The Third-Party Threat for Financial Organisations

DORA’s supply chain security requirements

IT Governance’s research for November 2023 found that 48% of the month’s incidents originated from the supply chain (i.e. were third-party attacks). For Europe, this number rises to 61%.

Admittedly, it only takes a comparatively small number of supply chain attacks to skew the number of incidents. It’s in their nature for one attack to compromise potentially hundreds or even thousands of organisations.

However, that doesn’t stop the numbers from being worrying. It can be challenging to secure your supply chain – organisations tend to simply trust that the products and services they use are safe. But where they aren’t, every organisation that uses them can be at risk, with potentially far-reaching consequences. That those consequences originate from just one source doesn’t make them any less serious.

Higher risks for the finance sector

For the finance sector, the risk is higher than average. As a recent Trustwave report pointed out, the businesses in this sector are extremely interconnected, even by the modern world’s standards. That interconnectedness makes the sector even more susceptible to supply chain attacks.

EU lawmakers are aware of this too. For that reason, supply chain security is a core requirement of the upcoming DORA Regulation (Digital Operational Resilience Act). Although it’s an EU law, it will affect UK organisations too, if they operate in the EU.

What can financial entities do to secure their supply chain?

When we put the question to Alan Calder, CEO of GRC International Group, he explained:

Financial entities must review ICT security across their supply chains, deploying audit and compliance teams to ensure that third-party ICT service providers are secure and compliant. That means looking for certifications like ISO 27001, ISO 22301 and Europrivacy.

Where critical suppliers are concerned, you should look at their resilience, including:

  • Their penetration testing regimes;
  • How their incident response mechanisms work; and
  • Whether they are DORA compliant.

If they fall short of your standards or requirements, you need to find alternative suppliers.

What are the requirements under DORA?

DORA requires financial entities to have robust contracts in place with ICT service providers. Financial organisations must also maintain a register of service providers and report on this to the competent authority every year.

The key here is to manage risks. This includes managing the risk of having too many critical or important functions supported by a small number of service providers.

In addition, DORA requires that financial entities only contract with providers that “comply with appropriate information security standards”. Where the ICT service provider supports critical or important functions, the financial entity must ensure the standards are “the most up-to-date and highest quality”.

What “information security standards” are considered “appropriate”?

Unlike the GDPR (General Data Protection Regulation), DORA does not require that these standards be identified by a specific authority, so it’s reasonable to assume that ISO 27001 – since it sets the international benchmark for information security management – would qualify as such a standard.

As Alan mentioned, certifications like ISO 22301 and Europrivacy™/® add further assurance, as do due diligence checks on suppliers’ resilience, particularly for critical suppliers.

In fact, DORA sets out a process for the ESAs (European Supervisory Authorities) to designate ‘critical suppliers’ for financial entities. These suppliers will have stricter requirements due to their importance to the financial industry.

But the burden doesn’t just lie with the authorities. Ultimately, it is the organisation’s responsibility to find suppliers that can offer assurances – preferably backed up by certifications to standards like ISO 27001 – that they are secure.

As Alan explained:

Financial entities will need to work ever more closely with their key suppliers to ensure they are genuinely resilient. That will include, for instance, running large-scale cyber attack simulations that involve significant elements of the supply chain, to test and improve the depth of their resilience.

Certified DORA Foundation Training Course

To learn more about DORA’s core requirements, including supply chain security, consider taking our Certified DORA Foundation Training Course.

This course covers:

  • An introduction to DORA and the regulatory landscape;
  • ICT risk management principles in DORA;
  • ICT incident management principles in DORA;
  • Resilience testing requirements;
  • Managing third-party risk; and
  • Information-sharing principles.

The course is the prerequisite to further specialist DORA training courses, including C-DORA Practitioner, C-DORA Compliance Officer and C-DORA Lead Auditor.