ICT Third Party Risk Management (TPRM)
It is often said that your organization is only as secure as its weakest third-party service provider. A single vulnerability in a vendor's network can lead to a breach of your otherwise cyber-resilient infrastructure. This explains why third-party risk management has become so fundamental.
The digital age has prompted a huge shift towards outsourced workloads and cloud-based services. As third-party vendors form a complex web, it is important to keep a firm grasp on the constantly expanding perimeter of your company. Mapping all your ICT third parties by the criticality of the functions they support, their location and the concentration of critical functions on individual providers or regions are among the pillars of TPRM.
Once you have mapped your ICT third-party landscape and analysed it for critical functions and concentration, a thorough review of all your existing contracts with third parties is crucial. New contractual requirements have been introduced in the EU to close previous regulatory gaps. DORA (the Digital Operational Resilience Act) requires you to ensure that all your contracts with ICT third-party providers follow the new rules and templates as part of your ICT TPRM. There are no shortcuts: you need to perform detailed due diligence, including an assessment of the legal jurisdiction the provider operates under. The new rules require you to have evidence of controls, warranties of data protection safeguards, mandatory sub-contracting and sub-processing obligations, and regular reporting and inspections, among other things. They also require a clear clause on termination of the contractual agreement in case of the vendor's non-compliance.
Under the data protection regulations now in force it remains your overall responsibility to ensure the privacy and security of all data, even when a third party processes it. The purposes for which data may be used (including purpose limitation), the data owner's authorisation for that use, the location where the data is managed, and data governance clauses have to be written clearly into your ICT third-party contracts.
Among the drivers that pushed for the modernisation of TPRM regulation are:
- The pandemic (remote workers, virtual audit and assurance, resilience and cloud hosting, etc.)
- Non-IT risks (ESG, human rights, supply chain, geopolitics, DEI, etc.)
- RoI (technology for monitoring, workflow automation, a risk-based approach, skill sets and staffing, "right-sizing" the assessment, etc.)
It is a challenging area, and we suggest focusing on the following six-step process to ensure that you meet the new EU requirements in your ICT TPRM:
- Detailed mapping of new ICT third-party providers and an update of the existing ones, covering their functions and the data they have access to
- Verification of the disclosure mechanism to third-party providers
- Due diligence on third parties, including data transfers and disclosures
- Due diligence on technical, organisational and contractual measures, based on the risk and classification of the functions and data involved
- Implementation of appropriate data protection at third parties
- Documentation of all processes, standards and requirements, plus regular reviews, audits and site visits