Sponsored by Protiviti

The hidden cost of third-party relationships

When planning for the worst, financial services organisations must consider third-party risk and resilience, in the event that a critical services provider is also experiencing a disaster.

It’s difficult for financial services firms to keep track of their supply chains. iStock

The financial services sector is highly dependent on external parties and partners. Outages by software, infrastructure, cloud, cyber and utility providers can all disrupt critical operations, with far-reaching consequences.

According to Protiviti’s 2024 Top Risks in the Financial Services Industry report, third-party risk saw the largest leap of any risk, ranking fifth this year compared with 11th last year.

This rise is not surprising as major incidents continue to illustrate the severe impact of third-party service disruptions and breaches.

The SolarWinds hack, Optus outage and CrowdStrike incident all highlighted the “concentration risk” which comes when many organisations across a range of industries rely heavily on the same few third parties.

Know your suppliers

Despite growing awareness of third-party risks, it is still difficult for financial service companies to keep track of the complex ecosystem of service providers that support their supply chains.

They must rise to the challenge, as regulators are insisting that financial institutions improve their third-party risk posture, says Hirun Tantirigama, national technology risk and resilience lead with Protiviti Australia.

“Global regulators are pushing for good visibility, oversight and assurance across your organisation’s service providers, especially in the financial services industry,” Tantirigama says.

Hirun Tantirigama, national technology risk and resilience lead with Protiviti Australia. 

“The industry needs to recognise that while they might transfer the delivery of key services to a third party, they cannot transfer responsibility – the responsibility still lies with the financial services company to manage that third-party risk.”

Address material operational risk

This push for greater accountability is reflected in the UK’s Operational Resilience policy papers, as well as the European Union’s Digital Operational Resilience Act (DORA). Closer to home, the Australian Prudential Regulation Authority (APRA) has also put greater responsibility on financial services to address third-party risk.

APRA’s Prudential Standard CPS 230 (Operational Risk Management) requires regulated entities to safeguard the resilience of their critical operations, while broadening the scope of the service providers they must consider when addressing their third-party risk.

Coming into effect in July 2025, the new standard emphasises board accountability when it comes to managing service provider exposure and impacts, as well as setting realistic recovery times to minimise and manage customer harm.

APRA draws particular attention to “material service providers”: those relied upon by regulated entities to undertake a critical operation, or whose unavailability would expose the regulated entity to material operational risk.

Past performance the best indicator

The Australian Signals Directorate’s Guidelines for Procurement and Outsourcing emphasise the importance of cyber supply chain risk management during the procurement of applications, IT, and operational technology (OT) systems. The nation’s peak government cyber security body urges organisations to assess security risks throughout the lifecycle of products and services, from design to decommissioning, particularly in relation to jurisdictional and governance issues when using offshore suppliers. The guidelines recommend using suppliers with proven security and transparency track records.

A key aspect is service provider relationship management, which involves developing an approved service provider list and ensuring regular security assessments, particularly for high-risk parties. For managed services and cloud outsourcing, providers must undergo security assessments to mitigate risks associated with accessing an organisation’s data or systems.

“Organisations should preference service providers that have demonstrated a commitment to the security and transparency of their products and services,” the report says, reinforcing the shared responsibility model for security across the supply chain.

Ultimately, robust procurement practices help ensure system integrity, reducing risks associated with foreign suppliers and outsourcing critical infrastructure.

Look at the big picture

Addressing third-party risk requires dependency mapping and response planning that adopt practical and commercially realistic ways to identify key dependencies. Rather than relying on spreadsheets and manual processes, this requires investment in the right tools to manage end-to-end supply chain management workflows.

A holistic assessment must also include each service provider’s own material service providers, classified as fourth-party risk, says Protiviti managing director Leslie Howatt.

“Many large organisations don’t necessarily know who all their third-party providers are, let alone their critical fourth-party providers,” Howatt says.

Protiviti managing director Leslie Howatt.

“This means they don’t know where to put assurance processes in place or who to contact in the event of an operational issue. For instance, a third-party managed security provider using tools like CrowdStrike could be critical to their operations, yet they may lack visibility into that relationship.”

“This has to change if financial services organisations are to meet their new regulatory obligations. They need to understand exactly which providers pose the greatest risk and tailor their management action plans accordingly.”

Meeting this obligation requires enhanced due diligence processes and service provider lifecycle management. Going forward, financial institutions should also expect contract negotiations with third parties to include new clauses and KPIs related to operational risk, compliance and resilience requirements.

“The financial services industry must work hand-in-hand with their own service providers to become more resilient for the long term,” Howatt says.

“Rather than view resilience as an obligation, the organisations that view it as a competitive advantage should outperform competitors, as their own clients expect and indeed demand demonstrated resilience superiority.”

Are your third-party relationships as secure as they should be? Please visit Protiviti to strengthen your business with resilient, secure operations.

Original URL: https://www.afr.com/technology/the-hidden-cost-of-third-party-relationships-20241025-p5klaj