Boosting the resiliency of third-party technology service providers

Tactical considerations that financial services firms outsourcing critical processes to Third-Party Technology Service Providers need to know

Financial services firms outsourcing critical processes to Third-Party Technology Service Providers (TSPs) need their partners to have robust recovery and resiliency capabilities. The continuity of customer services could be at stake. Firms can address this challenge by putting into action the Federal Financial Institutions Examination Council’s (FFIEC) Appendix J recommendations on Third-Party Risk Management programs, capacity management, testing with TSPs, and resilience when leveraging TSPs.

PwC offers tactical considerations around third-party tech providers

Overview of the FFIEC Appendix J recommendations

Cyber resiliency capabilities that enable organizations to withstand cyberattacks and recover quickly are critical not only to institutions, but also to their customers who rely on continuity of services. Many financial industry firms, however, are opting to outsource internal processes to achieve savings and gain efficiencies. This has resulted in many banks and other financial institutions becoming dependent upon TSPs to perform or support their critical processes. Accordingly, financial institutions are increasingly reliant upon third parties to have sufficient recovery capabilities related to the specific services they perform.

Financial institutions should establish continuity of service and partner with their TSPs to improve resiliency capabilities across their enterprises. To that end, they can put into action the recommendations presented in the FFIEC Appendix J while factoring in tactical considerations. When outsourcing critical business processes to TSPs, management should look to increase business resiliency efficiencies through:

  • Third-Party Risk Management (TPRM) programs, which incorporate validation of resiliency capabilities at each stage of the relationship management lifecycle 
  • Capacity management, which considers third parties' abilities to deliver essential services under adverse scenarios, in addition to possible alternatives in the event of third-party failure 
  • Testing with TSPs, which involves testing the business continuity resilience between the financial institutions and TSPs, in addition to reviewing test results and remediating any observed weaknesses 
  • Cyber resilience when leveraging TSPs, which involves identifying and mitigating cyber threats to data and operational infrastructure, as well as establishing effective incident response procedures for cyberattacks

Contact us

T.R. Kane

Principal, PwC US

Dean Spitzer

Principal, Cybersecurity, Privacy & Forensics, PwC US

Jonathan Pastore

Director, Cybersecurity and Privacy, PwC US

Andrew Namoury

Director, Advisory, PwC US
