Pub. 14 2019-2020 Issue 1

NEBRASKA BANKERS ASSOCIATION 19 For more information, contact Bryan Handlos at Kutak Rock LLP: (402) 346 6000 or Bryan.Handlos@KutakRock. com . Bryan, a member of Kutak Rock LLP’s banking practice group, concentrates on bank regulatory matters. a fair opportunity for an amendment at that time to remediate the deficiency). • Evaluate Opportunities and Leverage for Remediation: For contracts that need remedia- tion, the bank should assess the circumstances of the bank’s current relationship with the vendor and evaluate the prospects for voluntary vendor coopera- tion or the availability of leverage needed to remedy the deficiency. • Approach the Vendor: Use existing contracts rights (if any) and/or a good working relationship with the vendor to seek relevant diligence informa- tion on the vendor’s existing business continuity and incident response policies, procedures, plans and resources. A bank may wish to consider inviting the vendor to proactively assist in resolving any deficiency (e.g., does the vendor have a business continuity or incident response provision it finds acceptable and will offer to the bank?). • Seek an Amendment, If Appropriate: Amend- ing an existing agreement may be an appropriate request, even if the contract is in mid-term. Busi- ness continuity and incident response obligations do not necessarily need to add significant costs to the vendor’s ongoing performance (and thus should not present an excuse to raise prices). Hopefully, an underlying business continuity planning process already exists at the vendor, as does an incident response program. If not, the vendor may be in the wrong business as a service provider to banks. In many cases, vendors may already be subject to state law incident reporting obligations. • Implement Alternative Remediation If Neces- sary: If a gap in an existing contract cannot be filled with an appropriate contractual provision, the FDIC indicates that a bank should take alternative steps such as modifying its own business continuity plan to address contractual uncertainties. This may well be difficult or impractical, depending on the service. Unless the bank is in a long term relationship with exclusivity or minimums, an important vendor with such an unbridged business continuity or incident response gap may need to be replaced. Conclusion Vendors’ business continuity and incident reporting obli- gations are central to a bank’s preparedness when a disaster or information security breach strikes without warning. Such obligations, piled on with other modern vendor management obligations, often feel burdensome to the bankers and vendors who must bear them (and that burden usually feels heavier than an ounce). When a fire strikes though, whether in the form of a vendor business continuity event or a security breach, well-organized business continuity and incident response preparedness will be worth a pound of cure. We can also hope that bankers’ internal vendor management, business continuity and incident response teams will “grow wise in the thing, and know how to command and to execute in the best manner upon every emergency.”  1 https://founders.archives.gov/documents/Franklin/01-02-02-0002. [Original source: The Papers of Benjamin Franklin, vol. 2, January 1, 1735, through December 31, 1744, ed. Leonard W. Labaree. New Haven: Yale University Press, 1961, pp. 12–15.] 2 The letter also: (i) notes that “some contracts do not clearly define key terms used in contractual provisions relating to business continuity and incident response. Undefined and unclear key contract terms could contribute to ambiguity in financial institution rights and service provider responsibilities, and could increase the risk that technology service provider business disruptions or security incidents will impair financial institution operations or compromise customer information”; and (ii) reminds banks of their notification obligations under the Bank Service Company Act. With over three decades of lending experience – and being directly involved in farming himself – Lynn understands the complex challenges, cycles and opportunities your farmers and agribusinesses face each season. Bell is committed to ag lending – and that means a commitment to you and the farmers or agribusinesses you work with. Ag participations with Bell help you give your ag customers greater stability from season to season or increase cash flow to their operations. Call me at 701.298.7138 Lynn Paulson Based in Fargo, N.D., and serving the region Member FDIC 20172 Together, let ’s make it happen. Ready to Talk Farming and Financing? Gene Uher 605.201.1864 Based in Sioux Falls, S.D., serving South Dakota, Nebraska, Minnesota and Iowa 20172 AD Nebraska Bankers Association 2019_Lynn_Gene_V4.indd 1 12/20/18 3:51 PM