The FDIC Office of Inspector General’s (OIG) deep dive into the state of vendor management has revealed widespread deficiencies including business continuity planning, vendor management, contract management, internal controls and cybersecurity. This is part three of a five-part blog series that looks at the report’s findings.
Part 3: Contract Management
If you’re like most financial institutions, your vendor contracts aren’t protecting your interests or preserving your rights.
That’s not just my observation. It’s the finding of the FDIC’s Office of Inspector General (OIG) in its recent analysis of third-party service provider contracts. The agency watchdog reviewed 48 contracts between 19 financial institutions (FIs) and their vendors, focusing on provisions related to business continuity planning (BCP) and cybersecurity incidents. The contracts the OIG reviewed provided “limited information and assurance” that vendors could quickly recover from a disruption or contain, control and report cyber incidents.
Contracts are more than just a pricing agreement. They represent a huge control for community banks and credit unions. A thoughtfully written contract defines terms, addresses performance standards, provides tools for monitoring and auditing, helps manage risk, and details consequences if a vendor falls short. Unfortunately, few FIs are using contracts as the valuable tools they can be.
How bad is it?
When it comes to business continuity planning:
- 48% of contracts didn’t require a business continuity plan
- 80% had no performance standards
- 44% didn’t require a vendor to deliver audits or reports
These institutions have no proof that their vendors are meeting regulatory standards for business continuity planning.
Just one contract got a call-out from the OIG for including a 24-hour disaster recovery objective and a 72-hour recovery time objective after a disaster. These are the types of timeframes that should be in every contract. Meanwhile, some contracts actually limited a vendor’s business continuity responsibilities in the event of a disaster, protecting the vendor rather than the institution.
When it comes to incident reporting, most contracts require the vendor to inform the FI of a breach, but they don’t address the details of how a vendor assesses and responds to potential incidents or reports them to authorities. Few included consequences if a vendor failed to meet incident response and reporting standards.
- 31% of contracts didn’t address performance standards (only 23% had a detailed discussion).
- 27% didn’t include incident response in service-level agreements.
- 46% didn’t require audits, and 44% didn’t require reports.
- 14% didn’t address data security and confidentiality.
Key terms found in guidance often don’t make it into contracts, the OIG found. Worse yet, when they do, they are rarely defined. As a result, contracts and their terms are often vague and hard to enforce. They expose an FI to increased risk because they make it harder to successfully manage vendor business continuity planning and incident response.
Consider the term “timely notification of financial institution.” About 20 percent of FIs included the term in contracts but provided no definition, leaving the phrase open to interpretation. Another 43 percent provided only a limited definition. Other minimally defined terms include “unauthorized access,” “security incident” and “substantial harm or inconvenience.”
Some terms get entirely left out. This frequently includes “potential breach,” “significant disruption,” “material impact” and “cyber event.”
Why are contracts falling short? They are generic and standardized forms written by the vendor, the OIG says. Since they aren’t customized to an FI’s business lines, risk approach or needs, they are rarely specific enough to meet the FI’s needs or protect its interests. They don’t adequately detail everyone’s rights and responsibilities. Worse yet, some contracts written by vendors put more thought into protecting the vendor’s systems and confidentiality than the FI’s. The very worst ones limit vendor liability and responsibility for business continuity and cybersecurity.
The OIG says a strong contract should include the following key contract provisions:
- Internal controls
- Performance standards
- Regulatory compliance
- Scope of service
- Security and confidentiality
- Service level agreements
- Subcontracting and assignment
- Termination and default
- Business resumption and contingency plans
The OIG’s review focused on just two areas, but I guarantee you that FIs and credit unions have similar shortcomings in other sections of their contracts. Facing off against vendors with a deep bench of lawyers who regularly negotiate the same contract, FIs are at a disadvantage. They have internal IT and financial expertise but lack the resources to fine-tune a long, complicated vendor agreement. And even if they had a pro negotiator on the team, it wouldn’t make a difference if the FI hasn’t completed a due diligence review and risk assessment ahead of time to understand its institution’s exact needs.
“A lack of appropriate contract management expertise weakens an FI’s control environment,” the OIG report notes.
Don’t ignore your contracts. If you’re not demanding detailed term definitions, controls and performance standards, you’re doing your FI a disservice. If you’re not sure where you measure up, Ncontracts Manager can help you manage your contracts, providing reviews that eradicate the errors and unknowns that lead to higher risk. Our legal team specializes in contracts and has extensive knowledge of industry standards while our solution automates management with simplified summaries, storage and alerts. You’ll know exactly what’s in your contract and when to take action.