Third-Party Resilience: Increasing Transparency
A Paper from SIFMA and Protiviti
Dated: April 9, 2025
Overview

The threats faced by financial institutions are vast, multi-faceted and constantly evolving. The industry has responded in kind, in part by investing in resilience capabilities that enhance its ability to recover from destructive attacks, including attacks that may lead to data loss or critical system unavailability. The resilience of an individual organization or service often depends on the resilience of necessary upstream and downstream partners and suppliers. Many of these third parties are common to large financial institutions, creating potential systemic risk should the third party suffer a significant operational incident. Risks can emerge from, among other things, a lack of transparency from these third parties over their resilience and recovery capabilities. This lack of transparency impedes efforts to strengthen the resilience of global financial markets.
Third parties have historically been reluctant to divulge details of their resilience capabilities. When information is shared, it is often clear that the third party has not invested in appropriate cyber resilience measures necessary to address the modern threat environment. This paper identifies and examines the operational recovery capabilities that are increasingly becoming standard expectations for third parties providing services to financial institutions. Importantly, while financial institutions are primarily concerned about the resilience of the service they receive, the overall resilience of the third party’s critical systems and infrastructure is no less important. By adopting these capabilities, institutions can ensure the continuity of their critical business services consistent with their regulatory obligations and in support of the overall resilience of the financial system.
The focus on these capabilities within third parties is a continuation of the financial sector’s own consideration of data and system recovery risks. For additional information on related topics, please see Principles for Data Recovery From a Severe Cyber Scenario and SIFMA’s Cybersecurity Resource Center.