Pub. 9 2020 Issue 1

Leading advocate for the banking industry in Kansas

THREE IMPORTANT THINGS TO CONSIDER WHEN REVIEWING VENDORS’ BCPS

By Leticia Saiid, Security+

Do you have outsourced technology services? If so, are you getting a copy of their business continuity plans? More importantly, do you know what you’re looking for when you review them? Due diligence document gathering and review is a critical part of outsourcing. While another company provides the service, your institution still maintains responsibility, and ultimate accountability, to your customers. That’s where due diligence documents come into play.

First, what is an outsourced technology service? It is a service that provides technology solutions for your bank. It doesn’t necessarily include all vendors who use technology to deliver their service to you, but instead those providing solutions to your technology needs. Ask this question to help determine if something is a technology service: “Would the bank be significantly affected if the vendor’s services were temporarily unavailable?” I take “significantly affected” to mean: irreparable damage to the bottom line or customer confidence due to service disruption from any cause. Only if the answer to this question is yes are you likely looking at an outsourced technology service.

Second, where do we find guidance for due diligence regarding these kinds of vendors? The current answer: the FFIEC Business Continuity Management Booklet. The FFIEC released a brand-new version of the booklet in November 2019, previously titled the Business Continuity Planning booklet. For some history, in 2015 the FFIEC released an addition to the BCP Booklet known as Appendix J. This appendix covered the intersection between the BCP Booklet (2008) and the Outsourcing Technology Services Booklet (2005). It discussed what BCP things you needed to know about vendors you are using to outsource technology services.
Now the contents of this appendix, among the other appendices, are fully integrated into the booklet content. There’s your indicator that vendor BCP documentation is important if there ever was one! Guidance expresses three important things about your vendor’s business continuity documentation, which also provides direction on what your focus should be during your vendor review process.

Does the vendor maintain documentation of their business continuity management?

Vendor preparedness is key to your ability to maintain business as expected. Ensure the vendor has official documentation that both exists and is kept up to date. There are several important elements to look for to confirm they will be able to deter and recover from cyber incidents: data backup, data integrity controls, alternate communication providers, a layered anti-malware strategy, a disaster recovery plan, an incident response plan, and prearranged forensic and incident