A Primer on the Federal Financial Institutions Examination Council’s IT Examination Handbook

Given the recent glut of cybersecurity attacks making headlines, outsourcing technology services can be a risky proposition for credit unions. A data security and risk management expert weighs in with some best practices on how to mitigate such risk.

Throughout 2014, cybersecurity has been at the forefront of national headlines as well as on the radar of the Consumer Financial Protection Bureau (CFPB). Together with the National Credit Union Administration (NCUA) and other regulatory agencies such as the Federal Deposit Insurance Corporation (FDIC) and the Office of the Comptroller of the Currency (OCC), the CFPB has sought to raise financial institutions’ awareness about the importance of vigilance in cybersecurity. On June 24, 2014, the Federal Financial Institutions Examination Council (FFIEC) launched a website that consolidated a number of existing resources addressing cybersecurity risks. In addition to highlighting cybersecurity risks, the site is intended to create a repository of prior FFIEC cybersecurity documents and guidance issued over the last 10 years on such matters.

While the FFIEC has published guidance for financial institutions over the course of the last 25 years, in the summer of 2014 the FFIEC members piloted a cybersecurity examination work program (Cybersecurity Assessment) for the first time. Initiated at more than 500 community financial institutions, the purpose of this program is to evaluate such institutions’ preparedness to mitigate cyber risks. When reviewing cybersecurity risks, a major consideration for credit unions is managing outsourced technology relationships in accordance with the guidance provided by the FFIEC. In short, credit unions are wise to dust off the published guidance and take stock of their risk tolerances in the face of unprecedented cybersecurity risk.
CREDIT UNION BUSINESS | FEBRUARY 2015 | CUBUSINESS.COM

Below is a summary of the guidance provided by the FFIEC for outsourcing technology services. An outline of some of the guidance provided by the FFIEC with respect to credit unions’ responsibility for managing third-party service providers is also provided.

Introduction

As financial service offerings have evolved over the past several years through technological advances, credit unions increasingly have been able to provide consumers with new products and services. With the exponential increase in the availability of outsourced service providers, financial institutions have more frequently elected to outsource operations for these new products. This includes utilizing outsourced vendors to gain operational efficiencies, directing resources to core operations rather than to technology development or support, gaining technical advantages through the utilization of specific technical expertise otherwise not available through traditional means, and increasing the availability of products and services demanded by the marketplace.

A careful review of the “Outsourcing Technology Services Information Technology Examination Handbook” and a corresponding gap assessment is an important consideration because credit unions are increasingly vulnerable to cyber attacks. Given their direct involvement in the selection of third-party service providers, this is one area where credit unions can exercise some direct control of the risk.
Governance

The FFIEC has been clear that proper oversight of the outsourced relationship is owned by the financial institution’s board of directors and members of senior management. Given IT’s relationship to the overall health of the organization, technology outsourcing has evolved into an enterprise risk rather than just a technology risk. The guidance further provides that institutions should carefully and methodically create a compliance infrastructure that can be effectively utilized to sustain an “end-to-end perspective.” This aim can be achieved by establishing service requirements and procurement strategies, conducting due diligence on the provider, negotiating the agreement, and monitoring, changing and terminating the relationship.

Determining the Risk

The risk of data loss is present whether the credit union chooses to outsource technology services or maintains those data assets internally. Establishing a process to identify, measure, monitor and control risk is a crucial element in establishing a defensible program of risk evaluation. Every outsourced relationship is unique, and there may be varying degrees of complexity associated with not only each vendor relationship but also the specific needs of the credit union.
The guidance indicates that the “time and resources devoted to managing the outsourcing relationship should be based upon the risk the relationship presents to the institution.” The FFIEC provides guidance on establishing an effective risk management process by suggesting six key factors:

• Establishing senior management and board awareness of the risk associated with outsourcing agreements in order to ensure effective risk management practices;
• Ensuring that an outsourcing arrangement is prudent from a risk perspective and consistent with the business objectives of the institution;
• Systematically assessing needs while establishing risk-based requirements;
• Implementing effective controls to address identified risks;
• Performing ongoing monitoring to identify and evaluate changes in risks from the initial assessment; and
• Documenting procedures, roles and responsibilities, and reporting mechanisms.

The risk assessment process is further broken down into a focus on four distinct areas:

• Defining the risk assessment and the requirements definition process;
• Conducting due diligence in the selection of a service provider;
• Negotiating the agreement; and
• Ongoing monitoring.

Risk Assessment Process and Determining the Nature of the Risk

Management must first assess the risk of outsourcing and involve the various stakeholders in setting risk tolerances in order to adopt written policies and controls governing the outsourcing process. Such adoption should serve as the primary guidance for the continued management of the vendor engagement and contracting process. Once the risk is properly assessed, the credit union must determine the quantity of risk. Some of these risks include the sensitivity of data accessed, protected or controlled by the service provider, the volume of transactions and how critical this information is to the credit union’s business.
Additionally, management must consider the risks pertaining to the service provider, such as the strength of its financial condition, the likely turnover of management, the ability to maintain business continuity, the ability to provide accurate and relevant data, experience in outsourcing and location if cross-border data transfers are contemplated. The risk pertaining to technology also must be considered, including whether the technology used is reliable, is secure and can be adequately scaled as the credit union grows in size.

