Bank of England Prudential Regulation Authority SS2/21 Compliance

PRA SS2/21 and Third-Party Risk Management

The Bank of England’s Prudential Regulation Authority (PRA) Supervisory Statement SS2/21 sets expectations for how PRA-regulated firms should comply with regulatory requirements relating to outsourcing and third-party risk management to improve business resilience.

The Supervisory Statement applies to all UK banks, investment and insurance firms, and UK branches of overseas banks and insurance firms, and

  • Clarifies the difference between material outsourcing and non-outsourcing third-party arrangements
  • Sets expectations for assessments and third-party due diligence
  • Identifies areas that require detailed examination, including data security, auditing, sub-outsourcing, and business continuity and exit strategies

Supervisory Statement SS2/21 requires that PRA-regulated firms conduct a Materiality Assessment for each vendor during onboarding and periodically thereafter. It is therefore important to follow the third-party business and operational resilience practices necessary to be compliant and minimize risk to your organization.

Relevant Requirements

  • Conduct Materiality Assessments and continuously monitor outsourcing and non-outsourcing third parties for business resilience risks

  • Identify and regularly report on third party business resilience

  • Measure third-party performance against operational risk, conduct risk, information risk and legal risk

  • Proactively set business resilience requirements in third-party contracts

Complying with PRA Supervisory Statement SS2/21

The summary table below maps capabilities in the Prevalent Third-Party Risk Management Platform to select outsourcing and non-outsourcing third-party requirements.

NOTE: This table is a summary of the most relevant requirements only, and it should not be considered comprehensive, definitive guidance. For a complete list of requirements, please review the complete Supervisory Statement in detail and consult your auditor.

PRA SS2/21 Requirements | How We Help

2 Definitions and scope

2.8 “In line with the expectations in Chapter 4 of this SS, firms may implement a holistic, single third party risk management policy covering outsourcing and non-outsourcing third party arrangements. Alternatively, they may have separate policies on each of those respective areas provided that they are aligned, consistent, effective, and suitably risk-based.”

The Prevalent Third-Party Risk Management Platform simplifies the management of third parties, enabling organizations to unify and automate the critical tasks required to identify, assess, manage, continuously monitor, and remediate third-party security, privacy, compliance and operational risks across every stage of the vendor lifecycle. The solution delivers:

  • Profiling, tiering, and inherent and residual risk scoring based on comprehensive criteria to identify material and non-material outsourcing third parties

  • More than 100 standardized templates and custom risk assessments tuned to material and non-material third parties with built-in workflow, task and evidence management

  • Remediation management with built-in guidance to act on identified risks from material outsourcing third parties

  • Compliance and risk reporting by framework or regulation to simplify the auditing process

2.9 “The following standards apply to all third party ICT arrangements:
[…]
relevant legal requirements and standards on ICT security (e.g., Cyber Essentials Plus) and data protection, including but not necessarily limited to General Data Protection Regulation (GDPR) and the Data Protection Act 2018.”

The Prevalent Platform includes a library of more than 100 questionnaire templates that address a multitude of ICT security-based frameworks, including Cyber Essentials, ISO 27001, NIST 800-53, GDPR, and many others.

3 Proportionality

3.6 “Depending on its level of control and influence in respect of intragroup outsourcing arrangements, a firm may, for example:

  • adjust its vendor due diligence, although firms should still carefully assess whether a potential service provider that is part of its group has the ability, capacity, resources, and appropriate organisational structure to support the performance of the outsourced function or third party service;

  • …”

The Prevalent TPRM Platform enables security and risk management teams to automatically tier suppliers according to their inherent risk scores. Results can be used to set appropriate levels of further due diligence and determine the scope of ongoing assessments.

3.7 “Where relevant, firms may be able to leverage compliance with existing requirements in other areas of regulation to help meet their regulatory obligations in respect of their intragroup outsourcing arrangements.”

The Prevalent Platform automatically maps information gathered from control-based assessments to regulatory frameworks including ISO 27001, GDPR and dozens more. This enables you to quickly visualize and address important compliance requirements and simplify auditing processes.

Customers can also choose to use the Prevalent Compliance Framework (PCF), a single, comprehensive assessment that enables security and risk management teams to map answers to several regulatory requirements.

