In recognizing the growing impact of third-party risks on operational resilience, the Prudential Regulation Authority (PRA) has established new regulatory requirements in the areas of third-party risk management and outsourcing. To help PRA-regulated entities navigate these new cybersecurity standards, this post outlines a compliance framework for all of the third-party risk management requirements of PRA SS2/21.
To comply with Section 5.22 of the Supervisory Statement SS2/21, firms can follow these steps. Monitor outsourcing arrangements: keep track of the performance of the outsourcing arrangements, and watch for any signs of serious or continued breaches of the agreement or crystallized risks.
To comply with Section 5.23 of the Supervisory Statement SS2/21, firms can follow these steps. Identify risks: determine the risks created or increased by the outsourcing arrangement, as well as the risks that are reduced or managed more effectively.
To comply with Section 6.3 of the Supervisory Statement SS2/21, firms can follow these steps. Include contractual safeguards: incorporate clauses in the written agreements that address risk management and monitoring for non-material outsourcing arrangements.