By Jason Harrell, Managing Director, Operational and Technology Risk and Head of External Engagement, DTCC
The financial services industry is increasingly leveraging new technology to improve the delivery of existing products and services and to provide increased value across market segments. Given this rapid growth in the adoption of new technology and the addition of numerous new technology providers, financial authorities and institutions are increasingly focused on the risks created by these changing dynamics and how to further protect consumers and the safety and soundness of the financial markets.
Financial institutions often leverage third-party solutions alongside their existing legacy technology to facilitate the use of new technology and the delivery of services to clients. While these technology service providers have augmented the network architecture of many financial institutions, they have also expanded the surface area of potential attack vectors for cyber threat actors and have increased interconnectedness risks within the financial services sector. It is critical for the industry to understand these risks and how they may be addressed.
Financial institutions have long been required to assess the risks of third parties, but recent cyber incidents such as those at ION Derivatives and SolarWinds have led financial authorities and market participants to reexamine existing frameworks against the current threat landscape. This examination has led to several financial authorities updating their third-party risk management rules and guidance. Now, financial institutions should not only understand how their third parties manage risk, but also be familiar with the resilience capabilities of those critical third parties. For their most critical service providers, financial institutions must develop exit strategies, gain assurance that those third parties can rapidly recover their services, and require that these providers regularly test resilience plans. By further enhancing how firms execute their oversight of third parties, the industry can continue to raise the bar on preparedness and response.
The financial markets are an intricate web of financial firms, market utilities, technology providers, central banks, and other institutions. Certain technology and service providers may be broadly adopted, creating concentrations within the industry that could lead to financial stability risks. As financial institutions increase their reliance on a finite set of technology service providers and extend the supply chain, it is important that institutions recognize these risks within their traditional third-party risk management programs. While an individual institution may not understand sector-wide risks, each firm can do its part to understand its individual concentration of risk and develop strategies to mitigate those risks.
To address these risks and bolster resiliency, financial institutions should work to identify their critical services and how third parties may be leveraged to deliver those services. Doing so will provide a clearer picture of the institution’s potential vulnerabilities and the potential impact these vulnerabilities may have on the institution’s operations. Further, financial institutions should develop strategies for managing potential operational incidents that could impact one or more of their critical services. By proactively developing resilience capabilities, financial institutions can support a rapid and safe recovery from an operational incident and decrease the operational friction that may occur during such an event. These steps are critical as firms increase their reliance on third parties and continue to develop innovative strategies leveraging new technologies and service providers.
As the financial services sector continues to introduce new technology and increase its use of third parties, it is critical that institutions remain focused on fully assessing and addressing the risks that come with this evolution. Technology will be a key enabler in the delivery of new capabilities and services, but it must be introduced cautiously and prudently. As this ecosystem evolves, understanding how new technology will be used to facilitate the delivery of new financial products and services, and critically assessing the potential vulnerabilities and impacts, will facilitate increased market stability and resiliency.