The FDIC Office of Inspector General’s (OIG) deep dive into the state of vendor management has revealed widespread deficiencies in business continuity planning, vendor management, contract management, internal controls and cybersecurity. This is part five of a five-part blog series that looks at the report’s findings.
Part 5: Cybersecurity
How well is your institution responding to cybersecurity events?
If your third-party contracts are structured like those at many financial institutions, your response may fall short of expectations due to lack of clarity.
That’s according to the FDIC Office of Inspector General’s evaluation, “Technology Service Provider Contracts with FDIC-Supervised Institutions,” which focuses on business continuity planning and cyber incident response. In short, “often FI contracts with TSPs are dated and do not reflect FDIC and FFIEC efforts to strengthen cybersecurity.”
The OIG defines a security incident as “the attempted or successful unauthorized access, use, modification, or destruction of information systems or customer data.” Such incidents can cause systems to fail or result in the breach of confidential data.
Every financial institution (FI), and by extension their critical vendors, needs an incident response program that addresses the steps to take in the event of a potential incident. According to the OIG’s summary of the Interagency Guidelines, there must be procedures for:
- “Assessing the nature and scope of an incident and identifying what customer information systems and types of customer information have been accessed or misused;
- Taking appropriate steps to contain and control the incident to prevent further unauthorized access to or use of customer information, for example, by monitoring, freezing, or closing affected accounts, while preserving records and other evidence;
- Notifying its primary federal regulator as soon as possible when the institution becomes aware of an incident involving unauthorized access to or use of sensitive customer information;
- Notifying appropriate law enforcement authorities and filing a timely Suspicious Activity Report in situations involving federal criminal violations; and
- Notifying customers when warranted.”
The Good and the Bad
While FIs have taken steps to address vendor incident response in contracts, these high-level efforts lack the necessary detail to make them truly effective.
For example, 86 percent of contracts directly addressed security, confidentiality and Gramm-Leach-Bliley Act privacy requirements by requiring the vendor to notify the FI of unauthorized intrusions of material impact, the OIG found. The bad news is contracts frequently didn’t address vendor responsibility for:
- Assessing and responding to incidents;
- Determining the potential effect on the institution or its customers; or
- Reporting and notifying authorities.
While about half of FIs had contracts with performance standards for notifying the institution of a breach, few contracts went into detail on how a vendor would:
- Assess the nature and scope of potential incidents, including information and systems accessed and the possible harm, inconvenience or misuse of data that could result;
- Contain and control incidents to preserve evidence;
- Provide detailed incident response and recovery metrics; and
- Remedy the situation if it failed to meet response and reporting standards.
When FIs don’t spell out a vendor’s incident response program in the contract, they expose themselves to increased cyber and compliance risk. An FI needs to know the exact processes a vendor will use to assess, respond to and report potential incidents. It needs assurance that the efforts of critical vendors will support the FI’s goals of protecting information systems and data. A good incident response program reduces the chances of a security incident disrupting operations or compromising customer information.
The consequences can be steep. It’s a tired refrain, but well worth repeating: many of the biggest breaches in recent history have originated with third-party vendors. FIs need to address cybersecurity both internally and externally, in their vendor relationships, to protect against growing threats.
The FFIEC developed a Cybersecurity Assessment Tool to analyze inherent risk and cybersecurity maturity levels. Ncontracts’ Ncyber gives you a shortcut through this 400+ page questionnaire, offering the FFIEC Cybersecurity Assessment Tool in a secure, easy-to-navigate format with embedded workflow tools that enable departments within your organization to easily cross-reference the data needed for a seamless, accurate assessment.
Don’t let cyber risks go unrecognized. Take steps to ensure your FI and its vendors are prepared to deal with cyber events by assessing risks and addressing those risks in written contracts.