Implementing the PRA Supervisory Statement on outsourcing ...


The Prudential Regulation Authority (PRA) released its much-anticipated “Outsourcing and third party risk management” Policy Statement and final Supervisory Statements on 29 March. This follows the consultation period, which included a response from UK Finance to the PRA on behalf of our members.

The timing of the Supervisory Statement is very welcome. The financial sector has seen a growing focus on the need to regulate and manage its outsourcing and third-party relationships.

It is important to note that firms are expected to comply with the expectations in the Supervisory Statement by 31 March 2022 (which aligns with the date set out in the PRA’s operational resilience Supervisory Statement) and must seek to review and update legacy outsourcing agreements entered into before this date. Looking ahead, some of the key changes that firms must consider include, but are not limited to:

Definitions and scope: Firms should assess the materiality and risks of all third-party arrangements using all relevant criteria set out in the Supervisory Statement, irrespective of whether they fall within the definition of outsourcing. Where non-outsourcing third-party arrangements are deemed to be material or high risk, the PRA expects firms to implement effective, risk-based controls.

Proportionality: Firms are encouraged to review the guidance around control and influence, along with minimum expectations and additional examples of proportionality for third countries.

Pre-outsourcing phase: Firms should assess the materiality of all outsourcing arrangements using the criteria set out in the Supervisory Statement. They are expected to notify the PRA of all material arrangements, with the choice to submit a single blanket notification.

Data security: Firms' responsibility for data includes its classification, the definition and adoption of a risk-based approach to data location, and overall security measures. This is particularly important for how firms approach data security with cloud services.

Access, audit, and information rights: Firms should ensure that these rights are exercised in an outcome-focused way, which may include pooled audits and third-party certification, but only if this is sufficient for firms to meet their obligations.

Business continuity and exit plans: Firms must develop, document and test a business continuity plan and exit strategy covering both stressed and non-stressed exits.

In response to the Policy Statement and final Supervisory Statement, UK Finance convened two roundtables with the PRA, supported by EY. These sessions provided members with an opportunity to hear from the PRA on the changes that were implemented following the consultation period and the key areas that firms should focus upon, and also with an opportunity to pose questions to the PRA in a Q&A session.

If you or a colleague were unable to attend the sessions, they were recorded and can be found here and here. You may need to register to watch these.

For further information on how UK Finance is supporting members with navigating the implementation of the Supervisory Statement, [email protected].

Written by Oge Udensi, Principal, Cyber Security, UK Finance
Published date: 29.04.2021


