Comment Text:
As the CFTC rightly highlights, against a backdrop of increasing reliance on third-party providers, it is essential that sound risk management and improved business continuity are embedded in financial systems’ supply chains. Risks such as supplier failure, compromise of institutions via third-party services or products, service deterioration and concentration risk need to be understood and managed.
One area where there is growing consensus amongst financial authorities is the use of practical and proportionate tools such as escrow agreements. As outlined in more detail below, escrow agreements, along with the associated verification testing, are increasingly being built into financial institutions’ risk management and risk control strategies, at the direction of financial authorities. A globally available service with providers in all regions, escrow agreements enable firms to assume supplier failure by default and cost-effectively mitigate the myriad risks associated with reliance on third-party providers. Financial authorities who currently promote or mandate escrow agreements within their third-party risk management (TPRM) frameworks include:
• the US Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the Federal Reserve System (FRB), and the Office of the Comptroller of the Currency (OCC)
• the US Cybersecurity and Infrastructure Security Agency (CISA)
• the Bank of England and UK Prudential Regulatory Authority (PRA)
• the Monetary Authority of Singapore
• the Hong Kong Monetary Authority
• the Indonesian Otoritas Jasa Keuangan
• the Reserve Bank of India and Securities and Exchange Board of India
• the State Bank of Pakistan
• the Reserve Bank of New Zealand
• the Bank for International Settlements (BIS) Innovation Hub
While clearly escrow agreements are already widely recognised as a proven and proportionate risk mitigation tool, we believe that the CFTC has a role to play in promoting further alignment across financial authorities. Indeed, even where escrow agreements are not explicitly named by financial authorities, they are helping financial institutions to meet many of the TPRM rules included in evolving regulatory frameworks. To that end, we ask that an overview of the benefits escrow agreements can bring to mitigating the ramifications of supplier failure, service deterioration and concentration risk be considered for inclusion within this rule.
More broadly, we believe that the CFTC’s rule could be strengthened in the following ways, to promote a baseline of operational resilience:
• Scenario testing should be undertaken for all the risks identified by the CFTC, including supplier failure, service deterioration and concentration risk;
• Preventative, detective and corrective risk control techniques should be promoted; and,
• Ownership for third-party risks should be assigned at the highest level.
We are in favour of a broader definition of supply chain resilience that looks beyond technical cyber risk and takes a wider approach to understanding what is needed to safeguard continuity of service and operational continuity against non-technical risks such as insolvency, administration and liquidation, transfer of ownership, service deterioration, and concentration risk. We have sought to introduce to financial authorities’ considerations of operational resilience the concept of ‘Resilience by Design’: assuming supplier failure by default, and taking a two-fold approach to mitigating the associated risks which includes:
• prevention of supply chain failure (through cyber resilience solutions); and,
• mitigation of the risk and impact of supply chain failure (through escrow solutions).
In practice, this should include naming supplier failure, service deterioration and concentration risk as risks that require mitigation strategies (e.g. through stressed exit plans and scenario testing), and assigning ownership for third-party risk at the highest possible level. Indeed, this holistic approach has been adopted across several financial authorities globally, and we are pleased to see some elements already reflected in the CFTC’s initial rule.
We would emphasise the difficulties in exhaustively identifying a supplier’s risk profile, given it is generally the result of a combination of a multitude of factors. Identifying all possible scenarios is likely disproportionate to its potential benefits, and would likely lead to increasing costs and create barriers to innovation. For that reason, we believe that cloud, software and technology escrow solutions can offer legal, technical and proportional assurance to financial institutions in dealing with their third-party suppliers, particularly where they embrace the concept of ‘Resilience by Design’. This would assume supplier failure by default, regardless of the supplier’s risk profile, and encourage using escrow agreements as a proportionate and cost-effective solution for regulated entities to mitigate against this. Indeed, escrow agreements and verification services act as a technical insurance policy and business continuity strategy, safeguarding the long-term availability of business-critical technologies and applications while protecting intellectual property.
