Category: Compliance

12 Oct 2016

Simplify Business Continuity Planning for Your Bank with a Structured and Repeatable Approach

A bank’s Business Continuity Plan (BCP) has evolved to become the crucial blueprint for guiding an institution through the process of recovering from a business outage. Examiners are looking at these plans closely to verify that banks not only have the right plan in place, but are also able to successfully execute it. Many banks choose to keep continuity planning in-house and manually develop their plans. With increased levels of regulatory scrutiny, innovative bankers are embracing technology to make BCP a more efficient and streamlined process.

Many institutions take a qualitative approach to continuity planning, and this requires coordinating meetings between various stakeholders to come to consensus decisions. To create a more efficient BCP process, bankers should be looking to implement an application that will help their financial institution follow the FFIEC-prescribed process and facilitate the collaborative elements of BCP. The end result should include a complete and comprehensive plan that meets regulators’ expectations and equips the financial institution to handle and recover from possible disasters in a timely and efficient manner. 



Enterprise Modeling – The First Step to a Successful Business Continuity Plan

Each bank has a unique operating model based on its specific services, organization, processes, and technologies. Before an institution can figure out how to sustain or recover operations, it must first have a thorough understanding of all the functions and processes that make up those operations. At Safe Systems, we refer to this information gathering step as Enterprise Modeling. This involves breaking the institution into departments (aka Functional Units) and determining the team members responsible for each of these areas. Each department is responsible for one or more business processes, and each of those processes is comprised of multiple functions.

Enterprise modeling can streamline the BCP process and give bankers the ability to assign those most knowledgeable with their department’s operations the task of developing the recovery plan. It is difficult (if not impossible) for a single individual to have all of the knowledge required to recover operations for every department and process. Involving additional people, if not managed properly, can create an even more complex process. By starting with an Enterprise Modeling step, the institution will directly map required functions to those individuals responsible for accomplishing those functions. Organizing the process in this manner will simplify the gathering of business recovery information from each department head, ensure that all processes are addressed, and help institutions develop a more accurate assessment of their risks.

Automating Your Bank’s Manual BCP Processes

Business Continuity Planning is cyclical, and assessments should be revisited regularly. Automating the repetitive portions of the BCP process eliminates the need to update cumbersome spreadsheets and can carry information forward from time-consuming data gathering and reporting activities completed in previous assessments. An automated BCP solution will help guide financial institutions through the entire BCP process, including assigning department heads; documenting key activities, services, and applications; assessing critical recovery times; testing procedures; and staying on top of key updates related to the plan.


It is crucial to ensure the BCP will meet regulatory scrutiny while providing an efficient and simplified process for the institution. Community banks, in particular, should have a business continuity plan that is easy to understand, easy to use, and developed specifically for their institution. An automated application should provide the necessary structure to keep banks on track, but should also allow for customization as each institution sees fit.




Free White Paper: Taking Business Continuity Planning to the Next Level: A Better Way for Banks

Learn how examiners are increasing their focus on BCP, the risks involved in relying on a single individual, and better ways to develop your plan.



At Safe Systems, we understand that BCP can be a very time consuming and stressful process for banks. To help streamline this process, we have developed a Business Continuity Plan application, BCP Blueprint, to help facilitate and automate the BCP process. This application helps financial institutions move from a pieced together set of recovery procedures to a cohesive enterprise-wide approach for continuity planning. The end result will include a complete and comprehensive plan that meets regulators’ expectations and equips financial institutions to better respond when disaster strikes. For more information please download our complimentary white paper, Taking Business Continuity Planning to the Next Level: A Better Way for Banks, by clicking the image above.

05 Oct 2016

Building Success in the Banking World – Safe Systems’ 2016 NetConnect Conference Recap

Safe Systems hosted its 2016 NetConnect Customer Success Summit on September 13th in Athens, Georgia. The theme of the three-day conference was customer success. Safe Systems brought together 73 financial institutions from around the country to hear inspiring keynote speakers, attend informative educational sessions, and obtain key banking industry insights designed to help them build the best financial institutions for their communities.

A key goal of this year’s conference was to provide our banking clients with the necessary tools and guidance to build successful institutions and meet stringent regulatory demands. Safe Systems presented a short tongue-in-cheek skit that began with an FDIC examiner knocking on the front door of a bank, ready to do a full analysis. The bank felt confident that it would meet the examiner’s expectations, but ended up with less than satisfactory results. The examiner emphasized the need for the senior management and board’s involvement in all areas of exam preparation to ensure success, including cybersecurity, vendor management, business continuity planning and more. This example became an important topic of conversation and a key point that Safe Systems highlighted throughout the day.

Sticking with the theme of success, Safe Systems’ President, Darren Bridges, provided opening remarks encouraging banks to not only know what they do and how they do it, but to also have a strong understanding of why. This is an important part of creating a successful institution because the “why” is what makes a bank stand out from competitors and connect with the critical needs of its customers. During the keynote session, Dr. Randy Ross gave an energetic and memorable speech on designing a remarkable culture within financial institutions. He emphasized that culture is the single most important differentiator for community banks and sets the tone for how customers interact with the institution.

Safe Systems’ vice president of Compliance, Tom Hinkel, rounded out the day’s activities with an engaging presentation, where he highlighted some of the compliance challenges banks are facing today and provided helpful advice on how they can successfully manage this complex function.

Customer feedback sessions during the conference provided insights into current IT, security and compliance issues and trends bankers are most interested in and helped to identify areas where they will need the most support. Community bankers today wear many hats, and it can be daunting to keep up with all of the changes occurring in the world of IT. One big concern for bankers at the conference was being able to manage networks effectively and ensure that all activities are running smoothly for their institutions. Other major topics included understanding cybersecurity, managing new regulations, providing proper IT training for employees, and communicating effectively on IT issues with the board and senior management at the bank.




Safe Systems also worked to create an atmosphere where customers could exchange ideas and learn more about the latest technologies and services in the financial services industry. The conference featured many trusted partners and vendors, who either sponsored the summit, exhibited during the trade show, or both. These companies included:

  • Thigpen, Jones, and Seaton
  • Banc Intranets, LLC
  • Consolidated Banking Services, Inc.
  • Rebycsecurity
  • iTransit Solutions
  • Porter Keadle Moore, LLC
  • Bitdefender
  • Jack Henry & Associates
  • CashTrans
  • ATM Response
  • Kaseya
  • Intronis

Overall, last month’s NetConnect Conference was an engaging and educational experience where bankers received invaluable knowledge and advice regarding technology, compliance, and security. Safe Systems continues to enhance its products and services to help community banks strengthen their businesses and build success! We look forward to the next event to grow and create new opportunities for our clients.

28 Sep 2016

New IT Examination Procedures Impact Banks – Business Continuity Planning Becoming More Important Than Ever!

Over the coming months, FDIC-examined institutions will phase in new IT examination procedures, the first major overhaul since December 2007. The new format is called the InTREx program (Information Technology Risk Examination) and is designed to provide a more uniform and less subjective examination experience. The new format has cut the pre-examination questions nearly in half. Don’t be fooled, though: this will not make for an easier exam, as these questions are more open-ended than a simple “Yes” or “No.” What InTREx doesn’t cover in the pre-exam phase, it more than makes up for in the on-site examination.

This new process is a much more granular process, requiring a deeper analysis by the examiner, which in turn puts a greater burden on the bank. Proper documentation will often make the difference between a satisfactory and a less than satisfactory assessment. This means institutions must be adequately prepared for a more thorough and time consuming examination. One area the new IT examination procedures heavily reference is business continuity planning (BCP).

Business continuity planning has become a very important aspect of a bank’s or credit union’s successful IT exam and compliance rating. Business Continuity Planning is the process of creating systems and processes that provide resilience to, and recovery from, potential non-specific threats to a financial institution. Events that could negatively impact normal operations include all man-made and natural disasters, such as failure of equipment, loss of or damage to critical infrastructure, and malicious cyber activity. Auditors and examiners are scrutinizing BCP processes more closely, specifically looking to verify that the institution’s methodology and plan structure closely adhere to the regulatory guidance.




In addition to the new FDIC procedures, the FFIEC has also made some significant guidance changes, specifically updating the Business Continuity Planning Handbook. The FFIEC has increased its focus on cybersecurity resilience and recovery as well as important interdependencies such as third-party providers.

There is also significant overlap between the elements in the InTREx program and the FFIEC’s Cybersecurity Assessment Tool (CAT), which means that actions taken to strengthen cybersecurity control maturity will also strengthen overall IT controls. The CAT dedicates an entire section to cyber resilience, a concept which encompasses elements from both BCP and incident response. These new examination requirements prove that business continuity planning has become a crucial element of a financial institution’s cyber resilience strategy and overall information security program.

Events of the past 10 years have significantly increased the need for attention to emergency preparedness within financial institutions. In the last decade, we have seen an increased dependence on technology and third party vendors, business disasters such as power outages and connectivity issues, as well as severe natural disasters like hurricanes, tornadoes, and floods. Community banks must have a comprehensive business continuity plan in place to successfully face these unique and unexpected challenges and ensure the institution can recover business operations quickly and efficiently.

At Safe Systems, we understand that BCP can be a very time consuming and stressful process for banks. To help streamline this process, we have developed a Business Continuity Plan application, BCP Blueprint, to help facilitate and automate the BCP process. This application helps financial institutions move from a pieced together set of recovery procedures to a cohesive enterprise-wide approach for continuity planning. The end result will include a complete and comprehensive plan that meets regulators’ expectations and equips financial institutions to better respond when disaster strikes. For more information please download our complimentary white paper, Taking Business Continuity Planning to the Next Level: A Better Way for Banks.

10 Aug 2016

Reduce the Stress of Your Bank’s IT Exams

Financial institutions are governed by stringent regulations, including strict guidelines for the institution’s information security program. Institutions must undergo regular audits, both internal and external, to help ensure their control environment is sound and compliant. These audits ultimately help the institution prepare for when the examiners come knocking. Regulatory agencies conduct these IT exams to determine if the institution’s policies and procedures are sound, and if daily practices are in line with those standards. Rarely are these experiences fun or care-free.

The IT audit and examination processes can both be very time consuming and stressful for security officers, IT Administrators, and the institution’s executives. IT audits, while invaluable, may result in a laundry list of suggested improvements, most of which come with a price tag. Senior management must decide which suggestions are worth the investment and which constitute acceptable risk. Then, they must be able to defend that position to examiners.

Recent developments, including the FDIC’s introduction of the Information Technology Risk Examination (InTREx) Program, emphasize that it is not enough to have a solid Information Security Policy and procedures. Today’s examiners are requiring ever-increasing amounts of documentation as evidence that your institution is indeed doing what your policies and procedures promise. Financial institution IT professionals, already tasked with the full-time job of keeping systems up and running, are also asked to help the Information Security Officer gather volumes of documentation that make up this paper trail.

Without help, this regulatory burden can be a major challenge for smaller community banks and credit unions that lack the resources and experience to adequately meet ever-growing regulatory demands. However, there are some steps these smaller institutions can take to ease the stresses associated with this near-constant scrutiny.

Be Proactive – Conduct IT Self-assessments

To help ensure better results on bank IT audits and examinations, all financial institutions should complete periodic (quarterly) control self-assessments that enable management to gauge the state of IT performance, system status, and emerging risks. These proactive IT self-assessments are essential for ongoing monitoring of security controls and ensuring prompt corrective action of significant deficiencies. These regular reviews are not just beneficial, they are also mandatory. FFIEC guidance dictates that financial institutions perform regular self-assessments to “validate the adequacy and effectiveness of the control environment.”

At Safe Systems our strategic advisors work with each client to perform quarterly technology self-assessments. While this assessment helps the institution ensure all things related to IT network technology controls are working and up to date, it also serves as time for the strategic advisor to educate bank personnel on new or changing government regulations. This helps the bank to remain in compliance and sets the institution up for success in audits and exams.

Auditor feedback from our clients indicates that financial institutions that work with experienced IT outsourcing vendors and have an effective internal self-assessment process in place generally demonstrate a much more evolved risk management process and have a smoother IT audit. Simply put, this results in fewer, and less severe, audit findings. These institutions tend to identify, correct and control weaknesses prior to an audit, as opposed to waiting for the auditor to identify them. Since one of the first things the examiner wants to see when they arrive is the most recent IT audit, this often results in fewer examination findings as well.




Free White Paper: 7 Reasons Why Small Community Banks Should Outsource IT Network Management

This is a free white paper that addresses key issues smaller financial institutions face when managing their networks and the benefits of outsourcing these tasks.

Automate Reporting for IT Examinations

Documentation and reporting make up the paper trail that examiners are looking for to help validate your information security program. Being able to provide comprehensive reports that are easy to understand and provide clear and concise summary information is vital to any IT audit or exam. You may be asked for documentation on who is involved in technology reviews, frequency of meetings, minutes from each meeting, IT issues the bank is addressing, technology inventory management, patch management reports, testing policies and procedures, and disaster recovery plans, to name a few. These reports can be a time-consuming hassle to generate. However, with a financial institution specific reporting solution in place that automates the process and provides detailed on-demand reports, financial institutions can easily generate much of the appropriate documentation in a time efficient manner.

Preparing for an IT audit or exam can certainly be a headache! However, working with Safe Systems can provide your bank with peace of mind because by the time the examiner gets there, you are well prepared and can feel confident of the upcoming exam result. Safe Systems provides financial institutions with a trusted resource and technology advisor, leading to improved IT audit and examination ratings. With an experienced IT services provider, bankers can get back to the business of banking while compliance-oriented IT professionals work to ensure network components, servers and workstations are operating properly and securely; all while helping to ensure that your institution is meeting regulatory requirements.

09 Jun 2016

Preparing for Your Bank’s Quarterly Control Self-Assessment

To help ensure better results on bank audits and examinations, all financial institutions should complete periodic (generally quarterly) control self-assessments that allow management to gauge IT performance, system status, and emerging risks. These proactive self-assessments are key in providing ongoing monitoring of security controls and ensuring prompt corrective action of significant deficiencies. FFIEC guidance dictates that financial institutions perform regular self-assessments to “validate the adequacy and effectiveness of the control environment.”

Auditor feedback indicates that financial institutions with an effective internal self-assessment process in place generally demonstrate a much more evolved risk management process. Simply put, this results in fewer, and less severe, audit findings. This makes sense because these institutions tend to identify, correct, and control weaknesses prior to an audit, as opposed to waiting for the auditor to identify them. Since one of the first things the examiner wants to see when they arrive is the most recent audit, this often results in fewer examination findings as well.

Specific areas that should be reviewed in the assessment:

  • Network Compliance Reporting
    • Antivirus, Patch Management, Server Health and Warranty Analysis
  • Network Security Reporting
  • Vulnerability Assessment
  • Policy and Procedure Verification
    • Vendor Management, Network/Internet, Information Security
  • Regulatory Trends and Changes
  • Site/Server Recovery and Disaster Recovery Plans

Expect support from your IT network management provider

Actually conducting the self-assessment can be a challenge, and requires a mix of regulatory and technical understanding. One way to improve this process is by working with an experienced IT network service provider who is knowledgeable in financial regulatory requirements. You should expect your account manager to help with every step of the self-assessment by providing structure, feedback, and an impartial outside perspective. This control self-assessment is also a time for the financial institution to share with account managers issues and pain points they have come across. This way the account manager is able to provide informed guidance, and help the bank utilize the right tools and procedures to adequately address any issues.

At Safe Systems our account managers work with each client to perform quarterly technology self-assessments. This assessment is a tool to help the institution ensure all things related to IT network technology controls are working and up to date. However, the self-assessment is more than a simple diagnostic procedure. This is a time for the account manager to educate bank personnel on new or changing government regulations, helping the bank to remain in compliance, and setting the institution up for success in audits and exams.

Regulatory compliance is always on a financial institution’s mind. Quarterly control self-assessments provide the bank with peace of mind, because by the time the examiner gets there, they have already had a trial run and feel well prepared and confident of the upcoming exam result. Working with Safe Systems provides financial institutions with a trusted resource and technology advisor, leading to improved audit and examination ratings!




Free White Paper: Dispelling 5 IT Outsourcing Myths within Financial Institutions

Learn why five of the most commonly believed “facts” about IT outsourcing within community financial institutions are actually myths.



20 Jan 2016

Banks Can’t Outsource Responsibility, but You Can Ensure a Solid Vendor Management Program

You Can’t Outsource Responsibility

The vast majority of financial institutions rely on third-party service providers to offer not only specialized IT services and technology assistance that help improve the overall quality and efficiency of the organization, but also for the software and hardware that actually run their business. However, even when a service is outsourced, the ultimate responsibility for the management of the vendors and the risks associated with that activity lies with the financial institution, specifically the Board of Directors and the senior management team.

The Burden of Vendor Management

All federal regulators have issued guidelines recently to help financial institutions understand and manage the risks associated with outsourcing a bank activity (including supporting a bank activity) to a service provider. To remain compliant with governing organizations, it is important for all financial institutions to find ways to strengthen their vendor management programs.

While it is more important than ever for financial institutions to manage the risk associated with vendors, many struggle with the best way to efficiently and successfully accomplish this. Most community financial institutions do not have a formal internal department dedicated to vendor management. In fact, in a recent survey, only one out of 300+ of our financial institution clients has a full-time dedicated vendor relationship manager. Instead, because many outsourced relationships have a technology component, this responsibility often falls to the IT department or the ISO. Furthermore, most still perform this process manually, potentially leaving the institution vulnerable to risk.

Finding the Right Partner

Many financial institutions are looking for ways to more effectively manage their outsourced vendors and protect themselves from the risk, often referred to as inherited risk, acquired by association with outsourced service providers. Financial institutions must be aware of, and responsible for, the cybersecurity risks of their vendors, and for the potential of any vendor that stores, processes or transmits data to expose the bank or credit union to additional risks. In addition, the criticality of the vendor must also be assessed. What specific processes performed by the institution require proper operation and/or support from the vendor? Does the contract specify both required actions and specific remedies in the event of a cybersecurity incident at the vendor?

Is Automation Right for You?

So, what is the best way to manage this risk in an efficient manner while not overwhelming the vendor manager? Oftentimes, financial institutions determine that implementing an industry-specific and automated vendor management program is the most cost-efficient method to control and manage these risks. Implementing automated vendor management solutions built around the specific needs of all of the key players within the financial institution saves a tremendous amount of time and money, reduces risks and also eliminates compliance headaches. A complete vendor management system ensures your vendor managers (and any other stakeholders) are notified of all of the critical activities and actions required to effectively monitor a third party relationship, such as ensuring that all risk assessments, controls reviews and documentation are up to date.

Complimentary eGuide: Why Automation is the Answer for Community Banks’ Vendor Management Challenge

Automating vendor management functions not only saves your financial institution time today by helping you focus your resources, but also helps protect you from future regulations and guidelines. It also reduces costs through closer oversight of contract renewals; provides reporting to all stakeholders; and generally increases security (including cybersecurity) throughout the organization.

Ultimately, it is the financial institution’s responsibility to protect the financial institution and its sensitive data no matter where that data is stored, processed or transmitted, and an automated vendor management solution is an important step in this process.

05 Jan 2016

4 Key Elements of a Compliant and Effective Cybersecurity Program for Community Banks

Because of the prevalence of outsourcing, for most financial institutions cybersecurity readiness means effectively managing your vendors and having a proven plan in place to detect and recover if a cyberattack occurs. However, according to the FDIC, a cybersecurity risk management program should contain a bit more.

An Effective Cybersecurity Program Should Contain these Four Elements:

  1. Governance: risk management and oversight
  2. Threat intelligence and collaboration: Internal & External Resources
  3. Third-party service provider and vendor risk management
  4. Incident response and resilience

Let’s look into each area with a little more detail and discuss how you can best comply with each requirement:

Governance

Virtually all FFIEC examination handbooks list proper governance as the first and most important item necessary for compliance. According to the FFIEC, governance is achieved through the management structure, assignment of responsibilities and authority, establishment of policies, standards and procedures, allocation of resources, and monitoring and accountability.

In order to comply with the governance regulations, you should regularly update and test your policies, procedures and practices. It’s important to verify that cyber threats are specifically included in your information security, incident response and business continuity policies. To assess your cybersecurity risk, focus on your controls in three categories: preventive, detective, and responsive/corrective and make sure all results are documented. Adjust your policies, procedures and practices as needed based on the risk assessment results.

Threat Intelligence and Collaboration

This element reflects both the complexity and the pervasiveness of the cybersecurity problem, and can be a particular challenge to smaller institutions who often lack dedicated cybersecurity resources.

Regulators expect all financial institutions to identify and monitor cyber threats to their organization, and to the financial sector as a whole, and to use that information to inform their own risk environment as well as their specific controls.

Third-party Service Provider and Vendor Risk Management

For the vast majority of outsourced financial institutions, managing cybersecurity really comes down to managing the risk originating at third-party providers, also known as “inherited risk”. Smaller institutions might be even more at risk because they tend to rely more on third parties and tend to lag behind larger institutions when it comes to vendor management.

Regardless of size, all institutions should employ basic vendor management best practices to understand and control third-party risk. Pay particular attention to the existing contracts and agreements to understand what elements are in place for protecting the institution against cyber threats, and how you’ll be notified in the event of a security breach involving you or your customer’s data.

Incident Response and Resilience

Incident response has been mentioned in all regulatory statements about cybersecurity, and for good reason: regardless of whether it originates internally or externally, a security incident is a virtual certainty. Regulators know that, although vendor oversight does provide some measure of assurance, you have very little actual control over specific vendor-based preventive controls. As a result, your responsive and corrective controls must compensate for that lack of control.

Make sure your incident response program (IRP) has been updated to accommodate a response to a cybersecurity event. All IRPs should identify the incident response team members, define a method for classifying the severity of the incident, specify a response based on severity (including internal escalation and external notification), and provide for periodic testing and board reporting.

It is important for all community financial institutions to review the requirements for cybersecurity and ensure all components are included in your current policies, procedures, and practices. All measures should be documented and ready to be shared and discussed with regulators.

For more information on what you should be doing to comply with cybersecurity standards, download our complimentary eGuide, Understanding the Cybersecurity Expectations for Financial Institutions.

15 Dec 2015

Community Banks Options for Help with Cybersecurity Regulations

Financial institutions today are under pressure to comply with mounting regulatory requirements, especially as they relate to cybersecurity guidelines. In fact, the FFIEC recently issued an update to the FFIEC Information Technology Examination Handbook’s Management Booklet to more explicitly integrate cybersecurity concepts. Additionally, the FFIEC released a new resource called the Cybersecurity Assessment Tool (CAT) to help financial institutions identify risks and determine cybersecurity preparedness. This in-depth “assessment provides a repeatable and measurable process for financial institutions to measure their cybersecurity preparedness over time,” according to the FFIEC.

Due to the “increasing volume and sophistication of cyber threats,” cybersecurity has quickly become a hot topic with regulatory agencies. Regulators expect banks to show evidence that they are measuring cybersecurity threats and preparedness using the CAT or a comparable framework. This expectation applies to banks of all sizes, from a rural one-branch bank to a national bank with billions in assets. For smaller banks with fewer resources and less compliance expertise, complying with the new regulations and requirements can be a challenge.

While some regulatory agencies have indicated that completion of the Cybersecurity Assessment Tool is not mandatory, all have stated they intend to use the tool to assess banks’ cybersecurity readiness. Examiners have already begun to issue verbal and written recommendations to financial institutions that have not filled out the CAT.

After completing the CAT, many community banks are finding they have a higher risk factor than they expected and are frantically searching for ways to efficiently manage the strategies needed to mitigate that risk. What are your bank’s options for mitigating this increased cybersecurity risk?

Try to manage it yourself

Many banks that try to manage cybersecurity guidelines themselves in-house often run into hurdles immediately. Maintaining the knowledge and expertise of the evolving regulatory environment is a time-consuming endeavor. The CAT assessment alone is about 128 pages. Small banks do not have the bandwidth to manage cybersecurity compliance efficiently and in a manner that meets regulator demands. Many community banks simply can’t afford to have a team dedicated to regulatory management.

Use a local IT service provider

Community bankers have a natural inclination to “shop local,” and that includes looking for service providers who can assist with IT and compliance needs. However, it is also important to understand the risks that generalist IT service providers pose to your institution given today’s oversight environment. Local IT service providers often do not have experience with the regulatory demands bankers face. Auditors and examiners will expect a thorough paper trail to prove that daily practices match defined policies and procedures, and often this must flow through IT resources. Knowledge of your banking applications, cybersecurity and compliance environment is vital!

Engage an experienced bank IT and compliance professional

To help augment limited personnel resources, community banks are increasingly partnering with financially-focused IT and security service providers to better manage their growing compliance and security needs. It is important to partner with an organization with the right skills, knowledge and expertise.

The right IT service provider couples security measures with an understanding of and support for the unique compliance demands of the financial industry.

08 Dec 2015

Is Cybersecurity Part of Your Bank’s Compliance Program?

Cybersecurity has become a topic of interest to every community bank and credit union due to the growing dependence and reliance on technology, including smart phones and other mobile devices. In the financial industry it has also come under increased regulatory focus, and continues to be a hot topic for the foreseeable future, which is evident with the release of the FFIEC Cybersecurity Assessment Tool (CAT) and the updated FFIEC Management Examination Handbook.

So, exactly what do regulators expect from your community bank, and how does that differ from what you may be doing already? More importantly, with additional new guidance pending, how should you demonstrate cybersecurity compliance?

The FFIEC developed the CAT to help institutions identify their risks and determine their cybersecurity preparedness. The Assessment tool provides a repeatable and measurable process for financial institutions to measure their current state of cybersecurity preparedness, and track changes over time.

The CAT has two sections: the inherent risk profile and the cybersecurity maturity level. Inherent risk is a function of the type, size and complexity of your institution’s operations, and does not include any existing mitigating controls. The second section of the CAT is designed to help your institution measure its behaviors, practices and processes related to cybersecurity preparedness, resilience, and recovery.

What Comes after the Cybersecurity Assessment?

Once a financial institution has completed both sections, management can create a “gap analysis,” meaning they can decide what actions may be needed to either reduce inherent risks or increase control maturity to bring the actual state in line with the desired state. This is where the biggest challenge may lie for most financial institutions, because the concept of a “desired state” requires you to establish a “risk appetite,” or an acceptable level of cyber risk. For the vast majority of financial institutions offering some electronic banking products, this level is greater than zero, but may have not been formally approved. Once your risk appetite is established, you are then able to determine whether or not your residual risks are acceptable.

Right now, most financial institutions seem to be on the first step of simply completing the CAT. It’s important to note that even though some regulatory agencies have indicated that completion of the tool is not mandatory, all the agencies have stated they intend to use the tool to assess your cybersecurity readiness.

So what should your financial institution be doing now in order to comply with new Cybersecurity regulations?

You need to make sure you have kept your information security, business continuity and vendor management policies and procedures up to date. There is no regulatory requirement to have a separate cybersecurity policy as long as cybersecurity is in each of those existing policies. You need to have procedures in place to secure customer and confidential data and recover critical business processes regardless of the source or nature of the threat. Your risk assessments should all be impact-based, not threat-based, but make sure they all contain specific references to the source of the risk.

Make Sure your Vendor Management Program Accounts for Cyber Threats

Vendor risk assessments will need to be adjusted if they don’t specifically account for cyber threats. For example, critical vendors should be assessed for their exposure to, and protection from, cyber threats, with your controls adjusted accordingly (e.g., audit reports, penetration tests). Your business continuity planning risk assessment should account for the impact and probability of cyber-attacks, as well as traditional fraud, theft and blackmail. Regulators will likely be looking for specific references to cyber concerns, so make sure your Vendor Management policies include a reference to them as well.

Hopefully you’ve already incorporated cyber-based security elements into your overall information security program, and very little adjustment needs to be made. Regardless of what your specific approach to cybersecurity may entail, prepare to discuss what you are doing – and how you are doing it – with the regulators. They will ask about it!

10 Nov 2015

Safe Systems Introduces Vendor Management Software for Banks and Credit Unions

Recent cybersecurity incidents affecting financial institutions have largely involved third-party service providers, prompting increased attention by regulators, and increased scrutiny on oversight of third party relationships. To maintain compliance with today’s stringent regulatory environment, community banks and credit unions must ensure their vendor management processes monitor and document every aspect of their vendor relationships, including vendor concerns such as financial viability and information security practices of their vendors.

To address this concern, we at Safe Systems are now offering our new vendor management solution to the marketplace. This web-based software automates the process of contract management, product risk assessment, and controls review to help banks and credit unions effectively manage third-party service providers and maintain regulatory compliance. This proven solution has been in use by a select group of approximately 20 client institutions during the past year.

“By the time I had used Safe Systems’ Vendor Management application for several weeks, I was convinced that this product met State Bank of Cochran’s needs for an automated vendor management solution. Their Vendor Management application met all of the regulatory specifications of a sound vendor management program: risk assessment, due diligence in selecting a third party, contract structure and review, documentation and reporting, as well as independent reviews, and ongoing oversight,” said Leesa Anderson, CTO of State Bank of Cochran.

As a Software as a Service (SaaS) solution, our vendor management software centralizes vendor profiles and data into a client dashboard to provide real-time alerts, reporting, and recommended controls. This customizable solution enables banks to automate vendor management activities, assess risk, and easily upload and track contracts from multiple vendors. Our vendor management solution also stores information in a SOC1 and SOC2 audited datacenter and integrates vendor information into our client management portal, “the Safe.” In addition, we provide ongoing training and consulting services with each license.

Vendor management is often the most under-manned function within a bank’s IT department. Many community financial institutions keep track of their vendor management activities manually using spreadsheets, but with our web-based software solution, banks and credit unions can easily monitor and manage multiple third-party service providers; understand the level of risk each vendor poses to your institution; and ensure compliance with regulatory guidelines.

27 Oct 2015

Banks – Reduce Risk, Increase Compliance with Vendor Management Software!

Today community financial institutions are increasingly relying on third party vendors for critical software, products and services. Regulations repeatedly make it clear that the use of third party vendors or service providers does not reduce the responsibility of your financial institution to ensure that data is safe, secure and complies with all applicable laws, regulations and security best practices. Often this is accomplished through a vendor management function within your bank or credit union.

It is more important than ever for financial institutions to manage their vendors, but many struggle with the best way to efficiently and successfully accomplish this. Until recently, most institutions had only a handful of managed vendors, which could be tracked manually via a spreadsheet. While this may have worked in the past, regulators now expect all vendors to be risk assessed, easily overwhelming the manual process. In addition, spreadsheets provide no proactive alerting mechanism for expiring contracts and upcoming vendor reviews. They also do not provide the ability to collaborate across the organization, and they make producing management reports and documentation challenging.

Banks and credit unions should strongly consider the benefits of automating their vendor management functions using vendor management software designed specifically for the requirements of financial institutions. Implementing an automated solution for managing vendor relationships saves a tremendous amount of time and virtually eliminates compliance headaches.

Centralize critical vendor management data

Having an automated system in place helps ensure all vendor information such as contracts and audit reports are located in one place. A centralized location provides financial institutions a way to efficiently manage multiple vendors and all the activities involved in managing a vendor relationship; from assessing the risks, to evaluating controls. It also ensures easy access for all those within the institution who are involved with managing the relationship. The ability to assign multiple vendor managers is an important feature for institutions struggling with the burden of addressing a greatly increased workload.

Use technology to manage the vendor management process

An automated online alerting feature ensures all bank and credit union stakeholders are notified of important key dates, including contract renewals (including auto-renewals), upcoming vendor reviews and annual Board reviews. It offers a comprehensive, up to the minute summary of the vendor relationship and ensures your financial institution is alerted to significant dates and all required activities.

Automate reporting and documentation processes

Automated systems also make providing proper documentation and reports to regulators a lot easier. In order to comply with newly implemented FFIEC regulations, every bank and credit union must be able to provide proper documentation on the monitoring of its vendor management program. Automated solutions provide reports that include a comprehensive inventory of vendors, due diligence results, contracts, risk management reports, reports to the board of directors and management committees.

Automating vendor management functions not only saves time but also helps with ensuring your financial institution is in compliance with all the increased regulatory expectations and guidelines now in effect around vendor management. Ultimately, it is your financial institution’s responsibility to protect your customers and members and their sensitive data. An automated vendor management solution is a very effective tool for not only properly managing the process, but providing the necessary proof in the form of documentation to all stakeholders – management, auditors, and examiners!

20 Oct 2015

The Importance of a Core-Agnostic IT Services Provider

Let’s face it, managing multiple vendor relationships can be a headache! Today many financial institutions are looking to streamline their IT vendor relationships as much as possible and want vendors and core providers that will include all their products and services in a single contract. While that may seem nice and easy from a vendor management perspective, it concentrates risk in that one vendor, which runs counter to FFIEC guidance.

Understanding the Compliance Risks

In fact, earlier this year the FFIEC issued an update to the Business Continuity Handbook to help financial institutions in understanding and managing the risks associated with outsourcing a bank activity to a service provider. The new appendix, appendix J, entitled Strengthening the Resilience of Outsourced Technology Services, focuses on third-party oversight and cybersecurity, confirming that these two areas will come under ever-increasing scrutiny.

One-Stop Shops Increase Your Compliance Risks

While having one vendor to manage may seem like a good idea, putting all your eggs in one basket concentrates your risk factors. It is wiser to work with several vendors, which spreads out risk and does not force an institution to rely solely on one service provider. This can be a challenge if you work with a core vendor or processor that bundles all services together.

The intertwined relationship between the financial institution and the core processor that bundles all services makes it difficult for the institution to make IT changes and leaves little room for negotiation with their network monitoring services. The more services your institution has with core processors, the less you are able to negotiate on renewal pricing. In addition, if you switch core processors, you run the risk of being charged a fee for converting from one platform to another. If your financial institution’s internal network servers are intermixed with core banking servers and you decide to switch your core system, your IT network and IT management system will need to change or be modified.

A majority of core providers have acquired their IT network management provider. The acquired companies usually have a large cross section of core clients, but once acquired, these IT service providers are primarily interested in servicing and growing their core provider relationships. Core processors that build their own IT managed services internally often don’t have the experience and understanding of how to make other core systems run optimally with IT networks.

Working with an IT network management provider that is owned by a core banking software provider different from your bank’s core system is not a good long-term strategic fit for your bank. The core-owned IT management services companies are focused on their parent company’s core banking systems. Their knowledge of other core systems will diminish over time, and their real interest is in being a one-stop shop for their own core clients. There are often issues and finger pointing between a bank and its core provider over network problems, and these situations will only be exacerbated by such a relationship.

Assessing and Minimizing Non-Compliance Risk

When performing your institution’s risk assessment for IT network management, some areas to think about are the timing of your bank’s core renewal, the likelihood your bank may change core processors, and the likelihood your bank may acquire another bank. In addition, track the year-over-year count of banks with your same core processing solution that are supported by your IT services provider. If that number is going down, the risk of your provider losing expertise specific to your institution’s configuration goes up.

In order to avoid these pitfalls, it is important to separate IT network operations providers from your core system. Having separate support providers also strengthens the network from a security standpoint, increases flexibility and addresses the FFIEC vendor diversification issue. This separation provides you with the flexibility needed to make changes easily or independently, make the best decisions on internal network management, and not be tied to one vendor to manage IT network activities and core banking functions.

13 Oct 2015

Vendor Management Best Practices for Community Banks and Credit Unions

Vendors play an important role in the financial services industry. Financial institutions rely on third-party service providers to offer specialized services and technology assistance that help improve the overall quality and efficiency of their organizations.

To perform these services, vendors often must access, transmit, store or process sensitive information, including customers’ personal information. Financial institutions are responsible for managing the inherited risk, which is the residual risk the institution acquires, or inherits, from each service provider. Financial institutions must be aware of and responsible for any cybersecurity risks of their vendors and the potential for those vendors to expose the bank or credit union to additional risks.

Regulators have issued guidance to help in understanding and managing the risks associated with outsourcing a bank activity to a service provider. To remain in compliance with governing organizations, it is important for all financial institutions to strengthen their vendor management programs. These enhancements safeguard the confidentiality and availability of the data and also minimize the impact if a data breach occurs.

To help your community financial institution execute vendor management safeguards, here are some best practices for implementing a successful, secure and compliant vendor management program.

Centralize Vendor Information

To efficiently manage multiple vendors and all the activities involved in managing a vendor relationship, it is important to have all information housed in one centralized location. It also serves as a central repository for regulatory reporting.

Assess Risk

Have a list of all vendors that conduct businesses with the financial institution and rank each vendor according to its level of access to critical data and importance to operational activities. For most institutions, only about 10-15% of vendors are considered high risk, but all outsourced relationships must be risk-assessed. Establish a risk tier and implement different controls for the different risk levels.

Review Controls and Perform Due Diligence

Once risks have been assessed, the financial institution should perform due diligence for all vendors, with the intensity of the effort commensurate with the risk category; low-risk vendors may only need a cursory review, while high-risk vendors need a deeper dive. Due diligence activities include reviewing and assessing the vendor’s financial health; its knowledge of and familiarity with the financial services industry and banking regulations; the information security controls it has in place; and its ability to recover from breaches or disasters. These activities and the vendor relationships need to be documented, and procedures put in place that ensure the vendor information is updated and monitored on an ongoing basis. These same procedures must also ensure that service providers are complying with any applicable consumer finance laws and regulations, and have a plan in place to promptly identify and address problems.

Proper Documentation and Reporting

In order to comply with newly implemented FFIEC regulations, every bank and credit union must be able to provide proper documentation on the monitoring of its vendor management program. This documentation should include (at a minimum) a current inventory of vendors, due diligence results, contracts, risk management reports, reports to the board of directors and independent review reports. It should also be able to easily identify all high inherent risk vendors and all high residual risk vendors.

Following these steps will help ensure your financial institution is in compliance with the regulations and guidelines around vendor management. Ultimately, it is the financial institution’s responsibility to ensure all sensitive data is protected. Implementing the above processes and procedures will help create a solid vendor management program.

07 Oct 2015

Vendor Management — An Undermanned Function in Community Financial Institutions

While the issue of vendor management and oversight is not new to the financial services industry, recent enforcement actions and regulations from the Office of the Comptroller of the Currency (OCC), the Consumer Financial Protection Bureau (CFPB) and the Federal Financial Institutions Examination Council (FFIEC) have given financial institutions a new set of requirements to follow.

The Times They Are a-Changin’

In fact, earlier this year the FFIEC issued an update to the Business Continuity Handbook to assist financial institutions in understanding and managing the risks associated with outsourcing a bank activity to a service provider. The new appendix, appendix J, entitled Strengthening the Resilience of Outsourced Technology Services, focuses on third-party oversight and cybersecurity, confirming that these two areas will come under ever-increasing scrutiny. Banks are now more than ever, encouraged to conduct due diligence and take their own steps to ensure vendors address security gaps.

The definition of service provider has expanded, which means that most institutions will need to expand their list of managed vendors way beyond simply those that provide banking services. The Federal Reserve issued a regulatory update in 2013 titled “Guidance on Managing Outsourcing Risk.” In it, they defined “service providers as all entities that have entered into a contractual relationship with a financial institution to provide business functions or activities.”

Regulators know the vast majority of financial institutions outsource at some point, in fact recent studies put the number of financial institutions that either transmit, process or store information with third-parties at more than 90 percent. They also know that most recent cyber security incidents affecting financial institutions involved third-party service providers.

Cybersecurity is an additional reason for enhanced vendor management.

Why? Because banks must manage the “inherited risk” of their vendors. Inherited risk is the residual risk the institution acquires, or inherits, from each service provider. Banks must be aware and responsible for any cybersecurity risks of their vendors and the potential for those vendors to expose the bank to additional risks. Incident response is also an area financial institutions need to monitor and control, because when preventive controls aren’t effective, responsive controls must compensate.

Spreadsheets are simply not enough

Most community financial institutions do not have a formal internal department dedicated to vendor management and have historically failed to stay on top of their third-party relationships because of a lack of manpower and resources. In fact, only one out of 300 of our clients has a dedicated vendor relationship manager. Instead, this position usually falls under the IT department on a part-time basis, and many still perform this process manually. About 90 percent of our clients keep track of their vendor management activities manually using Excel. However, for an average community financial institution to properly perform vendor due diligence and vendor management, some form of automation is required, because managing ongoing due diligence and contract tracking with multiple vendors is a very time consuming task.

In addition, a certain set of expertise is required to adequately perform this important function. To adequately perform vendor management responsibilities, the person must be able to maintain their expertise on an ongoing basis, have the time to work closely with the business manager who owns the relationship and be able to work with the vendor or other stakeholders within the bank when necessary, as well as have a strong technology background and truly understand banking and financial services.

With regulators now demanding greater control and accountability from financial institutions, how will your financial institution enhance its vendor management program?

02 Sep 2015

Driving Compliance Through Technology

Look around today’s financial institution and you’ll be hard-pressed to find a department that technology doesn’t touch. Most modern institutions are highly interconnected and dependent on their network infrastructure. In fact, technology is the lifeblood of the modern financial institution.

There is another sometimes overlooked area where technology can facilitate the financial institution’s success – compliance.

It is a full time job for community bank IT professionals to make sure the network is running, email is working, applications are up to date and patched, and all users have just enough access to the network resources needed to do their jobs. This doesn’t even include the extra time spent with auditors, examiners, and the Board to ensure procedures are documented and actual practices align with compliance standards.

While outsourcing some of these processes can alleviate most of the day-to-day pressure of administering and maintaining IT for a financial institution, it doesn’t absolve an institution of the oversight and documentation requirements necessary to ensure secure, up-to-date, and compliant operations.

Instead of being a daily chore, network monitoring, patch management, and troubleshooting can provide the foundation for the institution to build a better compliance posture. How? Automation and documentation.

There are three things examiners look for in a financial institution – written policies, written procedures and documented practices. Most institutions have the right policies and procedures in place but often maintain inadequate documentation of the work being performed; thus, they can tell an examiner they are adhering to appropriate compliance measures, but are not able to show thorough proof of that through documentation.

A typical community financial institution may have multiple software products to manage software patches, monitor network resources, and administer the security and antivirus tools that keep machines safe from threats. Each of these systems requires different steps to pull reports and provide the documentation needed to demonstrate adherence to policies and regulations. When making improvements that will significantly increase an institution’s ability to produce the documentation examiners are looking for, the IT staff has two choices – manually pull all the necessary documentation from disparate systems, or build an internal process to centralize and automate it. Either way, an institution needs a certain amount of technology to be able to pull this off.

A centralized IT dashboard and reporting system can pull data and documentation from multiple systems and assemble the information. The right solution can automate the reporting process for bank examiners and bring critical documentation to your bank’s management team’s fingertips.

All those various systems your IT staff has to manage become one. A centralized and automated reporting system helps break down the silos that can make working with different reports from different systems so time consuming and difficult. Ultimately, a centralized IT reporting system can not only reduce administrative overhead, but also help improve your bank’s compliance posture.

Partnering with Safe Systems to co-manage your bank’s IT infrastructure ensures your financial institution will have the right technology in place to meet IT compliance requirements. With the right policies, procedures, practices, and the documentation to prove it, your financial institution will have the best opportunity to meet your examiner’s expectations. With automated systems and a centralized dashboard from which to monitor processes and generate reports, IT administrators can proactively ensure their institution maintains a strong compliance posture.

At Safe Systems we understand the ever-growing complexity of community financial institution IT operations and the enhanced regulatory requirements these institutions must meet. By making the decision to partner with Safe Systems, your organization will benefit from time-saving automation and an in-depth view of your IT network environment. We want to provide you with assurance that your institution’s IT network is functioning efficiently, optimally, securely, and, most importantly, is compliant with FFIEC regulations.


26 Feb 2015

FFIEC Issues New BCP Guidance

The FFIEC just issued new BCP guidance in the form of a 16-page addendum to the existing 2008 IT Handbook on Business Continuity Planning. It is titled “Appendix J: Strengthening the Resilience of Outsourced Technology Services”, and it has significant implications for both the financial institution and the service provider across the entire business relationship.

Resiliency

It begins by stressing that although outsourced relationships with technology service providers (TSPs) are an effective way for institutions to perform or support critical operations, the responsibility for overseeing these relationships resides with the Board and senior management. It focuses on these four key elements of resiliency:

  1. Managing the continuity risks of critical third-party relationships.
  2. Understanding the “concentration” risk when a third-party provides multiple services to you, or to multiple clients.
  3. Validating BCPs (theirs and yours) through testing.
  4. Assuring that your BCP can accommodate a disruption caused by a cyber-event.

The third-party management life-cycle begins prior to engaging the service provider, in the due diligence phase. At this point in the pre-contract stage, institutions should evaluate and thoroughly understand both the effectiveness of the vendor’s BCP and the process the vendor uses to manage its subcontractors. Institutions should also make sure the vendor’s recovery time objectives (RTOs) are in alignment with their own RTOs for processes dependent upon vendor services. For example, if the institution has a 24-hour RTO for its teller processes, it must assure that any outsourced services required for those processes meet or exceed that RTO.
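The RTO alignment rule above can be checked mechanically once the institution has inventoried its processes, the vendor services they depend on, and each vendor’s subcontractors. The following is an added example (not from the guidance or from Safe Systems) that goes one step beyond the paragraph: it rolls RTO and RPO up through the subcontractor chain, since a provider cannot recover faster than the subcontractors it depends on, and then lists every process whose target the effective figures fail to meet. All service and process names and hour values are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Service:
    """An outsourced service with its provider's stated recovery objectives (hours)."""
    name: str
    rto_hours: float
    rpo_hours: float
    subcontractors: list = field(default_factory=list)  # names of services it relies on

def effective_objectives(name, services, _seen=None):
    """Worst-case RTO/RPO of a service once its subcontractor chain is included.
    Raises on a circular dependency so a bad inventory is caught, not looped over."""
    _seen = _seen or set()
    if name in _seen:
        raise ValueError(f"circular subcontractor dependency at {name}")
    svc = services[name]
    rto, rpo = svc.rto_hours, svc.rpo_hours
    for sub in svc.subcontractors:
        sub_rto, sub_rpo = effective_objectives(sub, services, _seen | {name})
        rto, rpo = max(rto, sub_rto), max(rpo, sub_rpo)
    return rto, rpo

def alignment_gaps(processes, services):
    """processes: {process_name: (rto_hours, rpo_hours, [service names it depends on])}.
    Returns one gap record per service whose effective RTO or RPO exceeds the process target."""
    gaps = []
    for proc, (rto, rpo, deps) in processes.items():
        for dep in deps:
            eff_rto, eff_rpo = effective_objectives(dep, services)
            if eff_rto > rto or eff_rpo > rpo:
                gaps.append({"process": proc, "service": dep,
                             "required": (rto, rpo), "effective": (eff_rto, eff_rpo)})
    return gaps

# Constructed sample inventory (hypothetical vendors and figures, not real providers).
# core_processor advertises a 12-hour RTO but depends on a hosting subcontractor with 36 hours.
SERVICES = {
    "core_processor": Service("core_processor", 12, 1, ["data_center"]),
    "data_center": Service("data_center", 36, 4),
    "item_imaging": Service("item_imaging", 8, 2),
}
PROCESSES = {
    "teller": (24, 4, ["core_processor", "item_imaging"]),   # the 24-hour teller RTO from the text
    "lockbox": (48, 24, ["item_imaging"]),
}

if __name__ == "__main__":
    for gap in alignment_gaps(PROCESSES, SERVICES):
        print(gap)  # teller/core_processor: required (24, 4), effective (36, 4)
```

The vendor’s own 12-hour RTO satisfies the teller target; only after including its subcontractor does the gap appear, which is why the guidance asks for visibility into subcontracted relationships.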

Important Contract Provisions

Once the decision is made to engage the service provider, a contract is the best way to define the obligations on both sides. Some important contract provisions are:

  • The right-to-audit clause. This gives the institution the right to either audit the provider directly, or have access to any audit reports addressing the provider’s recovery capabilities. For most institutions, the ideal audit report to establish confidence in the resiliency of the provider is the SOC 2 report.
  • Contractually defined service level agreements (SLAs) relating to business continuity, such as clear recovery time and recovery point objectives.
  • In the event that the service provider defaults or otherwise does not meet their contractual obligations, what are your potential remedies?
  • If the vendor subcontracts, all contractual provisions (including SLAs) must also apply to the subcontractor.
  • Because foreign countries may have different data and information security standards, the contract must specify that any contractor based in a foreign country must agree to adhere to U.S. regulatory standards.
  • The contract should specify BCP testing requirements for service providers, including test frequency, and the ability of the financial institution to periodically participate.
  • Data governance, including data ownership, backup and handling during and after the relationship.
  • Service providers must respond and adhere to all relevant regulatory guidance, and contracts should allow the institution to request those responses.
  • Contracts must clearly specify how the provider addresses a security incident, including when and how the institution is notified.

Business continuity requirements and capabilities on both sides of the relationship will change over time, making ongoing monitoring the critical last phase in the management life-cycle. Periodic summary reports should be presented to the appropriate management committee(s) and to the Board, and any material changes should be reflected in the institution’s BCP and (if necessary) in the vendor contract.

Replacing Vendors

The guidance also requires institutions to consider the possibility that a critical provider may not be able to fulfill its obligations and may need to be replaced. This could occur over time, such as with a gradually deteriorating financial condition, or suddenly, because of a severe cyber-event or widespread disaster. Regardless of the circumstances, the institution must be prepared to minimize the impact and meet its internal recovery time objectives without the failed service provider. This means having a plan in place to either convert to a new service provider, or (as a last resort) to move the outsourced operations in-house.

Testing with the third party is given increased importance, and regulators will expect that institutions either participate in, or at the very least review the results of, service provider testing. Testing scenarios should include service provider outages, disruptions at the financial institution, cyber-events affecting either party, and cyber-attacks affecting both parties simultaneously. Test results should be presented to management committees and the Board for review, with a gap analysis and action plans for strengthening resiliency where needed.

Cybersecurity

Finally, the guidance addresses the importance of preventing, mitigating, detecting, and responding to a cyber-event. Since the cybersecurity landscape is constantly changing, preparedness is the key to resiliency. This includes periodically updating and testing the institution’s incident response plan, and including the third party in testing whenever possible. It also includes identifying, in advance, third-party forensic and incident management service providers that could be engaged if needed.


The implications of this guidance will be felt throughout the industry. Financial institutions will be expected to gain a much deeper understanding of provider recovery capabilities, which will require service providers to be much more transparent about all aspects of their business resiliency. Existing business continuity plans will require expansion to include more detailed information about the recovery capabilities of critical service providers, including their RTOs and RPOs. Service provider contracts may need to be modified to include new expectations, and perhaps most significantly, institutions should understand much more about any vendor subcontracted relationships. Simply put, both the vendor and the financial institution must work more closely together across the entire spectrum of the relationship to ensure the optimal resiliency of the institution.