
• "Confidential data" is not only "data subject to privacy rules"
• Proper due diligence of service providers
• Completeness of the risk assessment, including concentration risk and sub-outsourcing
• Level of detail proportionate to the inherent risk of the outsourcing
• Documented and sufficient for the management body to decide


Example: European Banking Authority Guidelines on Outsourcing arrangements (13)

Contractual phase

• There has to exist a written agreement, containing at least:
► Sub-outsourcing conditions
► Location of data and processing
► Governing law of the arrangement
► Security (confidentiality, integrity and availability) requirements
► Right to audit for the institution and for the supervisor
► Legal and compliance obligations
► Service level agreements, metrics, penalties
► Reporting obligations
► Termination clauses


Example: European Banking Authority Guidelines on Outsourcing arrangements (14)

Contractual phase

• Difficulty to negotiate with big service providers: e.g. right to audit, right to access for supervisors
• Level of detail of SLAs
• Requirements on sub-outsourcing
• Requirements on incident notification
• Termination clauses define the when and how
• Detailed requirements on security


Example: European Banking Authority Guidelines on Outsourcing arrangements (15)

Oversight of outsourcing

• Monitoring on an ongoing basis the performance and quality standards of the outsourced service by means of:
► Reports from the service provider on the service
► KPIs, KCIs
► Other reports: business continuity tests, certifications, independent reviews, etc.
• Special focus to ensure availability, integrity and confidentiality
• Periodic report to the management body of any risks identified in the outsourcing of critical or important functions
• Monitor and manage concentration risk
• If there are shortcomings, appropriate actions need to be taken, including, if necessary, termination of the arrangement


Example: European Banking Authority Guidelines on Outsourcing arrangements (16)

Oversight of outsourcing

• Tools to effectively assess the performance
• Adequate in-house expertise
• Level of reliance on self-assessments or reports provided by the service provider
• Ongoing process
• Adequate escalation and reporting to the management body
• Independent reviews, proportionate to risk


Example: European Banking Authority Guidelines on Outsourcing arrangements (17)

Ex ante notification - supervisory dialogue

• "Institutions (...) should adequately inform competent authorities in a timely manner or engage in a supervisory dialogue with the competent authorities about the planned outsourcing of critical or important functions and/or where an outsourced function has become critical or important"


Consequences of risk and control landscapes with the adoption of cloud - A particular case of outsourcing

• "Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction" (NIST, 2011)
• 3 service models:
◆ Infrastructure as a Service (IaaS): "rent the infrastructure"
◆ Platform as a Service (PaaS): "rent the programming tools"
◆ Software as a Service (SaaS): "rent the software"
• 4 deployment models: Private, Community, Public, Hybrid
• Cloud computing is generally considered a particular case of IT outsourcing


Consequences of risk and control landscapes with the adoption of cloud - Definitions
Private Cloud
The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g.,
business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them,
and it may exist on or off premises.

Community Cloud
The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have
shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed,
and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may
exist on or off premises.

Hybrid Cloud
The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that
remain unique entities, but are bound together by standardized or proprietary technology that enables data and application
portability (e.g., cloud bursting for load balancing between clouds).

Public Cloud
The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a
business, academic, or government organization, or some combination of them. It exists on the premises of the cloud
provider.

The NIST definition of cloud computing



Consequences of risk and control landscapes with the adoption of cloud - Service Models

(Diagram on the original slide, summarised:)

  Model                               What you rent            Your relationship to it
  IaaS (Infrastructure as a Service)  the infrastructure       consume
  PaaS (Platform as a Service)        the programming tools    build on it
  SaaS (Software as a Service)        the software             migrate to it


Consequences of risk and control landscapes with the adoption of cloud - Service Models (2)

(Figure on the original slide; no text content.)


Consequences of risk and control landscapes with the adoption of cloud - Pros and Cons
PROS
Flexibility and scalability
Agile (self-service) provisioning
Cost reduction
Access to cutting-edge technologies
Accessibility of services from anywhere
Easier maintenance

CONS
Standard solution vs tailored solution
Standard contracts: right to access and right to audit?
Difficulty to manage suppliers
Difficulty to regulate and supervise suppliers
Dependence on Internet connectivity
Higher concentration on a few providers and chain outsourcing
Compliance: e.g. data location issues
Security issues at vendor and customer



Consequences of risk and control landscapes with the adoption of cloud - Pros and Cons (2)

Excerpt from a provider's standard terms (provider name replaced by [Provider] on the slide):

"If you use the [Provider] Site, you are responsible for maintaining the confidentiality of your [Provider] account and password and for restricting access to your computer, and you agree to accept responsibility for all activities that occur under your account or password.

[Provider] reserves the right to refuse service, terminate accounts, remove or edit content in its sole discretion."

Slide captions: "We are not responsible if we lose your credentials. Sorry." / "Besides, we do whatever we want. Sorry."


Consequences of risk and control landscapes with the adoption of cloud - Pros and Cons (3)

Excerpt from a provider's standard terms:

"We will not disclose Your Content to any government or third party [...] or move Your Content from the [...] regions selected by you; except in each case as necessary to comply with the law or a binding order of a governmental body.

Unless it would violate the law or a binding order of a governmental body, we will give you notice of any legal requirement or order referred to in this Section."

Slide captions: "It doesn't matter if you put your stuff in an EU data center. Sorry." / "We will not tell you we gave your stuff to unnamed agencies. Sorry."


Consequences of risk and control landscapes with the adoption of cloud - Pros and Cons (4)

Slide caption: "CLOUD NEVER FAILS ..."

Consequences of risk and control landscapes with the adoption of cloud - Pros and Cons (5)

Slide caption: "IT'S SO EASY TO USE THE CLOUD..."


Consequences of risk and control landscapes with the adoption of cloud - Forrester predictions (end of 2017)

• The total global public cloud market will be $178B in 2018, up from $146B in 2017, and will continue to grow at a 22% compound annual growth rate (CAGR)
• More than 50% of global enterprises will rely on at least one public cloud platform to drive digital transformation and delight customers
• ...


Consequences of risk and control landscapes with the adoption of cloud - Supervisory challenges

• Parts of the operation of institutions move out of our reach/ability to supervise
• Concentration risk becomes more prevalent in cloud computing. Monitor it through a registry
• Introduction of (big) techs in our supervisory landscape (different business model, operational model, risk and control landscape, culture, attitude towards control and supervision)
• Need to engage in a continuous dialogue with institutions and providers. Ex-ante notification may be a helpful tool

• Difficulty to keep supervisory skills up to date
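The inventory of outsourced activities that the EBA guidelines ask institutions to keep (slide 21) and the registry through which the supervisor is to monitor concentration risk (above) support the same computation. The script below is an added example written for this page; it is not code from the presentation, from the EBA or from any supervisor's tooling. It assumes a register with the fields function, provider and critical, plus a separate map of the sub-outsourcing each provider has declared; all providers, functions and the 50% flagging threshold are constructed for illustration. It shows why "chain outsourcing" belongs in the risk assessment: counted by contracted provider, no provider in the sample carries more than a quarter of the critical functions, but once each chain is followed to its end, three of the four critical functions land on the same infrastructure provider.

```python
from collections import defaultdict

# Constructed sample register (fictitious functions and providers), modelled on
# the fields an outsourcing inventory carries: function, provider, criticality.
REGISTER = [
    {"function": "core banking hosting",    "provider": "HostCo",    "critical": True},
    {"function": "payments processing",     "provider": "PayCo",     "critical": True},
    {"function": "card fraud scoring",      "provider": "ScoreCo",   "critical": True},
    {"function": "customer data warehouse", "provider": "CloudA",    "critical": True},
    {"function": "payroll",                 "provider": "PayrollCo", "critical": False},
]

# Sub-outsourcing as declared by each provider (constructed): provider -> the
# provider it in turn depends on. A provider absent from the map is at the end
# of its chain.
SUBCONTRACTS = {
    "PayCo": "HostCo",    # PayCo runs its platform on HostCo
    "HostCo": "CloudA",   # HostCo rents its infrastructure from CloudA
    "ScoreCo": "CloudB",
}


def ultimate_provider(provider, subcontracts, max_depth=10):
    """Follow the sub-outsourcing chain from `provider` to its end.

    Returns (ultimate_provider, chain). Raises ValueError on a cycle or on a
    chain longer than `max_depth`; both indicate an inconsistent register
    rather than a genuinely endless chain.
    """
    chain = [provider]
    current = provider
    while current in subcontracts:
        current = subcontracts[current]
        if current in chain:
            raise ValueError("cycle in sub-outsourcing chain: " + " -> ".join(chain + [current]))
        chain.append(current)
        if len(chain) > max_depth:
            raise ValueError("sub-outsourcing chain exceeds max_depth")
    return current, chain


def critical_functions_by_provider(register, subcontracts=None):
    """Group the critical functions by provider.

    With subcontracts=None the grouping uses the contracted provider only,
    which is what a naive reading of the register shows. With a subcontract
    map, each function is attributed to the provider at the end of its chain.
    """
    groups = defaultdict(list)
    for arr in register:
        if not arr["critical"]:
            continue
        if subcontracts is None:
            groups[arr["provider"]].append(arr["function"])
        else:
            top, _ = ultimate_provider(arr["provider"], subcontracts)
            groups[top].append(arr["function"])
    return dict(groups)


def concentration_flags(register, subcontracts=None, threshold=0.5):
    """Return {provider: share} for every provider that carries at least
    `threshold` of all critical functions. The threshold is an assumed policy
    value, not one the guidelines prescribe."""
    total = sum(1 for arr in register if arr["critical"])
    if total == 0:
        return {}
    groups = critical_functions_by_provider(register, subcontracts)
    return {p: len(f) / total for p, f in groups.items() if len(f) / total >= threshold}


if __name__ == "__main__":
    print("direct view:  ", concentration_flags(REGISTER))                # {}
    print("resolved view:", concentration_flags(REGISTER, SUBCONTRACTS))  # {'CloudA': 0.75}
    for arr in REGISTER:
        _, chain = ultimate_provider(arr["provider"], SUBCONTRACTS)
        print(f'{arr["function"]}: {" -> ".join(chain)}')
```

The same resolution step can be run by a supervisor across the registers of several institutions, in which case the provider at the end of the chain is the single point of failure for the sector rather than for one firm. Cycle and depth checks are deliberate: a register that claims A depends on B and B on A is a data-quality finding in its own right.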



Presenter: Roberto Franconi

Master Degree in Computer Science Engineering; CISA, CISM, CISSP, PRINCE2, PMP
• 2004-2012 Different roles in accounting firms, in Italy and Ireland, providing consultancy services on IT audit and information security
• 2012-2017 IT internal audit roles in financial services, including the ECB
• Since 2017 Technology Risk Inspection Manager @ Central Bank of Ireland

www.linkedin.com/in/robertofranconi/
Roberto.Franconi@centralbank.ie
Tel: +353 1 224 6995
Mobile: +353 87690 0325


Thank you very much for your attention!
