Recognizing the growing impact of third-party risk on operational resilience, the Prudential Regulation Authority (PRA) has set out new regulatory expectations for outsourcing and third-party risk management. These are published in Supervisory Statement SS2/21, which has been in effect since March 2022.
To strengthen the operational resilience component of the PRA Rulebook, SS2/21 sets out expectations across two categories of third-party relationships: outsourcing arrangements (including material outsourcing) and non-outsourcing third-party arrangements.
To help PRA-regulated firms navigate these requirements, this post outlines a compliance framework for the third-party risk management expectations of PRA SS2/21.
PRA SS2/21 Terminology Definitions
Because PRA SS2/21 is closely aligned with the European Banking Authority (EBA) Guidelines on outsourcing arrangements, much of its terminology is borrowed from the EBA.
The key terms that form the backbone of SS2/21 are defined below.
- Material Outsourcing - Outsourcing of a service or function whose defect or failure could materially impair the firm's ability to meet the Threshold Conditions, its compliance with the Fundamental Rules, or its safety and soundness (see Section 5.11 below for the full criteria).
- Outsourcing Third-Party - Any service provider performing a service, process, or activity, whether directly or by sub-outsourcing, which would otherwise be undertaken by the firm itself.
- Non-Outsourcing Third-Party - Any third party from which hardware, software, data, or other ICT products are purchased rather than obtained as an outsourced service. Examples of non-outsourcing third-party arrangements include:
a. The design and build of an on-premises IT platform.
b. The purchase of data collated by third-party providers (data brokers), e.g., geospatial data or data from in-app device activity, social media, etc.
c. 'Off-the-shelf' machine learning models, including samples of the data used to train and test the models, open source software, and machine learning libraries developed by third-party providers.
Complying with the TPRM Requirements of the PRA Supervisory Statement SS2/21
SS2/21 sets out its third-party risk and due diligence expectations across four primary risk categories:
- Data security.
- Access, audit, and information rights.
- Sub-outsourcing.
- Business continuity and exit strategies.
The third-party risk management requirements across these four categories are addressed in the sections of the PRA SS2/21 outlined below.
The official PRA Supervisory Statement SS2/21 is published on the Bank of England website.
Section 2.8 of the Supervisory Statement SS2/21
In line with the expectations in Chapter 4 of this SS, firms may implement a holistic, single third-party risk management policy covering outsourcing and non-outsourcing third-party arrangements. Alternatively, they may have separate policies on each of those respective areas provided that they are aligned, consistent, effective, and suitably risk-based.
How to comply with Section 2.8 of the Supervisory Statement SS2/21
To comply with Section 2.8 of the Supervisory Statement SS2/21, firms have two options for managing third-party risk:
- Implement a holistic, single third-party risk management policy that covers both outsourcing and non-outsourcing third-party arrangements. This policy should be comprehensive and address all relevant risks associated with third-party relationships.
- Develop separate policies for outsourcing and non-outsourcing third-party arrangements. These separate policies must be aligned, consistent, effective, and risk-based to ensure proper management of third-party risks.
In either case, the key is to create a robust risk management framework that addresses all aspects of third-party relationships and maintains regulatory compliance.
How UpGuard can Help You Comply with Section 2.8 of the Supervisory Statement SS2/21
With a suite of features securing the entire vendor lifecycle, UpGuard offers a holistic approach to third-party risk management from a single intuitive solution. Some of the features supporting the security of outsourcing and non-outsourcing third-party arrangements include:
- A built-in remediation management solution for instantly addressing all identified vendor security risks.
- A library of security questionnaires mapping to popular frameworks and regulations to identify compliance gaps.
- A vendor tiering feature for prioritizing third-party vendors with the most significant security risks
- Security rating competitor tracking for comparing your cybersecurity efforts against your competitors.
Section 2.9 of the Supervisory Statement SS2/21
The following standards apply to all third-party ICT arrangements:
• EBA ICT GL, including but not limited to Sections 3.2.3, 3.3.2, 3.4.5, and 3.7 (in particular, paragraph 86). These GL should be interpreted consistently with: the Operational Resilience/Insurance – Operational Resilience Parts, the expectations in this SS, and SS1/21; and
• relevant legal requirements and standards on ICT security (e.g., Cyber Essentials Plus) and data protection, including but not necessarily limited to General Data Protection Regulation (GDPR) and the Data Protection Act 2018.
How to comply with Section 2.9 of the Supervisory Statement SS2/21
To comply with Section 2.9 of the Supervisory Statement SS2/21, firms can follow these steps:
- Adhere to EBA ICT Guidelines:
a. Familiarize yourself with the EBA ICT Guidelines, focusing on Sections 3.2.3, 3.3.2, 3.4.5, and 3.7 (particularly paragraph 86).
b. Ensure consistency with the Operational Resilience/Insurance – Operational Resilience Parts, the expectations in SS2/21, and SS1/21 while interpreting and implementing the EBA ICT Guidelines.
c. Establish internal processes, controls, and governance structures to monitor and manage ICT risks per the EBA ICT Guidelines.
d. Regularly review and update your firm's ICT risk management policies and procedures to align with any changes in the EBA ICT Guidelines and other relevant supervisory statements.
- Comply with relevant legal requirements and standards on ICT security and data protection:
a. Familiarize yourself with legal requirements and standards such as Cyber Essentials Plus, GDPR, and the Data Protection Act 2018.
b. Implement appropriate security measures, including technical and organizational controls, to protect sensitive data and ensure compliance with ICT security standards like Cyber Essentials Plus.
c. Establish a comprehensive data protection framework in line with GDPR and the Data Protection Act 2018, including processes for managing data subject rights, data breaches, and data processing agreements with third parties.
d. Train employees on data protection and ICT security requirements, ensuring they understand their responsibilities and adhere to the firm's policies and procedures.
e. Regularly review and update your firm's ICT security and data protection policies and procedures to ensure ongoing compliance with legal requirements and industry standards.
How UpGuard can Help You Comply with Section 2.9 of the Supervisory Statement SS2/21
UpGuard offers a library of industry-leading security questionnaires mapping to popular cybersecurity frameworks and regulations, including the GDPR regulation specified in section 2.9 of the Supervisory Statement SS2/21.
All security risks and compliance gaps are automatically identified from questionnaire submissions, allowing a seamless transition from risk discovery to remediation. UpGuard also offers a custom questionnaire builder for highly targeted risk assessments based on your organization's unique cybersecurity objectives.
Section 3: Proportionality
Section 3.6 of the Supervisory Statement SS2/21
Depending on its level of control and influence in respect of intragroup outsourcing arrangements, a firm may, for example:
• Adjust its vendor due diligence, although firms should still carefully assess whether a potential service provider that is part of its group has the ability, capacity, resources, and appropriate organisational structure to support the performance of the outsourced function or third party service [...]
How to comply with Section 3.6 of the Supervisory Statement SS2/21
To comply with Section 3.6 of the Supervisory Statement SS2/21, firms can follow these steps:
- Develop a tailored due diligence process for intragroup outsourcing:
a. Design a specific vendor due diligence framework for intragroup service providers, considering the unique characteristics and relationships within the group.
b. Establish clear guidelines and criteria for assessing intragroup providers, including their capabilities, financial stability, and track record.
- Conduct comprehensive assessments of intragroup providers:
a. Perform detailed assessments of the intragroup service provider's capacity, resources, and organizational structure, considering the firm's specific needs and requirements.
b. Identify potential risks or issues related to the intragroup provider and develop appropriate risk mitigation strategies.
c. Continuously monitor and review the performance of the intragroup provider to ensure ongoing compliance with regulatory requirements and internal policies.
How UpGuard can Help You Comply with Section 3.6 of the Supervisory Statement SS2/21
UpGuard combines point-in-time risk assessments with continuous attack surface monitoring that detects changes in each vendor's security posture. This allows organizations to track the effect of due diligence efforts on a vendor's security posture over time, a metric that can inform the assessment of a vendor's ability to support an outsourced function.
Because UpGuard supports the complete Vendor Risk Management lifecycle, the assessment of a vendor's cybersecurity program can readily adapt to any adjustment of the due diligence process.
Section 3.7 of the Supervisory Statement SS2/21
"Where relevant, firms may be able to leverage compliance with existing requirements in other areas of regulation to help meet their regulatory obligations in respect of their intragroup outsourcing arrangements."
How to comply with Section 3.7 of the Supervisory Statement SS2/21
To comply with Section 3.7 of the Supervisory Statement SS2/21, firms can follow these steps:
- Identify overlapping regulations:
a. Review all relevant regulations and identify areas where compliance requirements overlap with intragroup outsourcing arrangements.
b. Determine how existing compliance efforts can be utilized to fulfill the obligations related to intragroup outsourcing.
- Align compliance efforts:
a. Ensure that your compliance processes for intragroup outsourcing are consistent with other regulatory requirements, where applicable.
b. Streamline and integrate compliance efforts to avoid duplication and maximize efficiency.
- Monitor and update compliance efforts:
a. Continuously monitor regulatory changes and their impact on intragroup outsourcing arrangements.
b. Update compliance processes as needed to maintain alignment with evolving regulations and best practices.
How UpGuard can Help You Comply with Section 3.7 of the Supervisory Statement SS2/21
UpGuard's library of security questionnaires and assessments maps to the standards of popular regulations to identify compliance gaps. Thanks to its in-built remediation workflow, UpGuard helps security teams address compliance gaps before they result in costly violations.
Section 5: Pre-Outsourcing Phase
Section 5.8 of the Supervisory Statement SS2/21
"Firms are responsible for assessing the materiality of their outsourcing and third-party arrangements. Materiality may vary throughout the duration of an arrangement and should therefore be (re)assessed:
• prior to signing the written agreement;
• at appropriate intervals thereafter, eg during scheduled review periods;
• where a firm plans to scale up its use of the service or dependency on the service provider; and/or
• if a significant organisational change at the service provider or a material suboutsourced service provider takes place that could materially change the nature, scale, and complexity of the risks inherent in the outsourcing arrangement, including a significant change to the service provider's ownership or financial position."
How to comply with Section 5.8 of the Supervisory Statement SS2/21
To comply with Section 5.8 of the Supervisory Statement SS2/21, firms can follow these steps:
- Pre-contract assessment:
a. Before signing a written agreement, evaluate the materiality of the outsourcing or third-party arrangement.
b. Identify potential risks impacting the firm's operations and regulatory compliance.
- Regular reviews:
a. Schedule periodic reviews of materiality throughout the duration of the arrangement.
b. Adjust your risk management strategies as necessary based on the results of these reviews.
- Assessing changes in service usage:
a. Re-evaluate materiality when scaling up the use of the service or increasing dependency on the service provider.
b. Update risk management processes to account for increased reliance on the service provider.
- Monitor service provider changes:
a. Keep track of significant organizational changes at the service provider or material sub-outsourced service provider that could affect the risks in the outsourcing arrangement.
b. Reassess materiality in light of changes in the service provider's ownership, financial position, or other relevant factors.
How UpGuard can Help You Comply with Section 5.8 of the Supervisory Statement SS2/21
UpGuard's risk assessment feature includes a library of questionnaires mapping to popular frameworks and regulations, as well as an in-built questionnaire builder. Together, these allow organizations to track any vendor performance metric impacting regulatory compliance, including custom metrics such as the materiality of an outsourcing arrangement.
Section 5.10 of the Supervisory Statement SS2/21
Firms should develop their own processes for assessing materiality as part of their outsourcing or third-party risk management policy [...]
How to comply with Section 5.10 of the Supervisory Statement SS2/21
To comply with Section 5.10 of the Supervisory Statement SS2/21, firms can follow these steps:
- Develop a clear framework:
a. Create a comprehensive framework that outlines how your firm will assess the materiality of outsourcing or third-party arrangements.
b. Include relevant criteria, risk factors, and potential impact on the firm's operations, financial stability, and regulatory compliance.
- Establish clear processes and procedures:
a. Detail the specific processes and procedures to be followed when assessing materiality.
b. Assign roles and responsibilities to appropriate staff members and ensure they understand their tasks.
- Implement monitoring and reporting mechanisms:
a. Set up monitoring and reporting systems to track materiality assessments, including any changes in the materiality of existing arrangements.
b. Ensure relevant stakeholders are informed of materiality assessment results and any necessary actions to be taken.
- Integrate materiality assessment into risk management policy:
a. Incorporate the materiality assessment framework into your firm's broader outsourcing or third-party risk management policy.
b. Align materiality assessment processes with other risk management activities to ensure a consistent approach to risk management.
How UpGuard can Help You Comply with Section 5.10 of the Supervisory Statement SS2/21
UpGuard's custom security questionnaire builder allows organizations to develop bespoke questionnaires based on their unique materiality assessment requirements.
Section 5.11 of the Supervisory Statement SS2/21
Consistent with the definition of 'material outsourcing' in the PRA Rulebook and, where applicable, the criteria in the EBA Outsourcing GL, a firm should generally consider an outsourcing or third-party arrangement as material where a defect or failure in its performance could materially impair:
• The financial stability of the UK;
• The firm's:
- ability to meet the Threshold Conditions;
- compliance with the Fundamental Rules;
- requirements under relevant legislation and the PRA Rulebook;
- safety and soundness
[...]
How to comply with Section 5.11 of the Supervisory Statement SS2/21
To comply with Section 5.11 of the Supervisory Statement SS2/21, firms can follow these steps:
- Develop materiality criteria:
a. Create a list of criteria based on the PRA Rulebook's definition of material outsourcing and the EBA Outsourcing GL, where applicable.
b. Consider factors such as financial stability, threshold conditions, compliance with Fundamental Rules, relevant legislation, PRA Rulebook requirements, and the firm's safety and soundness.
- Assess materiality:
a. Evaluate each outsourcing or third-party arrangement against the developed criteria to determine its materiality.
b. Regularly reassess the materiality of arrangements to account for any changes in the risk profile, requirements, or performance of the service provider.
- Monitor performance:
a. Continuously monitor the performance of material outsourcing and third-party arrangements to identify any defects or failures.
b. Implement corrective measures and risk mitigation strategies to address any issues that could impair the firm's stability or compliance.
- Documentation and reporting:
a. Document the materiality assessment process and outcomes, including the criteria used, assessment results, and any actions taken.
b. Report materiality assessment results to relevant stakeholders, including senior management and regulators.
How UpGuard can Help You Comply with Section 5.11 of the Supervisory Statement SS2/21
By combining point-in-time assessment with security rating and data leak detection, UpGuard keeps organizations continuously informed of the state of their third-party attack surface, allowing security risks impacting vendor performance to be readily identified and addressed.
Section 5.12 of the Supervisory Statement SS2/21
"The PRA also expects firms to classify an outsourcing arrangement as material if the service being outsourced involves an:
- entire 'regulated activity', e.g., portfolio management; or
- 'internal control' or 'key function', unless the firm is satisfied that a defect or failure in performance would not adversely affect the relevant function."
How to comply with Section 5.12 of the Supervisory Statement SS2/21
To comply with Section 5.12 of the Supervisory Statement SS2/21, firms can follow these steps:
- Identify outsourcing arrangements:
a. Review all outsourcing arrangements and identify those involving entire regulated activities, internal controls, or key functions.
- Assess potential impact:
a. Evaluate the potential consequences of defects or failures in the performance of the identified outsourcing arrangements.
b. Determine if a defect or failure would adversely affect the relevant function or the firm's overall performance and compliance.
- Classify material arrangements:
a. If an outsourcing arrangement involves an entire regulated activity, internal control, or key function, and a defect or failure could adversely affect the relevant function, classify it as a material outsourcing arrangement.
b. If the firm is satisfied that a defect or failure would not adversely affect the relevant function, the arrangement may not be considered material.
- Implement risk management measures:
a. For material outsourcing arrangements, establish appropriate risk management, monitoring, and contingency plans to address potential defects or failures.
- Documentation and reporting:
a. Document the classification process and outcomes, including the rationale behind the classification of material and non-material arrangements.
b. Report material outsourcing arrangements to relevant stakeholders, including senior management and regulators, as required.
How UpGuard can Help You Comply with Section 5.12 of the Supervisory Statement SS2/21
UpGuard's attack surface scanning capabilities extend to the fourth-party landscape for the most comprehensive coverage of vulnerabilities potentially impacting regulatory compliance.
With its vendor tiering feature, UpGuard supports custom vendor categorization, allowing you to group vendors based on:
- Outsourcing arrangements.
- Level of security risks.
- Access to sensitive customer data.
- Reputation.
- Regulatory compliance.
Or any other category that is relevant to your vendor security objectives.
Section 5.13 of the Supervisory Statement SS2/21
The PRA expects firms to have regard to all applicable criteria in Table 5 below, both individually and in conjunction, when assessing the materiality of an outsourcing or third-party arrangement not otherwise covered by paragraphs 5.8 and 5.9. Although in practice many material outsourcing and third party arrangements involve ICT products or services (eg cloud), the presence of a given ICT product or service does not, in itself, automatically render an outsourcing arrangement material [...]
How to comply with Section 5.13 of the Supervisory Statement SS2/21
To comply with Section 5.13 of the Supervisory Statement SS2/21, firms can follow these steps:
- Review outsourcing arrangements:
a. Identify outsourcing and third-party arrangements not covered by paragraphs 5.8 and 5.9.
- Consider applicable criteria:
a. Refer to Table 5 and examine all relevant criteria, both individually and collectively.
b. Evaluate the outsourcing arrangement against each criterion to determine its potential materiality.
- Assess materiality:
a. Determine if the outsourcing arrangement is material based on the analysis of the applicable criteria from Table 5.
b. Recognize that an ICT product or service does not automatically make an arrangement material.
- Document the assessment:
a. Record the materiality assessment process, including the criteria considered and the rationale behind the materiality determination.
- Implement risk management measures:
a. For material outsourcing arrangements, establish appropriate risk management, monitoring, and contingency plans to address potential defects or failures.
- Reporting:
a. Report material outsourcing arrangements to relevant stakeholders, including senior management and regulators, as required.
How UpGuard can Help You Comply with Section 5.13 of the Supervisory Statement SS2/21
UpGuard's industry-leading questionnaire library and questionnaire builder supports the discovery of custom security risk requirements, including:
- ICT risks
- Reputational risks
- Sensitive data integrity risks.
These assessments also map to standards of popular regulations to ensure third-party security risks don't hinder your regulatory compliance efforts.
UpGuard's attack surface management tool continuously monitors all of your assets for emerging threats and passes this data to the platform's remediation workflow, simplifying risk management. This feature set supports the risk identification, monitoring, and management expectations of Section 5.13 of the Supervisory Statement SS2/21.
Section 5.18 of the Supervisory Statement SS2/21
The PRA expects firms to conduct appropriate due diligence on the potential service provider before entering into an outsourcing arrangement, and to identify a suitable alternative or backup providers where available. If no alternative or backup providers for a material outsourcing arrangement are available, firms should consider alternative business continuity, contingency planning, and disaster recovery arrangements to ensure they can continue providing relevant important business within their impact tolerances in the event of material disruption at their chosen service provider (see Chapter 10).
How to comply with Section 5.18 of the Supervisory Statement SS2/21
To comply with Section 5.18 of the Supervisory Statement SS2/21, firms can follow these steps:
- Conduct due diligence:
a. Research and assess the potential service provider's ability, capacity, resources, and organizational structure.
b. Investigate the service provider's financial stability, reputation, and regulatory compliance.
c. Evaluate the service provider's existing contracts and performance history.
- Identify alternative or backup providers:
a. Research and assess the market to identify suitable alternative or backup providers for material outsourcing arrangements.
b. Document the selection process and rationale for choosing the primary provider and any alternatives.
- Plan for contingencies:
a. If no alternative or backup providers are available, develop alternative business continuity, contingency planning, and disaster recovery arrangements.
b. Ensure these plans align with the firm's impact tolerances and enable the firm to continue providing important business services during material disruptions.
- Implement and monitor:
a. Establish contracts with the primary service provider and, if applicable, alternative or backup providers.
b. Monitor the performance and risk profile of the primary service provider, and ensure alternative providers remain viable options.
c. Regularly review and update contingency plans as needed.
How UpGuard can Help You Comply with Section 5.18 of the Supervisory Statement SS2/21
With UpGuard's security rating feature based on 70+ attack vectors, you can instantly determine a potential vendor's risk exposure and how these risks sit within your risk appetite. This allows vendors with poor cybersecurity performance to be instantly disqualified from partnership considerations, saving time and preventing the introduction of severe security risks.
UpGuard also allows vendors to share completed risk assessments and any relevant security documentation in a Trust Page to streamline the onboarding process for all parties.
Section 5.19 of the Supervisory Statement SS2/21
"In the case of material outsourcing, the PRA expects firms' due diligence to consider the potential providers':
• business model, complexity, financial situation, nature, ownership structure, and scale;
• capability, expertise, and reputation;
• financial, human, and technology resources;
• ICT controls and security; and
• sub-outsourced service providers, if any, that will be involved in delivering important business services or parts thereof."
How to comply with Section 5.19 of the Supervisory Statement SS2/21
To comply with Section 5.19 of the Supervisory Statement SS2/21, firms can follow these steps:
- Assess potential providers' business characteristics:
a. Examine their business model, complexity, financial situation, nature, ownership structure, and scale.
b. Determine how these factors may impact the provider's ability to deliver the required services.
- Evaluate capability, expertise, and reputation:
a. Review the provider's track record and industry experience.
b. Consider client testimonials, case studies, and any relevant awards or recognitions.
- Analyze financial, human, and technology resources:
a. Assess the provider's financial stability and resource allocation.
b. Evaluate the skills, expertise, and experience of the provider's staff.
c. Examine the provider's technology infrastructure, tools, and systems.
- Review ICT controls and security:
a. Investigate the provider's information and communication technology (ICT) controls and security measures.
b. Ensure the provider complies with relevant regulations, standards, and best practices.
- Assess sub-outsourced service providers, if any:
a. Identify any sub-outsourced service providers involved in delivering important business services or parts thereof.
b. Conduct due diligence on these sub-outsourced providers, following the same steps outlined above.
How UpGuard can Help You Comply with Section 5.19 of the Supervisory Statement SS2/21
UpGuard's library of industry-leading risk assessments maps to the requirements of popular cybersecurity standards, including ISO 27001, GDPR, NIST SP 800-53, HECVAT, Modern Slavery, and more.
Each of these assessments evaluates controls across a range of the categories listed in Section 5.19 of the Supervisory Statement SS2/21, including ICT controls and security and the provider's financial, human, and technology resources.
By also continuously monitoring the dark web for internal and third-party data leaks, UpGuard mitigates the financial and reputational impacts of compromised credentials and sensitive data dumps.
Section 5.20 of the Supervisory Statement SS2/21
"The due diligence should also consider whether potential service providers:
• have the authorisations or registrations required to perform the service;
• comply with GDPR, the Data Protection Act, and other applicable legal and regulatory requirements on data protection;
• can demonstrate certified adherence to recognised, relevant industry standards;
• can provide, where applicable and upon request, relevant certificates and documentation (e.g., data dictionaries); and
• have the ability and capacity to provide the service that the firm needs in a manner compliant with UK regulatory requirements (including in the event of a sudden spike in demand for the relevant service, for instance as a result of a shift to remote working during a pandemic). A 'general' track record of previous performance may not be sufficient evidence by itself."
How to comply with Section 5.20 of the Supervisory Statement SS2/21
To comply with Section 5.20 of the Supervisory Statement SS2/21, firms can follow these steps:
- Confirm authorizations or registrations:
a. Verify if potential providers have the necessary authorizations or registrations to perform the service.
- Check compliance with data protection laws:
a. Ensure potential providers comply with GDPR, the Data Protection Act, and other applicable legal and regulatory requirements on data protection.
- Verify adherence to industry standards:
a. Determine if potential providers can demonstrate certified adherence to recognized, relevant industry standards.
- Request relevant certificates and documentation:
a. Obtain, where applicable and upon request, relevant certificates and documentation (e.g., data dictionaries) from potential providers.
- Assess ability and capacity to provide compliant services:
a. Evaluate potential providers' ability and capacity to provide the service in compliance with UK regulatory requirements, even during sudden spikes in demand (e.g., due to remote working during a pandemic).
b. Note that a "general" track record of previous performance may not be sufficient evidence by itself.
How UpGuard can Help You Comply with Section 5.20 of the Supervisory Statement SS2/21
When a vendor submits a GDPR questionnaire on the UpGuard platform, the platform automatically identifies all of the compliance gaps preventing complete compliance with the regulation.
UpGuard's Trust Page feature allows service providers to easily share completed questionnaires and certifications with their partners to demonstrate certified adherence to relevant industry standards.
Section 5.21 of the Supervisory Statement SS2/21
"In line with Risk Control 3.4(2) and Risk Management 3.1, firms should, in a proportionate manner, assess the potential risks of all third party arrangements, including outsourcing arrangements, regardless of materiality. As part of the risk assessment, the PRA expects firms to consider:
• operational risks based on an analysis of severe but plausible scenarios, for instance, a breach or outage affecting the confidentiality and integrity of sensitive data and/or availability of service provision (see Chapter 10); and
• financial risks, including the potential need for the firm to provide financial support to a material outsourced or sub-outsourced service provider in distress or take over its business, including as a result of an economic downturn ('step-in' risk).
How to comply with Section 5.21 of the Supervisory Statement SS2/21
To comply with Section 5.21 of the Supervisory Statement SS2/21, firms can follow these steps:
- Assess operational risks:
a. Analyze severe but plausible scenarios, such as a breach or outage affecting the confidentiality and integrity of sensitive data and/or the availability of service provision.
b. Consider the operational risks associated with these scenarios (see Chapter 10).
- Assess financial risks:
a. Evaluate the potential need for the firm to provide financial support to a material outsourced or sub-outsourced service provider in distress or take over its business, including as a result of an economic downturn (step-in risk).
How UpGuard can Help You Comply with Section 5.21 of the Supervisory Statement SS2/21
UpGuard's holistic approach to third-party risk management, including point-in-time assessments and attack surface scanning, provides real-time updates of vendor risk exposure, even between scheduled assessments.
This comprehensive third-party risk coverage could be leveraged to determine impacts across other risk categories, including operational and financial.
Section 5.22 of the Supervisory Statement SS2/21
The PRA expects firms to carry out risk assessments in the circumstances referred to in paragraph 5.6 and also if they consider that there may have been a significant change to an outsourcing arrangement's risks due to, for instance, a serious breach/continued breaches of the agreement or a crystallised risk.
How to comply with Section 5.22 of the Supervisory Statement SS2/21
To comply with Section 5.22 of the Supervisory Statement SS2/21, firms can follow these steps:
- Monitor outsourcing arrangements: Keep track of the performance of the outsourcing arrangements, and watch for any signs of serious or continued breaches of the agreement or crystallized risks.
- Conduct risk assessments: Though non-outsourcing third parties usually introduce fewer security threats than their outsourcing counterparts, their compromise could still negatively impact the PRA's objectives. As such, the PRA expects firms to assess the materiality and risks of all third-party arrangements, including non-outsourcing third parties. Perform risk assessments in the circumstances referred to in paragraph 5.6 or when there is a significant change in the outsourcing arrangement's risks.
- Review and update risk assessments: Regularly review and update assessments as needed, particularly when circumstances change or new risk exposures are identified.
How UpGuard can Help You Comply with Section 5.22 of the Supervisory Statement SS2/21
UpGuard's security ratings feature indicates whenever a third-party vendor's security posture decreases, an event that could indicate a significant change to an outsourcing arrangement's risk exposure.
A security rating drop triggers a notification to security teams to expedite internal investigations. Thanks to UpGuard's library of customizable risk assessments, investigation efforts can quickly involve targeted risk assessments, in line with the expectations of Section 5.22.
Section 5.23 of the Supervisory Statement SS2/21
A firm's risk assessment should balance any risks that the outsourcing arrangement may create or increase against any risks it may reduce or enable the firm to manage more effectively (for instance, a firm's resilience to disruption). The assessment should also take into account existing or planned risk mitigation, e.g., staff procedures and training.
How to comply with Section 5.23 of the Supervisory Statement SS2/21
To comply with Section 5.23 of the Supervisory Statement SS2/21, firms can follow these steps:
- Identify risks: Determine the risks created or increased by the outsourcing arrangement, as well as the risks that are reduced or managed more effectively.
- Evaluate risk mitigation measures: Assess existing or planned risk mitigation strategies, including staff procedures and training, and how they impact the identified risks.
- Conduct a balanced risk assessment: Perform a comprehensive risk assessment that considers identified risks and mitigation measures and evaluates their potential impact on the firm's operations and resilience.
- Review and update the risk assessment: Regularly review and update the risk assessment to ensure it reflects any changes in the outsourcing arrangement or the firm's risk mitigation strategies.
How UpGuard can Help You Comply with Section 5.23 of the Supervisory Statement SS2/21
UpGuard offers many collaborative functions to aid with strategic risk management, including:
- Risk waivers - Risk waivers let you document justifications and approvals for waiving known risks to streamline the risk assessment workflow.
- In-line questionnaire correspondence - Append messages to specific questionnaire items to simplify clarification and expedite submissions.
- Risk summary reports - This report summarizes risk assessment statuses across your entire vendor network, simplifying progress tracking and follow-up efforts.
- In-app and email notifications - Set triggers for various events to remain informed of emerging third-party risks. Triggers can be divided into groups and personalized with custom names and descriptions to simplify management.
Section 5.24 of the Supervisory Statement SS2/21
The PRA expects firms and groups to periodically (re)assess and take reasonable steps to manage:
• their overall reliance on third parties; and
• concentration risks or vendor lock-in at the firm or group,
How to comply with Section 5.24 of the Supervisory Statement SS2/21
To comply with Section 5.24 of the Supervisory Statement SS2/21, firms can follow these steps:
- Monitor reliance on third parties: Keep track of all third-party relationships and evaluate the extent of dependence on each provider.
- Assess concentration risks: Identify situations where the firm or group relies heavily on a single provider or a small number of providers for critical services, which may lead to concentration risks.
- Evaluate vendor lock-in: Examine the possibility of vendor lock-in, where the firm or group becomes too reliant on a specific provider, making it difficult to switch providers or find alternatives.
- Develop risk mitigation strategies: Implement measures to manage and mitigate reliance on third parties, concentration risks, and vendor lock-in. This may include diversifying service providers, implementing contingency plans, or negotiating contract terms facilitating provider transitions.
- Regularly reassess: Periodically reassess the firm or group's reliance on third parties and the associated risks, updating risk mitigation strategies as needed.
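The reliance, concentration and lock-in checks above can be made repeatable rather than judgement-only. The following Python script is an added illustration, not part of the original post or any UpGuard product: it runs over a constructed service inventory (the service names, providers and criticality flags are invented), counts how many critical services each primary provider delivers, computes a Herfindahl-Hirschman index of provider shares as a concentration measure, and lists critical services for which no alternative provider has been assessed (the vendor lock-in candidates). The share and HHI thresholds are illustrative assumptions, not figures from SS2/21.

```python
from collections import Counter

# Constructed sample inventory (not taken from the page): one row per
# service the firm consumes. "providers" lists every provider the firm
# has assessed as able to deliver the service, primary provider first.
SERVICES = [
    {"service": "core-banking-hosting", "critical": True,  "providers": ["CloudCo"]},
    {"service": "payments-gateway",     "critical": True,  "providers": ["CloudCo", "PayAlt"]},
    {"service": "kyc-screening",        "critical": True,  "providers": ["CloudCo"]},
    {"service": "backup-storage",       "critical": True,  "providers": ["VaultInc", "CloudCo"]},
    {"service": "payroll",              "critical": False, "providers": ["HRSaaS"]},
    {"service": "email-filtering",      "critical": False, "providers": ["MailGuard", "CloudCo"]},
]


def primary_reliance(services, critical_only=True):
    """Count how many (critical) services each primary provider delivers."""
    rows = [s for s in services if s["critical"] or not critical_only]
    return Counter(s["providers"][0] for s in rows)


def herfindahl_index(counts):
    """Herfindahl-Hirschman index of provider shares on a 0..1 scale.

    1.0 means every service sits with one provider; 1/n means n providers
    with equal shares. Higher values indicate more concentration.
    """
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return sum((n / total) ** 2 for n in counts.values())


def single_sourced(services, critical_only=True):
    """Services with no assessed alternative provider (vendor lock-in candidates)."""
    return sorted(
        s["service"]
        for s in services
        if len(s["providers"]) == 1 and (s["critical"] or not critical_only)
    )


def assess_concentration(services, share_threshold=0.5, hhi_threshold=0.25):
    """Summarise reliance, concentration and lock-in for a periodic review.

    share_threshold and hhi_threshold are illustrative assumptions chosen for
    this example; a firm would set its own risk appetite figures.
    """
    counts = primary_reliance(services)
    total = sum(counts.values())
    hhi = herfindahl_index(counts)
    # Providers delivering at least share_threshold of the critical services.
    dominant = sorted(p for p, n in counts.items() if n / total >= share_threshold)
    return {
        "critical_services": total,
        "hhi": round(hhi, 3),
        "concentrated": hhi >= hhi_threshold or bool(dominant),
        "dominant_providers": dominant,
        "single_sourced_critical": single_sourced(services),
    }


if __name__ == "__main__":
    for key, value in assess_concentration(SERVICES).items():
        print(f"{key}: {value}")
```

Run against the sample inventory, the report flags CloudCo as the dominant provider (three of four critical services) and lists the two critical services that have no assessed alternative; rerunning it after each reassessment cycle gives a comparable record of whether diversification or contractual exit terms have actually reduced the concentration.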
How UpGuard can Help You Comply with Section 5.24 of the Supervisory Statement SS2/21
UpGuard's attack surface monitoring solution surfaces your entire asset inventory to help you identify third-party entities unnecessarily bloating your attack surface.
Section 6: Outsourcing Agreements
Section 6.3 of the Supervisory Statement SS2/21
Firms should ensure that written agreements for non-material outsourcing arrangements include appropriate contractual safeguards to manage and monitor relevant risks. Moreover, regardless of materiality, firms should ensure that outsourcing agreements do not impede or limit the PRA's ability to effectively supervise the firm or outsourced activity, function, or service.
How to comply with Section 6.3 of the Supervisory Statement SS2/21
To comply with Section 6.3 of the Supervisory Statement SS2/21, firms can follow these steps:
- Include contractual safeguards: Incorporate clauses in the written agreements that address risk management and monitoring for non-material outsourcing arrangements. These safeguards may cover performance monitoring, reporting requirements, and escalation procedures.
- Ensure PRA supervision: Make sure outsourcing agreements do not restrict the PRA's ability to supervise the firm or the outsourced activity. This can be achieved by including provisions in the agreements that allow the PRA to access relevant information, documentation, and personnel associated with the outsourced activity.
- Regular reviews: Periodically review written agreements to ensure they remain up-to-date and continue to provide appropriate risk management and monitoring measures.
- Legal and regulatory compliance: Verify that all outsourcing agreements comply with relevant legal and regulatory requirements, and consult with legal experts as needed to ensure compliance.
How UpGuard can Help You Comply with Section 6.3 of the Supervisory Statement SS2/21
UpGuard's Trust Page feature streamlines contract access and collaborations between third-party vendors and their partners.
This pathway allows contracts to be reviewed at any time to ensure alignment with risk monitoring requirements. Both vendors and their partners have the option of greater access control by gating contracts with Non-Disclosure Agreements.
Section 7: Data Security
Section 7.10 of the Supervisory Statement SS2/21
The PRA expects firms to implement appropriate measures to protect outsourced data and set them out in their outsourcing policy and, where appropriate, in their written agreements for material outsourcing.
Section 7.11 of the Supervisory Statement SS2/21
The PRA expects firms to implement robust controls for data-in-transit, data-in-memory, and data-at-rest. Depending on the materiality and risk of the arrangement, these controls may include a range of preventative and detective measures [...]
How to comply with Sections 7.10 and 7.11 of the Supervisory Statement SS2/21
To comply with Sections 7.10 and 7.11 of the Supervisory Statement SS2/21, firms can follow these steps:
- Update outsourcing policy: Incorporate data protection measures in the outsourcing policy, and ensure these measures are included in written agreements for material outsourcing arrangements.
- Implement robust controls: Establish and maintain controls for data-in-transit, data-in-memory, and data-at-rest. These controls may include configuration management, encryption, key management, identity and access management, monitoring of insider threats, access and activity logging, incident detection and response, loss prevention and recovery, data segregation, network and firewall configuration, staff training, and ongoing monitoring of service providers' controls.
- Monitor effectiveness: Regularly assess the effectiveness of the service provider's controls through access and audit rights.
- Incident response: Develop policies and procedures to detect and respond to incidents affecting information security, such as data breaches or misuse of access.
- Data deletion: Establish procedures for deleting firm data from all locations where the service provider may have stored it after exit or termination, considering data protection law obligations and data retention requirements.
How UpGuard can Help You Comply with Sections 7.10 and 7.11 of the Supervisory Statement SS2/21
UpGuard helps organizations protect their sensitive data by securing common attack vectors leading to data breaches, including:
- Data leaks - UpGuard monitors the dark web for data leaks that could expedite third-party breaches.
- Third-party vulnerabilities - With security questionnaires mapping to popular regulations - including the GDPR - and cyber frameworks, UpGuard helps you discover underlying security threats increasing the risk of data breaches and supply chain attacks.
- Over 70 critical breach vectors - Including phishing, ransomware susceptibility (like WannaCry), man-in-the-middle attacks, DNSSEC, vulnerabilities, email spoofing, domain hijacking, DNS issues, and more.
Section 8: Access, audit, and information rights
Section 8.7 of the Supervisory Statement SS2/21
Firms may use a range of audit and other information-gathering methods, including:
• offsite audits, such as certificates and other independent reports supplied by service providers; and
• onsite audits, either individually or in conjunction with other firms (pooled audits).
Section 8.9 of the Supervisory Statement SS2/21
Certificates and reports supplied by service providers may help firms obtain assurance on the effectiveness of the service provider's controls. However, in material outsourcing arrangements, the PRA expects firms to:
• assess the adequacy of the information in these certificates and reports, and not assume that their mere existence or provision is sufficient evidence that the service is being provided in accordance with their legal, regulatory, and risk management obligations; and
• ensure that certificates and audit reports meet the expectations in Table 8.
How to comply with Sections 8.7 and 8.9 of the Supervisory Statement SS2/21
To comply with Sections 8.7 and 8.9 of the Supervisory Statement SS2/21, firms can follow these steps:
- Utilize different audit methods: Employ offsite and onsite audits, including certificates and independent reports supplied by service providers, and pooled audits in collaboration with other firms.
- Assess certificate and report adequacy: For material outsourcing arrangements, evaluate the adequacy of the information in these certificates and reports, ensuring they meet the expectations set out in Table 8. Do not assume that their mere existence or provision is sufficient evidence of compliance with legal, regulatory, and risk management obligations.
- Verify compliance: Ensure that certificates and audit reports meet the regulatory expectations and that the service is provided per the firm's legal, regulatory, and risk management obligations.
How UpGuard can Help You Comply with Sections 8.7 and 8.9 of the Supervisory Statement SS2/21
UpGuard's Trust Page feature centralizes vendor agreements, certifications, contracts, and any other relevant cybersecurity information in one public-facing page to streamline access across business relationships.