Third Party Risk Management Assurance for Major Insurer

THE CHALLENGE

A large multinational insurer engaged InConsult to strengthen its third party risk management (TPRM) program and gain a transparent, year-on-year view of vendors' information security capability, modern slavery obligations and operational risk management processes. Key drivers included clearer alignment with prudential regulation expectations for service-provider oversight (APRA CPS 234/230), evidence collection that aligns with auditing standards and provides sufficient assurance, and external visibility of vendors' exposed attack surface through vulnerability assessments.

The existing process included basic questionnaires and some attestations, but lacked:

  • independent passive vulnerability / external attack-surface visibility,

  • bespoke assurance questionnaires tuned to different vendor tiers and services,

  • consistent evidence trails for control verification, and

  • comparative reporting showing cohort trends and year-on-year changes.

OUR APPROACH

We delivered a comprehensive, evidence-based third party risk management uplift, including complete end-to-end facilitation of the program, to give the insurer a clear definition of its supply-chain risk:

  • Program Design & Standards Alignment: Mapped the insurer’s TPRM processes to APRA CPS 234 (information security, including third parties) and CPS 230 (operational risk and service providers), and considered international supply-chain standards (e.g. ISO/IEC 27036) to structure controls, evidence and assurance activities.
  • Third Party Ecosystem, Tiering & Bespoke Assessments: Confirmed vendor details, services, data sensitivity and criticality, assigned tiers and set tier-based assessments combining questionnaires, workshops, external scanning and targeted evidence requests (e.g., ISO 27001 certificates, penetration test reports, backup/MFA configurations).
  • Passive Vulnerability Scanning of External Attack Surface: Performed non-intrusive scanning to identify exposed services, weak configurations and stale assets for in-scope vendors, with findings classified against the Open Worldwide Application Security Project (OWASP) vulnerability categories. Findings fed into each vendor's risk profile and remediation recommendations.
  • Bespoke Assurance Questionnaires: Built tier-specific questionnaires based on the prudential standard requirements that the insurer must comply with internally and across its supply chain. Designed scoring and an easy-to-follow risk rating matrix for identified weaknesses.
  • Facilitated Workshops & Evidence Collection: Ran multi-hour workshops with high-dependency vendors to validate responses, walk through configurations, and agree remediation timelines. Collected artefacts to create defensible audit-quality workpapers mapped to each control and risk theme.
  • Reporting, Scoring & Trend Analysis: Issued a customised report to each vendor and a portfolio summary report for the insurer showing cohort performance, heat-maps, trend lines versus prior years, and prioritised recommendations. Prioritised residual risks based on severity, regulatory implications, costs, time to rectify and our experience as risk management experts.

OUTCOMES & BENEFITS

As a result of our engagement:

  • Enterprise-Wide View of Third-Party Risk
    A consolidated view and summary report covering all vendors with tier-based grades, material issues, and remediation status, supporting executive and audit/risk committee oversight.

  • Independent External Visibility
    Passive scanning surfaced misconfigurations and exposed services missed by self-attestations, enhancing remediation and reducing time-to-detect for vendor weaknesses.

  • Stronger Evidence & Assurance
    Complete workpapers tied to recognised supply-chain standards to give internal audit and regulators confidence in the control assessments.

  • Year-on-Year Comparability
    Vendor and cohort trend analysis showed measurable improvement against the previous year, with risk-based sequencing of “next best” actions per vendor.

  • Trusted Partnership
    The structured, transparent approach strengthened the insurer’s confidence in InConsult as a trusted provider for ongoing third party risk management assurance and uplift initiatives.

Would you like to know more about our cyber resilience services? Contact us today.

This case study is drawn from a real engagement between InConsult and our client and reflects genuine results and outcomes. Client details are not disclosed for commercial and confidentiality reasons; specific client references and project details can be shared with prospective clients during the proposal process.