Remember the FFIEC's 2015 Appendix J addition to the IT Examination Handbook? The addition covered business continuity planning for your technology service providers (TSPs). Appendix J set out a new standard for TSP contractual requirements, with the stated purpose of strengthening the resilience of outsourced technology services, and regulators expected financial institutions to adopt and implement it going forward.
Moving ahead to 2017, two years after the introduction of Appendix J, the FDIC's Office of Inspector General evaluated TSP contracts in light of the third-party vendor management responsibilities of insured, FDIC-supervised financial institutions (FIs). The evaluation, which sought to determine whether the earlier guidance had actually changed TSP contract terms, focused on cybersecurity readiness and responsibility, business continuity and incident response, and the use of subcontractors (aka your fourth parties).
Based on the findings of that evaluation, the Office of the Inspector General (OIG) of the FDIC issued report EVAL-17-004. According to the report, the OIG "did not see evidence, in the form of risk assessments or contract due diligence, that most of the FDIC-supervised FIs we reviewed fully considered and assessed the potential impact and risk that TSPs may have on the FI's ability to manage its own business continuity planning and incident response and reporting operations."
The report went on…
“Typically, FI contracts with TSPs did not clearly address TSP responsibilities and lacked specific contract provisions to protect FI interests or preserve FI rights. Contracts also did not sufficiently define key terminology related to business continuity and incident response.”
This is not the outcome any of us would have expected.
As a result, the FDIC OIG made a recommendation addressed to the FDIC's Division of Risk Management Supervision (RMS): communicate to FIs the importance of (1) fully considering and assessing the risks that TSPs present; (2) ensuring that contracts with TSPs include specific and detailed provisions that address FI-identified risks and protect FI interests; and (3) clearly defining the key contract terms needed to understand FI and TSP rights and responsibilities. In practice, that is the checklist examiners will be working from: a documented risk assessment for each TSP, contract provisions that map to the risks that assessment identified, and defined terms for business continuity and incident response rather than generic language.
In the meantime, it would be wise for your organization to revisit the 2015 Appendix J addition to the FFIEC IT Examination Handbook, review your existing TSP contracts against its contract provisions, and be aware of the implications this report may have for future examinations.