An offer, acceptance and consideration based on specific terms.
Appendix J: Strengthening the Resilience of Technology Sources was published in February 2015. This appendix to the FFIEC's Business Continuity Planning Booklet examines four key elements of BCP that a financial institution should address to ensure they are contracting with technology service providers (TSPs) that are strengthening the resilience of technology services. The four key elements are: 1) third-party management; 2) third-party capacity; 3) testing with TSPs; and 4) cyber resilience.
The clause of an agreement that states what obligations or duties may be transferred in whole or in part to another party and under what circumstances. If a contract is “silent” or assignment is not addressed, a vendor can freely assign or transfer rights to another vendor.
Bank Secrecy Act (BSA): The BSA requires FIs to maintain appropriate records and file reports involving currency transactions and an FI’s customer relationships. The purpose is to assist government agencies with detecting and preventing money laundering.
Business Continuity Test: A test of a BCP or disaster recovery plan.
Cloud: Multiple data centers on a third party’s infrastructure used to store and/or process data, accessed via the internet. When several clients share these computers, this is called a shared cloud. When the computers are used exclusively by one institution, this is called a private cloud.
Compliance Risk: The risk that a third-party vendor will either knowingly or accidentally violate a law, regulation, rule or an institution’s own internal policies. Institutions should see that vendors: 1) Are aware of new and existing regulations and have policies and procedures in place for implementation; 2) Have audit and control features that demonstrate their compliance; and 3) Maintain logs and practices for monitoring transactions for suspicious activity and compliance with other laws and regulations.
Concentration Risk: The overreliance on a single vendor to conduct business when that vendor provides many products and services, particularly if this vendor is classified as critical. An institution may not be able to conduct business if a catastrophic event strikes and hinders a vendor providing many services. Another concern is the geographic concentration of a vendor. If an institution and its third-party vendors or subcontractors are in the same region, the same event could affect everybody’s operations since they all rely on the same infrastructure. Management of concentration risk includes diversifying vendors or having a solid backup plan in place.
Assuming information will be kept secret with access limited to appropriate people with a need to know.
Consumer Information: Any non-public personal information (NPI) about a consumer that is maintained on behalf of an FI. The record can be in any form, including paper and electronic.
Contract Manager: Person responsible for developing and implementing procedures for contract management and administration in compliance with company policy. Contract managers may also negotiate contracts and track contract(s) through their life cycle.
Credit Risk: The strength and ability of a company to manage debt and stay in business to ensure continued operations in the vendor management process. Areas to consider are 1) financial condition; 2) financial performance; 3) litigation; and 4) acquisitions. These areas should be evaluated annually.
Cyber Resilience: A system’s ability to withstand cyber attacks or failures and then quickly reestablish itself.
An officially chartered institution that receives deposits, makes loans, and provides checking and savings account services. These services are for-profit. A bank’s source of capital is its deposits, which are insured by the FDIC per depositor, per institution.
A business continuity plan (BCP) is a comprehensive, written plan to maintain or resume business in the event of a disruption. The plan includes disaster recovery and business unit(s) recovery capability.
The process by which an organization’s third and fourth-party vendor contracts, expectations and business dealings are organized within a single system, making it easy to find, report on and edit vendor agreements.
Disaster Recovery: The process of recovering from major processing interruptions.
Enterprise Risk Management (ERM): Ongoing process to assess, monitor and control all risk. ERM involves all areas within an organization and entails organizational decision-making and a standard approach.
Federal Reserve System (FRB): The central bank of the U.S., created on Dec. 23, 1913. The four general responsibilities of the FRB are 1) Conducting the U.S.’s monetary policy; 2) Supervising and regulating financial institutions to ensure safety and soundness and protect the credit rights of consumers; 3) Maintaining the stability of the financial system and containing systemic risk that may arise in financial markets; and 4) Providing certain financial services to the U.S. government, U.S. FIs, and foreign official institutions, overseeing the nation’s payments systems.
A tool that helps institutions identify their risks and determine their cybersecurity preparedness. The FFIEC states that use of the Tool is voluntary; however, each regulator has different expectations of an institution’s use of the tool.
Here’s what the agencies have to say:
OCC – In a letter to the Government Accountability Office, Comptroller Curry stated, “[w]e expect to begin using this Cybersecurity Assessment Tool in selected examinations that commence during the fourth quarter of 2015.” On June 30, 2015, the OCC stated that it intends for OCC Examiners to “gradually incorporate the Assessment [CAT] into examinations of national banks, federal savings associations, and federal branches and agencies (collectively, banks) of all sizes.”
FDIC – The FDIC has indicated, through Financial Institution Letter 28-2015, that “FDIC examiners will discuss the Cybersecurity Assessment Tool with institution management during examinations to ensure awareness and assist with answers to any questions.”
