“We are ISO 27001 certified, are we DORA compliant?”

Not so fast. ISO 27001 and DORA both focus on cybersecurity and risk management, but they serve very different purposes. If you're a financial institution or an ICT provider working with financial institutions in the EU, DORA compliance is mandatory, and ISO 27001 alone won’t get you there.

Let’s break it down:

1. Regulatory vs. Voluntary Framework
↳ ISO 27001 – A voluntary international standard for information security management.
↳ DORA – A mandatory EU regulation for financial entities and their ICT providers, with strict oversight and penalties for non-compliance.

2. Scope and Focus
↳ ISO 27001 – Offers a customizable scope tailored to organizational needs, focusing on information security (confidentiality, integrity, availability) based on specific risk assessments and chosen controls.
↳ DORA – Enforces a standardized scope across financial entities, extending beyond security to operational resilience. It ensures institutions can withstand, respond to, and recover from ICT disruptions while maintaining service continuity.

3. Key Compliance Gaps

🔸 Incident Reporting
↳ ISO 27001 – Requires incident management but doesn’t impose strict deadlines or mandate reporting to regulators, as it is a flexible standard.
↳ DORA – 4 hours to report a major incident, 72 hours for an update, 1 month for a root cause analysis.

🔸 Security Testing
↳ ISO 27001 – Requires vulnerability management but leaves testing methods and frequency to organizational risk.
↳ DORA – Annual resilience testing, threat-led penetration testing every 3 years, continuous vulnerability scanning.

🔸 Third-Party Risk Management
↳ ISO 27001 – Covers supplier risk but with general security controls.
↳ DORA – Enforces contractual obligations, exit strategies, and regulatory audits for ICT providers working with financial institutions.

4. How can financial institutions and ICT providers address the delta?
✅ Perform a DORA Gap Analysis – Identify missing controls beyond ISO 27001. (Hopefully, you're not still at this stage now that DORA has been mandatory since January 17, 2025.)
✅ Upgrade Incident Response – Implement real-time monitoring and reporting mechanisms to meet DORA’s deadlines.
✅ Enhance Security Testing – Introduce formalized resilience testing and threat-led penetration testing.
✅ Strengthen Third-Party Risk Management – Update contracts, prepare for regulatory audits, and ensure exit strategies comply with DORA.
✅ Improve Business Continuity Planning – Move from cybersecurity alone to full digital operational resilience.

💡 ISO 27001 is just the tip of the iceberg - beneath the surface lie significant gaps that only DORA addresses.

👇 What’s the biggest challenge in aligning with DORA? Let’s discuss.

♻️ Repost to help someone.
🔔 Follow Amine El Gzouli for more.
Third-Party Risk Management
-
While the shift towards Zero Trust Architecture (ZTA) offers a robust solution to modern cyber threats, it also raises important considerations regarding organizational security dynamics and the role of third-party providers. Here are some key points to consider:

1. Third-Party Dependency:
- The move to Zero Trust often shifts security responsibilities from the organization to a third-party provider like Zscaler.
- This approach assumes that these providers have superior capabilities and expertise in securing organizational networks.

2. Microsegmentation:
- Proponents of ZTA argue that solutions like Zscaler can achieve effective microsegmentation.
- However, they often overlook that east-west traffic within an organization doesn't always pass through firewalls.
- Implementing microsegmentation internally can be more efficient than routing all traffic to the internet for scanning.

3. Supply Chain Vulnerabilities:
- Incidents like the SolarWinds breach and recent attacks on CrowdStrike are grim reminders that third-party providers can become the weakest link.
- Relying solely on these providers creates a single point of failure in the security architecture.

4. Myth of Complete Zero Trust:
- The belief that Zero Trust can be fully realized through providers like Zscaler is a myth.
- True security requires a comprehensive, multi-layered approach.

5. Defense in Depth:
- Organizations should adopt a defense-in-depth strategy, integrating multiple security technologies and controls across various layers.
- This ensures that if one layer is compromised, others remain to mitigate the damage.

6. Diversified Security:
- Security risks should be diversified by implementing multiple technologies and partnering with various vendors.
- This approach prevents over-reliance on a single provider and enhances overall security resilience.

7. Organizational Control:
- While leveraging third-party solutions, organizations must retain control over their security posture.
- Building and maintaining internal controls is crucial to ensure comprehensive protection and minimize reliance on external entities.

In conclusion, while Zero Trust Architecture provides valuable security enhancements, it should be part of a broader, diversified defense strategy. Organizations must balance third-party solutions with robust internal controls and multiple layers of defense to ensure comprehensive protection against evolving cyber threats.

What are your thoughts? I would like to hear from you so we can further refine our defense strategy.
-
Third-Party Risk Management (TPRM) in #GRC

As organizations increasingly rely on vendors, contractors, and service providers, third-party risk management (TPRM) has become a critical part of GRC programs. Poor vendor management can expose companies to data breaches, regulatory penalties, and operational disruptions.

1. TPRM
• Regulatory Compliance: Frameworks like PCI DSS, GDPR, and ISO 27001 require organizations to assess and monitor third-party risks.
• Vendors often manage critical business functions, so disruptions in their processes directly impact your operations.
• A vendor breach could tarnish your brand and lead to legal or financial penalties.

2. TPRM Lifecycle
• Assess vendor security practices before engagement (e.g., security questionnaires, contract reviews).
• Identify risks specific to the vendor (e.g., data handling practices, access to systems).
• Continuously monitor vendor performance and compliance through audits, reporting, and SLAs.
• Ensure proper data disposal and de-provisioning of access after vendor offboarding.

3. Frameworks / best practices
• NIST SP 800-161 focuses on supply chain risk management for federal systems.
• ISO 27001/27036 provides guidance on third-party security requirements.
• Shared Assessments Program offers standardized tools like SIG (Standardized Information Gathering) for vendor assessments.

4. Key Tools
• Vendor management platforms like OneTrust, BitSight, or Prevalent help automate risk assessments and ongoing monitoring.
• Use third-party security ratings to assess vendor vulnerabilities in real time.

5. Building strong TPRM programs
• Establish clear policies and procedures for vendor risk management.
• Conduct periodic risk assessments and ensure vendors comply with applicable regulations.
• Collaborate with stakeholders across procurement, legal, IT, and compliance teams.

TPRM integrates seamlessly into GRC.
-
DORA isn’t failing because of controls. It’s failing because ownership is unclear. Do you agree? 💁🏻♀️

Over the past year, many financial institutions have built solid DORA programs on paper:
✔ Policies approved
✔ Gap assessments completed
✔ Tools selected
✔ Vendor inventories documented

Yet in supervisory reviews and internal audits, the same question keeps surfacing: “Who actually owns this when something breaks?”

Not who drafted the policy. Not who runs the tool. Not who approved the budget. But who is accountable when:
- A critical ICT vendor has a major outage
- An incident crosses regulatory reporting thresholds
- A subcontractor introduces hidden concentration risk
- Exit plans need to be executed under pressure

That’s where a well-designed RACI becomes operational, not theoretical.

✅ What a DORA-ready RACI actually needs to do

A RACI for DORA isn’t a spreadsheet exercise. It should:

1️⃣ Anchor accountability at the right level
Regulators expect ultimate accountability to sit with the Board and senior risk leadership, not buried inside IT or vendor teams. If accountability is fragmented, escalation breaks down when speed matters.

2️⃣ Give the Third-Party Risk Manager true execution ownership
The TPRM lead should be:
- Responsible for lifecycle execution
- Driving assessments, monitoring, remediation, exit planning
- Coordinating across IT, legal, procurement, and business owners
- Maintaining audit-ready evidence
TPRM should not be a coordinator without authority.

3️⃣ Separate technical truth from governance ownership
Best practice clearly separates:
- IT / CISO → Responsible for technical security, resilience testing, detection
- Risk / TPRM → Accountable for risk decisions, escalation, regulatory alignment
Blurring this line creates blind spots during incidents and supervisory reviews.

4️⃣ Treat contracts as a regulatory control, not procurement admin
Under DORA, contractual clauses are enforceable controls:
- Audit and access rights
- Subcontracting visibility
- Exit and portability
- Incident cooperation
Legal must remain accountable, but TPRM must ensure clauses are operationally usable, not just legally compliant.

5️⃣ Build RACIs around operational scenarios, not departments
Strong RACIs map ownership across real situations:
- Vendor outage
- Data breach
- Cloud concentration risk
- Failed exit test
- Regulatory notification
- Subcontractor failure
If your RACI only reflects org charts, it won’t hold up during stress.

Below is a practical DORA-aligned RACI visual for Third-Party Risk Managers in financial entities, designed to reflect how programs actually operate under regulatory pressure. If you’re building or refreshing your DORA operating model, this is a good place to start.

#DORA #ThirdPartyRisk #OperationalResilience #ICTRisk #VendorRisk #RiskGovernance #FinancialServices #TPRM #RegulatoryCompliance #ResilienceEngineering
-
🚨 Big Update on #DORA’s RTS for ICT #Subcontracting 🚨

After six months of review, the European Commission (EC) has rejected the adoption of the DORA RTS on subcontracting ICT services supporting critical or important functions (CIFs).

🔹 The RTS outlined risk assessment requirements for financial entities when subcontracting ICT services, including due diligence, contract management, and ongoing monitoring.
🔹 However, the EC believes certain provisions exceed the mandate given to the ESAs under DORA, particularly around monitoring subcontractors.
🔹 As a result, the ESAs must revise the RTS within six weeks, removing Article 5 & Recital 5, or the EC will step in and make the changes itself.

📌 Why this matters:
This is the final missing piece of DORA’s technical standards for ICT third-party risk management (though the TLPT RTS is also still pending). Some financial institutions have already incorporated Article 5 provisions into their contracts with tech providers, creating a compliance challenge.

The next few weeks will be crucial. Will the ESAs comply, or will we see further regulatory back-and-forth?

#DORA #ICT #FinancialServices #RegTech #Regulation #EU #EY #EBA #ECB #EIOPA #ESMA #ITRM #Riskmanagement #RTS
-
Procurement: Treat suppliers as extensions of your enterprise, not transactions.

Procurement Excellence | 23 NOV 2025

In complex global markets, resilient supply chains demand partnerships built on shared destiny, not just contracts.

Here are 9 Steps to Create Long-Term Supplier Partnerships:

#1. Transparent Communication
↳ Co-develop comms protocols, e.g. QBR
↳ Clearly share expectations, goals & challenges

#2. Long-Term Contracts
↳ Replace short-term with multi-year agreements.
↳ Share long-term roadmaps & cost-savings initiatives.

#3. Shared Performance Metrics
↳ Jointly agree and track SMART KPIs.
↳ Define escalation paths & RCA templates

#4. Early Supplier Involvement
↳ Involve and recognize vendors’ contributions.
↳ Include key suppliers in product development cycles.

#5. Guarantee Timely Payments
↳ Automate payment & consider early payment discounts.
↳ Audit internal processes for bottlenecks.

#6. Co-Create Innovation
↳ Create supplier ideation portals & protect IP collaboratively.
↳ Fund joint proof-of-concept projects.

#7. Recognize & Reward Excellence
↳ Formally acknowledge & reward outstanding suppliers.
↳ Bronze (Operational Excellence), Silver (Innovation), Gold (Strategic Impact).

#8. Uphold Fairness & Ethics
↳ Interactions & contractual terms are mutually beneficial.
↳ Ensure cost pressures don't force unethical labor.

#9. Jointly Manage Risks
↳ Jointly identify risks & develop contingency plans.
↳ Map tier-2/3 suppliers collaboratively.

In today's volatile market, resilient supply chains are built on deep, strategic supplier partnerships. Achieving lasting, mutually beneficial supplier partnerships requires:
✅️ Deliberate strategy
✅️ Centered on trust
✅️ Shared objectives
✅️ Continuous collaboration

♻️ Repost if you find this helpful.
➕️ Follow Frederick for Procurement insights.

#ProcurementExcellence #SupplierCollaboration
-
After reviewing 30+ SaaS contracts last quarter... I've identified the 50 most commonly overlooked provisions that could save your business from costly disasters.

The average enterprise now uses 130+ SaaS solutions, with critical business functions entirely dependent on third-party software. Yet 67% of SaaS agreements lack basic protections for:
- Service interruptions
- Data breaches
- Vendor acquisition/bankruptcy
- Unauthorized data usage

The cost of these gaps? Companies lose an average of $218,000 per SaaS-related incident.

1. Service Level Agreement (SLA) Terms
☑️ Specific uptime commitments (99.9% isn't enough—define the measurement period)
☑️ Exclusions from SLA calculations (planned maintenance should be capped)
☑️ Meaningful compensation tied to impact (not symbolic credits)
☑️ Response time commitments for different severity levels
☑️ Escalation procedures with named contacts

2. Data Protection Provisions
☑️ Data residency requirements (specify geographic locations)
☑️ Processing limitations beyond standard privacy policies
☑️ Prohibition on de-anonymization attempts
☑️ Detailed breach notification timelines (24 hours should be standard)
☑️ Data return procedures upon termination (specify format)

3. Integration & API Requirements
☑️ API stability commitments with deprecation notice periods
☑️ Rate limiting disclosures and guarantees
☑️ Integration support obligations
☑️ Third-party connector maintenance responsibilities
☑️ Technical documentation updating requirements

4. Termination Rights & Processes
☑️ Partial termination rights for specific modules/services
☑️ Data extraction assistance requirements
☑️ Transition services obligations
☑️ Wind-down periods with reduced functionality
☑️ Post-termination data retention limitations

5. Liability Protections
☑️ Exception to liability caps for data breaches
☑️ Separate liability caps for different violation categories
☑️ Indemnification for vendor's regulatory non-compliance
☑️ Third-party claim procedures with vendor-provided defense
☑️ IP infringement remediation obligations

6. Service Evolution Safeguards
☑️ Feature removal notification periods (90+ days)
☑️ Version support commitments
☑️ Mandatory backward compatibility periods
☑️ Price protection for existing functionality
☑️ Training for significant interface changes

Last month, a client using this checklist discovered their mission-critical SaaS provider had no formal commitments on API stability. After negotiation, they secured:
- 180-day notice for any API changes
- Technical support during transitions
- Compensation for integration rework

Three weeks later, the vendor announced a major API overhaul that would have cost $200K to adapt to without these protections.

Want the expanded 50-point SaaS contract checklist with negotiation strategies for each provision? Comment "CHECKLIST" below and I'll send you the full resource.

#contracts #saasagreements #saas #agreements #contractdrafting
-
In 2022, Toyota had to shut down its entire manufacturing operations because of a cyberattack. It was a nightmare that resulted in a $375 million loss.

But here's an interesting catch – it wasn't an attack on Toyota! Instead, it was against one of their plastic suppliers, Kojima. Because Kojima had third-party access to Toyota manufacturing plants, shutting down was necessary to protect their data. So, a cyber incident with one of its suppliers brought the giant car company to its heels.

Attackers are masters of finding creative ways. By compromising your vendors/suppliers, they can effectively compromise your organization, infiltrating it from within.

So how do attackers exploit vendors to compromise your company?

Here are 4 common vendor scenarios that attackers use for entry:
1) Attacker compromises your vendor staff identities > Uses them directly to access your data.
2) Attacker compromises a vendor device connected to your network > Gains an initial foothold inside your company.
3) Attacker finds a vulnerability in a 3rd party or vendor software > Compromises all systems in your corporate network running that software.
4) Attacker compromises a vendor SaaS app > Steals your company's data from 3rd party servers.

How can security analysts counter them?
- Firstly, identify how your vendors authenticate to your systems. Use a centralized identity system that handles the full life cycle of provisioning, tracking and de-provisioning. These accounts can typically live under your primary tenant and should be monitored just like your full-time employee accounts. Apply MFA & RBAC.
- Ensure that every vendor laptop/device connecting to your network meets your company's device compliance standards. Treat vendor employee devices with the same level of security controls as your own company devices. These devices should have the same AV, EDR and other software that you mandate on your company devices.
- Maintain a detailed inventory of vendor apps running in your network along with their versions, the systems where they are deployed, etc. Having this information enables you to respond swiftly to zero-day vulnerabilities in those 3rd party apps.
- In the event of a security incident, establish the right capabilities for your SOC teams to initiate containment actions. Ex: ability to disconnect a vendor's device from your network, reset a vendor account in your tenant, or block a vendor application.
- Conduct a thorough vendor security assessment in scenarios where you need to store sensitive data on the vendor's servers. Evaluate their cybersecurity practices, protocols, and incident response capabilities.

If you enjoyed this or learned something, follow me at Rohit Tamma for more in future!

#vendormanagement #supplychainsecurity #cybersecurity #incidentresponse #identity #applicationsecurity #cyberattack
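The post above argues that a vendor-application inventory (app, version, host) is what lets a SOC respond quickly when a vulnerability is published in third-party software. The following is an added example, not code from the post's author: it parses a constructed CSV inventory export, matches it against a constructed advisory (vendor, product, first affected version, fixed version), and groups the exposed hosts by owning team for containment hand-off. Version strings are assumed to be dotted numeric (e.g. 3.10.1); the vendor, product, host and team names are placeholders.

```python
import csv
import io
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class InventoryEntry:
    vendor: str
    app: str
    version: str
    host: str
    owner: str  # team accountable for the host; receives the containment task


# Constructed sample export of a vendor-application inventory (CSV).
SAMPLE_INVENTORY = """vendor,app,version,host,owner
ExampleVendor,FileTransferAgent,3.9.4,fs-01.corp.example,Platform
ExampleVendor,FileTransferAgent,3.10.1,fs-02.corp.example,Platform
ExampleVendor,FileTransferAgent,3.11.0,fs-03.corp.example,Finance IT
OtherVendor,MonitoringAgent,7.2.0,mon-01.corp.example,SOC
ExampleVendor,FileTransferAgent,3.10.0,hr-app-01.corp.example,HR IT
"""

# Constructed advisory: versions >= affected_from and < fixed_in are vulnerable.
SAMPLE_ADVISORY = {
    "vendor": "ExampleVendor",
    "app": "FileTransferAgent",
    "affected_from": "3.9.0",
    "fixed_in": "3.11.0",
}


def parse_version(version: str) -> tuple[int, ...]:
    """'3.10.1' -> (3, 10, 1). Compared as tuples, 3.10.1 sorts after 3.9.4;
    compared as plain strings it would not, because '1' < '9'."""
    return tuple(int(part) for part in version.strip().split("."))


def is_affected(version: str, affected_from: str, fixed_in: str) -> bool:
    """True when affected_from <= version < fixed_in (the fixed build is safe)."""
    return parse_version(affected_from) <= parse_version(version) < parse_version(fixed_in)


def parse_inventory(csv_text: str) -> list[InventoryEntry]:
    """Read a minimal CSV export with the columns vendor,app,version,host,owner."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [InventoryEntry(r["vendor"], r["app"], r["version"], r["host"], r["owner"]) for r in rows]


def exposed_hosts(inventory: list[InventoryEntry], advisory: dict) -> list[InventoryEntry]:
    """Entries running the advisory's product in a vulnerable version, in inventory order."""
    return [
        e for e in inventory
        if e.vendor == advisory["vendor"] and e.app == advisory["app"]
        and is_affected(e.version, advisory["affected_from"], advisory["fixed_in"])
    ]


def containment_plan(hits: list[InventoryEntry]) -> dict[str, list[str]]:
    """Group exposed hosts by owning team so each team gets one hand-off list."""
    plan: dict[str, list[str]] = defaultdict(list)
    for e in hits:
        plan[e.owner].append(e.host)
    return dict(plan)


if __name__ == "__main__":
    hits = exposed_hosts(parse_inventory(SAMPLE_INVENTORY), SAMPLE_ADVISORY)
    for owner, hosts in containment_plan(hits).items():
        print(f"{owner}: {', '.join(hosts)}")
```

With the sample data, fs-03 is skipped because it already runs the fixed build and mon-01 because it is a different product; the remaining three hosts are handed to Platform and HR IT.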
-
The National Institute of Standards and Technology (NIST) has released the draft publication “Developing Security, Privacy, and Cybersecurity Supply Chain Risk Management Plans for Systems”, open for public comment until July 30.

The document provides a structured approach for organizations to develop and maintain integrated plans that address security, #privacy, and #supplychain risks across the entire system lifecycle. It introduces a framework built around three interrelated plans:
- System Security Plan (SSP): Documents the system’s security controls and requirements.
- System Privacy Plan (SPP): Identifies and addresses privacy risks and applicable controls.
- #Cybersecurity Supply Chain Risk Management Plan (C-SCRM): Focuses on managing risks related to third-party software, hardware, services, and suppliers.

The guidance also outlines how organizations can:
- Define roles and responsibilities for developing and maintaining these plans.
- Document key system characteristics, including data flows, interconnections, and system boundaries.
- Align each plan with organizational risk tolerance, operational needs, and regulatory requirements.
- Establish update procedures to keep plans current with evolving threats and technology.
- Track changes and maintain documentation using automation and configuration management tools.
- Address supply chain risks in modern IT environments, including cloud, open-source, and hybrid systems.

This draft is intended to help organizations bring greater consistency and integration to system-level planning and risk management efforts.
-
Third-Party Risk: The Hidden Cybersecurity Battlefield in Modern Supply Chains

In our interconnected digital ecosystem, your security posture is only as strong as your weakest vendor. Modern enterprises rely on hundreds of third-party vendors, creating an exponentially expanding attack surface.

Supply chain attacks have become the preferred vector for sophisticated threat actors. Instead of targeting well-defended enterprises directly, attackers exploit vulnerabilities in trusted vendors to simultaneously breach hundreds of downstream organizations.

Game-Changing Examples
SolarWinds (2020): Compromised software updates affected 18,000+ customers including Fortune 500 companies and government agencies, demonstrating how a single vendor breach cascades across entire sectors.
MOVEit (2023): A single vulnerability led to data breaches affecting over 600 organizations globally, showcasing the massive scale of modern supply chain impacts.

Why Third-Party Risk Monitoring is Critical
Continuous Visibility: Traditional annual assessments are insufficient. Organizations need real-time monitoring of vendor security posture, breach notifications, and compliance status changes.
Risk Amplification: When attackers target managed service providers or software vendors, the impact multiplies across all their clients. One compromised vendor can expose thousands of organizations simultaneously.
Regulatory Liability: With GDPR, CCPA, and emerging supply chain regulations, organizations face increasing liability for third-party security failures. Proactive monitoring demonstrates due diligence.

Building Effective Defense
Continuous Assessment: Implement real-time vendor risk scoring across your entire ecosystem
Zero Trust Extension: Apply least-privilege access controls to all third-party connections
Incident Response Integration: Ensure your IR plans account for vendor breaches with clear communication protocols
Contractual Protection: Update vendor agreements with security requirements and liability provisions

The Bottom Line
Organizations can no longer treat vendor risk as a procurement afterthought. The question isn't whether your supply chain will be targeted — it's whether you'll detect and respond effectively when it happens. The strongest security programs extend beyond organizational boundaries to create defensible ecosystems, not just defensible enterprises.

#ThirdPartyRisk #TRPM #SupplyChainAttack #CyberSecurity