
My Compliance Library

Third-Party Risk Management Policy


Regular price $25.00 USD

This Third-Party Risk Management Policy establishes a structured approach for identifying, assessing, monitoring, and mitigating risks associated with third-party vendors, service providers, and external partners. It ensures compliance with the Digital Operational Resilience Act (DORA) and safeguards operational resilience, data security, and regulatory obligations.

Key Highlights:

  • Vendor Classification: Categorizes vendors as critical or non-critical based on their impact on operations and access to ICT systems.
  • Due Diligence: Conducts risk assessments on vendor security posture, compliance, and incident response capabilities.
  • Contractual Obligations: Mandates inclusion of security, compliance, and incident management clauses in vendor contracts.
  • Monitoring and Auditing: Implements continuous monitoring tools and periodic audits to ensure vendor adherence to SLAs and regulatory requirements.
  • Incident Management: Integrates vendor response into the organization's Incident Response Plan and ensures post-incident reviews.
  • Termination and Offboarding: Establishes procedures to revoke access, retrieve sensitive data, and complete compliance reviews during vendor offboarding.

This policy supports operational resilience by ensuring robust oversight and management of third-party risks, aligning with DORA’s regulatory standards.