5 Pre-outsourcing phase

5.8 “Firms are responsible for assessing the materiality of their outsourcing and third party arrangements. Materiality may vary throughout the duration of an arrangement and should therefore be (re)assessed:

  • prior to signing the written agreement;

  • at appropriate intervals thereafter, eg during scheduled review periods;

  • where a firm plans to scale up its use of the service or dependency on the service provider; and/or

  • if a significant organisational change at the service provider or a material sub-outsourced service provider takes place that could materially change the nature, scale, and complexity of the risks inherent in the outsourcing arrangement, including a significant change to the service provider’s ownership or financial position.”

The Prevalent Platform enables organizations to assess, monitor and remediate risks at all stages of the third-party lifecycle. Key capabilities include:

  • RFx management, enabling organizations to automate and add risk intelligence to vendor selection decisions

  • Contract lifecycle management, delivering automation to improve the vendor contracting experience and conduct continuous SLA monitoring

  • The largest library of standardized and custom risk assessments with built-in workflow, tasks, and evidence management for regular risk assessments

  • Native cyber, breach, business, reputational and financial risk monitoring to continuously assess vendor risks between annual assessments and correlate findings against assessment results to determine if further investigation is needed

5.10 “Firms should develop their own processes for assessing materiality as part of their outsourcing or third party risk management policy (see Chapter 4).”

The Prevalent Platform automates the identification, assessment, analysis, ongoing monitoring and remediation of third-party risks at every stage of the vendor lifecycle – from selection to offboarding. The Platform includes an extensive library of assessment templates, including those to determine the materiality of a third-party arrangement and the risks involved.

5.11 “Consistent with the definition of ‘material outsourcing’ in the PRA Rulebook and, where applicable, the criteria in the EBA Outsourcing GL, a firm should generally consider an outsourcing or third party arrangement as material where a defect or failure in its performance could materially impair the financial stability of the UK or the firm’s:

  • ability to meet the Threshold Conditions;

  • compliance with the Fundamental Rules;

  • requirements under ‘relevant legislation’ and the PRA Rulebook;

  • safety and soundness, including its:
      • financial resilience, ie assets, capital, funding, and liquidity; or
      • operational resilience, ie its ability to continue providing important business services;

  • for insurers only, the:
      • ability to provide an appropriate degree of protection for those who are or may become policyholders in line with the PRA’s statutory objectives; and
      • requirement not to undermine the ‘continuous and satisfactory service to policyholders’ in line with Conditions Governing Business 7.2.

  • OCIR and, if applicable, resolvability.”

The Prevalent TPRM Platform automates the assessment, continuous monitoring, analysis, and remediation of outsourcing and non-outsourcing third-party business resilience and continuity – while automatically mapping results to NIST, ISO, and other control frameworks to demonstrate compliance.

To complement business resilience assessments and validate results, Prevalent:

  • Automates continuous cyber monitoring to predict possible third-party business impacts

  • Accesses qualitative insights from over 550,000 public and private sources of reputational information that could signal vendor instability

  • Taps into financial information from a global network of 2 million businesses to identify vendor financial health or operational concerns

5.12 “The PRA also expects firms to classify an outsourcing arrangement as material if the service being outsourced involves an:

  • entire ‘regulated activity’, eg portfolio management; or

  • ‘internal control’ or ‘key function’, unless the firm is satisfied that a defect or failure in performance would not adversely affect the relevant function.”

Prevalent enables organizations to classify third parties based on multiple criteria, including:

  • Type of content required to validate controls

  • Criticality to business performance

  • Location(s) and related legal or regulatory considerations

  • Level of reliance on fourth parties

  • Exposure to operational or client-facing processes

  • Interaction with protected data

  • Financial status and implications

  • Reputation

An effective tiering and categorization process enables organizations to assess third parties according to their criticality to business operations, while informing further due diligence efforts.

5.13 “The PRA expects firms to have regard to all applicable criteria in Table 5 below, both individually and in conjunction, when assessing the materiality of an outsourcing or third party arrangement not otherwise covered by paragraphs 5.8 and 5.9. Although in practice many material outsourcing and third party arrangements involve ICT products or services (eg cloud), the presence of a given ICT product or service does not, in itself, automatically render an outsourcing arrangement material.

Recreated from Table 5:

Direct connection to the performance of a regulated activity.

Size and complexity of relevant business area(s) or function(s).

