Bankruptcy and Vendor Performance

News Updates by Bradley Martin
The new FFIEC Appendix J to the Business Continuity Planning booklet, issued February 23, 2015, impacts how we contract with vendors: it sets specific requirements on what the contracts must include, defines the level of due diligence expected prior to executing a contract, and establishes new expectations regarding the review of fourth party providers. Special emphasis is placed on recovery from large scale cyber events and on the vendor’s cyber resilience.
The FFIEC highlighted four key elements banks should address when contracting with Technology Service Providers (TSPs).
Note: The Federal Reserve emphasized service providers are “broadly defined to include all entities that have entered into a contractual relationship with a financial institution to provide business functions or activities.” (See FRB SR13/19)
Contracts must include:
The guidance requires the financial institution to consider the maturity of the technology and the benefits and risks of its use. All new technology should be fully reviewed to determine whether new risks are being introduced, such as risks associated with shared access to data, authentication weaknesses and new exploits. The Bank will assess the effectiveness of the TSP’s business continuity program with a focus on recovery capabilities and capacity. Further, the Bank must understand whether the vendor subcontracts; and if so, what is the fourth party’s BCP program? Are the vendor’s and its subcontractor’s programs in alignment with the Bank’s BCP program?
Testing must be part of the due diligence process and ongoing monitoring of the vendor and its fourth parties. This ensures the resilience of outsourced technology services. “The financial institution should perform periodic in-depth assessments of the [vendors] control environment, including BCP, through the review of service provider business continuity plan testing activities, independent and/or third party assessments, and management information systems reports to assess the potential impact on the financial institution’s business resilience.”
The phrase Cyber Resilience is new language from the FFIEC, but the concept overall is not. There is a very real threat to banks from the growing sophistication and volume of cyber threats. Individuals, groups and even governments have developed new skills and techniques to disrupt operations, corrupt files and steal data. When testing and reviewing due diligence documentation, consideration must be given to the impact a large scale cyber event may have on operations and on the ability to recover. The ever evolving threats must be properly managed to ensure cyber resilience. Additionally, the capacity of the vendor to recover across all of its customers in a timely manner must be considered.
Davis + Henderson announced today (March 30, 2015) that it will acquire Fundtech for US$1.2 billion. The announcement does not surprise. With Fundtech under an FDIC and OCC consent order, senior management at GTCR went out looking for key players to bring onboard to get Fundtech polished up for sale. Canada's D+H is looking to swoop in and get into the payments business, just as GTCR thought it was doing in late 2011. There is a lot D+H will need to do to get Fundtech resurrected. However, unlike GTCR, Davis + Henderson actually knows a little something about the financial industry; so maybe there is some light at the end of the tunnel.
http://www.fundtech.com/media/ugc/pdf/DH_Fundtech_Acquisition_-_US_FINAL.pdf
http://www.ffiec.gov/press/pr033015.htm
--
FFIEC Releases Two Statements on Compromised Credentials and Destructive Malware
The Federal Financial Institutions Examination Council (FFIEC) today released two statements about ways that financial institutions can identify and mitigate cyber attacks that compromise user credentials or use destructive software, known as malware. In addition, the FFIEC provided information on what institutions can do to prepare for and respond to these threats.
Cyber attacks have increased in frequency and severity over the past two years. The attacks often involve the theft of credentials used by customers, employees, and third parties to authenticate themselves when accessing business applications and systems. Cyber criminals can use stolen credentials to commit fraud or identity theft, modify and disrupt information systems, and obtain, destroy, or corrupt data. Also, cyber criminals often introduce malware to business systems through e-mail attachments, by connecting infected external devices, such as USB drives, to computers or networks, or by introducing the malware directly onto the business systems using compromised credentials.
In accordance with FFIEC guidance, institutions should:
•Securely configure systems and services;
•Review, update, and test incident response and business continuity plans;
•Conduct ongoing information security risk assessments;
•Perform security monitoring, prevention, and risk mitigation;
•Protect against unauthorized access;
•Implement and test controls around critical systems regularly;
•Enhance information security awareness and training programs; and
•Participate in industry information-sharing forums, such as the Financial Services Information Sharing and Analysis Center.
The FFIEC also highlighted the following resources that provide practical information for strengthening user awareness regarding safe online practices.
•Federal Trade Commission’s On Guard Online
•National Cyber Security Alliance’s Stay Safe Online
•US-CERT Security Tip (ST13-003) “Handling Destructive Malware”
•Joint Security Awareness Report (JSAR-12-241-01B) “Shamoon/DistTrack Malware”
•National Institute of Standards and Technology “Cybersecurity Framework”
•US-CERT “Cyber Resilience Review”
The FFIEC issued a press release on March 17, 2015 announcing its Cybersecurity Priorities for 2015.
This, combined with the new Appendix J, should have all our teams focused on security issues and technology service providers for this year and the years to come.
Happy St. Patrick’s Day!
http://www.ffiec.gov/press/pr031715.htm
FFIEC Focuses on Cybersecurity, Will Debut Self-Assessment Tool
The Federal Financial Institutions Examination Council (FFIEC) today provided an overview of its cybersecurity priorities for the remainder of 2015.
The priorities include seven workstreams that stem from last year’s pilot assessment of cybersecurity readiness at more than 500 financial institutions. The planned work includes the development and issuance of a self-assessment tool that financial institutions can use to evaluate their readiness to identify, mitigate and respond to cyber threats. The FFIEC also will enhance its incident analysis, crisis management, training, and policy development and expand its focus on technology service providers’ cybersecurity preparedness. Additionally, the FFIEC will continue to improve its collaboration with other agencies and communicate the importance of cybersecurity awareness and best practices among financial industry participants and regulators.
Work is underway in the following workstreams:
•Cybersecurity Self-Assessment Tool—The FFIEC plans to issue a self-assessment tool this year to assist institutions in evaluating their inherent cybersecurity risk and their risk management capabilities.
•Incident Analysis—FFIEC members will enhance their processes for gathering, analyzing, and sharing information with each other during cyber incidents.
•Crisis Management—The FFIEC will align, update, and test emergency protocols to respond to system-wide cyber incidents in coordination with public-private partnerships.
•Training—The FFIEC will develop training programs for the staff of its members on evolving cyber threats and vulnerabilities.
•Policy Development—The FFIEC will update and supplement its Information Technology Examination Handbook to reflect rapidly evolving cyber threats and vulnerabilities with a focus on risk management and oversight, threat intelligence and collaboration, cybersecurity controls, external dependency management, and incident management and resilience.
•Technology Service Provider Strategy—The FFIEC’s members will expand their focus on technology service providers’ ability to respond to growing cyber threats and vulnerabilities.
•Collaboration with Law Enforcement and Intelligence Agencies—The FFIEC will build upon existing relationships with law enforcement and intelligence agencies to share information on the growing cybersecurity threats and response techniques.
The FFIEC has published several resources to help financial institutions improve their cybersecurity, including additional information regarding the cybersecurity assessment conducted in 2014. They are available on the FFIEC website at http://www.ffiec.gov/cybersecurity.htm.