Appendix J - Quick Thoughts...

The new FFIEC Appendix J to the Business Continuity Planning booklet, issued February 23, 2015, impacts how we contract with vendors by setting specific requirements on what the contracts must include and what level of due diligence is expected prior to executing a contract, and it establishes new levels of expectation regarding the review of fourth party providers. Special emphasis is placed on recovery associated with large-scale cyber events and the vendor’s cyber resilience.
The FFIEC highlighted four key elements banks should address when contracting with Technology Service Providers (TSPs).
- The Vendor Management program should be risk-focused and provide oversight and controls to manage the risk of outsourcing. The VMO must maintain attention to due diligence, contracts management (see the OTS booklet) and ongoing monitoring of service providers, including the TSP’s subcontractors (fourth party providers).
- Capacity addresses the potential impact of a significant disruption of service and the vendor’s ability to restore multiple clients.
- Testing with our vendors addresses the importance of validating the vendor’s ability to recover.
- Cyber resilience covers the unique disruptions caused by cyber events (e.g. DDoS attacks, zero-day attacks, malware, insider threats, etc.).
Note: The Federal Reserve emphasized service providers are “broadly defined to include all entities that have entered into a contractual relationship with a financial institution to provide business functions or activities.” (See FRB SR13/19)
Contracts must include:
- Right to Audit
- Service Level Agreements
- Default and Termination
- Subcontracting provisions
- Data Controls (especially for foreign-based service providers)
- BCP Testing
- Data Governance
- TSP updates regarding regulatory changes
- Security and Data Breach
The guidance requires that the financial institution consider the maturity of the technology and the benefits and risks of its use. All new technology should be fully reviewed to determine whether new risks are being introduced, such as risks associated with shared access to data, authentication weaknesses and new exploits. The Bank will assess the effectiveness of the TSP’s business continuity program with a focus on recovery capabilities and capacity. Further, the Bank must understand whether the vendor subcontracts, and if so, what the fourth party’s BCP program is. Are the vendor’s and its subcontractors’ programs in alignment with the Bank’s BCP program?
Testing must be part of the due diligence process and ongoing monitoring of the vendor and its fourth parties. This ensures the resilience of outsourced technology services. “The financial institution should perform periodic in-depth assessments of the [vendors] control environment, including BCP, through the review of service provider business continuity plan testing activities, independent and/or third party assessments, and management information systems reports to assess the potential impact on the financial institution’s business resilience.”
The phrase “Cyber Resilience” is new language from the FFIEC, but the concept itself is not. Banks face a very real threat from the growing sophistication and volume of cyber threats. Individuals, groups and even governments have developed new skills and techniques to disrupt operations, corrupt files and steal data. When testing and reviewing due diligence documentation, consideration must be given to the impact a large-scale cyber event may have on operations and on the ability to recover. These ever-evolving threats must be properly managed to ensure cyber resilience. Additionally, the vendor’s capacity to recover across all of its customers in a timely manner must be considered.