Navigating the Intersection of Vendor Management and Business Continuity
Michael Berman, J.D.

Table of Contents
- Why are we here?
- Business Continuity and Vendor Management
- Primary Intersection
  - BCP: each component impacts VM
  - VM: each component impacts BCP

Why are we Here? Our Fiduciary Responsibility or Duty
- Highest standard of care to protect:
  - Customers
  - Staff
  - Investors
Why are we Here? Our Fiduciary Responsibility or Duty
- Vendor Management and Business Continuity Planning: FFIEC is crystal clear
- Business Continuity Planning, Appendix J: Strengthening the Resilience of Outsourced Technology Services

What is the Risk?
- Vendor debt collection: OCC settlement ($6 million), American Express Bank
- Failed disaster recovery: settlement ($2.5 million), Deutsche Bank fine for inadequate business continuity and disaster recovery plan
- Security breach: a community bank's third party core processor had a security breach that resulted in fraudulent debit card charges to deposit accounts. The bank had to reimburse customers even though the third party was at fault.
- Various TSP enforcement actions: Jack Henry, FIS, Fundtech Corp., Bserv...

What is Business Continuity Planning?
An ongoing program for your financial institution to:
- Ensure prudent reduction of risks
- Resume key business operations following a disaster, and before unacceptable impacts and losses are incurred
What is a Disaster?
Any disruption of business functions that results in significant:
- Financial impact or loss
- Loss of operational capability

BCP Includes
- Emergency response: get the employees to safety, and stabilize the situation
- Crisis management: manage the organization through the BCP event
- Business operational continuity: strategies/approaches to address interrupted processes, build action plans to accomplish the recovery
- Technology services continuity: strategies and action plans to ensure critical technology will be available following a BCP event
- Mitigating risk: engineering the organization to minimize the impacts of a service disruption

Things Can Go Wrong
- Tornadoes, hurricanes
- Earthquakes
- Floods
- Blizzards
- Wild fires
- Volcanic eruptions
- Fire/explosion
- Hazardous materials
- Sabotage
- Terrorist acts
- Workplace violence
- Civil disorder
- Violent criminal acts
- Major electric power outage
- Telecomm grid/central office outage
- Water/sewage system breakdown
- Major computer processing disruption
- Cyberattacks
Disasters Happen
- FEMA declared 42 disasters in 2015
- Insured losses in the United States in 2015 topped $15.3 billion from natural catastrophes
- Disasters affect both our financial institutions and their key vendors

Regulatory Requirements: Vendor Management Background
- Service providers have been a regulatory issue for 45 years
- Bank Service Company Act of 1961
- Technology outsourcing has been a meaningful part of financial institution audits
- Part of FFIEC IT Rating (URSIT)
- Outsourcing now includes services and solutions beyond information technology (FIL-20-2008)

Regulations
Two primary areas of regulatory guidance for banks:
1) Interagency Guidance (FFIEC)
2) FDIC Guidance, OCC Guidance, and Federal Reserve Guidance
FFIEC, OCC, FDIC, Fed Overlap for Vendor Management
Common topics:
- Risk assessments
- Contract issues
- Due diligence
- Monitoring

Sources:
- OCC Bulletin 2013-29
- Federal Reserve Guidance on Managing Third Party Risk (December 5, 2013)
- FDIC Compliance Manual VII 5.6 (December 2012)
- FFIEC IT Examination Handbook, Outsourcing Technology Services (June 2004)
- FDIC IT Officer's Questionnaire (December 2007)
- Guidance for Managing Third Party Risk (FIL 13-2014)
- Section 501(b) GLBA (ensure security, protect against intrusions, etc.)

Appendix J: Third Party Resiliency
- Third Party Management: due diligence, contracts, monitoring, strategy
- Cyber Resiliency: cyber, TSP resiliency
- Capacity: third party capacity
- Testing: testing with third parties
Cyber Resiliency
- Risks
- Communications
- Simultaneous attack
- Strategy (incident response)

Third Party Capacity
Key items:
- Recovery Time Objective (RTO)
- Recovery Point Objective (RPO)
- Redundant utilities?
- Alternative service providers for the financial institution?
Alternatives:
- Strategy
- Scenarios

Testing with TSP
- Scenario breadth and depth
- Alternative vendors
- Testing end-to-end
- Strategy gaps identified, documented, and a remediation plan
Overlapping Guidance
- Vendor Management
- Business Continuity
- Overlap in BCP / Vendor Management

Overlapping specific items include:
1. Third-party management addresses a financial institution management's responsibility to control the business continuity risks associated with its TSPs and their subcontractors.
2. Is a list of third-party service providers maintained that are required for ongoing operations?
3. Contracts with vendors should address the financial institution's BCP testing requirements for the vendors.

Elements to look for:
- Inconsistent answers
- Leveraging work that is completed
- Do the VM policies and procedures help or hinder BCP?

