IV.A.5 Third-Party Service Providers
Many entities depend on third-party service providers to perform or support critical operations. A disruption in the delivery of those services can have a direct impact on entities’ resilience. A critical failure at a widely used third-party service provider could have large-scale consequences. Management should assess critical third-party service providers’ susceptibility to multiple event scenarios and verify such third parties’ resilience capabilities. An entity’s third-party service provider can be a single point of failure if management has not considered alternative providers or other contingency plans. If an alternative third-party service provider is not readily available, management should consider options to continue business operations and reevaluate resilience options periodically as conditions may change. Resilience planning should be closely coordinated with third-party service providers.
Establishing well-defined expectations with third-party service providers is important to business resilience. Contracts and SLAs with third-party service providers should detail roles and responsibilities of each party to promote resilience. Ongoing monitoring of the entity’s third-party service providers helps management identify potential weaknesses in the third-party service provider’s resilience that could affect the entity’s operations.
Management’s review of an entity’s third-party service provider’s BCM program may include independent audit reports or SOC reports. SOC reports can contain valuable information about the third-party service provider’s products and processes. If management relies on SOC reports, it should verify whether business continuity activities are audited, including whether the scope and depth of review are sufficient to allow management to evaluate the third-party service provider’s control environment.
SOC 1 reports cover controls at the third-party service provider that affect financial reporting. Business continuity activities are usually reported in unaudited sections of SOC 1 reports because they often do not have a direct correlation to the preparation of the financial statements, unless an event happened during the audit period. SOC 2 reports cover trust services criteria and include activities such as security, confidentiality, availability, privacy, and integrity. Audit firms typically do not opine on the quality of the business continuity activities, because it is difficult to predict what would happen during an actual event. Activities related to business continuity such as replication, plan development, and testing may be included in SOC 2 reports covering availability. Depending on the scope of the audit testing, additional inquiry and activities may be appropriate to understand the resilience of the third-party service provider.
Management should consider the same risks outlined in their entity’s own internal BCP(s) in relation to third-party service providers, as well as:
- Capacity of third-party service provider to meet client recovery objectives in the agreements, relative to other clients’ needs.
- Ability to participate in recovery testing with third-party service providers and access to testing results.
- Ability to move outsourced processes either in-house or to another third-party service provider.
- Alternative resource options (e.g., personnel and systems) for when primary services cannot be delivered.
- Data confidentiality, integrity, and availability (e.g., transportability and interoperability).
- Financial capacity to continue meeting contractual obligations.
- Services concentrated in a limited number of third-party service providers.
Business continuity-related provisions found in contracts and SLAs may include the following:
- Time parameter(s) for contracted service(s).
- Appropriate baseline metrics describing management’s resilience and recovery expectations (e.g., an incident response metric to ensure timely response to events impacting business continuity and resilience).
- Periodic service reviews to ensure up-to-date agreements with all parties involved.
If operations at a third-party service provider cease, the length of time required to convert to an alternate system would, for most applications, exceed a reasonable RTO. To the extent possible, management should establish plans for the resilience of third-party service providers supporting critical operations.