The potential impact of a disruption, failure, or inadequate performance on the firm’s:

  • business continuity, operational resilience, and operational risk, including: conduct risk; ICT risk; legal risk; and reputational risk;

  • ability to: comply with legal and regulatory requirements; conduct appropriate audits of the relevant function, service, or service provider; and identify, monitor, and manage all risks;

  • obligations under the PRA Rulebook;

  • the protection of data and the potential impact of a confidentiality breach or failure to ensure data availability and integrity of the institution or payment institution and its clients, including but not limited to GDPR and the Data Protection Act 2018;

  • counterparties, customers, or policyholders;

  • early intervention, recovery and resolution planning, OCIR, and resolvability.

The firm’s ability to scale up the outsourced service.

Ability to substitute the service provider or bring the outsourced service back in-house, including estimated costs, operational impact, risks, and timeframe of an exit in stressed and non-stressed scenarios.”

The Prevalent Platform includes a comprehensive business resilience assessment based on ISO 22301 standard practices. This enables organizations to:

  • Categorize suppliers according to their risk profile and criticality to the business

  • Outline recovery point objectives (RPOs) and recovery time objectives (RTOs)

  • Centralize system inventory, risk assessments, RACI charts, and third-party company profiles

  • Ensure consistent communications with suppliers during business disruptions

5.18 “The PRA expects firms to conduct appropriate due diligence on the potential service provider before entering into an outsourcing arrangement, and to identify a suitable alternative or back-up providers where available. If no alternative or back-up providers for a material outsourcing arrangement are available, firms should consider alternative business continuity, contingency planning, and disaster recovery arrangements to ensure they can continue providing relevant important business within their impact tolerances in the event of material disruption at their chosen service provider (see Chapter 10).”

Prevalent RFx Essentials centralizes and automates the distribution, comparison, and management of requests for proposals (RFPs) and requests for information (RFIs). RFx Essentials makes it easy for procurement teams to not only select solutions and vendors that meet the organization’s functionality and risk requirements, but also take a critical first step in managing risk throughout the third-party lifecycle.

Prior to selecting the vendor, Prevalent enables teams to compare and monitor vendor demographics, fourth-party technologies, ESG scores, recent business and reputational insights, data breach history, and financial performance.

Organizations can also take advantage of the Prevalent Vendor Intelligence Networks, which are on-demand libraries of thousands of vendor risk reports based on security, privacy, business resilience and operational risks. Prevalent Vendor Networks are continuously updated and populated with supporting evidence.

5.19 “In the case of material outsourcing, the PRA expects firms’ due diligence to consider the potential providers’:

  • business model, complexity, financial situation, nature, ownership structure, and scale;

  • capability, expertise, and reputation;

  • financial, human, and technology resources;

  • ICT controls and security; and

  • sub-outsourced service providers, if any, that will be involved in the delivery of important business services or parts thereof.”

5.20 “The due diligence should also consider whether potential service providers:

  • have the authorisations or registrations required to perform the service;

  • comply with GDPR, the Data Protection Act, and other applicable legal and regulatory requirements on data protection;

  • can demonstrate certified adherence to recognised, relevant industry standards;

  • can provide, where applicable and upon request, relevant certificates and documentation (eg data dictionaries); and

  • have the ability and capacity to provide the service that the firm needs in a manner compliant with UK regulatory requirements (including in the event of a sudden spike in demand for the relevant service, for instance as a result of a shift to remote working during a pandemic). A ‘general’ track-record of previous performance may not be sufficient evidence by itself.”

The Prevalent Platform includes 100+ pre-defined assessment templates including standardized information security vendor risk assessment questionnaires, as well as business resilience, GDPR, FCA, ISO 27001, Modern Slavery, Anti-Bribery, Health & Safety, Financial Performance, Management & Ethics and more.

Prevalent Vendor Threat Monitor continuously tracks and analyzes external threats to third parties. The solution monitors the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information.

Prevalent manages centralized vendor profiles that unify demographics, Modern Slavery statements, ESG scores, and mapped fourth parties.

Prevalent integrates and correlates continuous monitoring and profile insights against assessment results to provide a central location to view and act on risks.

5.21 “In line with Risk Control 3.4(2) and Risk Management 3.1, firms should, in a proportionate manner, assess the potential risks of all third party arrangements, including outsourcing arrangements, regardless of materiality. As part of the risk assessment, the PRA expects firms to consider:

  • operational risks based on an analysis of severe but plausible scenarios, for instance a breach or outage affecting the confidentiality and integrity of sensitive data and/or availability of service provision (see Chapter 10); and

  • financial risks, including the potential need for the firm to provide financial support to a material outsourced or sub-outsourced service provider in distress or take over its business, including as a result of an economic downturn (‘step-in’ risk).”

