The FFIEC just issued new BCP guidance in the form of a 16-page addendum to the existing 2008 IT Handbook on Business Continuity Planning. It is titled “Appendix J: Strengthening the Resilience of Outsourced Technology Services”, and it has significant implications for both financial institutions and service providers, across the entire business relationship between the two.
The following excerpt summarizes the intent of the update pretty succinctly:
A financial institution should be able to demonstrate the ability to recover critical IT systems and resume normal business operations regardless of whether the process is supported in-house or at a TSP (technology service provider) for all types of adverse events (e.g., natural disaster, infrastructure failure, technology failure, availability of staff, or cyber attack).
The appendix is focused on third-party Technology Service Providers (TSPs), and is organized in four sections (with associated sub-sections):
- Third-party management
  - Due Diligence
  - Ongoing Monitoring
- Third-party capacity
  - Significant TSP Continuity Scenarios
  - TSP Alternatives
- Testing with third-party TSPs
  - Testing Scenarios
  - Testing Complexity
- Cyber resilience
Assuming that you already have a relatively compliant* business continuity plan, I see several areas that may need immediate attention:
- Vendor management. Expect expanded vendor pre-contract due diligence and ongoing oversight, including a detailed understanding of how the vendor manages its subcontractors. The guidance also introduces the concept of “concentration risk”: the increased use of, and over-reliance on, one or more key service providers.
- Contracts. Expect increased contract requirements, including provisions related to subcontracting (see above), the right to audit, data ownership and handling, and how the service provider plans to respond to new guidance and regulations.
- Testing. Expect an expanded testing section, including participation in critical vendor testing.
- Cyber security. Cyber events should be factored into all aspects of your BCP, with emphasis on responding effectively to a cyber attack. Expect your incident response planning and testing to get increased scrutiny as well.
There is one more element of the guidance that may prove to be the most challenging of all for outsourced institutions. In the past, manual procedures were always the primary alternative to automation, but because of the increased dependence on outsourcing, it may no longer be feasible for an institution to operate manually for any length of time. In those situations the guidance suggests that you have an alternative service provider identified to assume operations, or that you consider the possibility of moving the operations in-house. Since the guidance admits that the latter option is likely not a valid one, that really only leaves the alternate provider as a possible solution. Of course, any institution that has converted its core system to a new provider knows that the process is fraught with challenges even when the conversion is anticipated and carefully planned. Undertaking the process after a sudden disruptive event is almost unthinkable, but going forward the guidance expects you to be prepared to do so.
* A compliant BCP is built around a business impact analysis which identifies all critical business processes and their interdependencies, establishes clearly defined recovery time and recovery point objectives (RTOs and RPOs) for each process, specifies recovery procedures sufficient to restore process functionality within those RTOs, and then validates all procedures via testing.
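Two of the points above lend themselves to a mechanical check once the business impact analysis is written down: the RTO of a process can never be tighter than the RTO of something it depends on (the interdependencies in the footnote), and several critical processes riding on the same TSP is exactly the concentration risk the guidance calls out. The script below is an added illustration of both checks, not code from the original post or from the FFIEC guidance. The process inventory, the provider names (“Acme Core”, “PayCo”) and the hour values are constructed sample data; the `threshold` for flagging a provider is an assumed policy parameter.

```python
"""Sanity checks over a business impact analysis (BIA) inventory.

Added example; the inventory below is constructed, not taken from any
institution or from the FFIEC guidance.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Process:
    name: str
    rto_hours: float                  # recovery time objective
    rpo_hours: float                  # recovery point objective
    provider: str                     # "in-house" or the supporting TSP (constructed names)
    depends_on: list = field(default_factory=list)


# Constructed sample BIA: a small outsourced institution with one core TSP.
SAMPLE_BIA = {p.name: p for p in [
    Process("core processing", rto_hours=8, rpo_hours=0.25, provider="Acme Core"),
    Process("online banking", 4, 1, "Acme Core", depends_on=["core processing"]),
    Process("mobile banking", 6, 1, "Acme Core", depends_on=["online banking"]),
    Process("wire transfers", 4, 0.5, "Acme Core", depends_on=["core processing", "network"]),
    Process("network", 2, 0, "in-house"),
    Process("payroll", 72, 24, "PayCo"),
]}


def transitive_dependencies(name, processes):
    """Every process `name` depends on, directly or indirectly (cycle-safe)."""
    seen, stack = set(), list(processes[name].depends_on)
    while stack:
        dep = stack.pop()
        if dep in seen:
            continue
        seen.add(dep)
        stack.extend(processes[dep].depends_on)
    return seen


def rto_violations(processes):
    """Return (process, dependency) pairs where the process promises recovery
    sooner than a process it cannot run without, i.e. an RTO that is not
    achievable as written."""
    violations = []
    for name, proc in processes.items():
        for dep in transitive_dependencies(name, processes):
            if proc.rto_hours < processes[dep].rto_hours:
                violations.append((name, dep))
    return violations


def concentration_risk(processes, threshold=2):
    """Return {provider: [processes]} for every outside TSP that supports
    `threshold` or more critical processes. In-house work is not a TSP
    dependency, so it is excluded."""
    by_provider = defaultdict(list)
    for proc in processes.values():
        if proc.provider != "in-house":
            by_provider[proc.provider].append(proc.name)
    return {p: sorted(names) for p, names in by_provider.items()
            if len(names) >= threshold}


if __name__ == "__main__":
    for proc, dep in rto_violations(SAMPLE_BIA):
        print(f"RTO of '{proc}' is tighter than its dependency '{dep}'")
    for provider, names in concentration_risk(SAMPLE_BIA).items():
        print(f"Concentration risk: {provider} supports {', '.join(names)}")
```

On the sample data the three customer-facing processes all claim a shorter RTO than the core system they run on, which is the kind of inconsistency that only surfaces when interdependencies are recorded rather than assumed, and every one of them sits with the same TSP. Real inventories will be larger, but the two checks stay the same.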