Federal Reserve – The Federal Reserve Board has explicitly stated its intent to begin using the Assessment, “…in late 2015 or early 2016 … as part of [the] examination process when evaluating financial institutions’ cybersecurity preparedness in information technology and safety and soundness examinations and inspections.” (SR-15-9, July 2, 2015)
Financial Institution (FI): A company engaged in the business of dealing with monetary transactions, such as deposits, loans, investments and currency exchange.
Findings: Any issues found in an internal audit, external audit, government report or management review of a process or procedure that needs corrective action to decrease risk.
Foreign-Based Third-Party Service Provider: An entity whose services are located in and subject to the laws of any country other than the U.S. An institution needs to know if the service provider is: 1) Registered to do business in a particular state; 2) In good standing; 3) Storing data; and 4) Allowing data to leave the U.S. The institution should require a U.S. subsidiary to be insured, and data should not leave the U.S.
Fourth-Party Vendor: When a third party outsources certain functions to another company, that company is considered a fourth-party vendor to the financial institution. The financial institution is expected to manage the risks associated with that company.
Gramm-Leach-Bliley Act (GLBA): This act requires federal banking agencies to establish information security standards for financial institutions so that financial institutions protect the non-public personal information of consumers. The act has three main parts: 1) The Financial Privacy Rule; 2) The Safeguards Rule; and 3) The Pretexting provisions. GLBA is also known as The Modernization Act of 1999.
Inherent Risk: The risk that an activity would pose if no controls or other mitigating factors were in place.
Internal Audit: The review of key risk management functions, including regulatory capital adequacy and liquidity control functions; regulatory and internal reporting functions; the regulatory compliance function; and the finance function.
Nondisclosure: A failure to reveal information.
Notice of Breach: Actions outlined in a service agreement that are to be taken by either party in the event of a security breach. The institution will want to know how quickly it will be notified and by what means in the event of a breach, including which party is required to notify customers and who is responsible for associated costs. The institution will also want to have termination available as a remedy.
Operational Risk: Risk of financial loss when processes, people or systems fail.
Recovery Point Objective (RPO): The amount of data that can be lost without severely impacting the recovery of operations. Alternatively, the point in time to which systems and data must be recovered (e.g., the date and time of a business disruption).
Recovery Time Objective (RTO): The maximum allowable downtime that can occur without severely impacting the recovery of operations. Alternatively, the time within which systems, applications, or business functions must be recovered after an outage (e.g., the point in time at which a process can no longer remain inoperable).
Reputation Risk: The mistakes of an institution’s vendor that jeopardize the reputation of the institution. Examples include security breaches resulting in the disclosure of customer information, negative publicity involving the third party, and violations of consumer law.
Residual Risk: The risk that remains after controls are taken into account.
Right to Audit: An FI’s right to review the internal operations of the vendor.
Risk Assessment: A prioritization of potential business disruptions based on severity and likelihood of occurrence. The risk assessment includes an analysis of threats based on the impact to the institution, its customers and financial markets rather than the nature of the threat.
Strategic Risk: The possibility that a company does not make decisions that support its long-term goals. When assessing strategic risk: 1) Know the age of the company and its market size; 2) Understand who is in charge; 3) Ensure operational controls are monitored and addressed through audits; 4) Ensure vendor management is in place; 5) Ensure business continuity planning is in place to mitigate or prevent business interruptions and enable prompt recovery; and 6) Know where operations, personnel and subcontractors are located (specifically offshoring and outsourcing).
Third-Party Service Provider (TSP): Any third party to whom a financial institution outsources activities that the institution itself is authorized to perform, including a technology service provider.
Transaction Risk: Risk that a third party will fail to provide products and services as expected, adversely impacting the institution or its customers. Transaction risk focuses on contingency planning. Transaction risk management is best accomplished by addressing the following areas with vendors: 1) planning; 2) threat management; 3) recovery; 4) data protection; 5) incident response; and 6) subcontractors.
TSP Updates: An institution’s ability to obtain updates from the vendor about the vendor’s conditions. The institution should look for the availability of the updates, which party has to pay to obtain the updates and the difficulty of obtaining the updates. The institution should have a plan to review updates and the details of how it will receive them at the beginning of the relationship with the vendor.
A person or entity that provides goods/services.
Vendor Risk Management: The ongoing process of monitoring a vendor, beginning with due diligence before a new contract is signed and continual monitoring throughout the duration of the relationship. The objective of a risk management program is to reduce risk and obtain and maintain appropriate management approval at predefined stages in the life cycle.
The FFIEC is an interagency body that prescribes uniform principles, standards and report forms for the federal examination of financial institutions by the Board of Governors of the FRB, the FDIC, the NCUA, the OCC and the CFPB, and makes recommendations to promote uniformity in the supervision of financial institutions. The FFIEC was established March 10, 1979.