Strengthening Third-Party Cyber Resilience in Financial Services

As cyber threats grow in complexity and scale, the financial sector continues to double down on resilience—particularly when it comes to third-party service providers. The resilience of a single financial institution increasingly hinges on the robustness of the upstream and downstream partners it depends upon. These third-party vendors often support multiple large institutions, potentially creating systemic risk if their systems falter.

In response, industry leaders are calling for greater transparency and higher standards around recovery capabilities and cyber resilience. One valuable resource is the Third-Party Resilience: Increasing Transparency whitepaper from SIFMA and Protiviti.

Why Third-Party Resilience Matters

Financial institutions have invested heavily in capabilities that help them recover from cyber events. But when third parties fall short, whether through opaque practices or insufficient recovery protocols, they introduce risks that no internal controls can fully mitigate. Institutions need confidence that their service providers are as prepared as they are to handle destructive cyber events such as ransomware, where recovery times have been measured in days, weeks and months rather than hours.

Unfortunately, many third parties remain reluctant to share details about their recovery capabilities. Even when they do, gaps in investment and preparedness are often revealed. This misalignment leaves institutions vulnerable and limits their ability to meet regulatory requirements for operational resilience.

What’s Expected of Third Parties

To align with evolving expectations, third-party providers should demonstrate core resilience capabilities in four critical areas:

1. Planning

Third parties should have detailed recovery plans that:

  • Map out IT infrastructure recovery strategies for hardware, operating systems, applications, data and networks.
  • Account for business dependencies and document impact tolerance levels.
  • Include bare-metal restore capabilities and the use of immutable backups to allow for quicker recovery from ransomware attacks.
  • Address how to redeploy applications, validate data backups, and communicate with clients and the media during disruptions.

2. Recovery Testing

Effective testing should:

  • Stress test systems using realistic and extreme but plausible scenarios.
  • Reflect the service level agreements (SLAs) of their financial partners.
  • Include joint testing with key partners where applicable.
  • Demonstrate readiness for bare metal rebuilds, including full systems, applications and data restoration.

3. Data Recovery Testing

Data recovery testing should include:

  • Regular tests of the ability to restore from immutable, air-gapped backups within the agreed Recovery Point Objectives (RPOs) and Recovery Time Objectives (RTOs).
  • Verification that backup frequency and retention periods meet the documented policy.
  • Logical or physical segregation of backup copies from live systems.
  • Role-based access controls so that no credential used on production systems can also read, alter or delete the backups; an attacker who has compromised production administrators must not be able to destroy the recovery path.
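One way an institution can turn a vendor's restore-drill evidence into a pass/fail check against the agreed targets, as an added example that is not part of the SIFMA/Protiviti guidance. The record layout, field names, thresholds and the sample drill data are all assumptions constructed for illustration; a real review would read the vendor's submitted test results instead.

```python
"""Evaluate restore-drill evidence against recovery targets (added illustration).

Assumed inputs: a list of backup copies with an immutability flag, the time of
the simulated destructive event, which copy was restored, and when service was
validated as restored. None of this format comes from the whitepaper.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class RecoveryTargets:
    rpo: timedelta              # maximum tolerable data loss
    rto: timedelta              # maximum tolerable time to restore service
    backup_interval: timedelta  # required cadence of immutable copies
    retention: timedelta        # how far back restorable copies must reach


@dataclass(frozen=True)
class RestoreDrill:
    backups: list               # (timestamp, immutable: bool) per backup copy
    incident_at: datetime       # start of the simulated destructive event
    restored_from: datetime     # timestamp of the copy actually restored
    restored_at: datetime       # service validated as fully restored


def evaluate(drill: RestoreDrill, targets: RecoveryTargets) -> dict:
    """Return achieved RPO/RTO and a list of findings (empty list == pass)."""
    findings = []
    # Only immutable copies count: a copy the attacker could alter or delete
    # provides no assurance of recovery from ransomware.
    immutable = sorted(ts for ts, imm in drill.backups if imm)
    if not immutable:
        return {"passed": False, "findings": ["no immutable backup copies in evidence"]}

    if drill.restored_from not in immutable:
        findings.append("restore used a copy that is not immutable")
    if drill.restored_from > drill.incident_at:
        findings.append("restore used a copy taken after the incident (possibly contaminated)")

    # Achieved RPO is measured from the copy that was actually restored,
    # not from the newest copy that happened to exist.
    achieved_rpo = drill.incident_at - drill.restored_from
    if achieved_rpo > targets.rpo:
        findings.append(f"RPO missed: lost {achieved_rpo} of data, target {targets.rpo}")

    achieved_rto = drill.restored_at - drill.incident_at
    if achieved_rto > targets.rto:
        findings.append(f"RTO missed: restore took {achieved_rto}, target {targets.rto}")

    # Cadence: the worst gap between consecutive immutable copies, which
    # catches a silently skipped backup cycle that averages would hide.
    gaps = [later - earlier for earlier, later in zip(immutable, immutable[1:])]
    worst_gap = max(gaps, default=timedelta(0))
    if worst_gap > targets.backup_interval:
        findings.append(f"backup cadence gap of {worst_gap} exceeds {targets.backup_interval}")

    # Retention: immutable copies must reach back at least the agreed period.
    covered = drill.incident_at - immutable[0]
    if covered < targets.retention:
        findings.append(f"immutable copies cover {covered}, retention target {targets.retention}")

    return {
        "passed": not findings,
        "achieved_rpo": achieved_rpo,
        "achieved_rto": achieved_rto,
        "findings": findings,
    }


def sample_targets() -> RecoveryTargets:
    # Assumed targets for illustration only.
    return RecoveryTargets(rpo=timedelta(hours=1), rto=timedelta(hours=4),
                           backup_interval=timedelta(hours=1), retention=timedelta(days=30))


def sample_drill(missed_cycle: bool = True) -> RestoreDrill:
    """Constructed drill evidence: hourly immutable copies for 31 days, optionally
    one skipped cycle, restore from the copy taken 45 minutes before the incident,
    three hours to restore, plus one mutable copy taken after the incident."""
    incident = datetime(2024, 3, 15, 10, 45, tzinfo=timezone.utc)
    hours = range(31 * 24 + 1)
    copies = [(incident - timedelta(minutes=45) - timedelta(hours=k), True)
              for k in hours if not (missed_cycle and k == 100)]
    copies.append((incident + timedelta(minutes=10), False))  # attacker-writable copy
    return RestoreDrill(backups=copies, incident_at=incident,
                        restored_from=incident - timedelta(minutes=45),
                        restored_at=incident + timedelta(hours=3))


if __name__ == "__main__":
    result = evaluate(sample_drill(), sample_targets())
    print("PASS" if result["passed"] else "FAIL")
    for finding in result["findings"]:
        print(" -", finding)
```

The sample drill meets its RPO and RTO but fails on cadence because one hourly cycle was skipped; that is exactly the kind of gap the Evidence section below asks vendors to disclose rather than leave for the institution to discover.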

4. Evidence

Third parties should provide tangible proof of their resilience testing and backup efforts, including:

  • Documented recovery plans and test results.
  • Full transparency or secure onsite access to sensitive materials.
  • Disclosure of any gaps between current capabilities and required outcomes.
  • Ongoing improvement processes to evolve alongside threat landscapes.

Raising the Bar Across the Sector

As third-party services become more critical and concentrated, the expectations placed on those vendors are increasing. Financial institutions are no longer accepting vague assurances—they want proof that third-party providers can withstand and recover from modern cyber threats.

The guidance outlined here serves as a baseline for what third parties should offer:

  • Thorough documentation and evidence.
  • Regular and realistic recovery testing.
  • Clear, open communication about capabilities and gaps.
  • Continuous alignment with industry and regulatory expectations.

Financial firms should also make their third parties aware of SIFMA’s Reconnection Framework, which documents what the sector expects from an impacted third party regarding its recovery status.

Most importantly, the third party needs to convince the sector that it has identified and remediated the root cause of the incident and is ready to reconnect to the financial ecosystem and return to business as usual.

Final Thoughts: Transparency is Resilience

As the financial system grows more interconnected, third-party resilience is no longer a “nice-to-have”—it’s a regulatory and operational necessity. By prioritizing transparency and committing to rigorous testing and recovery practices, third-party providers not only support their clients but contribute to the broader stability of global financial markets.

Financial institutions should actively assess their vendors and push them toward these higher standards. And third parties should view transparency not as a risk, but as a competitive advantage in a trust-based ecosystem.

Author

Thomas M. Wagner is Managing Director of Financial Services Operations for SIFMA.