Include contingency plans in the third party management plan.
CONTROL ID
10030
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a supply chain management program., CC ID: 11742

This Control has the following implementation support Control(s):
  • Refrain from placing excessive reliance on third parties that provide support for service continuity., CC ID: 12768
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • While AIs are expected to take into account the general guidance specified in SA-2 “Outsourcing” when managing technology outsourcing, they should also have regard to the following controls: - technology service providers should have sufficient resources and expertise to comply with the substanc… (7.1.1, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • Concentration risk may arise where a major EDSP provides data services to a large number of financial firms, since a significant disruption in its services may have an impact on the market. Depending on the scale of a licensed corporation's operations and the extent of its use of data storage or pro… (22., Circular to Licensed Corporations - Use of external electronic data storage)
  • A licensed corporation using external data storage or processing services in the conduct of its regulated activities should assess the level of its dependence on the prompt and consistent delivery of services by its service providers as well as the potential operational impact on the licensed corpor… (19., Circular to Licensed Corporations - Use of external electronic data storage)
  • business continuity management; (5.5.2 (d), Guidelines on Outsourcing)
  • Determine that the service provider has in place satisfactory business continuity plans ("BCP") that are commensurate with the nature, scope and complexity of the outsourcing arrangement. Outsourcing agreements should contain BCP requirements on the service provider, in particular, recovery time obj… (5.7.2 (a), Guidelines on Outsourcing)
  • The FI should ensure that contractual terms and conditions governing the roles, relationships, obligations and responsibilities of all contracting parties are set out fully in written agreements. The requirements and conditions covered in the agreements would usually include performance targets, ser… (§ 5.1.2, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • Furthermore, as part of the response and recovery plans, a financial institution should consider and implement continuity measures to mitigate failures of third party providers, which are of key importance for a financial institution's ICT service continuity (in line with the provisions of the EBA G… (3.7.3 86, Final Report EBA Guidelines on ICT and security risk management)
  • where those institutions and payment institutions rely on an exit plan for a critical or important function that has been established at group level, within the institutional protection scheme or by the central body, all institutions and payment institutions should receive a summary of the plan and … (4.2 23(e), Final Report on EBA Guidelines on outsourcing arrangements)
  • the exit strategies and termination processes, including a requirement for a documented exit plan for each critical or important function to be outsourced where such an exit is considered possible taking into account possible service interruptions or the unexpected termination of an outsourcing agre… (4.7 42(f), Final Report on EBA Guidelines on outsourcing arrangements)
  • business continuity planning in accordance with Section 9; (4.7 42(c)(vi), Final Report on EBA Guidelines on outsourcing arrangements)
  • develop and implement exit plans that are comprehensive, documented and, where appropriate, sufficiently tested (e.g. by carrying out an analysis of the potential costs, impacts, resources and timing implications of transferring an outsourced service to an alternative provider); and (4.15 107(a), Final Report on EBA Guidelines on outsourcing arrangements)
  • Institutions and payment institutions should have a documented exit strategy when outsourcing critical or important functions that is in line with their outsourcing policy and business continuity plans, taking into account at least the possibility of: (4.15 106, Final Report on EBA Guidelines on outsourcing arrangements)
  • reintegrate the function; or (4.6 40(f)(ii), Final Report on EBA Guidelines on outsourcing arrangements)
  • requirements for the ICT third-party service provider to implement and test business contingency plans and to have in place ICT security measures, tools and policies that provide an appropriate level of security for the provision of services by the financial entity in line with its regulatory framew… (Art. 30.3. ¶ 1(c), Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Firms should begin to develop their business continuity and exit plans, in particular for stressed exits, during the pre-outsourcing phase once they have determined that a planned outsourcing arrangement is material (see Chapter 5). Doing so will enable them to: (§ 10.17, SS2/21 Outsourcing and third party risk management, March 2021)
  • business continuity plan; and (§ 10.1 Bullet 1, SS2/21 Outsourcing and third party risk management, March 2021)
  • Applicable emergency and disaster recovery plans are in place, (TIER II OBJECTIVES AND PROCEDURES F.2. Bullet 3, FFIEC IT Examination Handbook - Audit, April 2012)
  • Include critical suppliers in contingency planning, incident response, and disaster recovery planning and testing. (3.4.2. ¶ 1 Bullet 10, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • The third party management plan should include the bank's contingency plans. ("Planning" Bullet 9, Third-Party Relationships Risk Management Guidance, OCC bulletin 2013-29, October 30, 2013)