On April 2, 12019 the FDIC published FIL-19-2019, which shares observations about gaps in financial institutions’ contracts with technology service providers that may require financial institutions to take additional steps to manage their own business continuity and incident response. The FIL reminded agency-supervised financial institutions that:
- Their boards of directors and senior management are responsible for managing risks related to relationships with technology service providers.
- Effective contracts are an important risk management tool for overseeing technology service provider risks, including business continuity and incident response.
- Recent FDIC examination findings noted that some financial institution contracts with technology service providers lack sufficient detail regarding the contract parties’ respective rights and responsibilities for business continuity and incident response.
- When contracts do not adequately address such risks, financial institutions remain responsible for assessing those risks and implementing appropriate mitigating controls.
- Financial institutions have a responsibility under Section 7 of the Bank Service Company Act to notify their FDIC regional office of contracts or relationships with technology service providers that provide certain services to the institution.
FDIC examiners have noted that some contracts do not require the service provider to maintain a business continuity plan, establish recovery standards, or define contractual remedies if the technology service provider misses a recovery standard. Other contracts did not sufficiently detail the technology service provider’s security incident responsibilities such as notifying the financial institution, regulators, or law enforcement. Also, some contracts do not clearly define key terms used in contractual provisions relating to business continuity and incident response. Undefined and unclear key contract terms could contribute to ambiguity in financial institution rights and service provider responsibilities, and could increase the risk that technology service provider business disruptions or security incidents will impair financial institution operations or compromise customer information.
The FIL includes links to several resources that institutions can use to guide them in managing their technology service provider agreements.
A copy of FIL-19-2019 is available here.