The Prevalent Third-Party Incident Response Service enables teams to rapidly identify and mitigate the impact of third-party vendor breaches by centrally managing vendors, conducting event assessments, scoring identified risks, and accessing remediation guidance.

Customers can also access a database containing 10+ years of data breach history for thousands of companies around the world. The database includes types and quantities of stolen data; compliance and regulatory issues; and real-time vendor data breach notifications. Combined with continuous cyber monitoring, it provides organizations with a comprehensive view of external information security risks that can impact operations.

Prevalent taps into financial information from a global network of 2 million businesses. This includes 5 years of organizational changes and financial performance, such as turnover, profit and loss, shareholder funds, and other data useful for evaluating company health and viability.

5.22 “The PRA expects firms to carry out risk assessments in the circumstances referred to in paragraph 5.6 and also if they consider that there may have been a significant change to an outsourcing arrangement’s risks due to, for instance, a serious breach/continued breaches of the agreement or a crystallised risk.”

Prevalent continuously tracks and analyzes external threats to third parties. The solution monitors the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information.

The Platform offers access to a database containing 10+ years of data breach history for thousands of companies around the world. The database includes types and quantities of stolen data; compliance and regulatory issues; and real-time vendor data breach notifications.

These capabilities help to fill gaps in between regular third-party risk assessments, with results triggering automated actions such as additional assessments and remediations.

5.23 “A firm’s risk assessment should balance any risks that the outsourcing arrangement may create or increase against any risks it may reduce or enable the firm to manage more effectively (for instance, a firm’s resilience to disruption). The assessment should also take into account existing or planned risk mitigation, eg staff procedures and training.”

The Prevalent Platform includes built-in remediation recommendations to accelerate risk mitigations with third parties. Organizations can use the platform to communicate with vendors and coordinate remediation efforts, as well as capture and audit conversations; record estimated completion dates; accept or reject individual assessment responses; assign tasks based on risks, documents or entities; and match documentation and evidence to risks.

5.24 “The PRA expects firms and groups to periodically (re)assess and take reasonable steps to manage their overall reliance on third parties; and concentration risks or vendor lock-in at the firm or group, due to:

  • multiple arrangements with the same or closely connected service providers;

  • fourth party/supply chain dependencies, for instance, where multiple otherwise unconnected service providers depend on the same sub-contractor for the delivery of their services;

  • arrangements with service providers that are difficult or impossible to substitute; and/or

  • concentration of outsourcing and other third party dependencies in a close geographical location, such as one jurisdiction. This type of concentration may arise even if a firm uses multiple, unconnected third party service providers, for instance, a business process outsourcing or offshoring hub.”

Prevalent mitigates concentration risks by identifying fourth-party relationships through a native identification assessment or by passively scanning the third party’s public infrastructure. The resulting relationship map depicts information paths and dependencies that could open pathways into an environment.

Suppliers discovered through this process are monitored to identify financial, ESG, cyber, business, and data breach risks, as well as for sanctions/PEP screening.

6 Outsourcing agreements

6.3 “Firms should ensure that written agreements for non-material outsourcing arrangements include appropriate contractual safeguards to manage and monitor relevant risks. Moreover, regardless of materiality, firms should ensure that outsourcing agreements do not impede or limit the PRA’s ability to effectively supervise the firm or outsourced activity, function, or service.”

Prevalent Contract Essentials centralizes the distribution, discussion, retention, and review of vendor contracts. It also includes workflow capabilities to automate the contract lifecycle from onboarding to offboarding.

With Contract Essentials, organizations can centrally track all contracts and contract attributes that can impact service levels, effectively enforcing contractual safeguards.

7 Data security

Prevalent delivers a single, collaborative platform for conducting privacy assessments and mitigating both third-party and internal privacy risks. Key data security and privacy assessment capabilities include:

  • Scheduled assessments and relationship mapping to reveal where personal data exists, where it is shared, and who has access to it – all summarized in a risk register that highlights critical exposures.

  • Privacy Impact Assessments to uncover at-risk business data and personally identifiable information (PII) – enabling you to analyze the origin, nature and severity of risk and get remediation guidance.

