Blog: BCP

On April 2, 2019, the Federal Deposit Insurance Corporation (FDIC) released a new financial institution letter (FIL-19-2019) called "Technology Service Provider Contracts."

Why was this guidance published?

When FIL-19-2019 was published, it had been five years, almost to the date, since the last vendor management guidance was released by the FDIC (see FIL-13-2014, published on April 7, 2014). Presumably, it was a good time for a reminder about vendor management expectations.

In addition, the guidance stated that recent FDIC examination findings noted some financial institution contracts with Technology Service Providers (TSPs) lacked sufficient detail around business continuity and incident response.

What does it mean when the guidance states contracts "do not adequately" address some risks?

In recent exams, the FDIC was looking for a few key areas to be covered in TSP contracts, but the contracts did not always meet those expectations. Missing items included:

  • A Business Continuity Plan (BCP): Contracts should require TSPs to have BCP and acceptable recovery standards.
  • Remedies: Contracts should include assurance of compensation if a business disruption occurs and the TSP fails to restore services in the established timeframe.
  • Notification Requirements: Contracts should define who the TSP should contact (e.g., the financial institution, regulators, law enforcement, etc.) and in what timeframe, if an incident occurs.
  • Key Terms: Contracts should define what constitutes a "business disruption" or an "incident," since rights and responsibilities could be debatable without clear definitions.

How can you ensure TSP contracts are "adequate"?

It would be beneficial for you to review your TSP contracts again with these items in mind, especially if they are long-term or automatically renewing contracts. If your existing contracts are not sufficient in these areas, it is important to note that the financial institution is still responsible for assessing and applying controls to mitigate the risk.

What controls can you apply to ensure you are covered?

In vendor management, your primary control is performing adequate oversight, which is something you should already be doing. The FDIC seems to recognize this since a significant percentage of the FIL recaps guidance that already exists.

For more specific recommendations though, if your contract with a TSP does not clearly define business continuity and incident response requirements:

  • Request and Review Their BCP: Find out if your TSP actually has one and if they'd be willing to share it with you. You don't necessarily need their whole BCP; you just need to know that they have a plan and it is routinely tested.
  • Update Your BCP: If the TSP does not have a BCP or you find it inadequate, it is the financial institution's responsibility to compensate for that gap. Update your BCP to describe how you would continue to offer services to your customers or members if your TSP's services are unavailable.
  • Conduct More Frequent Reviews: Whatever the contract says, it is important to periodically confirm the TSP is holding up their end of the deal. You may want to assess this more often if the contract is weak in the areas of business continuity and incident response.
  • Renegotiate the Contract: Depending on the financial institution's risk tolerance, if the contract is deemed "inadequate," it may benefit the financial institution to consider renegotiation or an alternative TSP.

In Summary

Contracts with TSPs should address business continuity and incident response. The FDIC recommends financial institutions contractually require the TSP to have a BCP, as well as contractually define remedies, notification requirements, and key terms.

If existing TSP contracts do not stipulate these items, you should consider additional oversight options, such as requesting and reviewing their BCP documentation, updating your BCP, reviewing the TSP more frequently, or renegotiating the contract.

Does CoNetrix have anything that can help with this?

Absolutely. The Tandem Vendor Management software includes suggested significance questions, designed to help you determine if you need BCP documentation from your vendors. The module also includes a contract review template, designed with business continuity and incident response in mind. Learn more about Tandem Vendor Management.



Today the Federal Financial Institutions Examination Council (FFIEC) issued an update to the FFIEC IT Handbook, BCP Booklet.  The update included a new appendix entitled Strengthening the Resilience of Outsourced Technology Services.  The appendix highlights and expands on the BCP Booklet in four specific areas: third-party management, third-party capacity, testing with third-party technology service providers, and cyber resilience.  To learn more, visit https://www.ffiec.gov/press/pr020615.htm  


Recently, an information security audit customer of ours lost a backup domain controller and contacted their network vendor to rebuild the machine. The bank thought everything was in order until three months later, when it was audited. The audit discovered that the rebuilt machine had never been promoted back to a domain controller and that no antivirus software had been installed. When the bank contacted its network vendor, it was told there were some issues the vendor "meant to get back to". Regardless of the error assigning the domain controller role, the vendor still should have installed antivirus and the other applications the bank requested.

Why were steps missed? No equipment recovery checklists had been created in the bank's Business Continuity Plan (BCP), so the vendor had no detailed list of steps to take in order to recover the machine. That leads to both lost time and missed steps when rebuilding equipment. Ensure equipment recovery checklists exist for the critical components of your infrastructure, and verify the rebuilt system against the checklist before it is returned to service.
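A recovery checklist is only useful if someone actually walks it after the rebuild. The script below is an added example (not from the original post or from CoNetrix) that turns the checks in the story above into a post-rebuild verification for a restored domain controller: is the machine a domain controller again, are the AD DS services up, is replication healthy, is antivirus present and current, and are the applications the institution requires installed. It assumes Windows Server with the AD DS role tools (for repadmin) and Windows Defender; if a third-party antivirus product is used, replace the WinDefend check with that product's service name. The required-application names are placeholders.

```powershell
# Post-rebuild verification for a restored domain controller.
# Added example, not the original post's own code. Run as a domain admin on
# the rebuilt server. Service names and the required-application list below
# are assumptions; adjust them to your institution's build standard.

$results = @()
function Add-Check {
    param([string]$Name, [bool]$Passed, [string]$Detail)
    $script:results += [pscustomobject]@{ Check = $Name; Passed = $Passed; Detail = $Detail }
}

# 1. Is this machine actually a domain controller again?
#    Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
Add-Check 'Domain controller role' ($cs.DomainRole -ge 4) `
    "DomainRole=$($cs.DomainRole), PartOfDomain=$($cs.PartOfDomain)"

# 2. Core AD DS services must be running.
foreach ($svc in 'NTDS', 'Netlogon', 'Kdc', 'DNS') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    $status = if ($s) { $s.Status } else { 'missing' }
    Add-Check "Service $svc running" ($null -ne $s -and $s.Status -eq 'Running') "Status=$status"
}

# 3. Replication with the other domain controllers (repadmin ships with the AD DS role tools).
$repl = & repadmin /showrepl /csv 2>$null | ConvertFrom-Csv
$failed = @($repl | Where-Object { $_.'Number of Failures' -ne '0' })
Add-Check 'AD replication' ($null -ne $repl -and $failed.Count -eq 0) `
    "$($failed.Count) failing links of $(@($repl).Count)"

# 4. Antivirus present, running and current. The SecurityCenter2 WMI namespace is not
#    available on server editions, so check the Defender service directly and, when the
#    Defender module is present, real-time protection and signature age.
$av = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
$avOk = ($null -ne $av -and $av.Status -eq 'Running')
$avDetail = if ($av) { "WinDefend=$($av.Status)" } else { 'WinDefend service missing' }
if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    $mp = Get-MpComputerStatus
    $avOk = $avOk -and $mp.RealTimeProtectionEnabled -and ($mp.AntivirusSignatureAge -le 7)
    $avDetail += ", RealTime=$($mp.RealTimeProtectionEnabled), SigAgeDays=$($mp.AntivirusSignatureAge)"
}
Add-Check 'Antivirus active and current' $avOk $avDetail

# 5. Other software the bank requires on every server (placeholder names, an assumption).
$requiredApps = @('Backup Agent', 'Log Forwarder')
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$installed = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
             Select-Object -ExpandProperty DisplayName
foreach ($app in $requiredApps) {
    $found = [bool]($installed -match [regex]::Escape($app))
    Add-Check "Installed: $app" $found $(if ($found) { 'present' } else { 'not found in Uninstall registry keys' })
}

# Print the checklist and fail the run if anything did not pass, so the
# result can gate hand-back of the server (for example from a scheduled task).
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Passed }) { exit 1 } else { exit 0 }
```

The point of scripting the checklist is that the output is a dated record of what was verified, which is exactly what was missing in the story above: the bank had no way to know the rebuild was incomplete until an auditor looked three months later. Keep the script with the recovery procedure in the BCP and require the vendor to attach its output when the rebuilt machine is handed back.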



CoNetrix is pleased to announce the release of Tandem, new security and compliance software. Tandem was developed to help financial institutions complete and maintain an Information Security Program (per GLBA and the Interagency Guidelines Establishing Information Security Standards).  While Tandem was designed as a complete solution from the ground up, it was fashioned into modules which allow for versatility.  The modules include risk assessment, policies, vendor management, and business continuity planning.  Each module was released as it was completed.

To read the full press release, visit http://news.yahoo.com/s/prweb/20100216/bs_prweb/prweb3598024_2



The Financial Services Information Sharing and Analysis Center (FS-ISAC) and the Independent Community Bankers Association (ICBA), along with a variety of payment systems industry partners, are planning a Cyber Attack against Payment Processes (CAPP) exercise. The three-day exercise is scheduled for February 9-11 and will simulate a different attack scenario each day. There is no charge to participate in this exercise. The deadline to register is January 29th. To read more or register, visit http://www.fsisac.com/capp/.



CoNetrix is pleased to announce the CoNetrix Information Security Risk Assessment software and Business Continuity Planning (BCP) software are candidates for the BankNews 2009 Innovative Solutions Award.

The Innovative Solutions Award, sponsored by BankNews, recognizes companies that have introduced or enhanced a product or service designed to help banks better serve their customers.  Entries are divided into four categories:

  1. Architectural/Equipment Solutions
  2. Consulting/Outsourcing/Training Solutions
  3. Management Software Solutions
  4. Online/Remote/Mobile Solutions

The CoNetrix Risk Assessment tool is listed under category 2, "Consulting/Outsourcing/Training Solutions", and the BCP tool is listed under category 3, "Management Software Solutions".

To vote now, go to http://www.banknews.com/2009-Entries.704.0.html

To learn more about the Innovative Solutions Award, visit http://www.banknews.com/



The FFIEC released the new Business Continuity Planning (BCP) IT Examination Handbook this month.  The prior BCP IT Examination Handbook was released in March, 2003.  A few new key areas include:

  • Pandemic Planning
  • More emphasis on:
    • Business Impact Analysis (BIA)
    • Risk Assessment
    • Testing

The new BCP IT Examination Handbook has been greatly expanded. To give you an idea, the old BCP booklet (March 2003) was only 57 pages, while the new booklet (March 2008) is 132 pages, more than twice the size. That growth is itself an indication of the new importance and emphasis placed on Business Continuity.

To view the new BCP IT Examination Handbook, go to http://ithandbook.ffiec.gov/it-booklets/business-continuity-planning.aspx.  You can also check out our BCP Software offering.