Japan’s FSA Examines Global Practices to Strengthen Third-Party Cyber Risk Management
Key Takeaways
- Global Benchmarking: The study analyzes how major financial institutions in the US, EU, and UK manage third-party cybersecurity risk.
- Expanding Risk Scope: Institutions are moving beyond traditional outsourcing to include broader third- and even “nth-party” ecosystems.
- Criticality and Concentration: Determining which vendors are critical and managing concentration risk remain central challenges.
- Continuous Monitoring: Leading firms are increasingly relying on cyber threat intelligence and real-time monitoring tools.
- Contractual and Exit Readiness: Stronger contractual controls, audit rights, and exit strategies are emerging as core risk management practices.
Deep Dive
Japan’s Financial Services Agency has published a research report examining how financial institutions can strengthen the management of third-party cybersecurity risks, commissioning Deloitte Tohmatsu Cyber to conduct the study.
The report reflects a clear shift in regulatory and industry thinking. Third-party risk is no longer confined to outsourcing arrangements or vendor checklists. Instead, it is increasingly viewed as a core component of operational resilience, particularly as financial institutions rely more heavily on external providers for critical services.
To ground its findings, the study looked outward, analyzing practices adopted by major banks and large insurance firms across the United States, European Union, and United Kingdom.
From Vendor Lists to Ecosystem Risk
One of the report’s central observations is that leading financial institutions are expanding their definition of third-party risk.
Rather than focusing solely on direct vendors, firms are increasingly accounting for subcontractors and broader supply chain dependencies, often referred to as “nth parties.” These indirect relationships can introduce risks that are harder to identify, particularly when institutions lack direct contractual oversight.
The research found that many firms are attempting to map these extended ecosystems, sometimes down to subcontractor level, while also assessing whether third parties have adequate controls over their own suppliers.
This reflects a broader evolution in third-party risk management. It is no longer about managing vendors in isolation but understanding how risk propagates across interconnected systems.
Defining What Matters Most
A recurring challenge identified in the report is determining which third parties are truly “critical.”
Across jurisdictions, institutions use different approaches. In the United States, criticality is often driven by inherent risk assessments tied to business operations. In the EU and UK, regulatory expectations play a more prominent role. In practice, however, a common thread emerges: a third party is considered critical if its failure would materially disrupt business continuity.
From a cybersecurity perspective, factors such as system connectivity, data sensitivity, and operational dependency are increasingly central to these determinations.
Once identified, critical third parties are subject to enhanced monitoring and more rigorous oversight.
Concentration Risk Moves Into Focus
The report also highlights a growing emphasis on concentration risk, an area gaining traction in global regulatory frameworks.
Institutions are not only assessing dependence on individual vendors but also looking at broader patterns, including geographic concentration and reliance on shared subcontractors.
Some firms are using internal data, such as contract values, vendor counts, and regional exposure, to quantify these risks. Others are deploying centralized tools to visualize dependencies and trigger alerts when concentrations exceed acceptable thresholds.
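The ecosystem mapping described under "From Vendor Lists to Ecosystem Risk" and the concentration-risk alerting described just above can be illustrated together. The following Python is an added example, not code from the FSA report or from Deloitte Tohmatsu Cyber: it walks a constructed vendor inventory transitively to map which direct and nth-party providers ultimately sit behind each critical service, then computes two simple concentration metrics (share of direct vendors per region, and the number of critical services each shared subcontractor underpins) and raises alerts when they exceed thresholds. The vendor names, regions, services and thresholds are all assumptions chosen for the example.

```python
"""Added example: nth-party dependency mapping and concentration-risk alerts.
Inventory, names and thresholds are constructed for illustration only."""
from collections import defaultdict

# Constructed inventory of direct vendors: their region, the business services
# they support, and the subcontractors (nth parties) they rely on.
VENDORS = {
    "CloudHost":  {"region": "US", "services": ["core-banking", "payments"], "subs": ["DataCenterCo"]},
    "PayGateway": {"region": "EU", "services": ["payments"], "subs": ["DataCenterCo", "KYCBureau"]},
    "CRMVendor":  {"region": "US", "services": ["customer-portal"], "subs": ["DataCenterCo"]},
    "MailSaaS":   {"region": "US", "services": ["notifications"], "subs": []},
}
# Nth parties may subcontract further; a constructed two-level chain.
NTH_PARTIES = {
    "DataCenterCo":  {"region": "US", "subs": ["PowerUtilityX"]},
    "KYCBureau":     {"region": "EU", "subs": []},
    "PowerUtilityX": {"region": "US", "subs": []},
}
# Services whose failure would materially disrupt business continuity (assumed).
CRITICAL_SERVICES = {"core-banking", "payments"}


def upstream_chain(party, graph=None, seen=None):
    """Transitively collect every nth party behind `party` (depth-first walk)."""
    graph = graph or {**VENDORS, **NTH_PARTIES}
    seen = set() if seen is None else seen
    for sub in graph.get(party, {}).get("subs", []):
        if sub not in seen:
            seen.add(sub)
            upstream_chain(sub, graph, seen)
    return seen


def service_dependency_map():
    """For each critical service, the sorted set of direct and indirect providers."""
    deps = defaultdict(set)
    for vendor, info in VENDORS.items():
        for svc in info["services"]:
            if svc in CRITICAL_SERVICES:
                deps[svc].add(vendor)
                deps[svc] |= upstream_chain(vendor)
    return {svc: sorted(parties) for svc, parties in deps.items()}


def shared_nth_party_concentration():
    """How many critical services each nth party ultimately underpins."""
    counts = defaultdict(int)
    for parties in service_dependency_map().values():
        for party in parties:
            if party in NTH_PARTIES:
                counts[party] += 1
    return dict(counts)


def regional_concentration():
    """Share of direct vendors located in each region (geographic exposure)."""
    counts = defaultdict(int)
    for info in VENDORS.values():
        counts[info["region"]] += 1
    total = len(VENDORS)
    return {region: n / total for region, n in counts.items()}


def concentration_alerts(region_threshold=0.6, shared_threshold=2):
    """Alerts when a region or a shared nth party exceeds the assumed thresholds."""
    alerts = []
    for region, share in regional_concentration().items():
        if share > region_threshold:
            alerts.append(f"region {region} hosts {share:.0%} of direct vendors "
                          f"(threshold {region_threshold:.0%})")
    for party, n in shared_nth_party_concentration().items():
        if n >= shared_threshold:
            alerts.append(f"nth party {party} underpins {n} critical services "
                          f"(threshold {shared_threshold})")
    return alerts


if __name__ == "__main__":
    for svc, parties in service_dependency_map().items():
        print(f"{svc}: {', '.join(parties)}")
    for alert in concentration_alerts():
        print("ALERT:", alert)
```

On this constructed inventory the walk shows that `PowerUtilityX`, which no contract names directly, sits behind both critical services, which is exactly the kind of indirect dependency the report says firms struggle to see; the thresholds themselves are policy choices a risk function would set, not values the report prescribes.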
The implication is clear. Third-party risk is no longer just about individual failures but about systemic vulnerabilities that can cascade across the organization.
The Shift to Continuous Monitoring
Perhaps the most significant shift identified in the report is the move toward continuous monitoring.
Traditional approaches, such as periodic questionnaires and annual reviews, are increasingly seen as insufficient in a rapidly evolving threat landscape. In their place, many institutions are adopting cyber threat intelligence, attack surface monitoring, and risk scoring tools to gain real-time visibility into third-party risk.
These tools allow firms to detect vulnerabilities, monitor external exposure, and identify potential incidents before they escalate. Some institutions have even established dedicated threat intelligence teams focused specifically on third-party risk.
At the same time, the report notes that these tools are not without challenges, including false positives and the need for careful interpretation of results.
Contracts, Controls, and Exit Planning
The study also underscores the importance of strengthening contractual frameworks.
Leading institutions are embedding minimum cybersecurity requirements directly into contracts, covering areas such as encryption, access controls, and data protection. In some cases, firms have declined to engage with third parties that cannot meet these baseline standards.
Audit rights are another key area of focus. While on-site assessments remain important, especially for high-risk providers, many institutions have adopted hybrid approaches that combine remote reviews with targeted in-person verification.
Exit strategies have also become more formalized. The report distinguishes between high-level exit strategies, which outline response approaches, and detailed exit plans, which define the operational steps required to transition to alternative providers.
These measures reflect a growing recognition that resilience depends not only on selecting the right vendors but also on preparing for their potential failure.
The findings point to a broader transformation in how financial institutions approach third-party cybersecurity risk. What was once a compliance-driven exercise is increasingly becoming a strategic discipline tied to operational resilience, business continuity, and enterprise risk management.