Third party risk management for non-vendors
Our Third Party Risk Management Framework focuses on operational resilience and data protection. The TPRM Framework reflects our commitments to our customers, investors, Board, regulators, society and employees to continue meeting expected service levels and safeguard confidential data against malicious attacks. Below is a summary of what we expect from our Third Parties. For Third Parties who are our Suppliers, please also refer to the Supplier Charter.
1. Operational Resilience
Standard Chartered expects its Third Parties to maintain operational resilience through minimum standards of continuity planning, crisis management and resolution planning capabilities, which should serve to minimize the impact of operational disruption to the Bank and its clients. These requirements may be demonstrated via the contractual agreement that Third Parties hold with the Bank, or via the Third Party’s adherence to industry certifications and standards, financial sector regulation or governance oversight by a trusted party.
2. Information and Cyber Security
Standard Chartered expects its Third Parties to collaborate in its efforts to preserve and manage the Confidentiality, Integrity and Availability of its Information and data when used or accessed, so as to maintain client, regulator and investor confidence. Standard Chartered is committed to achieving a high standard of protection of its clients’ Information and data, and hence expects its Third Parties to provide the same level of security and protection. Third Parties should apply adequate physical, technical and organisational security measures and shall adopt industry-recommended security best practices. Third Parties are encouraged to undertake compliance exercises against applicable regulations and relevant industry Standards, and to obtain certifications as a demonstration of their cybersecurity maturity.
3. Data Protection
Standard Chartered is committed to achieving a high standard of protection of our clients’ and colleagues’ personal data and privacy, and we expect our suppliers and other third parties to provide the same level of protection for any data that they process on our behalf. Our suppliers and other third parties should apply adequate technical and organisational measures to protect data made available to them, in line with all applicable data protection laws and regulations. Wherever data is processed by a Third Party on behalf of Standard Chartered, or Standard Chartered obtains data from a Third Party, we expect the Third Party to collect, handle and otherwise process the data in a lawful manner. Third Parties acting in the capacity of a data processor are expected to inform Standard Chartered of any data incidents, data subject requests and requests for data disclosure from governmental authorities within the time periods set forth in applicable laws (unless they are prohibited from doing so by applicable laws or regulations).
We expect all Relevant Sub-Contractors, managers and staff employed by our Third Parties to also be made aware of the above.
Should you have any questions or clarifications, please reach out to your counterpart in the Bank.