Nsight Blog | Ncontracts

5 Business Continuity Red Flags in Vendor Relationships (TPRM)

Written by Steve Fochler | Nov 14, 2024 8:00:00 PM

Third-party vendors continue to be an integral part of today’s financial services industry as they help financial institutions (FIs) of all sizes reach their goals. However, without both parties committed to maintaining business continuity, poor vendor relationships can damage an FI’s operations, compliance posture, reputation, finances, and consumer relationships.  

Third-party risk management (TPRM) is also an increasingly important topic to regulators, including the Office of the Comptroller of the Currency (OCC), Federal Deposit Insurance Corporation (FDIC), and the Federal Reserve, as they released new vendor management requirements in June 2023. According to the interagency guidance, “Whether activities are performed internally or via a third party, banking organizations are required to operate safely and soundly and in compliance with applicable laws and regulations.”  

In other words, the vendor’s risk is your institution’s risk. 

So, how can FIs ensure their vendor relationships are compliant and productive? What red flags should your FI consider as you navigate third-party relationships? How can you address red flags before they cause further damage?  

Let’s discuss. 

Related: How to Avoid Common Third-Party Risk Management Mistakes 

Vendor Red Flags: What financial institutions should look for

While every vendor relationship will look a little different based on your institution’s needs, there are some red flags FIs should be aware of as they engage in TPRM. 

Unwillingness to share information 

The most glaring business continuity red flag occurs when a vendor is unwilling to provide information about its business continuity plan and disaster recovery plan for critical systems or processes. This red flag extends to every area of the vendor relationship, from communications to document sharing. For example, suppose a vendor is reluctant to share information about how it backs up critical systems your FI uses. Why is it hesitating? Is it possible it’s hiding a deficiency? Or perhaps the vendor says the information is private or proprietary. A contract typically includes a non-disclosure, so claiming it is proprietary information that can’t be shared is not an excuse. In this case, there’s a high chance that they’re hiding other items or issues that could harm both organizations and their customers.  

Conversely, vendors that readily share information typically stay current in their security practices and have resilient systems that can withstand interruptions to business operations or incidents, such as a data breach or power outage. For instance, if your vendor mentions that it has made significant investments in a failover solution (i.e. a backup system or component that activates when the primary system fails), it wants your financial institution to recognize it is committed to protecting your data and the relationship. This also demonstrates that it is taking its compliance responsibilities seriously. 

Lack of documentation

Besides lacking communication, a vendor may be tentative to share essential documents. Examples of documents your FI may need to request from vendors include: 

  • SOC reports. A System and Organizational Controls (SOC) report is an independent audit conducted by a third party to assess the status and reliability of internal controls. As a vendor management tool, a SOC 2 report offers an overview of a vendor’s security posture.  (Read more about SOC reports here.) 
  • CUECs document. Complementary User Entity Controls (CUECs) are typically included in SOC reports and are used to ensure your institution and employees adhere to security policies and compliance standards required to keep the vendor’s systems safe.   
  • System recovery test results. Vendors should be willing to provide their most current Business Impact Analysis, disaster recovery test schedule, and test results to demonstrate how quickly they recover systems and data. If they aren’t, that reveals another red flag: outdated or infrequent testing.  
  • Security policies and procedures. A vendor should detail how it protects sensitive data, including encryption methods, access controls, and data handling procedures. 
  • Business policies. These policies include change management policies, record retention policies, and vendor management policies or programs and are essential if the vendor is using subcontractors (fourth parties) for any part of your FI’s services.  

These are just a few of the items you may need to request. If your vendor is reluctant to hand over these documents, it may signal broader TPRM issues. 

Related: Expert Q&A: How to Assess Vendor’s Data Recovery Capabilities 

Outdated or infrequent testing 

To provide system recovery test results, vendors must conduct regular system recovery testing to understand how efficiently they can recover from potential failures. Some examples of metrics FIs should have access to include:  

  • Recovery Point Objectives (RPOs). An RPO defines how much data, measured as a window of time, an organization can afford to lose, and therefore how recent the backup used to resume normal operations must be. A shorter RPO indicates that the vendor is likely to lose less of your data.  
  • Recovery Time Objectives (RTOs). An RTO is the target timeframe for restoring systems, applications, and business functions after an outage. This value encompasses critical systems such as core operations and remote deposit services and becomes your real-world recovery time for the vendor system. Compare this timeframe with the expectations of your critical departments to see if there are legitimate gaps between expectations and reality.  
  • Maximum Tolerable Downtime (MTD). MTD refers to the longest period that a system can remain non-operational without causing unacceptable impacts to the organization. Like RTO, you can compare the vendor’s MTD with your critical departments’ expected MTD. 
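The comparison described above (vendor-stated RTO, RPO, and MTD against what each of your critical departments can tolerate, plus a check that the underlying test results are current) can be made mechanical. The following Python is an added illustration written for this article, not Ncontracts code or any vendor's tool. The 365-day maximum test age, the department tolerances, and the vendor figures are constructed sample values; your own Business Impact Analysis supplies the real ones. A missing value is treated as the "unwillingness to share" red flag rather than silently skipped.

```python
"""Compare a vendor's reported recovery metrics against internal expectations.

Added example for this article (not Ncontracts or vendor code). All thresholds
and figures below are constructed sample values.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Assumption: recovery test results older than this are treated as outdated.
MAX_TEST_AGE_DAYS = 365


@dataclass(frozen=True)
class VendorRecoveryProfile:
    """What the vendor reported. None means the vendor did not provide the value."""
    name: str
    rto_hours: Optional[float]
    rpo_hours: Optional[float]
    mtd_hours: Optional[float]
    last_test_date: Optional[date]


@dataclass(frozen=True)
class DepartmentExpectation:
    """Maximum values a department can tolerate, taken from the FI's own BIA."""
    name: str
    rto_hours: float
    rpo_hours: float
    mtd_hours: float


def compare_recovery_metrics(vendor: VendorRecoveryProfile,
                             departments: List[DepartmentExpectation],
                             as_of: date) -> List[str]:
    """Return human-readable findings: GAPs where the vendor's figure exceeds a
    department's tolerance, and RED FLAGs where information is missing or stale."""
    findings: List[str] = []
    for metric in ("rto_hours", "rpo_hours", "mtd_hours"):
        label = metric[:3].upper()          # "RTO", "RPO", "MTD"
        reported = getattr(vendor, metric)
        if reported is None:
            # Withheld metric: the article's first red flag, not a neutral blank.
            findings.append(f"RED FLAG: {vendor.name} did not provide an {label}")
            continue
        for dept in departments:
            tolerated = getattr(dept, metric)
            if reported > tolerated:
                findings.append(
                    f"GAP: {dept.name} tolerates {label} <= {tolerated:g}h, "
                    f"{vendor.name} reports {reported:g}h"
                )
    # Test results must exist and be recent; otherwise the numbers are unproven.
    if vendor.last_test_date is None:
        findings.append(f"RED FLAG: {vendor.name} provided no recovery test results")
    else:
        age_days = (as_of - vendor.last_test_date).days
        if age_days > MAX_TEST_AGE_DAYS:
            findings.append(
                f"RED FLAG: last recovery test is {age_days} days old "
                f"(limit {MAX_TEST_AGE_DAYS})"
            )
    return findings


# Constructed sample data: a core-processing vendor and two internal departments.
SAMPLE_VENDOR = VendorRecoveryProfile(
    name="Core Processor Co. (constructed)",
    rto_hours=8, rpo_hours=4, mtd_hours=24,
    last_test_date=date(2023, 3, 1),
)
SAMPLE_DEPARTMENTS = [
    DepartmentExpectation("Deposit Operations", rto_hours=4, rpo_hours=1, mtd_hours=24),
    DepartmentExpectation("Remote Deposit Capture", rto_hours=12, rpo_hours=4, mtd_hours=48),
]


def sample_findings(as_of: date = date(2024, 11, 14)) -> List[str]:
    """Run the comparison on the constructed sample data."""
    return compare_recovery_metrics(SAMPLE_VENDOR, SAMPLE_DEPARTMENTS, as_of)


if __name__ == "__main__":
    for line in sample_findings():
        print(line)
```

Run as a script, the sample reports two gaps for Deposit Operations (the vendor's 8-hour RTO and 4-hour RPO exceed that department's 4-hour and 1-hour tolerances) and one red flag for a recovery test that is well over a year old; Remote Deposit Capture's looser tolerances are met. Feeding the output into the contract conversation described later in the article gives you concrete, department-level asks rather than a general complaint.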

If a vendor does not readily provide test results or relies on outdated recovery reports, it may be concealing potential weaknesses or problems in its operations.  

However, it’s common for vendors to encounter challenges during testing. If your vendor shares its test results, including what worked, the issues it faced, and plans for resolution, it indicates that it takes business continuity seriously—this is a positive sign. 

Related: Business Continuity Planning vs. Disaster Recovery: Understanding the Difference 

Failure to share information about fourth-party vendors 

Your FI isn't only responsible for what your vendor does; it's also responsible for the activities of your vendor's own third parties (aka fourth-party vendors). 

A fourth party is an organization to which your vendor outsources part of your contracted services, whether related to infrastructure, servers, systems, mobile banking, bill payments, legal services, or another area. For example, your vendor might use Amazon Web Services (AWS) or Microsoft Azure for cloud services. In that case, the cloud service is the fourth party.  

But the vendor circle may not stop there. The fourth party may outsource to another vendor, creating a fifth party. This trend continues with sixth, seventh, and eighth parties and beyond, emphasizing the need for ongoing vigilance in managing vendor relationships.  

Regardless of the level, FIs must ensure they understand the additional layers of risk that these relationships pose. It's crucial to proactively evaluate how that risk affects your third-party management strategies. One helpful resource for evaluating fourth-party vendors is the Statement on Standards for Attestation Engagements 18 (SSAE 18), which FIs can use to evaluate the security and reliability of those services.  

Related: First, Second, Third, Fourth and Fifth Parties: How to Measure the Tiers of Risk

Inconsistencies in communication 

Do you have long-term relationships with any vendors? It’s not unusual for FIs to work with the same vendor for 5, 7, 10, or even 20 years. But while a relationship can start on the right track, inconsistencies in communication are one of the first signs of hazards ahead. 

Communication problems are especially common with inexperienced vendors. They may not communicate their processes and policies effectively, potentially creating misunderstandings and leaving their clients (i.e. your institution) unprepared for risks and changes in service.  

When a red flag isn’t a red flag 

There are instances when vendors will reasonably not share information with an FI.  

If the requested information involves proprietary technology and trade secrets that could compromise the vendor’s competitive advantage, it’s reasonable for the vendor to withhold such details. For example, a bank or credit union doesn’t need to know the specific products and proprietary details behind systems, technologies, and solutions such as active-active environments. The vendor just needs to confirm it has an active-active setup and provide the detailed recovery metric values (MTD, RTO, and RPO).  

How to approach issues with a vendor

Whether a vendor relationship is new or existing, there are ways FIs can address current or potential issues:  

Communicate with the vendor 

Resolution starts with an honest conversation. Voice your concerns to the vendor. Be clear about the issues your organization has faced, the consequences for the vendor and your organization, and your commitment to addressing the issues.  

Update contracts as needed  

Once the conversation has been initiated, it’s important to establish contract updates to ensure the red flags are addressed. Some potential contract addendums may require the vendor to share test results and recovery times on a set schedule or to share protocols for addressing ransomware and other threats. 

Consult your peers and leadership team members  

While you can do everything on your end to address red flags and repair a vendor relationship, there’s a possibility that that vendor will fail to communicate or address the issues. In these cases, reach out to peers for insights, especially if they have the same vendor, or consider escalating the issue to higher leadership. 
 
Keep in mind that the saying "out of sight, out of mind" does not apply to third-party risk management. Stay alert while working with vendors. If you notice any red flags, make a note of them, communicate your concerns, and take appropriate action. Even if an issue seems minor, remember that a vendor's risk can also affect you. 

What should you look for in a business continuity solution?  

Find out in our Business Continuity Buyer’s Guide.