On February 6, 2015, the FFIEC released an appendix to the Business Continuity Planning Handbook called "Appendix J: Strengthening the Resilience of Outsourced Technology Resources." The appendix addressed four primary areas:
- Third-Party Management
- Third-Party Capacity
- Testing with Third-Party TSPs
- Cyber Resilience
I don't know about you, but when I first saw the abstract, I did a double-take to make sure I was in the right handbook. Was the FFIEC talking about business continuity planning or about third-party oversight? Well, they were talking about both. If you have a vendor who "performs or supports critical operations," then your metaphorical wagon is hitched to theirs. If they go over a cliff, you do too, and your customers may go down with you. In light of recent cyberattacks, this causes great concern among the Agencies. Thus, Appendix J was born.
The appendix contains some pretty big bombshells. Today, I'm going to talk about three that essentially sum up the entire appendix:
"As part of its due diligence, a financial institution should [1] assess the effectiveness of a TSP's business continuity program, with particular emphasis on recovery capabilities and capacity. In addition, an institution should [2] understand the due diligence process the TSP uses for its subcontractors and service providers. Furthermore, the financial institution should [3] review the TSP's BCP program and its alignment with the financial institution's own program, including an evaluation of the TSP's BCP testing strategy and results to ensure they meet the financial institution's requirements and promote resilience."
1. Assess the Effectiveness of a TSP's Business Continuity Program.
The key word here is "effectiveness." What good is a business continuity plan if it isn't going to do something useful?
Under the umbrella of vendor oversight, the guidance states three things that you must do to help validate the effectiveness of your third party's BCP:
- "Discuss scenarios of significant disruptions."
- "Assess their immediate […] capacity to absorb, assume, or transfer failed operations."
- "Identify the most plausible range of recovery options and develop business continuity plans."
These three points effectively echo your existing information security program: Risk Assessment, Incident Response, and Disaster Recovery. The new expectation is that you will talk with your vendors about it. Find out what their risk assessment says about malware, data corruption, and cyberattacks. Ask if their incident response plan lays out where they would go and what systems they would use in the event of a disaster. Most importantly, make sure that you know what they'll do to get your services back up and going after a disaster.
2. Understand the Due Diligence Process the TSP Uses For its Subcontractors and Service Providers.
Growing up, my parents always told me, "Be very careful who you marry because when you say 'I do,' you marry a family." I recently got engaged and I am just beginning to understand what they meant by that. In-laws can be the most wonderful thing in the world. They can also be the most dreadful. Either way, their actions possess the ability to have a drastic impact on your significant relationships.
When your financial institution "marries" a TSP, you get the in-laws. So, it would be wise to know what you're getting into before you say "I do."
That is exactly why you need to understand your TSP's due diligence process. You need to be aware of your third party's significant relationships. If your TSP can show that they successfully manage their service providers and aren't going to be completely dependent upon them in the event of an emergency, then you should be able to move forward in a confident and stable relationship.
3. Review the TSP's BCP Program and its Alignment with the Financial Institution's Own Program.
Now that you know your significant TSP has a risk assessment, business continuity plan, and vendor oversight program, you need to make sure that it works with yours. If you need a system up and going in two hours, will your vendor be able to accomplish that? If your third party becomes unable to provide services, do either of you have a backup plan?
According to the appendix, "It is critical that the TSP have sufficient capacity to meet RTOs and RPOs needed by the financial institution clients." The only way you can know your vendor's capacity is through testing and making sure that together, you can withstand and recover from a cyberattack or other emergency in a timely fashion.
Bottom Line: When you sign that contract, your third party becomes a part of you, for better or worse. Therefore, if the Agencies expect something of you, you should expect it from your critical TSPs, because we can't just maintain security anymore. We must promote resilience.