In response, the FDIC said it would work with other FFIEC agencies to update guidance on business continuity planning and incident response and that it would continue examinations and off-site monitoring of vendor management. Anecdotal reports from banks indicate that examiners are increasingly focusing on technology provider risk management. The report expressed concern that some banks “may not be sufficiently knowledgeable about or engaged in contract management” and would thus “attempt to transfer their inherent responsibility for [bank] continuity and information security to TSPs,” which the IG said will require examiners’ continued focus.
The report, issued after a review of 48 technology vendor contracts, found that nearly half included no discussion of business continuity. Forty-two percent included a “detailed” discussion, and 10% included only a “high-level” discussion. The report found:
Contract provisions that more specifically detail key business continuity issues could provide [banks] greater assurance that critical systems, services, and operations will be recovered and resumed timely and effectively when operations have been unexpectedly disrupted.
In terms of incident response, 65% of contracts included a detailed discussion of security and confidentiality, but only 23% covered performance standards in detail. The report also found that key terms in contracts lack specific definitions. The report found:
[Banks] may not be sufficiently engaged in writing and negotiating contracts to ensure their rights and TSP responsibilities are clearly defined. TSPs appear to be drafting the contracts and ensuring that their rights are protected more than the [banks].
Regulators continue to focus on vendor risk management, including through an interagency rulemaking on enhanced cyber risk management standards for which comments are due today. ABA staff will continue to monitor agency activities and communicate with all agencies as guidance and expectations evolve.
Read the report.