Pub. 9 2020 Issue 1

January/February 2020
Leading advocate for the banking industry in Kansas

2020 Principles of Commercial/Ag Loan Documentation
April 1 - Hutchinson
April 2 - Topeka
This workshop focuses on the major concepts, specific requirements and common problems in the specialized fields of commercial and agricultural loan documentation with particular emphasis on avoiding loan losses due to faulty documentation. Presented by one of KBA’s most popular instructors, Lewis C. Laderer, Jr.
Educational Resources 785-232-3444 www.ksbankers.com
Recommended 6.5 hours CPE credit. CLE credit pending.

management services. Ideally, documentation for each of these elements will be included as part of the vendor’s business continuity documentation. If you don’t see it, be sure to ask about it.

Are the vendor’s Recovery Time Objectives and Recovery Point Objectives sufficient for the services contracted to your organization? Know when the vendor intends to restore service to you after a disruption (RTO) and how much data they are willing to lose (RPO). Before you begin working with a vendor, know what their recovery expectations are, and be sure they meet your expectations. If you are willing to be without service for 60 minutes, ensure they will have service restored to you in 60 minutes or less. If you are given a BCP summary that doesn’t include RTO and RPO, insist on getting the information. You may also find it as part of the contract, service level agreement, or even in a SOC report in some cases.

What does the vendor do for BCP testing? At a minimum, critical services should be tested annually. Be sure the testing includes the services you receive. Just because a vendor does testing, that does not guarantee the service provided to you was considered during that testing. Be sure to see enough details that you know their test scenarios include plausible significant events. You are not concerned about a small hiccup, nor about the zombie apocalypse. Think plausible, like a hurricane near the coast, and significant, like something that takes out their entire headquarters. If any gaps in the plan were found during testing, then ensure you will have documentation of their remediation plans and the status of those changes.

Vendors, especially technology service providers, are an extension of your bank. It is wise to be diligent in gathering, reviewing, and confirming their plans for business continuity to protect you and your customers.

Leticia Saiid is an executive assistant to the president at CoNetrix with eight years of information security experience. CoNetrix is a technology firm dedicated to understanding and assisting with the information and cybersecurity needs of community banks. Offerings include: information security consulting, IT/GLBA audits, security testing, cloud hosting and recovery solutions, and Tandem software, used by over 1400 financial institutions to help manage their information security programs, cybersecurity and more. Visit our website at www.conetrix.com.
