Do you have outsourced technology services? If so, are you getting a copy of their business continuity plans? More importantly, do you know what you're looking for when you review them? Due diligence document gathering and reviewing is a critical part of outsourcing. While the service is provided by another company, your institution still maintains responsibility, and ultimate accountability, to your customers. That's where due diligence documents come into play.
First, what is an outsourced technology service? This is a service that provides technology solutions for your bank. This doesn't necessarily include every vendor who uses technology to deliver their service to you, but rather those providing solutions to your technology needs. To help determine whether something is a technology service, ask: "Would the bank be significantly affected if the vendor's services were temporarily unavailable?" I take "significantly affected" to mean irreparable damage to the bottom line or to customer confidence due to a service disruption from any cause. Only if the answer to this question is yes are you likely looking at an outsourced technology service.
Second, where do we find guidance for due diligence regarding these kinds of vendors? The current answer: FFIEC Business Continuity Management Booklet. The FFIEC released a brand new version of the booklet in November 2019, previously titled the Business Continuity Planning booklet. For some history, in 2015, the FFIEC released an addition to the BCP Booklet known as Appendix J. This appendix offered information about the cross-section between the BCP Booklet (2008) and the Outsourcing Technology Services Booklet (2005). It discussed what BCP things you needed to know about vendors you are using to outsource technology services. Now the contents of this appendix, among the other appendices, are fully integrated into the booklet content. There's your indicator that vendor BCP documentation is important if there ever was one!
The guidance calls out three important things about your vendor's business continuity documentation, and these also tell you where to focus during your vendor review process.
Does the vendor maintain documentation of their business continuity management?
Vendor preparedness is key to your ability to maintain business as expected. Ensure the vendor has official documentation that both exists and is kept up to date. There are several important elements to look for to confirm they will be able to deter cyber incidents and recover from them: data backup, data integrity controls, alternate communication providers, a layered anti-malware strategy, a disaster recovery plan, an incident response plan, and prearranged forensic and incident management services. Ideally, documentation for each of these elements will be included as part of the vendor's business continuity documentation. If you don't see it, be sure to ask about it.
Are the vendor's Recovery Time Objectives and Recovery Point Objectives sufficient for the services contracted to your organization?
Know when the vendor intends to restore service to you after a disruption (RTO) and how much data loss they consider acceptable (RPO). Before you begin working with a vendor, know what their recovery expectations are and be sure they meet your expectations. If you are willing to be without service for 60 minutes, ensure they will have service restored to you in 60 minutes or less. If you are given a BCP summary that doesn't include RTO and RPO, insist on getting the information. You may also find it as part of the contract, the service level agreement, or even in a SOC report in some cases.
What does the vendor do for BCP testing?
Critical services should be tested at least annually. Be sure the testing includes the services you receive. Just because a vendor does testing, that does not guarantee the service provided to you was considered during that testing. Be sure you see enough detail to know that their test scenarios include plausible, significant events. A small hiccup is not what you are concerned about, nor is the zombie apocalypse. Think plausible, like a hurricane near the coast, and significant, like something that takes out their entire headquarters. If any gaps in the plan were found during testing, ensure you will have documentation of their remediation plans and the status of those changes.
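To make the three review questions above repeatable across vendors, here is an added example (not part of the original post, and not any FFIEC tool) that scores a transcribed vendor BCP summary against the bank's own tolerances: the documented elements checklist, RTO/RPO sufficiency per contracted service, and test recency, scope and gap remediation. The dictionary layout and the sample vendor values are constructed for illustration.

```python
from datetime import date
# Elements the article says to look for in the vendor's business continuity documentation.
REQUIRED_ELEMENTS = {"data backup", "data integrity controls", "alternate communication providers",
                     "layered anti-malware strategy", "disaster recovery plan",
                     "incident response plan", "prearranged forensic and incident management services"}

def review_vendor_bcp(vendor, bank_needs, today):
    """Return a list of findings (empty means no gaps). Dict layout is constructed, not an FFIEC schema."""
    findings = []
    # 1. Does documentation exist and cover each expected element?
    for element in sorted(REQUIRED_ELEMENTS - set(vendor.get("documented_elements", []))):
        findings.append(f"ask vendor: no documentation of '{element}'")
    test = vendor.get("last_test")
    # 2. Are RTO/RPO stated, and within our tolerance, for each service we contract?
    for service, need in bank_needs.items():
        offered = vendor.get("services", {}).get(service)
        if offered is None:
            findings.append(f"{service}: not addressed in vendor BCP documentation")
            continue
        for metric in ("rto_minutes", "rpo_minutes"):
            if offered.get(metric) is None:
                findings.append(f"{service}: {metric} not stated; check contract, SLA or SOC report")
            elif offered[metric] > need[metric]:
                findings.append(f"{service}: {metric} {offered[metric]} exceeds our limit of {need[metric]}")
        # 3a. Was the service we actually receive in scope of the vendor's last test?
        if test and service not in test.get("services_in_scope", []):
            findings.append(f"{service}: not exercised in the vendor's last BCP test")
    # 3b. Is testing at least annual, and is every gap found tracked to remediation?
    if not test:
        findings.append("no evidence of BCP testing")
    else:
        if (today - test["date"]).days > 365:
            findings.append(f"last BCP test ({test['date']}) is more than a year old")
        for gap, status in test.get("gaps", {}).items():
            if not status:
                findings.append(f"test gap '{gap}' has no documented remediation status")
    return findings
# Constructed sample: a core-processing vendor's BCP summary as a reviewer might transcribe it.
SAMPLE_VENDOR = {
    "documented_elements": ["data backup", "data integrity controls", "alternate communication providers",
                            "layered anti-malware strategy", "disaster recovery plan", "incident response plan"],
    "services": {"core processing": {"rto_minutes": 240, "rpo_minutes": 15},
                 "online banking": {"rto_minutes": 60, "rpo_minutes": None}},
    "last_test": {"date": date(2024, 3, 10), "services_in_scope": ["core processing"],
                  "gaps": {"generator fuel contract": "", "failover DNS": "closed 2024-05-01"}}}
SAMPLE_BANK_NEEDS = {"core processing": {"rto_minutes": 60, "rpo_minutes": 15},
                     "online banking": {"rto_minutes": 60, "rpo_minutes": 5}}
def example_review():
    return review_vendor_bcp(SAMPLE_VENDOR, SAMPLE_BANK_NEEDS, date(2025, 6, 1))
```

Each finding maps back to one of the three questions, so the output doubles as the list of follow-up requests to send the vendor.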
Vendors, especially technology service providers, are an extension of your bank. It is wise to be diligent in gathering, reviewing, and confirming their plans for business continuity to protect you and your customers.