Pub. 9 2014-2015 Issue 6
www.nebankers.org | Extraordinary Service for Extraordinary Members.

TECH TALK

Vendor Continuity Planning
Alyssa Middleton, CoNetrix

On Feb. 6, the Federal Financial Institutions Examination Council (FFIEC) released an appendix to the Business Continuity Planning Handbook called "Appendix J: Strengthening the Resilience of Outsourced Technology Resources." The appendix addresses four primary areas:

• Third-Party Management
• Third-Party Capacity
• Testing with Third-Party Trusted Service Providers (TSPs)
• Cyber Resilience

I don't know about you, but when I first saw the abstract, I did a double-take to make sure I was in the correct handbook. Was the FFIEC talking about business continuity planning or about third-party oversight? The answer is both. If you have a vendor that "performs or supports critical operations," then your metaphorical wagon is hitched to theirs. If they go over a cliff, you do, too, and your customers may go down with you. In light of recent cyberattacks, this causes great concern among the agencies. Thus, Appendix J was born.

The appendix contains some pretty big bombshells. Here are three that essentially sum up the entire appendix:

"As part of its due diligence, a financial institution should [1] assess the effectiveness of a TSP's business continuity program, with particular emphasis on recovery capabilities and capacity. In addition, an institution should [2] understand the due diligence process the TSP uses for its subcontractors and service providers. Furthermore, the financial institution should [3] review the TSP's BCP program and its alignment with the financial institution's own program, including an evaluation of the TSP's BCP testing strategy and results to ensure they meet the financial institution's requirements and promote resilience."

1. Assess the effectiveness of a TSP's business continuity program (BCP).

The key word here is "effectiveness." What good is a business continuity plan if it isn't going to do something useful? Under the umbrella of vendor oversight, the guidance states three things you must do to help validate the effectiveness of your third party's BCP:

• "Discuss scenarios of significant disruptions."
• "Assess their immediate . . . capacity to absorb, assume, or transfer failed operations."
• "Identify the most plausible range of recovery options and develop business continuity plans."

These three points effectively echo your existing information security program: risk assessment, incident response, and disaster recovery. The new expectation is that you will talk with your vendors about it. Find out what their risk assessment says about malware, data corruption, and cyberattacks. Ask whether their incident response plan lays out where they would go and what systems they would use in the event of a disaster. Most importantly, make sure you know what they'll do to get your services back up and running after a disaster.

2. Understand the due diligence process the TSP uses for its subcontractors and service providers.

Growing up, my parents always told me, "Be very careful who you marry because when you say 'I do,' you marry a family." I recently got engaged and I am just beginning to understand what they meant by that. In-laws can be the most wonderful thing in the world. They also can be the most dreadful. Either way, their actions possess the ability to have a drastic impact on your significant relationships. When your financial institution "marries" a TSP, you get the in-laws. So, it would be wise to know what you're getting into before you say "I do." That is exactly why you need to understand your TSP's due diligence process. You need to be aware of your third party's significant relationships. If your TSP can show that it successfully manages its service providers and isn't going to be completely dependent upon them in the event of an emergency, then you should be able to move forward in a confident and stable relationship.

3. Review the TSP's BCP and its alignment with your financial institution's program.

Now that you know your significant TSP has a risk assessment, business
