You’ve heard it before, and you’re going to hear it again: Financial institutions aren’t doing enough to ensure their contracts with third-party vendors sufficiently address business continuity and incident response.
The most recent warning comes from the FDIC where examiners have observed gaps in financial institutions’ contracts with third-party technology service providers, according to an April 2 Financial Institution Letter.
Let’s take a look at what’s going wrong.
Exam findings show that some FI contracts with technology service providers don’t provide enough detail about vendor and FI rights and responsibilities for business continuity and incident response.
As a result some contracts:
- Don’t provide FIs enough information to manage processes and risks.
- Don’t require that vendors maintain a business continuity plan (BCP) or establish recovery standards.
- Fail to define contractual remedies if the vendor misses a recovery standard.
- Don’t provide enough detail about the vendor’s incident response plan, such as notifying the financial institution, regulators, or law enforcement.
- Don’t clearly define key BCP and incident response terms leading to ambiguity and the potential risk that a business disruption could impact operations or compromise data.
Meanwhile, some FIs have fallen short of the requirement to notify regulators of certain vendor relationships. Section 7 of the Bank Service Company Act requires institutions to notify regulators of relationships with certain types of service providers, including “check and deposit sorting and posting, computation and posting of interest, preparation and mailing of checks or statements, and other clerical, bookkeeping, accounting, statistical, or similar functions such as data processing, Internet banking, or mobile banking services.”
The FDIC has created an optional form for providing this written notification, though any form of written notification is okay.
Tips for Addressing These Oversights
Vendor contract problems aren’t exactly news. The FDIC’s Office of the Inspector General (OIG), uncovered similar problems in its report on vendor contracts two years ago. What’s surprising is that despite these warnings, vendor business continuity planning and incident response continue to be overlooked by many FIs.
Part of it may be the difficultly in getting vendors to agree to new terms after a contract is signed. The FDIC notes that “long-term contracts and contracts that automatically renew may be at higher risk for coverage gaps.”
But just because a vendor contract doesn’t properly address BCP or incident response doesn’t mean that an FI is off the hook or that nothing can be done. FIs that have gaps in their contracts need to be proactive in taking extra steps to manage vendor BCP and incident response.
Have a gap in a contract? Manage those risks with additional controls. The FDIC suggests seeking additional BCP documentation from the vendor or addressing those contractual gaps within the institution’s BCP.
When a contract doesn’t adequately cover an FI’s risk management needs, it adds layers of complexity to the vendor management life cycle, making it harder to conduct due diligence and ongoing monitoring. Make sure any new or renegotiated third-party vendor contract addresses BCP and incident response on more than a superficial level. Think about what you need to consider when addressing your own institution’s plans and make sure you have guarantees that you’ll receive enough vendor information to conduct a similar assessment.
And if you’re stuck with the vague contract, take extra steps internally to ensure your vendor isn’t the weak link in your BCP and incident response planning.