Navigating the Intersection of Vendor Management and Business Continuity

Michael Berman, J.D.

Table of Contents
- Why are we here?
- Business Continuity and Vendor Management: the primary intersection
- BCP: each component impacts VM
- VM: each component impacts BCP

Why are we Here? Our Fiduciary Responsibility or Duty
Highest standard of care to protect:
- Customers
- Staff
- Investors

Why are we Here? Our Fiduciary Responsibility or Duty
Vendor Management and Business Continuity Planning: the FFIEC is crystal clear.
- Business Continuity Planning booklet, Appendix J: Strengthening the Resilience of Outsourced Technology Services

What is the Risk?
- Vendor debt collection: OCC settlement ($6 million), American Express Bank
- Failed disaster recovery: settlement ($2.5 million), Deutsche Bank, fined for an inadequate business continuity and disaster recovery plan
- Security breach: a community bank's third-party core processor had a security breach that resulted in fraudulent debit card charges to deposit accounts. The bank had to reimburse customers even though the third party was at fault.
- Various TSP enforcement actions: Jack Henry, FIS, Fundtech Corp., Bserv...

What is Business Continuity Planning?
An ongoing program for your financial institution to:
- Ensure prudent reduction of risks
- Resume key business operations following a disaster, and before unacceptable impacts and losses are incurred

What is a Disaster?
Any disruption of business functions that results in significant:
- Financial impact or loss
- Loss of operational capability

BCP Includes
- Emergency response: get the employees to safety and stabilize the situation
- Crisis management: manage the organization through the BCP event
- Business operational continuity: strategies and approaches to address interrupted processes; build action plans to accomplish the recovery
- Technology services continuity: strategies and action plans to ensure critical technology will be available following a BCP event
- Mitigating risk: engineering the organization to minimize the impacts of a service disruption

Things Can Go Wrong
- Tornadoes, hurricanes
- Earthquakes
- Floods
- Blizzards
- Wildfires
- Volcanic eruptions
- Fire/explosion
- Hazardous materials
- Sabotage
- Terrorist acts
- Workplace violence
- Civil disorder
- Violent criminal acts
- Major electric power outage
- Telecom grid / central office (CO) outage
- Water/sewage system breakdown
- Major computer processing disruption
- Cyberattacks

Disasters Happen
- FEMA declared 42 disasters in 2015
- Insured losses in the United States in 2015 topped $15.3 billion from natural catastrophes
- Disasters affect both our financial institutions and their key vendors

Regulatory Requirements: Vendor Management Background
- Service providers have been a regulatory issue for more than 50 years: Bank Service Company Act of 1962
- Technology outsourcing has been a meaningful part of financial institution audits; it is part of the FFIEC IT rating (URSIT)
- Outsourcing now includes services and solutions beyond information technology (FIL-20-2008)

Regulations
Two primary areas of regulatory guidance for banks:
1) Interagency guidance (FFIEC)
2) FDIC guidance, OCC guidance, and Federal Reserve guidance

FFIEC, OCC, FDIC, Fed: Overlap for Vendor Management
The guidance overlaps on four areas:
- Risk assessments
- Contract issues
- Due diligence
- Monitoring

Sources:
- OCC Bulletin 2013-29
- Federal Reserve Guidance on Managing Third Party Risk (December 5, 2013)
- FDIC Compliance Manual VII-5.6 (December 2012)
- FFIEC IT Examination Handbook, Outsourcing Technology Services (June 2004)
- FDIC IT Officer's Questionnaire (December 2007)
- Guidance for Managing Third Party Risk (FIL-13-2014)
- GLBA Section 501(b) (ensure security, protect against intrusions, etc.)

Appendix J: Third Party Resiliency
Four elements of TSP resiliency:
- Third Party Management: due diligence, contracts, monitoring, strategy
- Cyber Resiliency
- Third Party Capacity
- Testing with Third Parties

Cyber Resiliency
- Risks
- Communications
- Simultaneous attack
- Strategy (incident response)

Third Party Capacity
Key items:
- Recovery Time Objective (RTO)
- Recovery Point Objective (RPO)
- Redundant utilities?
- Alternative service providers for the financial institution?
- Alternatives strategy
- Scenarios

Testing with TSP
- Scenarios: breadth and depth
- Alternative vendors
- Testing end-to-end
- Strategy gaps identified and documented, with a remediation plan

Overlapping Guidance: Vendor Management and Business Continuity
Overlapping specific items include:
1. Third-party management addresses a financial institution management's responsibility to control the business continuity risks associated with its TSPs and their subcontractors.
2. Is a list of third-party service providers maintained that are required for ongoing operations?
3. Contracts with vendors should address the financial institution's BCP testing requirements for the vendors.

Elements to look for:
- Inconsistent answers
- Leveraging work that is already completed
- Do the VM policies and procedures help or hinder BCP?

BCP and VM Flashpoint #1: Incident Response
Potential incidents:
- Data breach incident
- Customer service issue
- Financial issue
Process for resolution:
1) Written plan
2) Execution
3) Monitor

BCP and VM Flashpoint #2: Measuring the Impact of Vendors' BCP
Potential issues:
- A third-party process is key for BCP
- Customer service if the vendor can't deliver
- Measuring the effectiveness of the vendor's BCP
Process for resolution:
1) Tests that include vendors
2) Backup vendors
3) Alternative internal process

BCP and VM Flashpoint #3: Cybersecurity
Potential issues:
- Third-party outage caused by a cyber breach
- Delays caused by a cyber breach
- Ability to review the vendor's cybersecurity efforts
Process for resolution:
1) Obtain plans from vendors
2) Scenarios that take more outages into account
3) Make the contract require access to data

BCP Major Elements
- Creating a plan: based on infrastructure, applications, key processes
- Analysis: gaps, RTOs, RPOs, improvement plans
- Scenarios: documenting threats like fires, floods, acts of terror
- Communication: methods for contacting employees, independent contractors and other identified parties

The Plan
What vendors are vital to the operation?
- Functions (ex: mobile banking)
- Infrastructure (ex: internet access)
- Process (ex: item processing, mortgage processing, etc.)

Scenarios
How are vendors affected by threats?
- Weather (ex: location of the vendor)
- Attacks (ex: are there any single points of failure with the vendor?)
- Pandemic (ex: absence of key personnel destroys the vendor's ability to provide service)

Communication
Key questions:
- Does the vendor communicate to employees about the event?
- Does the vendor communicate to clients about the event?
- Are fourth-party vendors involved in communicating for a vendor about an event?

Analysis
Measuring results:
- How does the vendor communicate the results of its BCP?
- Do the vendor's results meet the expectations of your plan?
- How will improvement of the vendor be measured?

Major Elements of Vendor Management
- Monitoring: has my vendor been acquired, sued, or worse?
- Risk assessment: analyzing the data gathered from vendors
- Gathering data on selected vendors: what is the process?
- Inherent risk classification: is this the coffee vendor or the core processor?
- Contract: defines the relationship between the institution and the vendor

Leveraging the Contract to Manage the Intersection
Three items to keep in mind:
1) Subcontracting
2) BCP testing
3) Security issues (FFIEC Appendix J)

Subcontracting - Assignment
- Meaning: can the vendor transfer its rights and responsibilities to a third party?
- Issues to look for: if the agreement is silent, the contract is assignable. If this is a critical vendor, you may have additional vendors to review because of its outsourcing.
- Mitigation: the agreement should require notice to, and consent of, the bank prior to assignment.
- Intersection: use of third parties by the vendor can vastly expand the need for additional business continuity planning and vendor management.

BCP Testing
- Meaning: the vendor's disaster recovery plan and the testing of that plan.
- Issues to look for: how often are they required by contract to test their plan? How fast can they be back up and running?
- Mitigation: the details should coincide with how critical the vendor is to the bank.
- Intersection: what does the vendor provide? How is the effectiveness of its BCP measured? What should be required in the agreement?

Security Issues
- Meaning: how are security incidents handled?
- Issues to look for: how quickly will the financial institution be notified, and by what means? What data will be available to the financial institution?
- Mitigation: the institution needs to be notified as soon as possible or practicable. Best practice is to require a root cause analysis and the ability to terminate.
- Intersection: does the security issue stop the service? Is this a disaster? What are the RTO and RPO?

Classifying Vendors
- Inherent risk vs. residual risk
- What does "risk assess my vendor" mean?
- Which vendors matter for business continuity planning? The guidance for BCP uses the term TSP (third-party service provider) to refer to vendors that need to have resiliency in order for financial institutions to have adequate BCP initiatives.
- Key practice: you may need an additional class of vendors that need BCP review but are not otherwise critical vendors.

Gathering Data - BCP
- No data available: now what?
- Can other vendors fill the void and provide a backup?
- Does the vendor have to provide the results of its BCP testing?
- Are there any single points of failure in the vendor's infrastructure?
- How does the vendor handle the customer data workflow?
- How and when such data must be provided should be built into the agreements with vendors.
- Key issue: is there any way to mitigate these single points of failure?
- Key issue: have any third parties used by the vendor been identified?

Risk Assessments
- Scope: defines the work. Is BCP part of the audit?
- Exceptions: how were they corrected? Any BCP exceptions?
- User controls: products utilized. Any BCP user controls?
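The RTO/RPO, single-point-of-failure, fourth-party and contract points from the Third Party Capacity, contract and Gathering Data slides above can be run mechanically over a vendor inventory. The following is an added example written for this page; it is not the presenter's tool or an nContracts product. The record layout, field names, the sample vendors and the 24-hour breach notice threshold are assumptions made for illustration; only the checks themselves come from the slides. The effective-RTO rule is also an assumption: a vendor is treated as not recovered until every subcontractor it depends on is recovered.

```python
"""Vendor / BCP gap analysis over a constructed inventory (added example, not the
presenter's tool). Record layout, field names, sample vendors and the 24h notice
threshold are assumptions; the checks follow the slides."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

@dataclass
class Vendor:
    name: str
    rto_hours: float                                  # vendor's committed RTO
    rpo_hours: float                                  # vendor's committed RPO
    subcontractors: List[str] = field(default_factory=list)  # fourth parties
    assignment_needs_consent: Optional[bool] = None   # None: contract is silent
    bcp_test_interval_months: Optional[int] = None    # None: testing not required
    breach_notice_hours: Optional[int] = None         # None: not specified
    shares_bcp_test_results: bool = False

@dataclass
class Process:
    name: str
    rto_hours: float          # institution's own RTO for the process (from the BIA)
    rpo_hours: float
    primary: str              # vendor delivering the process today
    backups: List[str] = field(default_factory=list)  # vendors able to substitute

def chain(vendor: str, inv: Dict[str, Vendor], seen: Optional[Set[str]] = None) -> Set[str]:
    """The vendor plus every fourth party it pulls in, transitively (cycle-safe)."""
    seen = set() if seen is None else seen
    if vendor not in seen:
        seen.add(vendor)
        for sub in (inv[vendor].subcontractors if vendor in inv else []):
            chain(sub, inv, seen)
    return seen

def effective_rto(vendor: str, inv: Dict[str, Vendor], path: tuple = ()) -> Optional[float]:
    """Worst RTO along the chain (assumed rule: a vendor is not back until its
    subcontractors are). None means some link has no recorded commitment."""
    if vendor not in inv or vendor in path:
        return None
    worst = inv[vendor].rto_hours
    for sub in inv[vendor].subcontractors:
        sub_rto = effective_rto(sub, inv, path + (vendor,))
        if sub_rto is None:
            return None
        worst = max(worst, sub_rto)
    return worst

def contract_gaps(v: Vendor, notice_limit_hours: int) -> List[str]:
    """Clauses the deck says to look for in a direct vendor's agreement."""
    gaps = []
    if v.assignment_needs_consent is None:
        gaps.append(f"{v.name}: silent on assignment, so assignable without consent")
    if v.bcp_test_interval_months is None or not v.shares_bcp_test_results:
        gaps.append(f"{v.name}: no contractual BCP test frequency or results not shared")
    if v.breach_notice_hours is None or v.breach_notice_hours > notice_limit_hours:
        gaps.append(f"{v.name}: breach notice missing or slower than {notice_limit_hours}h")
    return gaps

def analyze(processes: List[Process], inv: Dict[str, Vendor], notice_limit_hours: int = 24) -> dict:
    findings, direct, scope = {}, set(), set()
    for p in processes:
        notes: List[str] = []
        candidates = [p.primary] + p.backups
        direct.update(candidates)
        for name in candidates:                       # 1. capacity vs. the BIA; 3. contract terms
            scope |= chain(name, inv)
            rto = effective_rto(name, inv)
            if rto is None:
                notes.append(f"{name}: RTO unknown somewhere in its chain")
            elif rto > p.rto_hours:
                notes.append(f"{name}: effective RTO {rto:g}h exceeds process RTO {p.rto_hours:g}h")
            if name in inv and inv[name].rpo_hours > p.rpo_hours:
                notes.append(f"{name}: RPO {inv[name].rpo_hours:g}h exceeds process RPO {p.rpo_hours:g}h")
            if name in inv:                           # only vendors the institution contracts with
                notes.extend(contract_gaps(inv[name], notice_limit_hours))
        spof = chain(p.primary, inv)                  # 2. nodes shared by the primary and every backup
        for b in p.backups:
            spof &= chain(b, inv)
        for node in sorted(spof):
            notes.append(f"single point of failure: {node}" + ("" if p.backups else " (no backup vendor)"))
        findings[p.name] = notes
    # In scope but not a direct vendor: fourth parties that still need BCP attention,
    # the "additional class" of vendors from the slide above.
    return {"findings": findings, "bcp_scope": sorted(scope), "fourth_parties": sorted(scope - direct)}

# Constructed inventory; vendor names and figures are invented for the example.
INVENTORY = {v.name: v for v in [
    Vendor("CoreProcessor", 4, 1, ["DataCenterCo"], True, 12, 24, True),
    Vendor("BackupItemCo", 12, 2, ["DataCenterCo"], True, 12, 24, True),
    Vendor("DataCenterCo", 8, 0.5, ["TelcoNet"]),      # fourth party with a known RTO
    Vendor("TelcoNet", 2, 0),                            # fourth party with a known RTO
    Vendor("MobileBankingCo", 24, 4, ["CloudHostCo"], None, None, 72, False),
    # "CloudHostCo" is deliberately absent: a fourth party nobody has data on.
]}
PROCESSES = [
    Process("item processing", 6, 1, "CoreProcessor", ["BackupItemCo"]),
    Process("mobile banking", 24, 4, "MobileBankingCo"),
]

if __name__ == "__main__":
    print(analyze(PROCESSES, INVENTORY))
```

Two things the sample is built to show: the core processor's own 4-hour RTO looks fine against a 6-hour process RTO, but its data center subcontractor drags the effective RTO to 8 hours, and the backup vendor shares that same data center and telecom provider, so both survive as single points of failure despite the backup. The mobile banking vendor is flagged for an unknown fourth party, a contract silent on assignment, no BCP testing clause and a 72-hour breach notice, which is exactly the set of contract items the slides above say to negotiate.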

Ongoing Monitoring for BCP and VM
Annual review for risk assessments of designated vendors:
- SSAE 16 reports
- Disaster recovery plans / tests
- Incident response plans / tests
- Financials
- Summary of findings and evaluation

Monitoring is more than an annual assessment:
- Litigation
- Vendor sold / acquired
- Data breach
- Regulatory issues
- Financial performance
- Flashpoints: incidents, measurements, cyber

Contact Information
(888) 370-5552 ext. 7379
michael.berman@ncontracts.com
www.ncontracts.com