Defining the Risk

The FFIEC recommends that a detailed document be created to outline the credit union’s expectations relative to the outsourced service. The guidance provides a high-level description of the nature of the components for a basic requirements document, including:

• Describing the scope and nature of the outsourced service required;
• Describing the desired services;
• Describing the desired technology;
• Establishing the nature of customer support provided to the credit union for the service provided;
• Establishing the standards and service-level expectations;
• Determining the ability to perform the service;
• Establishing the minimum acceptable service provider characteristics, such as industry experience, management experience, technology and system architecture, process controls, and financial condition and reputation, including references;
• Setting a process for monitoring and reporting;
• Setting transition requirements for data migration;
• Establishing contract duration, termination and assessment; and
• Establishing contractual protections against liability.

Selection of the Service Provider

The credit union must conduct due diligence on the service provider by evaluating the corporate history, qualifications and background of the company’s principals. This should include background checks and evaluation of references.
Additionally, the credit union should consider conducting an assessment of the service provider’s financial status. This should include a review of the audited financials, an understanding of the internal control environment, security history and audit coverage, an inquiry into whether there have been any legal or regulatory compliance complaints, and an understanding of the scope and nature of insurance coverage. Again, the depth and formality of the due diligence may vary according to the risk of the outsourced relationship, the institution’s familiarity with the respective service provider and the stage of the provider selection process.

Negotiating the Service Provider Agreement and Outlining Potential Contractual Issues

In advance of signing the contract, management should ensure the contract does the following things:

• Clearly defines the rights and responsibilities of the parties;
• Contains adequate and measurable service levels;
• Ensures that contracts with affiliates contain appropriate provisions for arm’s-length relationships and that cost and services are at least as favorable to the credit union as those available from a non-affiliated provider;
• Ensures the contract does not contain provisions or inducements that may have an adverse effect on the institution;
• Engages legal counsel to review the agreement; and
• Determines if foreign-based, third-party service providers require specific compliance provisions.
Some of the key contract provisions that need to be negotiated include:

• Performance standards under the agreement;
• Security and confidentiality of the credit union’s resources;
• Controls that address compliance, records management and access to the credit union’s data;
• Notification requirements for material changes to services, systems, controls, key personnel and service locations;
• Provisions outlining audit rights, specifying frequency and responsibility for expenses related to such audits;
• The frequency and type of reporting the credit union will receive with respect to performance, control audits, security and financial statements;
• Business continuity and disaster recovery requirements;
• Accountability for third-party subcontractors, establishing primary responsibility for the services as outlined in the agreement with the primary service provider;
• Provisions specifically addressing the duration of the agreement and renewals;
• Dispute resolution;
• Indemnification;
• Limitation on liability;
• Termination;
• Assignment;
• Provisions to address unique risks presented by use of foreign-based service providers; and
• Provisions to ensure regulatory compliance and language that requires the service provider to provide accurate and timely information to the appropriate regulatory agencies based upon the type and nature of the services being provided to the credit union.

Ongoing Monitoring of the Relationship

Finally, the credit union must ensure regular monitoring of performance by the service provider and also monitor potential changes in institutional requirements through the life of the agreement.
The FFIEC suggests that monitoring be accomplished in the following ways:

• Negotiating key service level agreements (SLAs) along with maintaining a formal policy that establishes the SLA requirements;
• Considering the establishment of recourse for nonperformance by the service provider;
• Establishing an escalation process and a dispute resolution process;
• Conducting regular reviews of the financial condition of the service provider; and
• Determining whether regular reporting of audit results and other internal control reviews is practical and available.

Conclusion

Outsourcing technology services requires careful planning from a risk management perspective, thoughtful due diligence and consistent monitoring of the service provider. The FFIEC has provided guidance to financial institutions regarding these matters for many years, but given the recent cybersecurity threats to credit unions, managing outsourced service providers should be the subject of serious attention by boards of directors and senior management. Fortunately, the FFIEC has provided detailed guidance in these areas, and credit unions only need to review this guidance to manage the risk that is potentially created by outsourcing technology services. If credit unions can create an infrastructure that incorporates these recommended best practices, they may exercise some measure of assurance and control over cybersecurity risk.

David Katz is a partner with Nelson Mullins Riley & Scarborough LLP (Atlanta, Ga.). His practice focuses on regulatory compliance, consumer privacy and data security compliance, information governance, ethics, corporate governance and enterprise risk management. He may be reached at (404) 322-6122 or by email at david.katz@nelsonmullins.com. You may also follow him on Twitter @KatzFDavid.