I’m looking at an FIL that came out recently (FIL-19-2019), and trying to figure out how to react to it. In your opinion, how do we “ensure that business continuity and incident response risks are adequately addressed” in our contracts? We do get copies of their BCP/IRP plans and their insurance, and we try to make sure things like IRTs in their documents match ours. Is there anything additional that you guys are suggesting we should do?
Based on the FIL, to successfully ensure that contracts with significant third-party providers* properly address business continuity and incident response, Financial Institutions should act to eliminate gaps with their key providers.
Here are the contractual specifics that examiners have identified as potential gaps in recent examinations:
- Some contracts do not require the service provider to maintain a business continuity plan, establish recovery standards, or define contractual remedies if the technology service provider misses a recovery time objective.
- Other contracts did not sufficiently detail the technology service provider’s security incident responsibilities. For example, details such as notifying the financial institution, regulators, or law enforcement in the event of a security or cybersecurity incident were not specified.
- Additionally, some contracts did not clearly define key contract terms used in contractual documentation relating to business continuity and incident response. Examples of undefined or unclear key terms include what constitutes a “security event” or a “service interruption”.
The FIL goes on to state that:
The FIL concludes by reminding FIs that under Section 3 of the Bank Service Company Act (BSCA), FIs have a responsibility to report all contracts and relationships with certain service providers. The FI is responsible for notifying regulatory agencies of a relationship with a new vendor within 30 days after the service contract is created or the performance of the service begins, whichever occurs first. The actual reporting form is here. I provide more information on this (and have even quoted Don Saxinger, who is still with the FDIC and listed as the agency contact on the FIL!) in a previous blog post.
In summary, I think examiners expect you to more closely scrutinize your critical vendor contracts, looking for gaps that might indicate unmitigated risks. One way we address this for our customers is through testing. When we conduct testing, whether it’s a traditional disaster or a cyber incident scenario, we incorporate discussion of the actual vendor contract specifics. For example: what does the contract say about the vendor meeting their recovery time objectives, and are their RTOs within ours? What does the contract say about incident notification if the vendor has a cyber incident involving our data? How do they define a “recovery incident” or a “security incident”, and how does that compare to our definition? These details matter because your recovery procedures depend on what your provider is, and is not, legally obligated to do, and all of that should be spelled out in the contract!
*According to regulators: “A third-party relationship should be considered significant if the institution’s relationship with the third party is a new relationship or involves implementing new bank activities; the relationship has a material effect on the institution’s revenues or expenses; the third party performs critical functions; the third party stores, accesses, transmits, or performs transactions on sensitive customer information; the third party markets bank products or services; the third party provides a product or performs a service involving subprime lending or card payment transactions; or the third party poses risks that could significantly affect earnings or capital.”