Expert Q&A: How to Assess Vendor’s Data Recovery Capabilities
Ask most financial institutions what their greatest asset is, and they’ll tell you it’s their people. But their data is probably a close second.
Steve Fochler, CBCP, spends a lot of time thinking about that data. A business continuity specialist with more than 30 years of experience helping financial institutions develop business continuity plans, Steve has watched third-party vendors assume greater control over financial transactions and data, and has watched the volume of that data explode.
We asked Steve about the role third-party vendor management plays in business continuity planning, what it means for data recovery, the influence of the cloud, and how to know if your vendors’ data recovery capabilities are what they say they are.
Table of Contents
- The financial services industry moves so fast these days. How is that impacting business continuity planning?
- How are these changes impacting how a business continuity plan addresses data?
- How do you know if there are gaps in a third-party vendor’s data recovery capabilities?
- What about the vendors that aren’t that forthcoming with their recovery capabilities?
- In what ways will data recovery challenges continue to evolve?
- What’s the greatest challenge financial institutions face when it comes to business continuity planning?
- What’s the biggest mistake you see financial institutions making?
Q: The financial services industry moves so fast these days. How is that impacting business continuity planning?
A: I’ve been focused on the resilience of third parties and their infrastructure. Increased reliance on these relationships continues to put pressure on financial institutions in terms of making sure the services key vendors provide are quickly restored.
It used to be that the only way to get your money was to walk into a branch. As technology has advanced, the availability of funds and moving your money is so much faster. Now between Venmo, early pay direct deposit, and similar products and services, there’s all this technology behind it and customers expect immediacy. Something that started off as a “nice to have” is now a “must have.”
It’s not just the ability for customers and members to access these services. It’s maintaining the integrity of that data.
Q: How are these changes impacting how a business continuity plan addresses data?
A: It used to be enough to back up our systems once a night because we were manually recording transactions on paper during the day and entering them into the system, potentially later. It was easier because most of the transactions were done in the branch or at an ATM. Now there is no paper backup. If the system loses the data now, there is no way to reconstruct it.
The window for backing up data is much shorter now. There are so many transactions going on at any moment, it’s a matter of minutes, not hours. Again, that puts a lot of pressure on financial institutions to look at their third-party vendors and their core providers and find out how often they are backing up their systems. Are they creating snapshots of the data every few minutes if they do a lot of transactions in minutes? Are there gaps in their data recovery?
Q: How do you know if there are gaps in a third-party vendor’s data recovery capabilities?
A: It gets challenging with third-party vendors that provide their systems via the cloud. Financial institutions rely on that vendor to tell them truthfully how often they back the data up. Clients must trust those reports are accurate.
To strengthen trust, some vendors let financial institutions participate in tests, and I highly recommend participating in these tests, especially if they hold your critical data. Get on that test schedule and see for yourself that data recovery is working.
Q: What about the vendors that aren’t that forthcoming with their recovery capabilities?
A: Not all vendors are readily willing to give up their disaster recovery plans and details, and how quickly they recover systems and data. In those cases, financial institutions will need to work hard to get it. Or include the need for full disclosure of disaster recovery plans in their vendor contracts.
If they really are reluctant, then I always recommend leveraging your regulator. When they are examining you, just say, “Hey, these five vendors have been great with providing information. These two we are struggling with. Could you help me out?”
The examiner community is active, especially with larger core information providers. They are keeping an eye on them because they have seen disasters and significant disruptions, so they are requiring more of them.
Q: In what ways will data recovery challenges continue to evolve?
A: Our industry is better at business continuity and disaster recovery, and a lot of it is due to cloud technologies. They are making us more resilient.
The pace of information availability and instantaneous expectations for transactions to happen will continue to grow. Think about how you can be better, faster, and more resilient so you never miss a beat with transactions, loan closings, documentation, and information availability.
Q: What’s the greatest challenge financial institutions face when it comes to business continuity planning?
A: The challenge is that everyone is so busy and most financial institutions have limited time to devote to business continuity and disaster recovery. We understand the importance and that it is not just there to make examiners happy, but we have minimal time to do it.
To put in a plug for Ncontinuity, our clients leverage products like ours and hire us to do the heavy lifting of building their plans out. They know they need to do this and do it well, but they also value their time. They make a choice between investing in us versus investing their own time to build out their plans. We guide them along the way so they can take it and run with it.
Q: What’s the biggest mistake you see financial institutions making?
A: Many people get busy and let a year go by and then updating their plan becomes a big project. It's like anything else in life. If you let it go for too long, it becomes a bigger project.
I encourage everyone to devote a little time to save a lot of time. Even if it’s just 15 minutes once a week, you’ll go a long way to keeping your plan current and have much less to do when it’s time for your annual plan review.