G7 FUNDAMENTAL ELEMENTS FOR THIRD PARTY CYBER RISK MANAGEMENT IN THE FINANCIAL SECTOR
October 2022
Context and Scope
Private and public sector entities in the financial sector (‘entities’) continue to expand their use of third-party relationships to support their business operations. In recent years, this proliferation of third-party use has included the expanded use of Information and Communications Technology (ICT) providers. ICT providers can offer entities benefits that include strengthening operational resilience, reducing reliance on legacy IT systems, and increasing the potential for innovation, diversification, and efficiency in the provision of financial services. Further, the use of external ICT services allows entities to concentrate on their core business operations and manage IT expenditures efficiently.
The use of third parties, including ICT providers, may also introduce added cyber risks that entities should consider and manage. In recent years, cyber incidents have shown that critical parts of the ICT supply chain can involve cyber risk for an individual entity as well as systemic cyber risk to the financial sector. Cyber incidents resulting from third-party vulnerabilities could, for example, lead to fraud, disruption of entities’ services, or inappropriate access to sensitive customer or corporate information, or could affect the safety and soundness of the financial markets. As the scale and complexity of these relationships continue to grow, understanding, measuring, and mitigating cyber risks becomes increasingly challenging for entities using third-party services.
Third-party relationships, as defined in these Fundamental Elements, are any business relationships or contracts between an entity and an organization for the provision of a product or service, regardless of whether the organization is an intra-group company or an external provider. One important type of third-party relationship is outsourcing, whereby a third party provides a business function, service or process that would otherwise be provided by the entity itself.
The ICT supply chain, as defined in these Fundamental Elements, comprises the interconnected web of third parties that form the ICT ecosystem an entity uses to support its business. It also encompasses all products, services and infrastructure, as well as their providers, suppliers or manufacturers. Entities may consider maintaining adequate approaches to detection, recovery, ongoing testing and incident response for the ICT supply chain that supports critical operations.
TLP WHITE: Subject to standard copyright rules, this document may be distributed freely, without restriction.