  • Vendor assessments against GDPR and other privacy regulations via the Prevalent Compliance Framework (PCF) – enabling you to reveal potential hot spots by mapping identified risks to specific controls.

  • GDPR risk and response mapping to controls – equipping you with percent-compliance ratings and stakeholder-specific reports.

  • A database containing 10+ years of data breach history for thousands of companies around the world. Includes types and quantities of stolen data; compliance and regulatory issues; and real-time vendor data breach notifications.

  • Centralized onboarding, distribution, discussion, retention, and review of vendor contracts. This ensures data protection provisions are enforced from the beginning of the relationship.

8 Access, audit, and information rights

8.7 “Firms may use a range of audit and other information gathering methods, including:

  • offsite audits, such as certificates and other independent reports supplied by service providers; and

  • onsite audits, either individually or in conjunction with other firms (pooled audits).”

The Prevalent Controls Validation Service reviews third-party assessment responses and documentation against established testing protocols to validate that indicated controls are in place.

Prevalent experts first review assessment responses, whether from custom or standardized questionnaires. We then map the responses to SIG, SCA, ISO, SOC II, AITECH, and/or other control frameworks. Finally, we work with you to develop remediation plans and track them to completion. With remote and onsite options available, Prevalent delivers the expertise to help you reduce risk with your existing resources.

8.9 “Certificates and reports supplied by service providers may help firms obtain assurance on the effectiveness of the service provider’s controls. However, in material outsourcing arrangements, the PRA expects firms to:

  • assess the adequacy of the information in these certificates and reports, and not assume that their mere existence or provision is sufficient evidence that the service is being provided in accordance with their legal, regulatory, and risk management obligations; and

  • ensure that certificates and audit reports meet the expectations in Table 8.”

Prevalent centralizes certifications, agreements, contracts and supporting evidence with built-in task and acceptance management, plus mandatory upload features.

9 Sub-outsourcing

Prevalent identifies fourth-party and Nth-party relationships through a native identification assessment or by passively scanning the third party’s public infrastructure. The resulting relationship map depicts information paths and dependencies that could open pathways into an environment.

Suppliers discovered through this process are monitored to identify financial, ESG, cyber, business, and data breach risks, as well as for sanctions/PEP screening.

10 Business continuity and exit plans

10.1 “For each material outsourcing arrangement, the PRA expects firms to develop, maintain, and test a business continuity plan; and documented exit strategy, which should cover and differentiate between situations where a firm exits an outsourcing agreement:

  • in stressed circumstances, (eg following the failure or insolvency of the service provider (stressed exit)); and

  • through a planned and managed exit due to commercial, performance, or strategic reasons (non-stressed exit).”

The Prevalent Third-Party Risk Management Platform automates the assessment, continuous monitoring, analysis, and remediation of third-party business resilience and continuity – while automatically mapping results to NIST, ISO, and other control frameworks.

To complement business resilience assessments and validate results, Prevalent:

  • Automates continuous cyber monitoring to predict possible third-party business impacts

  • Accesses qualitative insights from over 550,000 public and private sources of reputational information that could signal vendor instability

  • Taps into financial information from a global network of 2 million businesses to identify vendor financial health or operational concerns

This proactive approach enables organizations to minimize the impact of third-party disruptions and stay on top of compliance requirements.

10.3 “Firms should implement and require service providers in material outsourcing arrangements to implement appropriate business continuity plans to anticipate, withstand, respond to, and recover from severe but plausible operational disruption.”

10.9 “In line with Fundamental Rule 7, in the event of a disruption or emergency (including at an outsourced or third party service provider), firms should ensure that they have effective crisis communication measures in place. This is so all relevant internal and external stakeholders, including the Bank, PRA, FCA, other international regulators, and, if relevant, the service providers themselves, are informed in a timely and appropriate manner.”

The Prevalent Platform includes a comprehensive business resilience assessment based on ISO 22301 standard practices that enables organizations to:

  • Categorize suppliers according to their risk profile and criticality to the business

  • Outline recovery point objectives (RPOs) and recovery time objectives (RTOs)

  • Centralize system inventory, risk assessments, RACI charts, and third parties

  • Ensure consistent communications with suppliers during business disruptions

Prevalent delivers free resources for organizations to use as they build or mature their third-party business continuity programs.