February saw a new appendix added to the FFIEC's Business Continuity Planning (BCP) Handbook.  Appendix J: Strengthening the Resilience of Outsourced Technology Services marries two areas of information security that banks have been working on for years – vendor management and business continuity.  As cloud computing and the outsourcing of technology services become more and more common, banks are depending on vendors for extremely critical aspects of business.  Creating a BCP with recovery expectations without considering a vendor's (or multiple vendors') restoration abilities would be bad planning on the bank's part and could result in unhappy surprises should a disaster or business interruption occur.

The new appendix consists of four areas regarding outsourced technology services and business continuity:

  • Third-Party Management – This section reinforces the importance of managing vendor risks with due diligence and oversight.  It also emphasizes contract reviews to make sure the bank is protected and that security and continuity expectations are explicitly defined.  A disaster is not the right time for those terms to be negotiated.
  • Third-Party Capacity – It is important to have realistic expectations about a vendor's ability to restore service following a disaster or business interruption.  If your vendors are also servicing other banks or businesses in the area, restoration goals will more than likely be affected.  It's also important for banks to create termination contingency plans for some critical vendors to know what the bank will do when the relationship ends – whether services will be outsourced to another vendor or brought in-house.
  • Testing with Third-Party Technology Service Providers – Banks are already required to test their BCP with increasing levels of complexity.  If you're doing the same tests each year, it might be time to explore other ways of ensuring your plan is adequate.  Scenarios mentioned in the appendix are a vendor's outage, bank outage, cyber events affecting the bank, and a simultaneous attack on the bank and its service provider.  I've seen many BCPs that are preparing for a physical disaster with plans to immediately fail over to other branches, but are your recovery plans also preparing for a lost connection to critical vendor services or the inability to access network files?  Exploring and testing different scenarios helps you see where your plan could be improved.  This section also emphasizes the importance of reviewing or being involved in your critical vendors' testing.
  • Cyber Resilience – Every good BCP is founded on risk assessment and management.  Planning for disasters can be difficult when threats and their likelihood are not known.  Many people view business continuity from a purely natural disaster standpoint, and it's time to expand business interruption planning to malicious attacks meant for financial gain or just to cause trouble.  Are your incident response procedures also up-to-date, and do they match up against today's threat landscape?  Is your Incident Response Team aware of and familiar with your procedures?  Has the bank had conversations about the potential need for third-party forensic and incident management services?  These are good questions to ask long before a cyber incident has occurred.

The concepts addressed in the appendix are not new.  It's just that they've been living separate lives until now.  Your vendor manager has probably been collecting BCPs and BCP tests from some of your critical vendors.  Your BCP manager has been testing your plan and tweaking restoration expectations.  Have these two been collaborating on whether the bank's continuity expectations align with what the vendor can reasonably provide?  I wouldn't assume so, even if your vendor manager and BCP manager are the same person, until you've had the conversations this appendix is asking you to have.