HM Treasury has published a second guidance document drafted by the G7 Cyber Expert Group, entitled G7 Fundamental Elements for third party cyber risk management in the financial sector. The guidance is part of a collection of documents, the so-called "G7 Fundamental Elements series", provided by the Group to assist firms, supervisory authorities, and third parties alike in their handling and monitoring of cyber security risks.
This particular guidance was evidently already developed in October 2022, although not published in the UK until now, and supersedes a previous guidance document on the same issue. It is intended to assist financial market participants in their activities to mitigate cyber security risks arising from third party service arrangements. The guidance covers the following key issues:
(1) the implementation of adequate corporate governance, including the documentation of a corporate strategy "addressing the reliance on third parties", the drafting of adequate third party and cyber risk policies, the development of risk tolerance thresholds, and the assignment of "clear roles, responsibilities, and accountabilities for third party cyber risk management".
(2) the adoption of adequate management processes for third party cyber security risks, including the identification and inventorying of third parties providing services to the firm, the determination of the significance or "criticality" of the services provided, the initial and continuing assessment of the cyber security risks posed to the firm by a third party service provider, and the continuing oversight of those risks.
(3) the adoption of adequate incident response policies which shall take into account the criticality of the services provided and which shall clearly outline the responsibilities of both the firm and the third party in case of cyber incidents and define risk mitigation measures.
(4) the development of contingency plans and exit strategies to ensure that a firm is able to terminate the contract with a third party service provider if that provider fails to adhere to the provisions of the contract. In this context, the document also provides guidance on monitoring and overseeing the contingency plans of the third party service provider.
The guidance also covers some issues beyond a firm's control that are particularly relevant for competent authorities, such as the monitoring of "potential systemic risks", e.g. in the case of market (service) concentration on one or two third party service providers, or the possible cross-sectoral impacts of cyber security incidents.