BCP and VM Flashpoint #1: Incident Response
Potential incidents:
- Data breach incident
- Customer service issue
- Financial issue
Process for resolution:
1) Written plan
2) Execution
3) Monitor
BCP and VM Flashpoint #2: Measuring Impact of Vendor's BCP
Potential issues:
- Third party process is key for BCP
- Customer service if vendor can't deliver
- Measuring effectiveness of vendor's BCP
Process for resolution:
1) Tests that include vendors
2) Backup vendors
3) Alternative internal process

BCP and VM Flashpoint #3: Cybersecurity
Potential issues:
- Third party outage caused by cyber breach
- Delays caused by cyber breach
- Ability to review cybersecurity efforts
Process for resolution:
1) Obtain plans from vendors
2) Scenarios take into account more outages
3) Make the contract require access to data

BCP Major Elements
- Creating a plan: based on infrastructure, applications, key processes
- Analysis: gaps, RTO, RPOs, improvement plans
- Scenarios: documenting threats like fires, floods, acts of terror
- Communication: methods for contacting employees, independent contractors and other identified parties
The Plan
What vendors are vital to the operation:
- Functions (ex: mobile banking)
- Infrastructure (ex: internet access)
- Process (ex: item processing; mortgage processing, etc.)

Scenarios
How are vendors affected by threats:
- Weather (ex: location of vendor)
- Attacks (ex: are there any single points of failure with the vendor?)
- Pandemic (ex: absence of key personnel destroys the vendor's ability to provide service)

Communication
Key questions:
- Does a vendor communicate to employees about the event?
- Does a vendor communicate to clients about the event?
- Are fourth party vendors involved in communicating for a vendor about an event?
Analysis
Measuring results:
- How does the vendor communicate results of the BCP?
- Do the vendor's results meet the expectations of your plan?
- How will improvement of the vendor be measured?

Major Elements of Vendor Management
- Monitoring: has my vendor been acquired, sued, or worse?
- Risk assessment: analyzing the data gathered from vendors
- Gathering data on selected vendors: process?
- Inherent risk classification: is this the coffee vendor or the core processor?
- Contract: defines the relationship between institution and vendor

Leveraging the Contract to Manage the Intersection
Three items to keep in mind:
1) Subcontracting
2) BCP testing
3) Security issues (FFIEC Appendix J)
Subcontracting - Assignment
- Meaning: can the vendor transfer their rights and responsibilities to a third party?
- Issues to look for: if the agreement is silent, then it is assignable. If it is a critical vendor, you may have additional vendors to review because of outsourcing.
- Mitigation: should require notice to and consent of the bank prior to assignment.
- Intersection: use of third parties by a vendor can vastly expand the need for additional business continuity planning and vendor management.

BCP Testing
- Meaning: the disaster recovery plan and test of the plan for the vendor.
- Issues to look for: how often are they required by contract to test their plan? How fast can they be back up and running?
- Mitigation: details should coincide with how critical the vendor is to the bank.
- Intersection: what does the vendor provide? How is effectiveness of the BCP measured? What should be required in the agreement?

Security Issues
- Meaning: how are security incidents handled?
- Issues to look for: how quickly will the financial institution be notified, and by what means? What data will be available to the financial institution?
- Mitigation: need to be notified as soon as possible or practicable. Best practice is to require a root cause analysis and the ability to terminate.
- Intersection: does the security issue stop the service? Is this a disaster? RTO? RPO?
Classifying Vendors
- Inherent risk vs. residual risk
- What does "risk assess my vendor" mean?
- Which vendors for business continuity planning?
- The guidance for BCP uses the term TSP (third party service provider) to refer to vendors that need to have resiliency to allow financial institutions to have adequate BCP initiatives.
- Key practice: may need an additional class of vendors that need BCP but are not otherwise critical vendors.

Gathering Data - BCP
- No data available: now what?
- Can other vendors fill the void and provide a backup?
- Does the vendor have to provide results of BCP testing?
- Are there any single points of failure in the vendor's infrastructure?
- How does the vendor handle the customer data workflow?
- How and when this should be built into agreements with vendors.
- Key issue: any way to mitigate these single points of failure?
- Key issue: any third parties identified?

Risk Assessments
- Scope: defines work. Is BCP part of the audit?
- Exceptions: how corrected? Any BCP exceptions?
- User controls: products utilized. Any BCP user controls?
Ongoing Monitoring for BCP and VM
Annual review for risk assessments of designated vendors:
- SSAE 16s
- Disaster recovery plans / tests
- Incident response plans / tests
- Financials
- Summary of findings and evaluation
Monitoring is more than an annual assessment:
- Litigation
- Vendor sold / acquired
- Data breach
- Regulatory issues
- Financial performance
Flashpoints: incidents, measurements, cyber

Contact Information
(888) 370-5552 ext. 7379
michael.berman@ncontracts.com
www.ncontracts.com