Establishing escrow agreements with supporting verification services creates a baseline to:
• Grant organisations access to the source code and the right to access the cloud environment where it is hosted, where an application is material to the organisation’s operational continuity, where the service is deployed in the cloud, or where the application presents a concentration risk. Indeed, as stated above, the role of escrow agreements is reflected in CISA’s guidance on ransomware, which states that, in being prepared for a ransomware incident, organisations should ensure the availability of source code through backups or escrow agreements. The details of any access rights and conditions will be set out in individual agreements, offering a legal basis with full transparency for all involved parties over when any such rights can be invoked.
• Specify how the agreement and access rights are to be used in the event of supplier compromise or failure. Principally, financial institutions rely on failed services continuing to operate while full recovery plans are being implemented. That means that continuity and exit planning needs to take account of implementation, testing and training times that impact on the ability to exchange or replace products and services expediently, safely and compliantly.
• Advance capabilities to automate risk tolerance at the application programming interface (API) gateway level, permitting control to gracefully fail safe services or providers who may go out of compliance and removing exposure latency in a real-time digital economy.
Escrow agreements can support several risk control functions, including:
• Corrective control: Escrow agreements’ primary function is to act as a corrective control, as the source code is only accessed after the supplier fails. By assuming the supplier will fail, a control mechanism is built to cope with that failure. Accessing the source code (or cloud information) allows the end user to limit the damage caused by the supplier’s failure and buys time to source an alternate provider.
• Detective control: Escrow verification often discovers problems with in-use software such as intellectual property ownership issues, outdated hardware or software, lack of source code, and inability to rebuild the service.
• Preventive control: Introducing escrow agreements as a requirement of the procurement/onboarding/contractual renewal process helps to prevent failure.
Many financial institutions already use escrow solutions as part of their comprehensive business continuity planning when mitigating supplier risk, and some third-party service providers themselves have opted to build these solutions into their offer to support their customers’ compliance with regulatory requirements. By way of example, NCC Group has worked with a banking technology provider on developing a cloud escrow solution. The provider’s cloud-hosted digital banking software-as-a-service (SaaS) solutions support more than 6,000 loan and deposit products serving over 14 million end customers worldwide. Working with NCC Group, the provider adopted a cloud escrow solution to establish a robust approach to its customers’ regulatory compliance, offering business continuity assurance by ensuring that financial institutions deploying the provider’s solution would have access to their application and specific cloud environment, as well as support for the ongoing maintenance and management of their application.
As outlined above, financial authorities globally are increasingly seeing escrow agreements as a core part of TPRM frameworks. Against this backdrop, we believe that there is a role for the CFTC as well in promoting further alignment across financial authorities. This could be done by including escrow agreements in the final rule and promoting a global dialogue on their role across financial authorities.
NCC Group welcomes the opportunity to contribute to the CFTC’s new rule. We have positively contributed to other regulatory authorities’ consideration of cyber security, operational resilience and third-party risk management. We would welcome the opportunity to engage in more proactive dialogue with the CFTC to support its objectives. We are able to offer interactive dialogue with our IT technical experts, solutions architects and qualified legal advisers, each of whom has years of experience in navigating the mitigation of risks for clients.
About NCC Group
With over 30 years’ experience protecting business critical software, data and information through escrow, secure verification testing, and cloud hosted software continuity services, NCC Group has followed regulatory developments regarding supply chain risks and third-party arrangements closely, not least to ensure that we are able to meet our customers’ evolving demands as regulatory requirements change. We work with customers operating across critical infrastructure sectors who understand how cybersecurity and software resilience can add value and represent a competitive advantage both in their own business as well as across their portfolios. We hold a unique position where we see compliance from the end-user’s perspective as well as from the viewpoint of the IT provider, and try to assist both in achieving their aims.
NCC Group is a global cybersecurity and software resilience business headquartered in the UK. Through its $220m acquisition of Iron Mountain’s Intellectual Property Management division (IPM), it has an established and significant footprint in North America, alongside our existing presence in Europe, the Middle East and Asia Pacific. This means we are able to take an international perspective on regulatory approaches to cybersecurity and third-party risk management.