What does a historic storm in Texas mean for a credit union 2,000 miles away? According to one Massachusetts credit union, it meant a multi-day outage of its mobile banking, online banking, and bill pay services.
According to an interview in Credit Union Times, $140 million-asset New Bedford Credit Union experienced at least a four-day outage when its core provider, Fiserv, had issues with its Texas-based servers.
“This has impacted us tremendously and has adversely affected our members,” Berta Varao, president/CEO of New Bedford Credit Union, told the newspaper while sharing her frustration. “…Our digital services are crucial – this is a pandemic!”
While Fiserv did not release a specific reason for the outage, Varao says she was told that Fiserv’s servers lost power and then backup generators ran out of fuel. The newspaper cited “media reports that Fiserv was physically moving servers out of Texas and into Georgia.”
For its part, Fiserv noted that online banking went down at an undisclosed number of its credit union clients due to the power outages.
This isn’t the first time a core processor has struggled due to a natural disaster. In 2012, Superstorm Sandy flooded the new item processing center of a major core processor. The flood impacted over 100 of the company’s core banking clients, disrupting item processing.
While no one could have predicted Superstorm Sandy, institutions that were very diligent about business continuity planning might have been able to avoid relying on the flooded center. An agreement between regulators and the company after the fact revealed “unsafe and unsound practices relating to the TSP’s disaster recovery and business continuity planning and processes.” Institutions that engaged in thorough third-party due diligence, asked the right questions, and considered the impact to business continuity may have held off on moving to the new facility and avoided a major service interruption.
Despite best efforts, there may be times when core processors and other critical vendors are unable to perform as expected. The best way to reduce the likelihood of this occurring is with third-party vendor due diligence.
When it comes to due diligence, different guidance uses different terminology (risk assessment, due diligence, diligence), but it all refers to the same thing: a pre-contract risk assessment.
In addition to the typical due diligence necessary for every vendor, financial institutions should also thoroughly examine critical vendors’ business continuity plans to understand how they align with the institution’s own business continuity plan (BCP). It’s not enough to ask if it exists. You need proof of its functionality, especially its recovery capabilities. This must also be addressed by ongoing due diligence and vendor monitoring.
Guidance suggests due diligence include:
Third-party capacity. If a vendor faces disaster, your institution probably won’t be the only one affected. That’s why it’s important to determine if the vendor has the capacity to restore every client within its recovery time objectives and recovery point objectives. In the event it cannot quickly restore services, the vendor should have a workable agreement lined up with an alternate provider—or else the institution must find its own backup vendor as part of its BCP.
Third-party management. Just like financial institutions, many vendors outsource activities to service providers. These subcontractors must also have effective BCPs. The prime vendor should regularly review them and conduct its own due diligence—otherwise, your institution will have to do it. Ultimately, regulators view it as the institution’s responsibility.
Cyber threats. From malware to distributed denial-of-service (DDoS) attacks to insider threats, vendors must be able to respond to cyberattacks and have an actionable incident response plan. They also must stay on top of emerging threats. This is particularly important for vendors using the cloud.
Testing. Guidance strongly encourages regular testing of vendors’ business continuity plans and examining the results to identify potential problems. Before signing a contract, be sure to ask for the results of the vendor’s last business continuity test, especially for critical vendors.
A Statement on Standards for Attestation Engagements (SSAE) 18 audit, demonstrating a vendor adheres to the latest standards for Service Organization Controls (SOC) 1 Type II and SOC 2 Type II, is one document that can aid in this process. This accreditation demonstrates a vendor is dedicated to maintaining rigorous security, compliance, and operational controls.