Assess third parties' business continuity capabilities during due diligence.


CONTROL ID: 12077
CONTROL TYPE: Business Processes
CLASSIFICATION: Detective

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Conduct all parts of the supply chain due diligence process., CC ID: 08854

This Control has the following implementation support Control(s):
  • Review third parties' backup policies., CC ID: 13043


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • the service provider's contingency plan, the results of testing thereof and the scope for improving it. (2.6.2 Bullet 4, Hong Kong Monetary Authority Supervisory Policy Manual SA-2 Outsourcing, V.1-28.12.01)
  • If the system resilience of AIs depends on the cooperation of external service providers, they should maintain an adequate level of monitoring of the system resilience of these service providers and understand their contingency planning arrangements. If the service providers concerned are AIs' outso… (§ 9.4.2, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • the EDSP's internal governance for the safeguard of the licensed corporation's Regulatory Records (where Regulatory Records are kept with the EDSP), and may include assessing the physical security of the storage facilities, the type of hosting (ie, whether it is dedicated or shared hardware), securi… (12.(a), Circular to Licensed Corporations - Use of external electronic data storage)
  • risk management framework and capabilities, including technology risk management and business continuity management in respect of the outsourcing arrangement; (5.4.3 (e), Guidelines on Outsourcing)
  • disaster recovery arrangements and disaster recovery track record; (5.4.3 (f), Guidelines on Outsourcing)
  • An institution should ensure that its business continuity is not compromised by outsourcing arrangements, in particular, of the operation of its critical systems as stipulated under the Technology Risk Management Notice. An institution should adopt the sound practices and standards contained in the … (5.7.1, Guidelines on Outsourcing)
  • Proactively seek assurance on the state of BCP preparedness of the service provider, or participate in joint testing, where possible. It should ensure the service provider regularly tests its BCP plans and that the tests validate the feasibility of the RTO, RPO and resumption operating capacities. S… (5.7.2 (b), Guidelines on Outsourcing)
  • the institution's ability to effectively monitor the service provider, and execute its business continuity management plans and exit strategy. (5.10.1 ¶ 1 (d), Guidelines on Outsourcing)
  • The FI should verify the service provider’s ability to recover the outsourced systems and IT services within the stipulated recovery time objective (“RTO”) prior to contracting with the service provider. (§ 5.2.5, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • Where information assets are managed by service providers, the FI should assess the service provider's disaster recovery capability and ensure disaster recovery arrangements for these information assets are established, tested and verified to meet its business needs. The FI should engage its service… (§ 8.3.4, Technology Risk Management Guidelines, January 2021)
  • in the case of significant institutions, the step-in risk, i.e. the risk that may result from the need to provide financial support to a service provider in distress or to take over its business operations; and (4.12.2 66(c), Final Report on EBA Guidelines on outsourcing arrangements)
  • When applying the requirements set out in these guidelines, institutions and payment institutions should take into account the complexity of the outsourced functions, the risks arising from the outsourcing arrangement, the criticality or importance of the outsourced function and the potential impact… (4.1 19, Final Report on EBA Guidelines on outsourcing arrangements)
  • With regard to critical and important functions, institutions and payment institutions should ensure that the service provider has the business reputation, appropriate and sufficient abilities, the expertise, the capacity, the resources (e.g. human, IT, financial), the organisational structure and, … (4.12.3 70, Final Report on EBA Guidelines on outsourcing arrangements)
  • business continuity and operational resilience; (4.4 31(b)(ii), Final Report on EBA Guidelines on outsourcing arrangements)
  • where applicable, recovery and resolution planning, resolvability and operational continuity in an early intervention, recovery or resolution situation; (4.4 31(b)(v), Final Report on EBA Guidelines on outsourcing arrangements)
  • the insolvency law provisions that would apply in the event of a service provider's failure and any constraints that would arise in respect of the urgent recovery of the institution's or payment institution's data in particular; (4.12.2 68(d)(iii), Final Report on EBA Guidelines on outsourcing arrangements)
  • the systemic impact on the stability, continuity or quality of the provision of financial services in the event that the relevant ICT third-party service provider would face a large scale operational failure to provide its services, taking into account the number of financial entities and the total … (Art. 31.2.(a), Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Have the BC capabilities of suppliers been evaluated and mitigated? (Operation ¶ 14, ISO 22301: Self-assessment questionnaire)
  • operational resilience, ie its ability to continue providing important business services; (§ 5.11 Bullet 2 Sub-Bullet 4 Sub-Sub-Bullet 2, SS2/21 Outsourcing and third party risk management, March 2021)
  • OCIR and if applicable, resolvability. (§ 5.11 Bullet 2 Sub-Bullet 6, SS2/21 Outsourcing and third party risk management, March 2021)
  • An important objective of the access, audit, and information rights in Chapter 8 is to enable firms, the PRA, and the Bank to assess the effectiveness of service providers' business continuity plans. In particular, they should be able to assess the extent to which they may enable the delivery of imp… (§ 10.4, SS2/21 Outsourcing and third party risk management, March 2021)
