Regulator Concerns Over Vendor Business Continuity
/This week, the FDIC issued a Financial Institution Letter (FIL-19-2019) highlighting examiner observations that some technology outsourced vendor contracts do not provide for acceptable business continuity and/or incident response plans. This poses both vendor contract issues and disaster avoidance risks for banks. Loss of outsourced critical vendor services without the means of mitigating the down time is certain to bring about reputation risks and possibly financial and regulatory risks as a vendor unprepared for business interruption could cause disruption in bank services.
With decades of hands-on and consulting experience, Sentinel Project Management is perfectly positioned to assist banks in vendor contract negotiations. We are also skilled in developing, testing and strengthening business continuity and incident response plans for both banks and technology vendors. Here are some of our recommendations.
Perform an enhanced risk assessment for Type 1 and Type 2 critical vendors:
Determine the risks to the bank and its customers if loss of service occurs and the vendor cannot restore service within an acceptable time frame.
Determine who is responsible for acceptable risk mitigation activities or backup systems.
If the bank accepts the risks, include the internal mitigation costs in the budget.
Accepting the risks should also be part of the bank’s long term strategic plan.
Nail down vendor business continuity and incident response requirements in the vendor contract:
Require adequate business continuity planning (BCP) and annual testing.
Require the vendor to conduct a detailed desktop test of their BCP with members of the bank’s management participating; test results should be a condition of contract acceptance.
Include a statement in the contract that regulators will be allowed to audit the vendor BCP and incident response.
Require annual reviews of the vendor BCP and incident response programs to be conducted by qualified third parties or bank regulators with contractual ability to terminate the contract if the programs do not adequately protect the bank from unnecessary risks.
Align the bank’s BCP to work in concert with the vendor BCP:
Determine how quickly the vendor will be able to restore its operations and plan to continue delivering services without vendor support.
Join the vendor’s user group (or form one) comprised of other customer banks and the vendor’s management to plan for business disruption response and determine the resources available.