DORA, Vendor Risk Monitoring, and Adverse Media
Under DORA, financial institutions must demonstrate robust controls around third-party risk management1. While the law focuses on contractual controls, there is much more to TPRM than just having the proper clauses in place with strategic ICT vendors.
To get grips on risks associated with third-party vendors, financial institutions would need to look beyond what is put on paper and check whether their ICT suppliers continue to be able and willing to meet their contractual obligations. In other words, processes for ongoing management of a third-party risk management program are needed to do TPRM properly, which includes continuous monitoring.
Leveraging Technology for Continuous Vendor Risk Monitoring in Financial Institutions
However, continuous monitoring may be challenging for financial entities, as PricewaterhouseCoopers (PWC) describes in its DORA Thought Leadership Pager3:
“Overseeing and managing the ICT risks for the full third-party chain in sufficient depth and responding in the right way to the risks arising from third parties (or their third parties) will be a big undertaking. A key challenge will be getting the relevant information in a timely manner from the third-party chain”.
This blog series explores how financial institutions can leverage technology for continuous vendor risk monitoring. It explores explicitly using adverse media signals as early indicators for ICT-vendor risk.
What is DORA?
The Digital Operational Resilience Act (DORA) is a significant milestone in the ever-evolving financial industry landscape. Scheduled for enforcement in January 2025, this legislative framework imposes binding obligations on financial institutions and their essential suppliers operating within the European Union (EU). DORA requires them to demonstrate they can withstand and effectively navigate ICT-related disruptions.
Figure 1: DORA requires organizations to implement measures across five key risk areas4.
Vendor Risk Monitoring: Assessing and Mitigating Risks from Third-Party Vendors
Monitoring and analyzing vendors’ activities, practices, and performance to identify potential risks or vulnerabilities that could impact the organization is crucial for maintaining a secure and resilient business environment. Vendor risk monitoring involves assessing and evaluating the risks associated with third-party vendors or suppliers that provide an organization with goods, services, or support.
Traditionally, monitoring vendors to detect any changes in their risk profile or operational practices involves regular assessments, site visits, audits, security testing, and reviewing vendor performance against agreed-upon service level agreements (SLAs) or key performance indicators (KPIs).
Adverse Media Monitoring as a crucial element of Vendor Risk Management
Over the recent years, organizations have been focusing more and more on monitoring external factors or signals that could impact the vendor’s stability or security posture. Identifying any negative trends in their performance through external signals can serve as an essential early warning signal that enables organizations to take timely measures to mitigate risks.
A common term for monitoring these external signals is adverse media monitoring, also known as negative news or media monitoring. Adverse media monitoring involves screening vendors for negative news across official and unofficial online sources. For ICT Vendors, various external signals can be considered adverse media, for example, signals indicating financial instability, cybersecurity incidents, or legal and regulatory issues.
Figure 2: Examples of adverse media signals:
Adverse media indicators may involve reports or articles discussing financial instability or distress within an ICT vendor. These could include news of bankruptcy filings, significant financial losses, or ongoing financial difficulties.
Adverse media indicators related to cybersecurity incidents can be critical for assessing an ICT vendor’s risk profile. This could involve reports of data breaches, cyber-attacks, or vulnerabilities in the vendor’s systems or applications.
Legal and Regulatory Issues
Adverse media indicators may highlight legal or regulatory issues associated with an ICT vendor. This could include news articles or reports discussing violations of laws, non-compliance with industry regulations, or investigations into the vendor’s practices by regulatory authorities.
Adverse media monitoring can be carried out in many different ways. Examples include dedicating resources to perform (manual) risk assessments or establishing collaborative networks or industry forums where participants share information and insights regarding adverse media incidents related to vendors.
However, monitoring many vendors continuously can be arduous for humans, especially when it involves promptly screening extensive news sources worldwide in different languages. Therefore, leveraging the capabilities of technology can alleviate this challenge by automating the process and providing relevant insights that may have yet to be noticed. This allows companies to monitor a much larger vendor universe than ever, ensuring that all vendors receive equal attention and scrutiny.
Want to know how to overcome the challenge of continuous Vendor Risk Monitoring?
In our blog ‘Leveraging Technology for Continuous Vendor Risk Monitoring’, we explore the complexity of continuous monitoring and offer practical solutions to overcome this challenge.
How Owlin can help you manage the operational risk of ICT Vendors
Organizations can proactively manage vendor risk with AI platform Owlin. The platform’s machine learning algorithms and natural language processing capabilities quickly identify relevant information in 17 different languages and detect early risk signals, allowing organizations to make informed decisions and proactively manage risks such as cyber-attacks and IT system failures, which are critical areas of focus for DORA.
Owlin’s platform can be customized to meet client needs and integrated into existing workflow systems, making it a flexible and scalable solution for managing operational risks.
- European Commission, 2022, Regulation on digital operational resilience for the financial sector (European Commission)
- Prevalent, 2022, Meeting EU Digital Operational Resilience Act (DORA) Third-Party Risk Requirements
- PWC, 2023, How the digital operational resilience act (DORA) helps your continuity, come rain come shine
- NCC Group, 2023, EU adopts landmark IT resilience laws – a look at the Digital Operational Resilience Act (DORA)