Contracts between financial institutions and technology service providers that cover business continuity and incident response must clearly spell out the rights and responsibilities of each party, the Federal Deposit Insurance Corporation (FDIC) said in a recent advisory. If something goes awry, it's the financial institution that's on the hook, the agency said.
Here’s what the FDIC is talking about (applies to institutions under $1 billion in total assets):
- The FDIC is cautioning financial institutions to write tighter contracts with technology service providers, including managed service providers (MSPs).
- If there are gaps in those deals, the financial institutions may need to make additional arrangements to manage their own business continuity and incident response.
- If contracts between the two don’t clearly spell out each party’s rights and responsibilities, the onus still falls on the financial institution to manage its own business continuity and incident response, as far as the FDIC is concerned. In other words, risk management still belongs to the financial institution, outsourced or not.
“When services are outsourced, a financial institution’s board of directors and senior management are responsible for managing the risks posed by those services as if they were performed within the institution,” the FDIC document reads. “Contracts are a critical tool for documenting agreement between financial institutions and their technology service providers on the levels of service required.”
Here’s what the FDIC found by examining some contracts:
- Some contracts did not require the service provider to maintain a business continuity plan, establish recovery standards, or define contractual remedies if the technology service provider misses a recovery standard.
- Other contracts did not sufficiently detail the technology service provider’s security incident responsibilities, such as notifying the financial institution, regulators, or law enforcement.
- Some contracts did not clearly define key terms used in contractual provisions relating to business continuity and incident response.
Here are the FDIC’s best practices:
- As part of due diligence and ongoing monitoring, ensure that business continuity and incident response risks are adequately addressed in service provider contracts. Long-term contracts and contracts that automatically renew may be at higher risk for coverage gaps.
- When contracts leave gaps in business continuity and incident response, assess any risks and add controls to mitigate them. For example, a financial institution may modify its own business continuity plan to address contractual uncertainties.
Here are some recommended resources:
- The Federal Financial Institutions Examination Council’s IT Examination Handbook provides guidance for business continuity management, information and cyber security, and outsourcing technology services.
- The FDIC’s Guidance for Managing Third-Party Risk provides additional information for managing outsourcing risk including information on contract structure, contract reviews, and service provider oversight.