  • business continuity, operational resilience, and operational risk, including: (Table 5 Column 2 Row 3 Bullet 1, SS2/21 Outsourcing and third party risk management, March 2021)
  • Identify and mitigate risks relating to suppliers' ability to continue effective service delivery in a secure and efficient manner on a continual basis. Ensure that contracts conform to universal business standards in accordance with legal and regulatory requirements. Risk management should further … (DS2.3 Supplier Risk Management, CobiT, Version 4.1)
  • Management reviews shall consider the performance of the organization, including - follow-up actions from previous management reviews, - the need for changes to the BCMS, including the policy and objectives, - opportunities for improvement, - results of BCMS audits and reviews, including those of ke… (§ 9.3 ¶ 3, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • conduct evaluations of the business continuity capabilities of relevant partners and suppliers; (§ 8.6 ¶ 1 c), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • Review procurement processes (including importation and customs) for medical and other essential supplies, and encourage local sourcing to ensure sustainability (Pillar 8 Step 2 Action 2, COVID-19 Strategic Preparedness and Response Plan, OPERATIONAL PLANNING GUIDELINES TO SUPPORT COUNTRY PREPAREDNESS AND RESPONSE, Draft as of 12 February 2020)
  • Determine whether management has engaged other firms in the discussion of scenarios, performed continuity planning using wide-scale or severely disruptive scenarios, and assessed capacity and feasibility of resuming normal operations. (TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Vendor(s) ability to service contracted customer base in the event of a major disaster or regional event; (TIER I OBJECTIVES AND PROCEDURES Business Continuity Planning (BCP) - General Objective 5:1 Bullet 3 Sub-Bullet 4, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Determine whether management and the BCP addresses critical third parties and outsourced activities and whether there is appropriate oversight in place. (TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Determine if the financial institution's due diligence processes considered its service provider's business continuity program. Consider whether management assessed: (TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:2, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Recovery capabilities and capacity of the service provider; (TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:2 Bullet 1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Determine whether institution management has assessed the adequacy of the TSPs' business continuity program through their vendor management program (e.g. contract requirements, third-party reviews). (TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:11, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Determine the extent to which core and significant firms have demonstrated through testing or routine use that they have the ability to recover and, if relevant, resume operations within the specified time frames addressed in the BCP guidelines and applicable industry standards. (TIER I OBJECTIVES AND PROCEDURES Testing With Third-Party Service Providers Objective 12: Testing Expectations for Core Firms and Significant Firms 2, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Management's assessment of the foreign-based provider's resilience architecture and strategy. (TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:12 Bullet 2, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Assessed critical third-party service providers' susceptibility to multiple event scenarios. (App A Objective 6:5c, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Participation with critical third-party service providers to confirm that entity personnel understand integration with all related recovery processes. (App A Objective 10:8f, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Evaluate the adequacy and effectiveness of financial institution and service provider contingency and business continuity planning. Consider: (App A Tier 1 Objectives and Procedures Objective 3:3, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • If the institution uses a technology service provider, determine whether it performed appropriate due diligence prior to engagement and has appropriate contractual agreements governing the relationship. Determine whether the institution monitors compliance with the governing contract. Determine if t… (App A Tier 1 Objectives and Procedures Objective 8:4, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • The service provider's ability to respond to service disruptions; (App A Tier 2 Objectives and Procedures O.3 Bullet 7, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Availability of services. The resilience of the TSP, including effective disaster recovery, business continuity plans, and adherence to service-level agreements. (Risk-Based Supervision ¶ 2 Bullet 4, FFIEC IT Examination Handbook - Supervision of Technology Service Providers, October 2012)
  • Business resilience and recovery capabilities. Operations moved to cloud computing environments should have resilience and recovery capabilities commensurate with the risk of the service or operation for the financial institution. Management should review and assess the resilience capabilities and s… (Risk Management Resilience and Recovery Bullet 1, FFIEC Security in a Cloud Computing Environment)
  • Geographic area: distance from the organization and the probability of the storage site being affected by the same disaster as the organization's primary site; (§ 3.4.2 ¶ 2 Bullet 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))