New BCP Guidance from the FFIEC
In addition to the existing 2008 Handbook on Business Continuity Planning (BCP), the FFIEC has just issued a 16-page addendum offering new BCP guidance. The addendum is aptly titled “Strengthening the Resilience of Outsourced Technology Services”.
It starts by emphasizing that outsourced relationships with third-party service providers (TSPs) are an efficient way for banks and other financial institutions to carry out important functions, but that the Board must continue to watch over those relationships.
The addendum then focuses on 4 points of resiliency:
- Managing the continuity risks of critical third-party relationships
- Understanding the concentration risk when a third-party provides you with multiple services
- Validating BCPs with testing
- Confirming that your BCP can deal with a disruption caused by a cyber-event
Third-party relationship management begins in the due-diligence phase, long before engaging with the provider. At this point, financial institutions should do a comprehensive review of the effectiveness of a vendor’s BCP and of the oversight process the vendor has in place for managing its subcontractors.
Once a decision has been made to engage with the service provider, a contract is naturally the best way to set out the accountabilities on each side. Business continuity requirements will change over time, which calls for consistent monitoring of this critical aspect of the management life-cycle.
The BCP guidance also requires institutions to think about the need to replace an important provider that may no longer be able to fulfill its obligations. This could happen gradually, but the institution must be ready to minimize any negative impact the declining service may have on its ability to meet its internal recovery time objectives independently of the failed service provider. It's best to have a plan in place for switching to a new service provider, or for moving all of the operations in-house, quickly and efficiently.
Lastly, the guidance addresses the importance of responding to a cyber-event. Since the cyber landscape continues to evolve, updating incident response plans is essential to maintaining resiliency and, in some cases, regulatory compliance.