
PRA SS2/21 Third Party Risk Compliance Guide | UpGuard

In recognition of the growing impact of third-party risks on operational resilience, the Prudential Regulation Authority (PRA) has established new regulatory requirements in the areas of third-party risk management and outsourcing. The details were published in a Supervisory Statement that has been in force since March 2022.

To strengthen the operational resilience component of the PRA Rulebook, SS2/21 specifies security requirements across two categories of third-party relationships: material outsourcing and non-outsourcing third parties.

To help PRA-regulated entities navigate these new cybersecurity requirements, this post outlines a compliance framework for all of the third-party risk management requirements of PRA SS2/21.

PRA SS2/21 Terminology Definitions

Because PRA SS2/21 implements the Guidelines on Outsourcing Arrangements by the European Banking Authority (EBA), much of its terminology has been borrowed from the EBA.

The key terms that form the backbone of PRA SS2/21 are defined below.

Material Outsourcing – Outsourcing any service or function critical to a firm's ability to maintain adequate financial resources.

Outsourcing Third Party – Any service provider performing a service, process, or activity, whether directly or by sub-outsourcing, which would otherwise be undertaken by the firm itself.

Non-Outsourcing Third Party – Any third-party entity from which hardware, software, and other ICT products are purchased. Non-outsourcing third-party relationships involve:

a. The design and build of an on-premise IT platform.

b. The acquisition of data collated by third-party providers (data brokers), e.g., geospatial data or data from in-app device activity, social media, etc.;

c. 'Off-the-shelf' machine learning models, including samples of the data used to train and test the models, open source software, and machine learning libraries developed by third-party providers.

Complying with the TPRM Requirements of the PRA Supervisory Statement SS2/21

PRA SS2/21 outlines its third-party risk and due diligence requirements across four primary risk categories:

• Data security
• Access, audit, and information rights
• Sub-outsourcing
• Business continuity and exit strategies

The third-party risk management requirements across these four categories are addressed in the sections of PRA SS2/21 outlined below.

The official PRA Supervisory Statement SS2/21 document can be accessed here.

Section 2.8 of the Supervisory Statement SS2/21

In line with the expectations in Chapter 4 of this SS, firms may implement a holistic, single third-party risk management policy covering outsourcing and non-outsourcing third-party arrangements. Alternatively, they may have separate policies on each of those respective areas provided that they are aligned, consistent, effective, and suitably risk-based.

Learn how to communicate third-party risk to the Board >

How to comply with Section 2.8 of the Supervisory Statement SS2/21

To comply with Section 2.8 of the Supervisory Statement SS2/21, firms have two options for managing third-party risk:

• Implement a holistic, single third-party risk management policy that covers both outsourcing and non-outsourcing third-party arrangements. This policy should be comprehensive and address all relevant risks associated with third-party relationships.

• Develop separate policies for outsourcing and non-outsourcing third-party arrangements. These separate policies must be aligned, consistent, effective, and risk-based to ensure proper management of third-party risks.

In either case, the key is to create a robust risk management framework that addresses all aspects of third-party relationships and maintains regulatory compliance.

How UpGuard can Help You Comply with Section 2.8 of the Supervisory Statement SS2/21

With a suite of features securing the entire vendor lifecycle, UpGuard offers a holistic approach to third-party risk management from a single intuitive solution. Some of the features supporting the security of outsourcing and non-outsourcing third-party arrangements include:

• An integrated remediation management solution for promptly addressing all identified vendor security risks.
• A library of security questionnaires mapping to popular frameworks and regulations to identify compliance gaps.
• A vendor tiering feature for prioritizing third-party vendors with the most critical security risks.
• Security rating competitor monitoring for comparing your cybersecurity efforts against your competitors.

Request a free trial of UpGuard >

Section 2.9 of the Supervisory Statement SS2/21

The following standards apply to all third-party ICT arrangements:

• EBA ICT GL, including but not limited to Sections 3.2.3, 3.3.2, 3.4.5, and 3.7 (in particular, paragraph 86). These GL should be interpreted consistently with: the Operational Resilience/Insurance – Operational Resilience Parts, the expectations in this SS, and SS1/21; and

• relevant legal requirements and standards on ICT security (e.g., Cyber Essentials Plus) and data protection, including but not necessarily limited to the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.

How to comply with Section 2.9 of the Supervisory Statement SS2/21

To comply with Section 2.9 of the Supervisory Statement SS2/21, firms can follow these steps:

Adhere to the EBA ICT Guidelines:

a. Familiarize yourself with the EBA ICT Guidelines, focusing on Sections 3.2.3, 3.3.2, 3.4.5, and 3.7 (particularly paragraph 86).

b. Ensure consistency with the Operational Resilience/Insurance – Operational Resilience Parts, the expectations in SS2/21, and SS1/21 when interpreting and implementing the EBA ICT Guidelines.

c. Establish internal processes, controls, and governance structures to monitor and manage ICT risks in line with the EBA ICT Guidelines.

d. Regularly review and update your firm's ICT risk management policies and procedures to align with any changes in the EBA ICT Guidelines and other relevant supervisory statements.

Comply with relevant legal requirements and standards on ICT security and data protection:

a. Familiarize yourself with legal requirements and standards such as Cyber Essentials Plus, GDPR, and the Data Protection Act 2018.

b. Implement appropriate security measures, including technical and organizational controls, to protect sensitive data and ensure compliance with ICT security standards like Cyber Essentials Plus.

c. Establish a comprehensive data protection framework in line with GDPR and the Data Protection Act 2018, including processes for managing data subject rights, data breaches, and data processing agreements with third parties.

d. Train employees on data protection and ICT security requirements, ensuring they understand their obligations and adhere to the firm's policies and procedures.

e. Regularly review and update your firm's ICT security and data protection policies and procedures to ensure ongoing compliance with legal requirements and industry standards.

How UpGuard can Help You Comply with Section 2.9 of the Supervisory Statement SS2/21

UpGuard offers a library of industry-leading security questionnaires mapping to popular cybersecurity frameworks and regulations, including the GDPR regulation specified in Section 2.9 of the Supervisory Statement SS2/21.

All security risks and compliance gaps are automatically identified from questionnaire submissions, allowing a seamless transition from risk discovery to remediation. UpGuard also offers a custom questionnaire builder for highly targeted risk assessments based on your organization's unique cybersecurity objectives.

Learn more about UpGuard's security questionnaires >

Section 3: Proportionality

Section 3.6 of the Supervisory Statement SS2/21

Depending on its level of control and influence in respect of intragroup outsourcing arrangements, a firm may, for example:

• Adjust its vendor due diligence, although firms should still carefully assess whether a potential service provider that is part of its group has the ability, capacity, resources, and appropriate organisational structure to support the performance of the outsourced function or third party service […]

How to comply with Section 3.6 of the Supervisory Statement SS2/21

To comply with Section 3.6 of the Supervisory Statement SS2/21, firms can follow these steps:

Develop a tailored due diligence process for intragroup outsourcing:

a. Design a specific vendor due diligence framework for intragroup service providers, considering the unique characteristics and relationships within the group.

b. Establish clear guidelines and criteria for assessing intragroup providers, including their capabilities, financial stability, and track record.

Conduct comprehensive assessments of intragroup providers:

a. Perform detailed assessments of the intragroup service provider's capacity, resources, and organizational structure, considering the firm's specific needs and requirements.

b. Identify potential risks or issues related to the intragroup provider and develop appropriate risk mitigation strategies.

c. Continuously monitor and review the performance of the intragroup provider to ensure ongoing compliance with regulatory requirements and internal policies.

How UpGuard can Help You Comply with Section 3.6 of the Supervisory Statement SS2/21

UpGuard combines point-in-time risk assessments with continuous attack surface monitoring of vendor security posture changes. This allows organizations to track the impact of due diligence efforts on each vendor's security posture over time – a metric that could reflect the reliability and safety of a vendor's outsourcing function.

Because UpGuard supports the entire lifecycle of Vendor Risk Management, a vendor's cybersecurity program will readily adapt to any due diligence process adjustment.

Request a free trial of UpGuard >

Section 3.7 of the Supervisory Statement SS2/21

"Where relevant, firms may be able to leverage compliance with existing requirements in other areas of regulation to help meet their regulatory obligations in respect of their intragroup outsourcing arrangements."

How to comply with Section 3.7 of the Supervisory Statement SS2/21

To comply with Section 3.7 of the Supervisory Statement SS2/21, firms can follow these steps:

Identify overlapping regulations:

a. Review all relevant regulations and identify areas where compliance requirements overlap with intragroup outsourcing arrangements.

b. Determine how existing compliance efforts can be applied to meet the obligations related to intragroup outsourcing.

Align compliance efforts:

a. Ensure that your compliance processes for intragroup outsourcing are consistent with other regulatory requirements, where relevant.

b. Streamline and integrate compliance efforts to avoid duplication and maximize efficiency.

Monitor and update compliance efforts:

a. Continuously monitor regulatory changes and their impact on intragroup outsourcing arrangements.

b. Update compliance processes as needed to maintain alignment with evolving regulations and best practices.

How UpGuard can Help You Comply with Section 3.7 of the Supervisory Statement SS2/21

UpGuard's library of security questionnaires and assessments maps to the standards of popular regulations to identify compliance gaps. Thanks to its built-in remediation workflow, UpGuard helps security teams readily address compliance gaps before they result in costly violations.

Request a free trial of UpGuard >

Section 5: Pre-Outsourcing Phase

Section 5.8 of the Supervisory Statement SS2/21

"Firms are responsible for assessing the materiality of their outsourcing and third-party arrangements. Materiality may vary throughout the duration of an arrangement and should therefore be (re)assessed:

• prior to signing the written agreement;
• at appropriate intervals thereafter, eg during scheduled review periods;
• where a firm plans to scale up its use of the service or dependency on the service provider; and/or
• if a significant organisational change at the service provider or a material suboutsourced service provider takes place that could materially change the nature, scale, and complexity of the risks inherent in the outsourcing arrangement, including a significant change to the service provider's ownership or financial position."

How to comply with Section 5.8 of the Supervisory Statement SS2/21

To comply with Section 5.8 of the Supervisory Statement SS2/21, firms can follow these steps:

Pre-contract assessment:

a. Before signing a written agreement, evaluate the materiality of the outsourcing or third-party arrangement.

b. Identify potential risks impacting the firm's operations and regulatory compliance.

Regular reviews:

a. Schedule periodic reviews of materiality throughout the duration of the arrangement.

b. Adjust your risk management strategies as necessary based on the results of these reviews.

Assessing changes in service usage:

a. Re-evaluate materiality when scaling up the use of the service or increasing dependency on the service provider.

b. Update risk management processes to account for increased reliance on the service provider.

Monitor service provider changes:

a. Keep track of significant organizational changes at the service provider or material sub-outsourced service provider that could affect the risks in the outsourcing arrangement.

b. Reassess materiality in light of changes in the service provider’s ownership, financial position, or other relevant factors.

How UpGuard can Help You Comply with Section 5.8 of the Supervisory Statement SS2/21

UpGuard's risk assessment feature includes a library of questionnaires mapping to popular frameworks and regulations and an in-built questionnaire builder. The combination of these two features allows organizations to track any vendor performance metric impacting regulatory compliance, including custom metrics like material outsourcing.

Request a free trial of UpGuard >

Section 5.10 of the Supervisory Statement SS2/21

Firms should develop their own processes for assessing materiality as part of their outsourcing or third-party risk management policy […]

How to comply with Section 5.10 of the Supervisory Statement SS2/21

To comply with Section 5.10 of the Supervisory Statement SS2/21, firms can follow these steps:

Develop a clear framework:

a. Create a comprehensive framework that outlines how your firm will assess the materiality of outsourcing or third-party arrangements.

b. Include relevant criteria, risk factors, and potential impact on the firm's operations, financial stability, and regulatory compliance.

Establish clear processes and procedures:

a. Detail the specific processes and procedures to be followed when assessing materiality.

b. Assign roles and responsibilities to appropriate staff members and ensure they understand their tasks.

Implement monitoring and reporting mechanisms:

a. Set up monitoring and reporting systems to track materiality assessments, including any changes in the materiality of existing arrangements.

b. Ensure relevant stakeholders are informed of materiality assessment results and any necessary actions to be taken.

Integrate materiality assessment into risk management policy:

a. Incorporate the materiality assessment framework into your firm’s broader outsourcing or third-party risk management policy.

b. Align materiality assessment processes with other risk management activities to ensure a consistent approach to risk management.

How UpGuard can Help You Comply with Section 5.10 of the Supervisory Statement SS2/21

UpGuard’s custom security questionnaire builder allows organizations to develop bespoke questionnaires based on their unique materiality assessment requirements.

Request a demo of UpGuard’s custom questionnaire builder >

Section 5.11 of the Supervisory Statement SS2/21

Consistent with the definition of 'material outsourcing' in the PRA Rulebook and, where applicable, the criteria in the EBA Outsourcing GL, a firm should generally consider an outsourcing or third-party arrangement as material where a defect or failure in its performance could materially impair:

• The financial stability of the UK;

• The firm's:
  - ability to meet the Threshold Conditions;
  - compliance with the Fundamental Rules;
  - requirements under relevant legislation and the PRA Rulebook;
  - safety and soundness

[…]

How to comply with Section 5.11 of the Supervisory Statement SS2/21

To comply with Section 5.11 of the Supervisory Statement SS2/21, firms can follow these steps:

Develop materiality criteria:

a. Create a list of criteria based on the PRA Rulebook’s definition of material outsourcing and the EBA Outsourcing GL, where applicable.

b. Consider factors such as financial stability, threshold conditions, compliance with Fundamental Rules, relevant legislation, PRA Rulebook requirements, and the firm's safety and soundness.

Assess materiality:

a. Evaluate each outsourcing or third-party arrangement against the developed criteria to determine its materiality.

b. Regularly reassess the materiality of arrangements to account for any changes in the risk profile, requirements, or performance of the service provider.

Monitor performance:

a. Continuously monitor the performance of material outsourcing and third-party arrangements to identify any defects or failures.

b. Implement corrective measures and risk mitigation strategies to address any issues that could impair the firm's stability or compliance.

Documentation and reporting:

a. Document the materiality assessment process and outcomes, including the criteria used, assessment results, and any actions taken.

b. Report materiality assessment results to relevant stakeholders, including senior management and regulators.

How UpGuard can Help You Comply with Section 5.11 of the Supervisory Statement SS2/21

By combining point-in-time assessment with security rating and data leak detection, UpGuard keeps organizations continuously informed of the state of their third-party attack surface, allowing security risks impacting vendor performance to be readily identified and addressed.

Request a free trial of UpGuard >

Section 5.12 of the Supervisory Statement SS2/21

"The PRA also expects firms to classify an outsourcing arrangement as material if the service being outsourced involves an:

– entire 'regulated activity,' e.g., portfolio management; or
– 'internal control' or 'key function,' unless the firm is satisfied that a defect or failure in performance would not adversely affect the relevant function."

How to comply with Section 5.12 of the Supervisory Statement SS2/21

To comply with Section 5.12 of the Supervisory Statement SS2/21, firms can follow these steps:

Identify outsourcing arrangements:

a. Review all outsourcing arrangements and identify those involving entire regulated activities, internal controls, or key functions.

Assess potential impact:

a. Evaluate the potential consequences of defects or failures in the performance of the identified outsourcing arrangements.

b. Determine if a defect or failure would adversely affect the relevant function or the firm's overall performance and compliance.

Classify material arrangements:

a. If an outsourcing arrangement involves an entire regulated activity, internal control, or key function, and a defect or failure could adversely affect the relevant function, classify it as a material outsourcing arrangement.

b. If the firm is satisfied that a defect or failure would not adversely affect the relevant function, the arrangement may not be considered material.

Implement risk management measures:

a. For material outsourcing arrangements, establish appropriate risk management, monitoring, and contingency plans to address potential defects or failures.

Documentation and reporting:

a. Document the classification process and outcomes, including the rationale behind the classification of material and non-material arrangements.

b. Report material outsourcing arrangements to relevant stakeholders, including senior management and regulators, as required.

How UpGuard can Help You Comply with Section 5.12 of the Supervisory Statement SS2/21

UpGuard's attack surface scanning capabilities extend to the fourth-party landscape for the most comprehensive coverage of vulnerabilities potentially impacting regulatory compliance.

With its vendor tiering feature, UpGuard supports custom vendor categorization, allowing you to group vendors based on:

• Outsourcing arrangements
• Level of security risk
• Access to sensitive customer data
• Reputation
• Regulatory compliance

Or any category that is relevant to your vendor security objectives.

Request a free trial of UpGuard >

Section 5.13 of the Supervisory Statement SS2/21

The PRA expects firms to have regard to all applicable criteria in Table 5 below, both individually and in conjunction, when assessing the materiality of an outsourcing or third-party arrangement not otherwise covered by paragraphs 5.8 and 5.9. Although in practice many material outsourcing and third party arrangements involve ICT products or services (eg cloud), the presence of a given ICT product or service does not, in itself, automatically render an outsourcing arrangement material […]

How to comply with Section 5.13 of the Supervisory Statement SS2/21

To comply with Section 5.13 of the Supervisory Statement SS2/21, firms can follow these steps:

Review outsourcing arrangements:

a. Identify outsourcing and third-party arrangements not covered by paragraphs 5.8 and 5.9.

Consider applicable criteria:

a. Refer to Table 5 and examine all relevant criteria, both individually and collectively.

b. Evaluate the outsourcing arrangement against each criterion to determine its potential materiality.

Assess materiality:

a. Determine if the outsourcing arrangement is material based on the evaluation of the applicable criteria from Table 5.

b. Recognize that an ICT product or service does not automatically make an arrangement material.

Document the assessment:

a. Record the materiality assessment process, including the criteria considered and the rationale behind the materiality determination.

Implement risk management measures:

a. For material outsourcing arrangements, establish appropriate risk management, monitoring, and contingency plans to address potential defects or failures.

Reporting:

a. Report material outsourcing arrangements to relevant stakeholders, including senior management and regulators, as required.

How UpGuard can Help You Comply with Section 5.13 of the Supervisory Statement SS2/21

UpGuard's industry-leading questionnaire library and questionnaire builder support the discovery of custom security risk requirements, including:

• ICT risks
• Reputational risks
• Sensitive data integrity risks

These assessments also map to the standards of popular regulations to ensure third-party security risks do not hinder your regulatory compliance efforts.

UpGuard's attack surface management tool continuously monitors your entire asset inventory for emerging threats, passing all of this data to the platform's remediation workflow and simplifying risk management – a feature set meeting the risk identification, monitoring, and management requirements of Section 2.13 of the Supervisory Statement SS2/21.

See the video below for an overview of UpGuard's attack surface management features.

Section 5.18 of the Supervisory Statement SS2/21

The PRA expects firms to conduct appropriate due diligence on the potential service provider before entering into an outsourcing arrangement, and to identify suitable alternative or backup providers where available. If no alternative or backup providers for a material outsourcing arrangement are available, firms should consider alternative business continuity, contingency planning, and disaster recovery arrangements to ensure they can continue providing relevant important business services within their impact tolerances in the event of material disruption at their chosen service provider (see Chapter 10).

How to comply with Section 5.18 of the Supervisory Statement SS2/21

To comply with Section 5.18 of the Supervisory Statement SS2/21, firms can follow these steps:

Conduct due diligence:

a. Research and assess the potential service provider's ability, capacity, resources, and organizational structure.

b. Investigate the service provider's financial stability, reputation, and regulatory compliance.

c. Evaluate the service provider's existing contracts and performance history.

Identify alternative or backup providers:

a. Research and assess the market to identify suitable alternative or backup providers for material outsourcing arrangements.

b. Document the selection process and rationale for choosing the primary provider and any alternatives.

Plan for contingencies:

a. If no alternative or backup providers are available, develop alternative business continuity, contingency planning, and disaster recovery arrangements.

b. Ensure these plans align with the firm's impact tolerances and enable the firm to continue providing important business services during material disruptions.

Implement and monitor:

a. Establish contracts with the primary service provider and, if applicable, alternative or backup providers.

b. Monitor the performance and risk profile of the primary service provider, and ensure alternative providers remain viable options.

c. Regularly review and update contingency plans as needed.

How UpGuard can Help You Comply with Section 5.18 of the Supervisory Statement SS2/21

With UpGuard's security rating feature based on 70+ attack vectors, you can instantly determine a potential vendor's risk exposure and how those risks sit within your risk appetite. This allows vendors with poor cybersecurity performance to be instantly disqualified from partnership considerations, saving time and preventing the introduction of excessive security risks.

UpGuard also allows vendors to share completed risk assessments and any relevant security documentation in a Trust Page to streamline the onboarding process for all parties.

UpGuard's Trust Page feature

Request a free trial of UpGuard >

Section 5.19 of the Supervisory Statement SS2/21

"In the case of material outsourcing, the PRA expects firms' due diligence to consider the potential providers':

• business model, complexity, financial situation, nature, ownership structure, and scale;
• capability, expertise, and reputation;
• financial, human, and technology resources;
• ICT controls and security; and
• sub-outsourced service providers, if any, that will be involved in delivering important business services or parts thereof."

How to comply with Section 5.19 of the Supervisory Statement SS2/21

To comply with Section 5.19 of the Supervisory Statement SS2/21, firms can follow these steps:

Assess potential providers' business characteristics:

a. Examine their business model, complexity, financial situation, nature, ownership structure, and scale.

b. Determine how these factors may impact the provider's ability to deliver the required services.

Evaluate capability, expertise, and reputation:

a. Review the provider's track record and industry experience.

b. Consider client testimonials, case studies, and any relevant awards or recognitions.

Analyze financial, human, and technology resources:

a. Assess the provider's financial stability and resource allocation.

b. Evaluate the skills, expertise, and experience of the provider's staff.

c. Examine the provider's technology infrastructure, tools, and systems.

Review ICT controls and security:

a. Investigate the provider's information and communication technology (ICT) controls and security measures.

b. Ensure the provider complies with relevant regulations, standards, and best practices.

Assess sub-outsourced service providers, if any:

a. Identify any sub-outsourced service providers involved in delivering important business services or parts thereof.

b. Conduct due diligence on these sub-outsourced providers, following the same steps mentioned above.

How UpGuard can Help You Comply with Section 5.19 of the Supervisory Statement SS2/21

UpGuard's library of industry-leading risk assessments maps to the requirements of popular cybersecurity standards, including ISO 27001, GDPR, NIST SP 800-53, HECVAT, Modern Slavery, and more.

Each of these assessments evaluates the impact of controls on a range of categories listed in Section 5.19 of the Supervisory Statement SS2/21, including ICT controls, human and technology services, and, of course, security.

By also continuously monitoring the dark web for internal and third-party data leaks, UpGuard mitigates the financial and reputational impacts of compromised credentials and sensitive data dumps.

Request a free trial of UpGuard >

Section 5.20 of the Supervisory Statement SS2/21

"The due diligence should also consider whether potential service providers:

• have the authorisations or registrations required to perform the service;

• comply with GDPR, the Data Protection Act, and other applicable legal and regulatory requirements on data protection;

• can demonstrate certified adherence to recognised, relevant industry standards;

• can provide, where applicable and upon request, relevant certificates and documentation (e.g., data dictionaries); and

• have the ability and capacity to provide the service that the firm needs in a manner compliant with UK regulatory requirements (including in the event of a sudden spike in demand for the relevant service, for instance due to a shift to remote working during a pandemic). A 'basic' track record of previous performance may not be sufficient evidence by itself."

How to comply with Section 5.20 of the Supervisory Statement SS2/21

To comply with Section 5.20 of the Supervisory Statement SS2/21, firms can follow these steps:

Confirm authorizations or registrations:

a. Verify if potential providers have the necessary authorizations or registrations to perform the service.

Check compliance with data protection laws:

a. Ensure potential providers comply with GDPR, the Data Protection Act, and other applicable legal and regulatory requirements on data protection.

Verify adherence to industry standards:

a. Determine if potential providers can demonstrate certified adherence to recognized, relevant industry standards.

Request relevant certificates and documentation:

a. Obtain, where applicable and upon request, relevant certificates and documentation (e.g., data dictionaries) from potential providers.

Assess ability and capacity to provide compliant services: 

a. Evaluate potential providers’ ability and capacity to provide the service in compliance with UK regulatory requirements, even during sudden spikes in demand (e.g., due to remote working during a pandemic).

b. Note that a “basic” track record of previous performance may not be sufficient evidence by itself.

How UpGuard can Help You Comply with Section 5.20 of the Supervisory Statement SS2/21

When a vendor submits a GDPR questionnaire on the UpGuard platform, the platform automatically identifies all of the compliance gaps preventing complete compliance with the regulation.

UpGuard’s Trust Page feature allows service providers to easily share completed questionnaires and certifications with their partners to demonstrate certified adherence to relevant industry standards.


Section 5.21 of the Supervisory Statement SS2/21

“In line with Risk Control 3.4(2) and Risk Management 3.1, firms should, in a proportionate manner, assess the potential risks of all third party arrangements, including outsourcing arrangements, regardless of materiality. As part of the risk assessment, the PRA expects firms to consider:

• operational risks based on an analysis of severe but plausible scenarios, for instance, a breach or outage affecting the confidentiality and integrity of sensitive data and/or availability of service provision (see Chapter 10); and

• financial risks, including the potential need for the firm to provide financial support to a material outsourced or sub-outsourced service provider in distress or take over its business, including as a result of an economic downturn (‘step-in’ risk).”

How to comply with Section 5.21 of the Supervisory Statement SS2/21

To comply with Section 5.21 of the Supervisory Statement SS2/21, firms can follow these steps:

1. Assess operational risks:

a. Analyze severe but plausible scenarios, such as a breach or outage affecting the confidentiality and integrity of sensitive data and/or the availability of service provision.

b. Consider the operational risks associated with these scenarios (see Chapter 10).

2. Assess financial risks:

a. Evaluate the potential need for the firm to provide financial support to a material outsourced or sub-outsourced service provider in distress, or to take over its business, including as a result of an economic downturn (step-in risk).

How UpGuard can Help You Comply with Section 5.21 of the Supervisory Statement SS2/21

UpGuard’s holistic approach to third-party risk management, combining point-in-time assessments with attack surface scanning, provides real-time updates of vendor risk exposure, even between scheduled assessments.

This comprehensive third-party risk coverage can be leveraged to determine impacts across other risk categories, including operational and financial.


Section 5.22 of the Supervisory Statement SS2/21

“The PRA expects firms to carry out risk assessments in the circumstances referred to in paragraph 5.6 and also if they consider that there may have been a significant change to an outsourcing arrangement’s risks due to, for instance, a serious breach/continued breaches of the agreement or a crystallised risk.”

How to comply with Section 5.22 of the Supervisory Statement SS2/21

To comply with Section 5.22 of the Supervisory Statement SS2/21, firms can follow these steps:

Monitor outsourcing arrangements: Keep track of the performance of the outsourcing arrangements, and watch for any signs of serious or continued breaches of the agreement or crystallized risks.

Conduct risk assessments: Though non-outsourcing third parties usually introduce fewer security threats than their outsourcing counterparts, their compromise could still negatively impact the PRA’s objectives. As such, the PRA expects firms to assess the materiality and risks of all third-party arrangements, including non-outsourcing third parties. Perform risk assessments in the circumstances referred to in paragraph 5.6 or when there is a significant change in the outsourcing arrangement’s risks.

Review and update risk assessments: Regularly review and update assessments as needed, particularly when circumstances change or new risk exposures are identified.

How UpGuard can Help You Comply with Section 5.22 of the Supervisory Statement SS2/21

UpGuard’s security ratings feature indicates whenever a third-party vendor’s security posture decreases – events that could indicate a significant change to an outsourcing arrangement’s risk exposure.

A security rating drop triggers a notification to security teams to expedite internal investigations. Thanks to UpGuard’s library of customizable risk assessments, investigation efforts can quickly involve targeted risk assessments, in line with the expectations of section 5.22.
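The trigger described above (a rating drop prompting a targeted reassessment under section 5.22) can be reproduced against any vendor rating feed a firm keeps. The following is an added example, not UpGuard’s code: the rating history is constructed, the 0–950 scale and both thresholds are assumptions, and the rule flags either a sharp drop between two consecutive observations or a gradual slide that crosses a floor, which a single-observation check would miss.

```python
"""Flag significant drops in a vendor's security rating as triggers for a
targeted risk reassessment (SS2/21 section 5.22).
Added example: the rating history is constructed and the thresholds are
assumptions, not UpGuard's own values."""
from dataclasses import dataclass


@dataclass
class Trigger:
    vendor: str
    previous: int
    current: int
    reason: str


def detect_rating_drops(history, abs_drop=50, floor=600):
    """history maps vendor -> list of ratings, oldest first (assumed 0-950 scale).

    A reassessment trigger is raised when the rating falls by `abs_drop` or
    more between consecutive observations, or when it crosses below `floor`
    even though each individual step was small (a gradual slide)."""
    triggers = []
    for vendor, ratings in history.items():
        for prev, cur in zip(ratings, ratings[1:]):
            if prev - cur >= abs_drop:
                triggers.append(Trigger(vendor, prev, cur,
                                        f"drop of {prev - cur} points"))
            elif prev >= floor > cur:
                triggers.append(Trigger(vendor, prev, cur,
                                        f"fell below floor {floor}"))
    return triggers


# Constructed sample: five monthly observations per vendor.
SAMPLE_HISTORY = {
    "vendor-a": [820, 815, 810, 740, 735],  # one sharp drop of 70 points
    "vendor-b": [640, 620, 610, 590, 585],  # gradual slide that crosses 600
    "vendor-c": [900, 905, 900, 898, 902],  # stable, no trigger expected
}


if __name__ == "__main__":
    for t in detect_rating_drops(SAMPLE_HISTORY):
        print(f"{t.vendor}: {t.previous} -> {t.current} ({t.reason}); "
              "schedule targeted risk assessment")
```

Each trigger carries the before/after values and the reason so the investigation record can show why a reassessment was opened, which is the evidence an SS2/21 review would ask for.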


Section 5.23 of the Supervisory Statement SS2/21

A firm’s risk assessment should balance any risks that the outsourcing arrangement may create or increase against any risks it may reduce or enable the firm to manage more effectively (for instance, a firm’s resilience to disruption). The assessment should also take into account existing or planned risk mitigation, e.g., staff procedures and training.

How to comply with Section 5.23 of the Supervisory Statement SS2/21

To comply with Section 5.23 of the Supervisory Statement SS2/21, firms can follow these steps:

Identify risks: Determine the risks created or increased by the outsourcing arrangement, as well as the risks that are reduced or managed more effectively.

Evaluate risk mitigation measures: Assess existing or planned risk mitigation strategies, including staff procedures and training, and how they impact the identified risks.

Conduct a balanced risk assessment: Perform a comprehensive risk assessment that considers identified risks and mitigation measures and evaluates their potential impact on the firm’s operations and resilience.

Review and update the risk assessment: Regularly review and update the risk assessment to ensure it reflects any changes in the outsourcing arrangement or the firm’s risk mitigation strategies.

How UpGuard can Help You Comply with Section 5.23 of the Supervisory Statement SS2/21

UpGuard offers many collaborative functions to aid with strategic risk management, including:

Risk waivers – Risk waivers let you document justifications and approvals for waiving known risks to streamline the risk assessment workflow.

[Image: Risk Waiver feature on the UpGuard platform.]


In-line questionnaire correspondence – Append messages to specific questionnaire items to simplify clarification and expedite submissions.

[Image: In-line questionnaire feature on the UpGuard platform.]


Risk summary reports – This report summarizes risk assessment statuses across your entire vendor network, simplifying progress tracking and follow-up efforts.

[Image: Risk assessment summary report on the UpGuard platform.]


In-app and email notifications – Set triggers for various events to remain informed of emerging third-party risks. Triggers can be divided into groups and personalized with custom names and descriptions to simplify management.

[Image: Notification manager on the UpGuard platform.]


Section 5.24 of the Supervisory Statement SS2/21

The PRA expects firms and groups to periodically (re)assess and take reasonable steps to manage:

• their overall reliance on third parties; and

• concentration risks or vendor lock-in at the firm or group,

How to comply with Section 5.24 of the Supervisory Statement SS2/21

To comply with Section 5.24 of the Supervisory Statement SS2/21, firms can follow these steps:

Monitor reliance on third parties: Keep track of all third-party relationships and evaluate the extent of dependence on each provider.

Assess concentration risks: Identify situations where the firm or group relies heavily on a single provider or a small number of providers for critical services, which may lead to concentration risks.

Evaluate vendor lock-in: Examine the possibility of vendor lock-in, where the firm or group becomes too reliant on a specific provider, making it difficult to switch providers or find alternatives.

Develop risk mitigation strategies: Implement measures to manage and mitigate reliance on third parties, concentration risks, and vendor lock-in. This may include diversifying service providers, implementing contingency plans, or negotiating contract terms facilitating provider transitions.

Regularly reassess: Periodically reassess the firm or group’s reliance on third parties and the associated risks, updating risk mitigation strategies as needed.

How UpGuard can Help You Comply with Section 5.24 of the Supervisory Statement SS2/21

UpGuard’s attack surface monitoring solution surfaces your entire asset inventory to help you identify third-party entities unnecessarily bloating your attack surface.
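The section 5.24 steps above (monitor reliance, assess concentration, evaluate lock-in) can be turned into a repeatable check over the firm’s own inventory of critical services. The following is an added example and not part of the original post or of UpGuard’s product: the service-to-provider inventory is constructed, and the thresholds are assumptions. It measures concentration with the Herfindahl-Hirschman index (HHI) over the share of critical services each primary provider supports, and reports lock-in candidates as services with no alternative provider.

```python
"""Quantify reliance on third parties, concentration risk and lock-in
(SS2/21 section 5.24).
Added example: the inventory is constructed and the thresholds are
assumptions. Concentration is measured with the Herfindahl-Hirschman index
(HHI, sum of squared provider shares, 0..1)."""
from collections import Counter

# Constructed inventory: critical service -> providers able to deliver it.
# The first provider listed is the one currently relied on (primary).
SERVICE_PROVIDERS = {
    "core-banking-hosting": ["CloudCo"],
    "payments-gateway": ["CloudCo", "PayNet"],
    "kyc-screening": ["CloudCo"],
    "email": ["MailCorp"],
    "backup-storage": ["CloudCo", "VaultInc"],
}


def provider_shares(inventory):
    """Share of critical services for which each provider is primary."""
    counts = Counter(providers[0] for providers in inventory.values())
    total = sum(counts.values())
    return {provider: n / total for provider, n in counts.items()}


def hhi(shares):
    """Herfindahl-Hirschman index: 1.0 means a single provider for everything."""
    return sum(share * share for share in shares.values())


def single_points_of_failure(inventory):
    """Services with exactly one capable provider (vendor lock-in candidates)."""
    return sorted(svc for svc, providers in inventory.items()
                  if len(providers) == 1)


def assess_concentration(inventory, hhi_threshold=0.25, share_threshold=0.5):
    """Return shares, HHI and human-readable findings. The thresholds are
    assumptions: 0.25 is a common 'highly concentrated' HHI cut-off, and
    share_threshold flags any single provider carrying half the estate."""
    shares = provider_shares(inventory)
    index = hhi(shares)
    findings = []
    if index >= hhi_threshold:
        findings.append(f"HHI {index:.2f} is at or above {hhi_threshold}: "
                        "provider base is concentrated")
    for provider, share in sorted(shares.items()):
        if share >= share_threshold:
            findings.append(f"{provider} is primary provider for "
                            f"{share:.0%} of critical services")
    for svc in single_points_of_failure(inventory):
        findings.append(f"{svc} has no alternative provider (lock-in risk)")
    return {"hhi": index, "shares": shares, "findings": findings}


if __name__ == "__main__":
    for line in assess_concentration(SERVICE_PROVIDERS)["findings"]:
        print(line)
```

Re-running the assessment on each inventory change, or on the periodic cadence 5.24 asks for, gives a dated record of how reliance and concentration have moved and which mitigation (a second provider, an exit plan) closed each finding.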


Section 6: Outsourcing Agreements

Section 6.3 of the Supervisory Statement SS2/21

Firms should ensure that written agreements for non-material outsourcing arrangements include appropriate contractual safeguards to manage and monitor relevant risks. Moreover, regardless of materiality, firms should ensure that outsourcing agreements do not impede or limit the PRA’s ability to effectively supervise the firm or outsourced activity, function, or service.

How to comply with Section 6.3 of the Supervisory Statement SS2/21

To comply with Section 6.3 of the Supervisory Statement SS2/21, firms can follow these steps:

Include contractual safeguards: Incorporate clauses in the written agreements that address risk management and monitoring for non-material outsourcing arrangements. These safeguards may cover performance monitoring, reporting requirements, and escalation procedures.

Ensure PRA supervision: Make sure outsourcing agreements do not restrict the PRA’s ability to supervise the firm or the outsourced activity. This can be achieved by including provisions in the agreements that allow the PRA to access relevant information, documentation, and personnel associated with the outsourced activity.

Regular reviews: Periodically review written agreements to ensure they remain up-to-date and continue to provide appropriate risk management and monitoring measures.

Legal and regulatory compliance: Verify that all outsourcing agreements comply with relevant legal and regulatory requirements, and consult with legal experts as needed to ensure compliance.

How UpGuard can Help You Comply with Section 6.3 of the Supervisory Statement SS2/21

UpGuard’s Trust Page feature streamlines contract access and collaborations between third-party vendors and their partners.

This pathway allows contracts to be reviewed anytime to ensure alignment with risk monitoring requirements. Both vendors and their partners have the option of greater access control by gating contracts behind Non-Disclosure Agreements.

Section 7: Data Security

Section 7.10 of the Supervisory Statement SS2/21

The PRA expects firms to implement appropriate measures to protect outsourced data and set them out in their outsourcing policy and, where appropriate, in their written agreements for material outsourcing.

Section 7.11 of the Supervisory Statement SS2/21

The PRA expects firms to implement robust controls for data-in-transit, data-in-memory, and data-at-rest. Depending on the materiality and risk of the arrangement, these controls may include a range of preventative and detective measures […]

How to comply with Sections 7.10 and 7.11 of the Supervisory Statement SS2/21

To comply with Sections 7.10 and 7.11 of the Supervisory Statement SS2/21, firms can follow these steps:

Update outsourcing policy: Incorporate data protection measures in the outsourcing policy, and ensure these measures are included in written agreements for material outsourcing arrangements.

Implement robust controls: Establish and maintain controls for data-in-transit, data-in-memory, and data-at-rest. These controls may include configuration management, encryption, key management, identity and access management, monitoring of insider threats, access and activity logging, incident detection and response, loss prevention and recovery, data segregation, network and firewall configuration, staff training, and ongoing monitoring of service providers’ controls.

Monitor effectiveness: Regularly assess the effectiveness of the service provider’s controls through access and audit rights.

Incident response: Develop policies and procedures to detect and respond to incidents affecting information security, such as data breaches or misuse of access.

Data deletion: Establish procedures for deleting firm data from all locations where the service provider may have stored it after exit or termination, considering data protection law obligations and data retention requirements.

How UpGuard can Help You Comply with Sections 7.10 and 7.11 of the Supervisory Statement SS2/21

UpGuard helps organizations protect their sensitive data by securing common attack vectors leading to data breaches, including:

Data leaks – UpGuard monitors the dark web for data leaks that could expedite third-party breaches.

Third-party vulnerabilities – With security questionnaires mapping to popular regulations – including the GDPR – and cyber frameworks, UpGuard helps you discover underlying security threats increasing the risk of data breaches and supply chain attacks.

Over 70 critical breach vectors – Including phishing, ransomware susceptibility (like WannaCry), man-in-the-middle attacks, DNSSEC, vulnerabilities, email spoofing, domain hijacking, DNS issues, and more.

Section 8: Access, audit, and information rights

Section 8.7 of the Supervisory Statement SS2/21

Firms may use a range of audit and other information-gathering methods, including:

• offsite audits, such as certificates and other independent reports supplied by service providers; and

• onsite audits, either individually or in conjunction with other firms (pooled audits).

Section 8.9 of the Supervisory Statement SS2/21

Certificates and reports supplied by service providers may help firms obtain assurance on the effectiveness of the service provider’s controls. However, in material outsourcing arrangements, the PRA expects firms to:

• assess the adequacy of the information in these certificates and reports, and not assume that their mere existence or provision is sufficient evidence that the service is being provided in accordance with their legal, regulatory, and risk management obligations; and

• ensure that certificates and audit reports meet the expectations in (Table 8).

How to comply with Sections 8.7 and 8.9 of the Supervisory Statement SS2/21

To comply with Sections 8.7 and 8.9 of the Supervisory Statement SS2/21, firms can follow these steps:

Utilize different audit methods: Employ offsite and onsite audits, including certificates and independent reports supplied by service providers, and pooled audits in collaboration with other firms.

Assess certificate and report adequacy: For material outsourcing arrangements, evaluate the adequacy of the information in these certificates and reports, ensuring they meet the expectations set out in Table 8. Do not assume that their mere existence or provision is sufficient evidence of compliance with legal, regulatory, and risk management obligations.

Verify compliance: Ensure that certificates and audit reports meet the regulatory expectations and that the service is provided per the firm’s legal, regulatory, and risk management obligations.

How UpGuard can Help You Comply with Sections 8.7 and 8.9 of the Supervisory Statement SS2/21

UpGuard’s Trust Page feature centralizes vendor agreements, certifications, contracts, and any other relevant cybersecurity information in one public-facing page to streamline access across business relationships.
