The Federal Financial Institutions Examination Council (FFIEC) has released a new appendix to the “Business Continuity Planning” booklet of the FFIEC Information Technology Examination Handbook containing guidance that is intended to align financial institutions’ oversight of the business continuity planning (BCP) activities of their third-party technology service providers (TSPs) with guidance regarding third-party service providers from the financial institutions’ regulators, such as OCC Bulletin 2013-29, “Third-Party Relationships: Risk Management Guidance.”
The appendix focuses on four specific areas designed to ensure that financial institutions are able to quickly recover critical outsourced services and functions:
1) Third Party Management
Financial institution management’s responsibility to control risks associated with outsourced activities focused on:
- Due diligence of the TSP’s BCP program, with a focus on recovery capability and capacity. The financial institution should investigate how the TSP conducts due diligence of its own service providers and review the TSP’s BCP program for alignment with the financial institution’s own BCP program.
- Including key terms in contracts with TSPs that allow the financial institution to monitor and control risks related to a TSP’s resilience, including the following:
- Audit rights related to TSP’s recovery capabilities and BCP testing.
- Service level agreements for the services provided as well as clear recovery time objectives for BCP.
- Clearly defining BCP related default and termination rights.
- Responsibility for TSP’s own subcontractors and service providers.
- Ensure foreign TSPs adhere to US regulatory standards.
- Ability of financial institution to participate in BCP testing, required frequency of testing, and right to review test results.
- Address data rights during and after term of agreement.
- Ability to request information regarding TSP’s response to new regulatory guidance and developments.
- Responsibilities for incident response in connection with security breach.
- Ongoing monitoring and assessments of TSP’s security and BCP activities.
2) Third Party Capacity
As certain TSPs provide services for a large number of entities (including other financial institutions), each financial institution must ensure that the TSP has sufficient capacity to meet the BCP needs and objectives of the financial institution. This is particularly important with respect to critical outsourced activities that cannot be quickly transitioned to another TSP or internalized. Financial institutions should have contingency plans focused on alternate TSPs or in-house arrangements in the event that an existing TSP cannot continue providing services. Financial institutions should ensure that they have assessed all threats that have a high likelihood of occurring or which would have a high impact, identified a comprehensive set of alternate resources for these scenarios, and discussed these scenarios with their TSPs.
Financial institutions should ensure that they are an active participant in their TSPs’ BCP testing programs. Due to certain TSPs providing services for a large number of entities, financial institutions should take steps to ensure their participation as frequently as possible. If the TSP is providing critical services, BCP testing should be conducted with reasonable frequency (annual or more frequent testing is required for critical services) and the scope of such testing should be commensurate with the services being performed. Testing should focus on:
- Responses to plausible and realistic scenarios of threats that the BCP is intended to address. Testing should demonstrate the ability to failover to a secondary site as well as the ability to restore normal operations in a timely manner. Scenarios should address outages and disruptions occurring at the TSP-level, at the financial institution-level, and those affecting both parties.
- The ability to respond to complex threats affecting more than one system or application or one or more parties. Testing should be comprehensive from the start of the disruption or outage until resumption of normal operations.
4) Cyber Resilience
Financial institutions and their TSPs should ensure that their BCP activities address the following risks:
- Malware – controlled through layered anti-malware strategy and controlled access to computers and mobile devices.
- Insider threats – can be mitigated by employee screening, dual controls, and segregation of duties.
- Data or systems destruction or corruption – mitigated through backup data, separation of computers, systems, and networks, and cloud-based disaster recovery services.
- Communications infrastructure disruption – risks should be controlled by planning for alternate communications infrastructure in the event of disruption to single communications provider or widespread communications disruption.
- Simultaneous attack on financial institutions and TSPs – should be addressed in planning and testing of BCP.