Understanding developing regulation around Critical Third Parties

All companies in financial services are subject to Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) regulations on the assessment of third-party risk.

The sector increasingly relies on third parties outside the finance sector for key functions or services (e.g., cloud-based computing services) through outsourcing and other arrangements. These arrangements bring many benefits but can also create risks. The potential for disruption from these dependencies was highlighted in 2019, when the Treasury Select Committee published a report on Information Technology (IT) failures in the financial services sector. International bodies, including the International Monetary Fund (IMF) and the Financial Stability Board (FSB), have also noted these potential systemic risks.

Since then, firms have become increasingly reliant on cloud and other third-party providers. By the 31st of March 2022, institutions in the financial services sector are expected to have identified and assessed their critical third parties, “in a manner appropriate to: their size and internal organisation; the nature, scope and complexity of their activities; and the criticality or importance of the outsourced functions, in line with the principle of proportionality.”

The Bank of England’s Financial Policy Committee concluded in 2021 that “the increasing reliance on a small number of cloud service providers and other critical third parties could increase” systemic risk. HM Treasury has confirmed that it will implement a regime whereby third-party firms designated as critical will be subject to direct regulatory oversight by the financial regulators (FCA, PRA, Bank of England, etc.).

The Treasury published a policy statement on 8 June 2022 setting out its framework for mitigating the risks caused by financial services firms outsourcing important functions to third-party service providers. The financial regulators will have a suite of statutory powers, including the power to direct critical third parties (CTPs) to take, or refrain from taking, specific actions, and enforcement powers including a power to publicise failings and (as a last resort) to prohibit a critical third party from providing future services, or from continuing to provide services, to firms. The financial regulators’ powers in relation to CTPs will be set out in primary legislation.

The government intends to legislate for this regime when parliamentary time allows. The financial regulators’ joint Discussion Paper will be published shortly after such legislation is introduced. The financial regulators anticipate publishing a further Consultation Paper on their proposed rules, building on feedback to their Discussion Paper and based on their proposed, new statutory powers. Following the finalisation of the regulators’ rules, HM Treasury will then expect to begin designating the first critical third parties under this new regime.

About C2

C2 is a UK risk management scaleup on a mission to help businesses survive and thrive in the digital economy. C2 helps organisations manage security and compliance in a way that’s unique to their business and that does more than simply ticking off digital checkboxes. C2’s industry-leading platform supports the public and private sectors in managing their threat landscape and improving vendor controls, project, privacy, and ESG risks.