Pub. 14 2019-2020 Issue 1

NEBRASKA BANKERS ASSOCIATION

Introduction

In the steady stream of regulatory guidance that flows through banks today, the FDIC's recently issued Financial Institution Letter 19-2019 creates few ripples. The letter focuses on only a couple of vendor management tasks: business continuity and incident response preparedness. The underlying risks are, for many banks, considered somewhat remote. Perhaps it is that remoteness which explains why bank examiners are observing gaps in bank vendor contracts with regard to vendors' business continuity and incident response obligations. Remote or not, the occurrence of a vendor business continuity event (e.g., a localized disaster) or a vendor information security breach has the capacity, like a building fire, to cause significant harm.

A bank should be able to determine with relative ease whether business continuity or incident response gaps exist in its vendor contracts. Preventing gaps in most new contracts should be relatively straightforward. Addressing gaps in existing contracts may require more effort. Unsurprisingly, FIL-19-2019 itself provides little specific guidance on the exact terms and steps a bank should use to avoid examiner criticism in this area. This article proposes some practical action steps to avoid or minimize the examiner criticisms called out in FIL-19-2019.

Regulatory Requirements and Observed Gaps

Managing third party risk should be nothing new to a bank. Vendor management and vendor management contracting considerations have been topics of regulatory attention for several years. As evidenced by FIL-19-2019, however, the FDIC believes banks still have room for improvement. The two primary areas called out for specific attention are vendor business continuity and incident response obligations.

Business Continuity: The FDIC baseline guidance for business resumption and contingency plans in vendor contracts states:

"The contract should address the third party's responsibility for continuation of services provided for in the contractual arrangement in the event of an operational failure, including both man-made and natural disasters. The third party should have appropriate protections for backing up information and also maintain disaster recovery and contingency plans with sufficiently detailed operating procedures. Results of testing of these plans should be provided to the financial institution." FIL-44-2008.

The FFIEC's Business Continuity IT Examination Booklet has a considerably more extensive discussion on business continuity, and Appendix J in particular contains detail on outsourcing and contract issues. Despite this existing guidance, FIL-19-2019 recites that some banks' "contracts do not require the service provider to maintain a business continuity plan, establish recovery standards, or define contractual remedies if the technology service provider misses a recovery standard."

Incident Response: The FDIC baseline guidance for confidentiality and information security in vendor contracts states:

"The contract should prohibit the third party and its agents from using or disclosing the institution's information, except as necessary to perform the functions designated by the contract. Any nonpublic personal information on the institution's customers must be handled in a manner consistent with the institution's own privacy policy and in accordance with applicable privacy laws and regulations. Any breaches in the security and confidentiality of information, including a potential breach resulting from an unauthorized intrusion, should be required to be fully and promptly disclosed to the financial institution." FIL-44-2008.

The FFIEC's Information Security IT Examination Booklet has a more extensive discussion of incident response generally. Despite this existing guidance, FIL-19-2019 observes that some bank "contracts did not sufficiently detail the technology service provider's security incident responsibilities such as notifying the financial institution, regulators, or law enforcement."

Addressing Contract Gaps on a Going Forward Basis

If a bank is currently entering into new vendor contracts that contain business continuity and incident response gaps, the bank should promptly correct its policies and procedures:

Counselor's Corner, continued on page 18