FDIC-supervised financial institutions were put on notice that their contractual practices with technology service providers will receive increased scrutiny by examiners through the next examination cycle.
The move comes in the wake of a recent evaluation by FDIC’s Office of the Inspector General. The review indicated that a sampling of examined banks failed to follow the regulator’s guidance regarding third-party technology service providers.
“We did not see evidence, in the form of risk assessments or contract due diligence, that most of the FDIC-supervised [financial institutions] we reviewed fully considered and assessed the potential impact and risk that [technology service providers] may have on the [financial institution’s] ability to manage its own business continuity planning and incident response and reporting operations,” the report concludes.
The OIG reviewed a total of 48 contracts between 19 financial institutions and various technology service providers. It relied on information collected by examiners on its behalf during the exam process. It did not contact either the financial institutions or providers involved while it performed this evaluation.
In response to the report, Doreen Eberley, director of FDIC’s Division of Risk Management Supervision, said her office “appreciated the thoroughness of the evaluation and the recommendations for mitigating the risks that may arise from a financial institution’s use of a third party.”
The inspector general’s report resulted in two broad recommendations. FDIC’s Division of Risk Management Supervision concurred in both. These are:
1. Continue to communicate to financial institutions the importance of:
• Fully considering and assessing the risks that technology service providers could have on a financial institution’s ability to manage its own business continuity and incident response planning.
• Ensuring that contracts with tech service providers include specific provisions that address risks identified by the financial institution; protect financial institution interests; and provide the details necessary to allow financial institutions to manage their own business continuity planning and incident response and reporting efforts through tech service provider operations.
• Clearly defining key contract terms that would be important in understanding financial institution and technology service provider rights and responsibilities in the event of a business disruption or computer security incident. This would apply particularly for those contracts that financial institutions identify as critical or that involve access to sensitive or personally identifiable information.
2. Following an appropriate amount of time for financial institutions to implement guidance, conduct a follow-on study, such as a horizontal review of financial institutions, to assess to what extent the issues included in the first recommendation are being effectively addressed.
Timelines set for field force
In response, the Division of Risk Management Supervision established these timelines:
• Regarding the first recommendation, the division will continue to communicate the importance of effective contracts between financial institutions and technology service providers through its supervision program. This includes guidance, examination procedures, examinations, and off-site monitoring. This effort runs through June 30, 2018.
• Regarding the second recommendation, the division will prepare a full horizontal review to assess to what extent the issues included in the first recommendation are being effectively addressed. The division will plan any additional actions based on that review. To be completed by Oct. 1, 2018.
Eberley’s response specifically cites FDIC’s Information Technology Risk Examination (InTREx) program as the vehicle through which FDIC will continue to communicate the importance of strong contracts between financial institutions and technology service providers. One of this program’s evaluation factors is: “The adequacy of contracts and management’s ability to monitor relationships with third-party servicers.”
Details of insufficiencies in contracts
The inspector general’s report cites example after example of deficiencies in contracts it studied from the 19 financial institutions. Observations include:
• 15 financial institutions completed a risk assessment matrix, which considered the technology service provider’s criticality and access to sensitive or personally identifiable information in determining an internal risk rating.
• 10 performed a pre-contract and/or an annual due diligence review that covered the technology service provider’s risk management systems and performance.
• Eight completed both of the above, as is recommended.
• Seven only completed a risk assessment matrix.
• Two only performed a pre-contract and/or annual due diligence review.
• Two provided nothing.
• Contracts associated with 18 of the 19 financial institutions allowed service providers to subcontract assigned work. However, only four of these documented consideration of subcontractor use within their technology service provider due diligence and risk assessment matrices. Three of those financial institutions contractually allowed and one disallowed subcontractor use. The remaining 15 financial institutions that contractually allowed subcontractor use did not document subcontractor considerations within their technology service provider risk assessment matrix or due diligence reviews.
• Most contracts explicitly stated the need for technology service providers to adhere to regulatory requirements in the Gramm-Leach-Bliley Act; however, the contracts did not provide details necessary to allow financial institutions to manage their own business continuity planning and incident response and reporting efforts through technology service provider operations. Most contracts also had limited discussions of these concepts within other parts of the contract such as contract provisions related to performance standards, service level agreements, and reports. Typically, contracts for larger financial institutions and core service providers contained more detailed contract provisions.
• More than half of the contracts required the maintenance of security standards that ensured data reliability, protection, and availability; often affirming compliance with Gramm-Leach-Bliley, but only at a general level and not specifically tied to the technology service provider’s business continuity plans.
• More than half of the contracts also required some technology service provider reporting. However, it was typically limited to providing financial statement audit reports and independent third-party reviews. In many cases, the technology service provider’s reporting responsibilities did not include management information system monitoring reports, performance reports, internal control reviews, security and business resumption testing, and regulatory examination reports.
• Most contracts required the technology service provider to notify financial institutions of unauthorized intrusions. However, contracts did not discuss the technology service provider’s responsibilities for assessing and responding to a potential incident, determining the potential effect on the financial institution and its customers, or the reporting and notification processes to regulatory and law enforcement authorities.
• While service level agreements often discussed cybersecurity incident response and reporting plans, very few contracts detailed incident response and recovery metrics or specified the use of independent forensic expertise.
• More than half of the contracts defined performance standards related to providing the financial institution notice of an unauthorized intrusion or security breach, but few contracts established criteria to assess the nature and scope of potential incidents, or to contain and control such incidents, which could preserve evidence.
• Contracts typically did not provide remedies for the failure to meet incident response and reporting standards.
Not all put on the institutions
The Inspector General’s report found issues in guidance provided by regulators, particularly in the definition of certain key terms related to business continuity and incident response and reporting.
“We noted these terms are not explicitly defined in the guidance,” the report says. “Subjective terms such as potential breach, unauthorized access, containment, material impact, and timely notification may be subject to differing interpretations, and require further clarification within the contract.”
Source of contracts raised
The report includes an appendix that lists such key contract terms and their corresponding regulatory or supervisory context.
Related to this, however, the report notes that most of the contracts it reviewed appeared to have been drafted by the technology service providers, and not the financial institutions, leading to a potential lapse.
“Many of the contracts appeared to be based on standardized forms with generic financial institution customer descriptions, and high-level provisions that lacked specificity needed to protect the financial institution’s information and resource needs,” the report states.