
Workshop reviews risks to the economy, financial system from third parties
Financial and nonfinancial companies increasingly rely on third parties to provide critical services. These services can include software and data, computing infrastructure, generative artificial intelligence (AI), and energy and telecommunications. This reliance creates a tension between increased efficiency and specialized expertise on the one hand and potential introduction of vulnerabilities on the other.
Such trade-offs were the focus of a research workshop on third-party service provider risks in the economy and financial system hosted by the Federal Reserve Banks of Boston, Chicago and Dallas in Houston.
Three key themes emerged: how firms can identify and monitor service provider risks; how firms and regulators can weigh the balance between fostering innovation and mitigating risk; and how researchers can identify sources and contagion channels of service provider risk while attempting to quantitatively measure systemic risk.
Building on a working paper published earlier this year, the conference brought together researchers, regulators and practitioners to explore how vulnerabilities can best be identified, monitored and mitigated.
Third-party vendors can pose notable systemic risks. Provision of any given service is frequently concentrated among a very small number of entities, often because of economies of scale or network effects. Thus, problems at one vendor could create systemic vulnerabilities for the economy, across major economic sectors or within the financial system. Compounding the effect of such vulnerabilities, an individual provider may serve many clients, and that interconnectedness increases spillover risk.
The workshop agenda combined research paper presentations and moderated panel discussions among industry representatives. Participants represented sectors that included finance, health care, transportation and professional services.
Outsourcing poses challenges to individual firm risk management
While providers can offer high-quality, specialized services at lower cost than if a client firm undertook such services itself, the resulting reliance creates unique risk management challenges. They include providing effective oversight for the potentially large number of vendors a firm may retain, workshop participants said.
Outside providers may follow differing standards and regulations for service quality and risk controls relative to their client firms. Additionally, a dearth of competing providers may leave clients with a lack of bargaining power when entering contracts.
Participants discussed how they identify the scope of these risks and offered ways to manage them, stressing the challenges of overseeing a range of service providers. One participant illustrated the scope of the oversight involved when dealing with their firm’s approximately 5,000 providers.
Facing the large scale of outsourcing, many participants emphasized the importance of evaluating how critical each provider is to essential business activities and prioritizing oversight accordingly.
Client firms may also seek ways to focus risk management efforts on service providers most vulnerable to cyberattacks. Commercially available data on firms and their cyber-health ratings can help identify potential areas of concern within a service provider portfolio, participants said.
Holding providers accountable is challenging
Participants reported struggles holding providers accountable to the client’s standards of service quality and risk control. Firms may lack bargaining power in contract negotiations to set robust service-level agreements when a provider is the only game in town.
This is particularly true for small clients and in cases of highly specialized services, though this dynamic affects firms of all sizes. Some firms use accountability measures imposed by their boards of directors or regulators to negotiate better service-level agreements.
One firm indicated it obtained stronger governance terms in a negotiation with a critical service provider because one of its oversight bodies would not approve using the provider until certain conditions were met. Some service providers’ own reliance on third-party providers further complicates maintaining accountability. This “nth-party” problem can be addressed with contracts that assign to providers the responsibility for their own vendors, though the providers face the same enforcement challenges as their clients.
Participants expressed a desire for more transparency about third-party vendors who serve multiple clients in particular industries and more tools to identify supply chain concentration and interconnectedness beyond those firms with whom they directly contracted.
Participants also indicated a desire to hold providers more accountable for protecting their customers through service-level agreements or other obligations written into contracts. Participants also noted risk management would be stronger if they had more robust risk assessments of the control environment at their third-party providers.
Developing a plan for incident response is important
Participants stressed the importance of developing playbooks and running tabletop exercises that involve all levels of the organization to guard against disruptions, including cyberattacks. Maintaining updated playbooks and performing risk-management scenario tabletop exercises are key to strengthening relationships within a firm, with its service providers and with regulators, all of whom matter when navigating an actual risk event.
Simply knowing where the playbooks are and whom to contact based on relationships developed during tabletop exercises are important starting points to manage adverse situations, speakers said. Some participants noted the challenge of preventing all risk events. Another said recovering from a risk event is just as important as preventing it. Others said that sometimes the best result would be learning from events that inevitably happen.
Service providers’ limited visibility into the playbooks of their clients or counterparties is an added complication—the actions of firm A during an operational disruption may have unanticipated impacts on firm B and vice versa.
Firms balance fostering innovation with mitigating risk
Participants discussed the need to balance fostering innovation while mitigating risk. Standardization across providers could enable interoperability, they said. This could increase resilience, lower switching costs, enable more competition between providers and ultimately improve how services are provided.
For example, developing a common application programming interface (the way cloud computing services communicate with one another) could ease switching and enhance backup resiliency.
Developments, including AI innovation and the growth of private capital markets, complicate provider oversight.
While AI tools supplied by third parties provide efficiency and performance benefits, firms must ensure the AI does not access and train on a firm’s proprietary intellectual property, one participant said.
Private equity’s acquisition of technology service providers can result in increased prices and degraded quality of services, another participant said, noting the same private equity firm acquired nearly 40 of that participant’s firm’s service providers, increasing concerns about interconnectedness. Determining firm ownership, which is sometimes difficult, also could be relevant in a geopolitical and national security context.
How to quantify and monitor systemic risk
While panel discussions focused on risks and mitigation efforts at the firm level, research papers highlighted how third-party service provider risks can spread across sectors or the economy through interconnectedness and offered ways to quantify the cost of risk events.
- One presentation on the 100 largest banks and non-bank financial institutions showed that the cyber health of financial institutions is on average greater than that of the universe of service providers they use. Authors pointed out that the lesser cyber health of providers can become an important source of financial sector systemic risk. The paper also performed scenario analyses of catastrophic cyber events targeting third-party service providers, which indicated potential losses 15 and 10 times larger than those from routine incidents for banks and non-bank financial institutions, respectively.
- Another analysis highlighted risks that software companies pose to their customer firms via the digital supply chain, increasing the likelihood of cyberattacks and negatively impacting customer investment rates and sales growth.
- A third paper used transaction-level data and institutional cybersecurity ratings to simulate disruptions to key cash lenders in the Treasury repurchase (repo) market. The paper indicated outages can disrupt more than $100 billion in funding and cause repo rates to rise by more than 50 basis points (a half-percentage point) due to the bilateral and time-sensitive nature of funding markets.
- Another paper underscored the importance of using data to proactively manage third-party cybersecurity risk in the health care sector, showing how cyber risk events can impair the sector’s payment flows.
- Yet another paper discussed the European Union’s approach to managing risk in the payments system from third-party service providers. The EU’s Digital Operational Resilience Act designates critical service providers and sets detailed requirements for such firms. By comparison, the U.S. has limited macroprudential oversight of service providers and instead places responsibility on financial institutions for effective management of technology and related risks, regardless of whether services have been outsourced. The EU approach also differed from other methods highlighted during the workshop that, for example, did not favor more regulation to address gaps in supply chain transparency and contract negotiations.
Workshop identifies areas for future study
The workshop identified areas of potential future research, including mapping exercises to discover points of concentration and levels of interconnectedness in an industry. Case studies of past risk events, including their financial impact, are also of value. Such exercises could be made even more impactful by using data from cybersecurity vendors and payments providers to better understand how third parties can create financial risk at the firm level or systemic risk in important industries such as finance, aviation and health care.
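The mapping exercise described here, and the earlier wish for tools that reveal concentration and interconnectedness beyond a firm's direct contracts, amounts to a reachability problem over a dependency graph. The following is an added illustration, not code or data from the workshop or its papers: it takes a constructed list of client-to-provider contracts (all firm names are hypothetical), follows each firm's chain of providers transitively, and reports which providers most of the surveyed firms ultimately depend on, including "nth-party" providers that appear in no firm's own contract list.

```python
"""Transitive mapping of third- and nth-party dependencies (added example).

Edges run from a client to a provider it contracts with directly. Providers may
themselves be clients of other providers, which is how nth-party exposure arises.
The sample contracts below are constructed for illustration; the firm names are
hypothetical and not taken from the workshop.
"""
from collections import defaultdict, deque

# Constructed sample data: (client, provider) pairs.
CONTRACTS = [
    ("BankA", "CoreBankingVendor"),
    ("BankA", "CloudWest"),
    ("BankB", "CoreBankingVendor"),
    ("BankB", "PaymentsHub"),
    ("InsurerC", "PaymentsHub"),
    ("InsurerC", "CloudWest"),
    ("HospitalD", "ClaimsClearing"),
    ("CoreBankingVendor", "CloudWest"),  # the vendor hosts on CloudWest
    ("PaymentsHub", "CloudWest"),
    ("ClaimsClearing", "PaymentsHub"),
    ("CloudWest", "DNSProviderZ"),       # a 4th party no firm contracts with directly
]

# The firms whose exposure we are mapping (hypothetical).
FIRMS = {"BankA", "BankB", "InsurerC", "HospitalD"}


def build_graph(contracts):
    """Adjacency map: node -> set of providers it depends on directly."""
    graph = defaultdict(set)
    for client, provider in contracts:
        graph[client].add(provider)
    return graph


def transitive_providers(graph, firm):
    """Every provider reachable from `firm`, mapped to the depth at which it is
    first reached (1 = direct contract, 2 = provider's provider, ...).
    Breadth-first search with a visited map, so cycles between providers
    terminate and each provider is recorded at its shortest chain length."""
    seen = {}
    queue = deque([(firm, 0)])
    while queue:
        node, depth = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen[nxt] = depth + 1
                queue.append((nxt, depth + 1))
    return seen


def concentration_report(contracts, firms):
    """Return (exposed, depths): exposed[provider] is the set of firms that depend
    on it directly or through an nth party; depths[firm] is that firm's reach map."""
    graph = build_graph(contracts)
    exposed = defaultdict(set)
    depths = {}
    for firm in firms:
        reach = transitive_providers(graph, firm)
        depths[firm] = reach
        for provider in reach:
            exposed[provider].add(firm)
    return exposed, depths


def hidden_dependencies(depths, firm):
    """Providers a firm reaches only through other providers (depth >= 2), i.e.
    exposure that does not show up in its own contract register."""
    return {p for p, d in depths[firm].items() if d >= 2}


def single_points_of_failure(exposed, firms, threshold=0.5):
    """Providers whose outage would touch at least `threshold` of the firms,
    as (provider, share) sorted by share descending, then by name."""
    rows = [(p, len(fs) / len(firms)) for p, fs in exposed.items()]
    return sorted((r for r in rows if r[1] >= threshold), key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    exposed, depths = concentration_report(CONTRACTS, FIRMS)
    for provider, share in single_points_of_failure(exposed, FIRMS):
        print(f"{provider:18s} reaches {share:.0%} of firms")
    for firm in sorted(FIRMS):
        print(f"{firm}: hidden nth-party exposure -> {sorted(hidden_dependencies(depths, firm))}")
```

In the constructed data, every surveyed firm ends up depending on `CloudWest` and, one hop further, on `DNSProviderZ`, even though only two firms contract with the former and none with the latter. That gap between the contract register and the transitive exposure is exactly what the participants said they could not see today. In practice the contract list would come from procurement and vendor-management systems, and the provider-to-provider edges from vendors' own disclosures or from commercial supply-chain data, which is where the transparency gap discussed earlier bites.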
About the authors