This thesis examines the cyber security challenges of leveraging third-party ICT in the financial sector (FS). Although new EU regulation such as DORA (2023) has taken steps to mitigate the challenges of adopting third-party providers (TPPs) in the recently securitised financial sector, there remains limited qualitative research on this phenomenon. Academic research is urgently needed to explore the reasons behind the FS’s reliance on TPPs, despite their apparent risks and the organisational challenges they are likely to face whilst outsourcing their critical services. Using a qualitative, deductive approach, the thesis collected its data from interviews with cyber security experts and from secondary literature. Using Atlas.ti, a qualitative analysis software, the thesis conducted a thematic analysis with pre-defined codes using the organisational behaviour model (OBM) from Graham and Zelikow (1999). The thesis found that despite an awareness of its many risks, the FS has made exceptional use of TPPs. This can be explained by their low installation costs and by shifting market demands. Furthermore, the thesis found that despite a willingness to improve its third-party risk management (TPRM), the FS has difficulty achieving this due to its organisational behaviour. A culture of minimising costs, not wanting to exceed regulatory compliance and an inability to establish standard operating procedures (SOPs) for their TPPs are only a few of the organisational challenges that will prevent the FS from facing the cyber security challenges of expanding its supply chain. The findings of this paper have important implications, as a successful supply chain attack on the EU financial sector could cause unprecedented disruptions to the global financial system.
Furthermore, this research will help policymakers and FS leaders to better understand and mitigate the cyber challenges of TPPs for the financial sector.