Pub. 14 2019-2020 Issue 1

WWW.NEBANKERS.ORG 18 • Identify Gaps: The bank should review existing policies, procedures, checklists and templates for new contracts to verify that appropriate business continu- ity and incident response provisions are included. The bank may also wish to consider whether the level of gaps uncovered in any review of existing contracts (see below) indicates the existence of deficiencies that should be addressed in its policies, procedures and templates on a going forward basis. • Start with Diligence: As with most third party risk management issues, diligence is key to business continuity and information security/incident response issues. The bank should verify that its diligence process covers new vendors’ policies, procedures and related controls with regard to business continuity and incident response. Specific concerns coming out of diligence should be shared with the bank’s contracting team for special treatment in the contract if necessary. In some cases, diligence may indicate that business continuity and/or incident response issues do not pose significant risks. • Consider a Standard Template: Consider prepar- ing standard templates for basic business continuity and incident response provisions. Templates can of course be risky if they are used without contemplation of specific circumstances. On the other hand, tem- plates can also provide a standard starting point and minimize the chance that a contract is entirely silent on an important topic. Some banks will build vendor business continuity and incident response obligations into standard templates that they use for privacy and information security generally. • Don’t Forget Related Provisions: Business conti- nuity and incident response issues can implicate other vendor management contract topics. Depending on the circumstances, these may or may not need to be specifically addressed in other contract provisions. For example: ► Audit Rights — audit rights can be an important tool to verify that relevant business continuity and incident response testing occurs and to verify that business continuity and incident response obligations are passed through to subcontractors; ► specific performance Standards and SLAs — contracts should generally include specific recovery time and recovery point objectives for business continuity and should require prompt reporting of security breaches for incident response purposes; ► events of default and termination—a bank ought to con- sider whether these provisions should specify whether failure tomeet business continuity and incident response obligations will trigger specific breach or termination rights and whether cure periods and remedies specifi- cally appropriate to those types of defaults should exist; ► subcontracting — vendor contracts should address the permissibility of subcontracting and vendors should also be obligated to pass their business continuity and incident response obligations on to their subcontrac- tors; and ► foreign service provider issues — banks should evalu- ate the special impacts of offshore activities on busi- ness continuity and incident response obligations, including the potential impacts of other jurisdictions’ laws and the need for the vendor, even though offshore, to comply with U.S. law. • Conduct OngoingMonitoring: Similar to diligence, ongoing monitoring is a key element of third party risk management. Contract provisions may be worth only the paper they are written on if the vendor does not live up to its commitments. Monitoring is critical to actuallymanaging risks. Business continuity plans may evolve over time and require ongoing testing. Incident response programs are of course critically dependent on incident identification which will rely upon systems that are updated from time to time and subject to periodic testing. Without monitoring, a bank may be in for a nasty surprise about a vendor’s actual preparedness despite having a tidy contract provision to point to. • Consider Backstops: Bankers should evaluate what contingency plans the bank can make and implement, if any, against the possibility that a vendor will fail to fulfill its business continuity and incident response obligations. If such plans require any resources or as- sistance from the vendor, include those requirements in the contract. Addressing Contract Gaps on Existing (Deficient) Contracts If deficiencies exist in the bank’s existing contracts, the bank should take steps to remedy those deficiencies if possible: • Identify Gaps: The bank should review its existing contracts (or at least some prioritized subset of them) and note the absence of appropriate business continuity and incident reporting provisions. • Consider Current Standards: In reviewing exist- ing contracts, evaluate how the contract would have been prepared according to current contracting poli- cies, procedures, checklists and templates (assuming those current standards are adequate). • PrioritizeWhat to Remediate: If many potentially deficient contracts are identified, prioritize remedia- tion based on criticality and length of the remaining contract terms (long term contracts may present higher risk; those coming up for renewal shortly may present Counselor’s Corner — continued from page 17