
The hidden cost of dealing with third parties

Despite growing awareness of third-party risks, it is still difficult for financial services companies to keep track of the complex ecosystem of service providers that support their supply chains. They must rise to the challenge as regulators insist that financial institutions improve their third-party risk posture, says Hirun Tantirigama, national technology risk and resilience leader at Protiviti Australia.

“Global regulators are pushing for good visibility, oversight and assurance among your organization’s service providers, especially in the financial services industry,” says Tantirigama.

Hirun Tantirigama, National Technology Risk and Resilience Lead at Protiviti Australia.

“The industry needs to recognize that while they may outsource the provision of key services to a third party, they cannot outsource responsibility – the onus is still on the financial services firm to manage third-party risk.”

Address material operational risk

This drive for greater accountability is reflected in the UK’s operational resilience policy documents as well as the European Union’s Digital Operational Resilience Act (DORA). Closer to home, the Australian Prudential Regulation Authority (APRA) has also placed greater responsibility on financial services to address third-party risk.

APRA’s Prudential Standard CPS 230 (Operational Risk Management) requires regulated entities to protect the resilience of their critical operations while broadening the scope of service providers they need to consider when addressing their third-party risk.

Effective July 2025, the new standard emphasizes board responsibility when it comes to managing service provider exposure and impact, as well as setting realistic recovery times to minimize and manage customer harm.

APRA draws particular attention to “significant service providers” that regulated entities rely on to undertake a critical operation or, if unavailable, would expose the regulated entity to significant operational risk.

Past performance the best indicator

The Australian Signals Directorate’s Procurement and Outsourcing Guidelines emphasize the importance of cyber supply chain risk management during the procurement of applications, IT, and operational technology (OT) systems. The nation’s top government cybersecurity body urges organizations to assess security risks throughout the lifecycle of products and services, from design to decommissioning, particularly with regard to jurisdictional and governance issues when using offshore providers. The guidelines recommend using providers with proven track records of security and transparency.

A key aspect is service provider relationship management, which involves developing a list of approved service providers and ensuring regular security assessments, particularly for high-risk parties. For managed services and cloud outsourcing, providers must go through security assessments to mitigate the risks associated with accessing an organization’s data or systems.

“Organizations should prefer service providers that have demonstrated a commitment to the security and transparency of their products and services,” the report says, reinforcing the model of shared responsibility for security across the supply chain.

Finally, sound procurement practices help ensure system integrity by reducing the risks associated with foreign suppliers and outsourcing of critical infrastructure.

Look at the big picture

Addressing third-party risk requires dependency mapping and response planning that identify key dependencies in practical and commercially realistic ways. Instead of relying on spreadsheets and manual processes, this requires investing in the right tools to manage end-to-end supply chain management workflows.

A holistic assessment must include each service provider’s own material service providers, classified as fourth-party risk, says Protiviti CEO Leslie Howatt.

“Many large organizations don’t necessarily know who all of their third-party vendors are, let alone their critical vendors,” says Howatt.

Protiviti CEO, Leslie Howatt.

“This means they don’t know where to put assurance processes in place or who to contact in the event of an operational issue. For example, a third-party managed security provider using tools like CrowdStrike might be critical to their operations, but they might lack visibility into that relationship.”

“This must change if financial services organizations are to meet their new regulatory obligations. They need to understand exactly which suppliers are most at risk and adapt their management action plans accordingly.”

Meeting this obligation requires improved due diligence processes and service provider lifecycle management. Going forward, financial institutions should also expect contract negotiations with third parties to include new clauses and KPIs related to operational risk, compliance and resilience requirements.

“The financial services industry needs to work hand in hand with its own service providers to become more resilient in the long term,” says Howatt.

“Instead of viewing resilience as a liability, organizations that see it as a competitive advantage should outperform competitors as their own customers expect and indeed demand demonstrated resilience superiority.”
