Regulating third-party services in the financial sector

Praveen Singh, Arjun Goswami. Updated September 29, 2024 at 07:21 PM.
Cybersecurity: The need of the hour | Photo Credit: anyaberkut

In late July, C-Edge Technologies, a cloud-based provider of core banking and payment services to over 300 cooperative banks, was hit by ransomware that disrupted payment services across its customer banks. The attack was attributed to RansomEXX, a ransomware group with a history of brazen attacks on high-profile targets, including Peru's government and brands such as Ferrari.

Less than two weeks earlier, a different kind of global crisis had unfolded when a faulty content configuration update to CrowdStrike's Falcon endpoint sensor caused Windows hosts worldwide to crash and fail to boot. Although unintentional, the outage's repercussions were profound, hitting sectors as diverse as healthcare, banking and air travel.

Cyber vulnerabilities

Together, these events underscore the financial sector's exposure to cyber risk: both deliberate attacks and unintended errors at a Third-Party Service Provider (TSP) can wreak havoc on critical businesses and institutions that depend on it.

As financial institutions increasingly rely on TSPs for cloud computing and software services, the risk of systemic failures originating at a TSP grows. The RBI Governor recently remarked that over-reliance on third-party vendors, especially without proper oversight, can be risky.

RBI already regulates the way its regulated entities (REs) outsource material financial services and information technology services, holding the RE accountable for its outsourced functions.

However, when REs are over-reliant on TSPs for their integral functions, a class of 'critical third parties' (CTPs) emerges.

When a few major TSPs become CTPs for a significant number of financial firms, they become systemically important: a single outage or compromise at one of them propagates to every firm that depends on it.

Regulators should assess the systemic risk posed by such CTPs based on the number of firms served, the materiality of the services to those firms, and the type of services provided.

With the emergence of CTPs, regulators in the EU, UK and US in particular are revisiting their rules on information and communication technology (ICT) risk.

Individual financial firms cannot, on their own, guard against market concentration risk, TSPs' own supply chain risks, or risks arising from internationally active TSPs operating at large scale; these require direct regulation. Regulators and standard-setting bodies have therefore begun reimagining regulation of CTPs directly, without diminishing the financial firms' final accountability towards their customers.

The EU's Digital Operational Resilience Act (DORA), which entered into force last year and applies from January 2025, covers ICT risk management, ICT third-party risk management, digital operational resilience testing, information sharing, and direct oversight of critical ICT third-party providers.

Global moves

Similarly, the UK Treasury has been empowered to designate certain TSPs as 'critical' to the financial sector, after which the financial regulators may make rules for them and audit and investigate them. In the US, the Bank Service Company Act already allows bank regulators to examine services that third parties provide to banks.

These interventions do not replace but supplement existing frameworks that regulate TSPs indirectly, through the financial firms that use them. India's outsourcing framework has worked well so far, but with growing reliance on TSPs, the idea of regulating critical third parties directly may warrant closer consideration.

The writers are with Cyril Amarchand Mangaldas

Published on September 29, 2024 13:51
