Michael Kemmer works in the Information Security department of Julius Baer. In this article, he shares three points to consider when conducting the risk assessment of a technology provider.
Outsourcing, i.e. the use of an external service provider, is nothing new for intermediaries. In recent years, the rapid development in the field of digitisation has led to a host of new applications and has seen the need for external expertise increase accordingly. A good example is the continuous use of external portfolio management systems.
It is one thing to trust that the external service provider will exercise responsibility by doing their job reliably. However, it remains the responsibility of the intermediary to remain accountable and closely manage this third party for its own protection and that of its clients. For this purpose, an in-depth risk analysis is required. In connection with the introduction of an external service, the product (i.e. the digital platform) and the company must be subject to a risk analysis.
An intermediary with, for example, four employees might argue that such an in-depth risk analysis is unnecessary for a company with such a relatively simple structure. At this point one should address the following question: What could happen to your company if your IT system experiences a data leak and your customers’ assets are suddenly accessible to the public? The consequences of this scenario would be disastrous to the company’s reputation and would most likely result in the intermediary having to cease all business activity.
How to conduct the risk assessment of a technology provider
The following information delves into three points that might be relevant for the risk assessment of a technology provider:
Understand the nature of the business relationship
Conducting a risk analysis for each service provider presents insights into the respective level of security and compliance. Possible aspects to consider include:
Organisation: Management expertise, founding date, key staff, size of the company.
Service: Accurate description of the services/functions provided, including service level descriptions.
Process documentation and instructions: Insight should be provided into all relevant documentation and instructions, especially regarding information security.
Data: Establishment of where the data is stored, which communication channels are used, what type of encryption is used.
Subcontractors: It is not uncommon for technology providers to obtain services from other partners as well. Here, it should also be clarified exactly which subcontractors are involved and which safety standards they meet.
Certification: If the provider has an ISO 27001 certification, practising due diligence is much easier. With this certification, companies demonstrate that their information security meets certain standards. ISO 27001 requires the introduction of a certified Information Security Management System (ISMS). This ensures confidentiality, integrity, and availability of information in the areas of organisation, processes, technology, and legal aspects.The Federal Council also offers an ‘Information security checklist for SMEs.
Evaluate potential risks and vulnerabilities
Once all necessary information about the upcoming business relationship has been gathered, it can be evaluated in a risk matrix. There are a variety of sources available for this on the Internet. The primary aim of the risk evaluation is to list all possible risks and assess them (low, mid, high) and their impact on the business of the intermediary. After classifying the risks, possible measures should be defined to reduce them. For example, by contractually stipulating that the external service provider will meet more stringent requirements or has to perform inspections at shorter intervals.
Examine the timing of the risk assessment
It is highly recommended to practise thorough due diligence before the business relationship begins. The best time to perform a service provider assessment is during the evaluation phase, as this phase offers the first opportunity to ask specific questions and understand the intricacies of the relationship. For Request for Proposals (RFPs), questionnaires can be used to gather a preliminary set of information, on the basis of which an initial assessment can be performed.
Continue the cycle
Once the risk assessment has been completed and the business relationship has been contractually agreed, it is advisable to conduct repeated assessments throughout the duration of the relationship. The risk assessment of a service provider is not a one-time task. Subcontractors may change over time or processes used by the service provider may evolve.
Repeated risk assessments ensure that the goals are achieved (via the Service Level Agreement) and that expectations are met. The time required for repeated reviews is based on the degree of risk. For example, higher-risk services (e.g., technology, security, etc.) may require more frequent evaluations or thorough risk assessments.
About the author
Michael Kemmer is Executive Director – Information Security at Julius Baer.