On February 6, 2015, the FFIEC issued a new appendix titled "Strengthening the Resilience of Outsourced Technology Services" to the "Business Continuity Planning" booklet of the FFIEC Information Technology Examination Handbook. This new appendix discusses the following four key elements financial institutions should address related to Technology Service Providers (TSPs).
"Establishing a well-defined relationship with TSPs is essential to business resilience. A financial institution's third-party management program should be risk-focused and provide oversight and controls commensurate with the level of risk presented by the outsourcing arrangement."
The guidance focuses on the following third-party management components:
- Due Diligence: Institutions should thoroughly evaluate TSPs before engaging with them.
- Contracts: Agreements with TSPs should be defined and reviewed prior to execution.
- Ongoing Monitoring: Institutions should ensure effective, continuous monitoring.
"An increasing concentration risk corresponds to financial institutions' increased use of third-party service providers. That, in conjunction with industry consolidation, has resulted in fewer, more specialized TSPs providing services to larger numbers of financial institutions. This trend increases the potential impact of a scenario in which a TSP is required to support recovery services to large numbers of financial institutions due to a widespread disaster. In addition, a business disruption at a single TSP may affect critical services provided to a large number of institutions dependent on those services."
The guidance suggests several steps institutions can take with their TSPs to plan for possible failure of critical services:
- Discuss scenarios of significant disruptions that may necessitate transitioning critical services.
- Assess immediate needs for space, systems, and personnel capacity to absorb, assume, or transfer failed operations.
- Identify recovery options and develop plans to address restoration of key services.
Testing with Third-Party TSPs
"Testing is a critical step in the cyclical BCP process and should be sufficient in scope and rigor to demonstrate the ability to meet recovery objectives, regardless of whether a service is performed in-house or is outsourced."
The guidance notes it may be difficult in some cases, particularly with larger TSPs, to test all of their clients annually. However, financial institutions should work to participate in appropriate testing, understand the TSP's testing process, and ensure testing is adequate to meet their continuity expectations. In addition, institutions should develop plausible and realistic test scenarios and tests should continue to increase in scope and effectiveness over time.
"The increasing sophistication and volume of cyber threats and their ability to disrupt operations or corrupt data can affect the business resilience of financial institutions and TSPs. Financial institutions, and their TSPs, need to incorporate the potential impact of a cyber event into their BCP process and ensure appropriate resilience capabilities are in place."
The guidance discussed the following cyber landscape risks that should be managed to achieve resilience:
- Malware: Malware represents a continuous and growing threat in our cyber world. The guidance suggests financial institutions and TSPs should use a layered anti-malware strategy to protect against malicious software. This layered approach may include things like; traditional signature-based anti-malware systems, integrity checks, anomaly detection, system behavior monitoring, hardening standards, security awareness training, and strong controls on things like passwords, mobile devices, and social networks.
- Insider Threats: Cyber threats can be initiated from within the institution or TSP. Some controls to consider may include; employee screening, dual controls, and segregation of duties.
- Data or Systems Destruction and Corruption: Some cyber attacks may simultaneously target production and backup data for destruction or corruption. Controls to consider may include; segregation of replicated backup data files, read-only backup, or "air-gap".
- Communication Infrastructure Disruption: Attacks such as DDoS can be used to disrupt communications. The guidance states the FFIEC recognizes that is may be difficult for an institution to achieve complete data communication resilience, but institutions should explore alternatives.
- Simultaneous Attack on Financial Institutions and TSPs: Traditional continuity planning has assumed separation by geography to be a strong control as a disaster in one geographic area will not likely affect a different geographic area. The guidance suggests cyber attacks are not limited by geographic area and institutions should take this into consideration within their BCP.
The guidance continuously maintains that regardless of whether a system, service, or process is managed by the financial instruction or a TSP, the financial institution's management and board are responsible for the oversight and assurance of continuing operations in a timely manner.
To access "Appendix J: Strengthening the Resilience of Outsourced Technology Services," visit http://ithandbook.ffiec.gov/it-booklets/business-continuity-planning/appendix-j-strengthening-the-resilience-of-outsourced-technology-services.aspx