The FFIEC just issued new BCP guidance in the form of a 16-page addendum to the existing 2008 IT Handbook on Business Continuity Planning. It is titled “Appendix J: Strengthening the Resilience of Outsourced Technology Services”, and it has significant implications for both the financial institution and the service provider across the entire business relationship.
It begins by stressing that although outsourced relationships with technology service providers (TSPs) are an effective way for institutions to perform or support critical operations, the responsibility for overseeing these relationships resides with the Board and senior management. It focuses on these four key elements of resiliency:
- Managing the continuity risks of critical third-party relationships.
- Understanding the “concentration” risk when a third party provides multiple services to you, or to multiple clients.
- Validating BCPs (theirs and yours) through testing.
- Assuring that your BCP can accommodate a disruption caused by a cyber-event.
The third-party management life cycle begins prior to engaging the service provider, in the due diligence phase. At this point in the pre-contract stage, institutions should evaluate and thoroughly understand both the effectiveness of the vendor’s BCP and the process the vendor uses to manage its subcontractors. Institutions should also make sure the vendor’s recovery time objectives (RTOs) are aligned with their own RTOs for processes that depend on vendor services. For example, if the institution has a 24-hour RTO for its teller processes, it must assure that any outsourced services required for those processes meet or exceed that RTO.
Important Contract Provisions
Once the decision is made to engage the service provider, a contract is the best way to define the obligations on both sides. Some important contract provisions are:
- The right-to-audit clause. This gives the institution the right to either audit the provider directly, or have access to any audit reports addressing the provider’s recovery capabilities. For most institutions, the ideal audit report to establish confidence in the resiliency of the provider is the SOC 2 report.
- Contractually defined service level agreements (SLAs) relating to business continuity, such as clear recovery time and recovery point objectives.
- The remedies available to the institution in the event that the service provider defaults or otherwise does not meet its contractual obligations.
- If the vendor subcontracts, all contractual provisions (including SLAs) must also apply to the subcontractor.
- Because foreign countries may have different data and information security standards, the contract must specify that any contractor based in a foreign country must agree to adhere to U.S. regulatory standards.
- The contract should specify BCP testing requirements for service providers, including test frequency, and the ability of the financial institution to periodically participate.
- Data governance, including data ownership, backup and handling during and after the relationship.
- Service providers must respond to and adhere to all relevant regulatory guidance, and contracts should allow the institution to request those responses.
- Contracts must clearly specify how the provider addresses a security incident, including when and how the institution is notified.
Business continuity requirements and capabilities on both sides of the relationship will change over time, making ongoing monitoring the critical last phase in the management life cycle. Periodic summary reports should be presented to the appropriate management committee(s) and to the Board, and any material changes should be reflected in the institution’s BCP and (if necessary) in the vendor contract.
The guidance also requires institutions to consider the possibility that a critical provider may not be able to fulfill its obligations and may need to be replaced. This could occur over time, such as with a gradually deteriorating financial condition, or suddenly, because of a severe cyber-event or widespread disaster. Regardless of the circumstances, the institution must be prepared to minimize the impact and meet its internal recovery time objectives without the failed service provider. This means having a plan in place to either convert to a new service provider or (as a last resort) move the outsourced operations in-house.
Testing with the third party is given increased importance, and regulators will expect that institutions either participate in, or at the very least review the results of, service provider testing. Testing scenarios should include service provider outages, disruptions at the financial institution, cyber-events affecting either party, and cyber-attacks affecting both parties simultaneously. Test results should be presented to management committees and the Board for review, with a gap analysis and action plans for strengthening resiliency if necessary.
Finally, the guidance addresses the importance of preventing, mitigating, detecting, and responding to a cyber-event. Since the cybersecurity landscape is constantly changing, preparedness is the key to resiliency. This includes periodically updating and testing the institution’s incident response plan, and including the third party in testing whenever possible. It also includes identifying, where necessary, potential third-party forensic and incident management service providers.
Driving Compliance Through Technology
The implications of this guidance will be felt throughout the industry. Financial institutions will be expected to gain a much deeper understanding of provider recovery capabilities, which will require service providers to be much more transparent about all aspects of their business resiliency. Existing business continuity plans will require expansion to include more detailed information about the recovery capabilities of critical service providers, including their RTOs and RPOs. Service provider contracts may need to be modified to include new expectations, and perhaps most significantly, institutions should understand much more about any vendor subcontracted relationships. Simply put, both the vendor and the financial institution must work more closely together across the entire spectrum of the relationship to ensure the optimal resiliency of the institution.