A possible holistic framework to manage ICT third-party risk in the age of cyber risk
| Field | Value |
|---|---|
| Format | Article |
| Language | English |
| Published | AIFIRM, 2021-04-01 |
| Series | Risk Management Magazine |
| Online Access | https://www.aifirm.it/wp-content/uploads/2021/05/RMM-2021-01-Excerpt-4.pdf |
| ISSN | 2612-3665, 2724-2153 |

Summary: Third-party risk for external ICT services, covering both outsourced services and third-party products, is a crucial issue for a financial institution, because a cyber attack on a vendor can threaten the data of the institution's customers. For this reason, financial institutions should adopt a holistic risk management framework that keeps mitigating actions effective even when a third-party provider is engaged.
Risk analysis of external ICT services is necessary to prepare mitigation plans with adequate resource allocation. This paper proposes a management framework that indicates the security measures and controls to implement against the possible sources of ICT third-party risk, and defines the internal process a financial institution should adopt. The framework also includes a model for selecting the best vendor among the candidates for an ICT service, based on a risk assessment technique focused on the three information security dimensions (confidentiality, integrity and availability) and on the Borda method.
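The vendor-selection model described in the summary combines a per-dimension risk assessment (confidentiality, integrity, availability) with the Borda method. The following is an added example, written for this page and not taken from the paper, showing how a Borda count aggregates three per-dimension rankings into one vendor ranking. The vendor names, the 1-to-5 residual-risk scale (lower is better), the tie handling (tied candidates share the mean of the points their positions span) and the optional knock-out threshold are all assumptions of this example; the paper's own scale and tie rules are not given on this page.

```python
"""Borda-count vendor ranking over C/I/A risk scores.

Added example, not code from the paper. Assumed scale: each vendor gets a
residual-risk score per dimension from 1 (lowest risk) to 5 (highest).
Borda variant used: with n candidates, first place earns n-1 points, last
earns 0, and tied candidates share the mean of the points they span.
"""
from typing import Dict, List, Optional, Tuple

DIMENSIONS = ("confidentiality", "integrity", "availability")

# Constructed sample input (illustrative numbers, not real vendor data).
SAMPLE_SCORES: Dict[str, Dict[str, float]] = {
    "VendorA": {"confidentiality": 2, "integrity": 3, "availability": 1},
    "VendorB": {"confidentiality": 1, "integrity": 4, "availability": 3},
    "VendorC": {"confidentiality": 3, "integrity": 1, "availability": 2},
    "VendorD": {"confidentiality": 2, "integrity": 2, "availability": 4},
}


def borda_points(ordering: List[Tuple[str, float]]) -> Dict[str, float]:
    """Assign Borda points to an ordering of (vendor, score), best first.

    Position p (0-based) is worth n-1-p points. A run of equal scores is a
    tie: every vendor in the run receives the mean of the run's points, so
    the total points handed out is the same whether or not ties occur.
    """
    n = len(ordering)
    points: Dict[str, float] = {}
    i = 0
    while i < n:
        j = i
        while j + 1 < n and ordering[j + 1][1] == ordering[i][1]:
            j += 1
        mean = sum(n - 1 - p for p in range(i, j + 1)) / (j - i + 1)
        for p in range(i, j + 1):
            points[ordering[p][0]] = mean
        i = j + 1
    return points


def rank_vendors(
    scores: Dict[str, Dict[str, float]],
    weights: Optional[Dict[str, float]] = None,
    exclude_above: Optional[float] = None,
) -> List[Tuple[str, float]]:
    """Rank vendors by (optionally weighted) Borda points summed over C/I/A.

    exclude_above is an assumed knock-out rule added here: a vendor whose
    score in any single dimension exceeds it is dropped before ranking.
    Without such a rule a Borda sum lets strength in one dimension
    compensate for an unacceptable weakness in another.
    Returns [(vendor, total_points), ...] from best to worst; equal totals
    are ordered by vendor name for determinism.
    """
    weights = weights or {d: 1.0 for d in DIMENSIONS}
    if exclude_above is not None:
        scores = {
            v: s for v, s in scores.items()
            if all(s[d] <= exclude_above for d in DIMENSIONS)
        }
    totals = {v: 0.0 for v in scores}
    for dim in DIMENSIONS:
        # Lower residual risk is better, so sort ascending by score.
        ordering = sorted(
            ((v, s[dim]) for v, s in scores.items()), key=lambda t: t[1]
        )
        for vendor, pts in borda_points(ordering).items():
            totals[vendor] += weights[dim] * pts
    return sorted(totals.items(), key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    for vendor, total in rank_vendors(SAMPLE_SCORES):
        print(f"{vendor}: {total}")
```

With the constructed scores, VendorA wins on the plain Borda sum even though it is best in only one dimension, because it is never last in any; applying `exclude_above=3` first removes VendorB and VendorD for a single high-risk dimension each, which is the kind of pre-filter a practitioner would want in front of any compensatory aggregation.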