As the banking industry has digitalised, its use of third-party service providers has grown, and with it the exposure of banks to cyber attacks that originate at or pass through those providers. Against this background, Raymond Chan, Executive Director (Banking Supervision) of the HKMA, has issued a circular addressed to the Chief Executives of all authorized institutions (AIs) with guidance on managing cyber risk arising from third-party service providers. The circular builds on the existing Supervisory Policy Manual modules, in particular “TM-G-1 General Principles for Technology Risk Management” and “OR-2 Operational Resilience”. Although it is addressed to banks, the guidance is equally applicable to other financial market participants, since the underlying problem is not specific to banking.
The circular highlights the following six points:
1. The risk governance framework of AIs should take into account the cyber risk associated with third parties
The different dimensions of third-party cyber risk (for example operational disruption and data breaches) must each be covered by the AI's governance framework.
2. The third-party management cycle should holistically identify, assess and mitigate cyber risk
Cyber risk should be identified, assessed and mitigated throughout the life of a relationship: before a third party is engaged, during the engagement, and after the relationship ends.
3. Identify the supply-chain risks of third parties that support critical operations
This matters especially where a third party supports critical processes or itself relies on further providers (so-called fourth parties). In such cases it is crucial to identify weaknesses along the supply chain and to understand the service provider's infrastructure and dependencies.
4. Broaden the scope of cyber threat monitoring, and exchange knowledge and experience with peer institutions
Key technologies and third-party services should be monitored closely enough that emerging threats are detected early and there is sufficient time to act. Sharing experience across the industry also helps to identify new threats.
5. Response strategies should cover the risk of cyber attacks involving third parties
Incident response and resilience scenarios should include cyber attacks on, or via, third parties, together with the preventive measures that address them.
6. Continuously adapt cyber defence strategies and resilience measures to the latest standards and practices
The layers of defence should be reviewed and updated regularly, especially as third-party relationships and organisational structures become more complex.
—
Annex I of the circular discusses these six practices in more detail. The Executive Director encourages AIs to review their internal controls against them and to close any gaps they identify.