
Risk Associated with Third-party IT Solutions

Sep 27, 2024

On 27 Sep 2024, the HKMA issued a circular urging Authorized Institutions to strengthen third-party IT risk management following a global cybersecurity incident, directing them to implement good practices from the Annex to reinforce existing C-RAF and third-party risk frameworks. The HKMA stressed that senior management must integrate these industry standards into current controls to enhance operational resilience against third-party solution failures.

This article was generated using SAMS, an AI technology by Timothy Loh LLP.

Introduction

On 27 Sep 2024, the Hong Kong Monetary Authority (HKMA) issued a circular reminding Authorized Institutions (AIs) to strengthen risk management practices concerning third-party IT solutions following a global incident involving a cybersecurity provider's faulty update.

Context and Incident Analysis

The HKMA highlighted that the widespread impact of the recent global IT incident stemmed from three failings: the service provider's inadequate testing of the update before release, an automatic update mechanism that gave customers no control over when the update was applied, and weak third-party risk management at the institutions that depended on the solution. The incident underscored how a single defective update from one vendor can propagate across many institutions at once.
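The second failing above, an update channel with no customer-side control, is the one an institution can remediate directly. The following is an added example, not code from the HKMA circular, its Annex, or the article: a simulated staged-rollout gate in which vendor updates reach a canary ring automatically, later rings require explicit operator approval, and any ring that fails a health check halts the rollout. The ring names, fleet sizes, the `vendor_test_evidence` flag and the `faulty` simulation flag are all hypothetical constructs for illustration.

```python
"""Added example: customer-controlled staged rollout of a vendor update.

Illustrates the control the HKMA circular describes as missing from the
incident: the customer, not the vendor, decides when an update moves from
a small canary ring to the rest of the fleet, and the rollout stops itself
if the freshly updated ring is no longer healthy.  All names and data
below are constructed for the example.
"""
from dataclasses import dataclass

# Hypothetical deployment rings, smallest and least critical first.
RINGS = ("canary", "pilot", "broad")


@dataclass
class Host:
    name: str
    ring: str
    version: str = "1.0"
    healthy: bool = True


@dataclass
class Update:
    version: str
    vendor_test_evidence: bool  # did the vendor provide evidence of pre-release testing?
    faulty: bool = False        # simulation flag: does this update crash hosts?


def make_fleet():
    """Constructed sample fleet: 2 canary, 3 pilot and 5 broad hosts."""
    hosts = []
    for ring, count in zip(RINGS, (2, 3, 5)):
        for i in range(count):
            hosts.append(Host(name=f"{ring}-{i}", ring=ring))
    return hosts


def apply_update(host, update):
    """Simulate installing the update; a faulty update leaves the host unhealthy."""
    host.version = update.version
    host.healthy = not update.faulty


def rollout(hosts, update, approved_rings=frozenset(), min_healthy=1.0):
    """Push an update ring by ring under customer control.

    - refuse updates the vendor has not evidenced testing for;
    - the canary ring proceeds automatically, every later ring needs
      explicit operator approval (no silent fleet-wide push);
    - halt if the ring just updated falls below the health threshold.
    Returns (status, number_of_hosts_updated).
    """
    if not update.vendor_test_evidence:
        return ("blocked: no vendor test evidence", 0)
    updated = 0
    for ring in RINGS:
        if ring != "canary" and ring not in approved_rings:
            return (f"paused before {ring}: awaiting approval", updated)
        ring_hosts = [h for h in hosts if h.ring == ring]
        for h in ring_hosts:
            apply_update(h, update)
            updated += 1
        healthy = sum(h.healthy for h in ring_hosts) / len(ring_hosts)
        if healthy < min_healthy:
            return (f"halted after {ring}: {healthy:.0%} healthy", updated)
    return ("completed", updated)


if __name__ == "__main__":
    # A defective update never gets past the canary ring.
    print(rollout(make_fleet(), Update("1.1", True, faulty=True),
                  approved_rings={"pilot", "broad"}))
    # A sound update still stops at each ring until an operator approves it.
    print(rollout(make_fleet(), Update("1.1", True)))
    print(rollout(make_fleet(), Update("1.1", True),
                  approved_rings={"pilot", "broad"}))
```

The point of the gate is that the blast radius of a bad update is bounded by the size of the canary ring, and that widening the rollout is a decision the institution records rather than a default the vendor's agent applies on its own.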

HKMA's Regulatory Expectations

The HKMA expects senior management of all AIs to incorporate the good industry practices outlined in the Annex into their existing risk management controls. These practices reinforce the HKMA's existing supervisory requirements under the Cyber Risk Assessment Framework (C-RAF), third-party risk management circulars, and the Supervisory Policy Manual, specifically addressing third-party software failure scenarios.

Action Required

AIs must review and enhance their operational resilience measures to mitigate risks associated with third-party IT solutions, ensuring their controls align with the industry practices referenced in the Annex. The HKMA emphasized that these measures are not new regulatory requirements but an application of existing frameworks to the weaknesses the incident exposed.

