How to Stay Ahead of Third-Party and Operational Resilience Risk: Key Takeaways

Audit Insights

September 24, 2025


When it comes to third-party vendor risk, technology is something of a double-edged sword. While it drives unprecedented efficiency and innovation, it also introduces significant risk. The widespread adoption of AI and cloud services has led to a boom in third-party vendor relationships, with a staggering 91% of insurers adopting AI technologies in 2025.

This proliferation creates a complex ecosystem where risk is no longer confined to internal operations; with 60% of data breaches also originating from third-party vendors, managing this external risk is critical for operational resilience. Yet, technology itself offers a powerful solution, enabling the very oversight and control that this new reality demands.

Third-party failures are fast becoming reputational flashpoints – especially in regulated markets like Lloyd’s. From cloud vendors to AI-enabled tools, insurance firms are facing increased scrutiny over how they manage critical outsourced services.

This reality coincides with a wave of new regulations designed to ensure operational resilience. In March 2025, the FCA’s new operational resilience rules (SYSC 15A & PS21/3) took effect, requiring firms to identify important business services, set impact tolerances, and establish continuous testing. Similarly, Europe’s Digital Operational Resilience Act (DORA) became law in January 2025, giving supervisors greater oversight over critical IT providers.

This was followed in July by the European Supervisory Authorities’ (ESA) guide on oversight activities, providing practical insights into how they will oversee critical third parties.

What does this convergence of risk and regulation mean for the re/insurance sector? This was the topic Kristy Lovegrove, Group Head of Technology and Digital Services at Pro Global, and Mike Dalzell, Group Head of Governance, Risk and Compliance (GRC) at Pro Global, discussed on the recent webinar: How to Stay Ahead of Third-Party and Operational Resilience Risk.

AI: A Double-Edged Sword for Due Diligence

The proliferation of AI is a game-changer, but it’s not without its challenges. Mike pointed out, “there is an increase in cyber attacks involving AI: a great number of data breaches originate from third-party vendors, which is just increasing the risk.”

Yet, AI is also part of the solution. The industry is beginning to leverage this technology to streamline time-intensive due diligence processes. Kristy noted, “it is really interesting to lean into AI for due diligence when AI in itself is driving the need for deeper due diligence processes, but this is a smart way to initiate the process.”

However, she was quick to add a crucial caveat: the human element remains vital. “The document itself isn’t going to tell you whether that policy is being upheld in reality – so you do still need that human in the loop to make sure that you’re analysing and making sure that you’re looking at trends that an AI wouldn’t necessarily pick up on its own.” The key takeaway: AI can triage and generate questions, but people are needed to verify that the answers align with real-world practices.

The Regulatory Wake-Up Call: DORA and the FCA

The regulatory environment is also evolving, with new frameworks designed to address these heightened risks. The Digital Operational Resilience Act (DORA) and updated FCA rules (SYSC 15A & PS21/3) are no longer just suggestions; they are mandates that demand a proactive approach.

Mike explained that under the new FCA rules, firms “must identify important business services and set impact tolerances. Having done this they must also have effective processes and ensure regular testing from which to learn and develop. It’s a continual process now.”

This shift means that responsibility for managing third-party risk is front and centre. Mike said: “The FCA and other regulators all acknowledge that firms who use outsourced and other third-party service providers should take responsibility for managing risk arising from those arrangements.” The days of treating compliance as a one-and-done exercise are over; it’s now a core business function.

The Move from Tick-Box to Holistic Oversight

With the complexity of modern supply chains – which can now include fourth parties – and the constant evolution of technology, the old ways of doing business are no longer fit for purpose. Relying on “spreadsheets and word documents” for due diligence is a recipe for disaster.

Kristy emphasised the importance of a holistic view: “Having a more centralised view of operational resilience as an organisation can often help optimisation because often what we see is for instance some areas of the organisation won’t know that they actually work with certain providers. So that cross sharing of information means you can often use your outsource partners for more.”

This is no longer a siloed task for the compliance department. Mike highlighted that this is a board-level issue. “This isn’t just something that’s done in the compliance department. This is something that senior leadership will take an active interest in, and the board want to know that all risks are managed throughout the business.”

To stay resilient and compliant, insurers must embrace a new approach: centralising their risk management, using technology to automate and refine processes, and fostering a culture of continuous improvement across the entire organisation.

Do these new regulations present an opportunity for your business to optimise its operations, or are they a daunting challenge you’re not yet equipped to face?
