Pub. 9 2020 Issue 1

17 s p r i n g | 2020 D o you have outsourced technology services? If so, are you getting a copy of their business continuity plans? More importantly, do you know what you’re looking for when you review them? Due diligence document gathering and reviewing is a critical part of outsourc- ing. While another company provides the service, your institution still maintains responsibility, and ultimate accountability, to your customers. That’s where due diligence documents come into play. First, what is an outsourced technology service? It is a service that provides technology solutions for your bank. It doesn’t necessarily include all vendors who use technology to deliver their service to you, but instead those providing solutions to your technology needs. Ask this ques- tion to help determine if something is a technology service, “Would the bank be significantly affected if the vendor’s services were temporarily unavailable?” I take “significantly affected” to mean: irreparable damage to the bottom line or customer confidence due to service disruption from any cause. Only if the answer to this question is yes are you likely look- ing at an outsourced technology service. Second, where do we find guidance for due diligence re - garding these kinds of vendors? The current answer: FFIEC Business Continuity Management Booklet. The FFIEC released a brand-new version of the booklet in November 2019, previ- ously titled the Business Continuity Planning booklet. For some history, in 2015, the FFIEC released an addition to the BCP Booklet known as Appendix J. This appendix offered information about the cross section between the BCP Book- let (2008) and the Outsourcing Technology Services Booklet (2005). It discussed what BCP things you needed to know about vendors you are using to outsource technology services. Now the contents of this appendix, among the other appendi- ces, are fully integrated into the booklet content. There’s your indicator that vendor BCP documentation is important if there ever was one! Guidance expresses three important things about your ven- dor’s business continuity documentation, which also provides direction on what your focus should be during your vendor review process. Does the vendor maintain documen- tation of their business continuity management? Vendor preparedness is key to your ability to maintain business as expected. Ensure the vendor has some official documentation that both exists and is updated. There are several important elements to look for to confirm they will be able to deter and recover from cyber incidents: data backup, data integrity controls, alternate communication provid- ers, layered anti-malware strategy, disaster recovery plan, incident response plan, and prearranged forensic and incident management services. Ideally, documentation for each of these elements will be included as part of the vendor’s business continuity documentation. If you don’t see it, be sure to ask about it. Are the vendor’s Recovery Time Objec - tives and Recovery Point Objectives suf- ficient for the services contracted to your organization? Know when the vendor intends to restore service to you after a disruption (RTO) and how much data they are willing to lose (RPO). Before you begin working with a vendor, know what their recovery expectations are, and be sure they meet your expectations. If you are willing to be without service for 60 minutes, ensure they will have service restored to you in 60 minutes or less. If you are given a BCP summary that doesn’t include RTO and RPO, insist on getting the information. You may also find it as part of the contract, service level agreement, or even in a SOC report in some cases. What does the vendor do for BCP testing? At a minimum, critical services should be tested annually. Be sure the testing includes the services you receive. Just because a vendor does testing, that does not guarantee the service provided to you was considered during that testing. Be sure to see enough details that you know their test scenarios include plausible significant events. A small hiccup is not what you are concerned about, nor the zombie apocalypse. Think plausible, like a hurricane near the coast, and significant, like something that takes out their entire headquarters. If any gaps in the plan were found during testing, then ensure you will have documentation of their remediation plans and the status of those changes. Vendors are an extension of your bank, and especially technol- ogy services. It is wise to be diligent in gathering, reviewing, and confirming their plans for business continuity to protect you and your customers. Leticia Saiid is an executive assistant to the president at CoNetrix with eight years of information security experience. CoNetrix is a technology firm dedicated to understanding and assisting with the information and cybersecurity needs of community banks. Offerings include: information security consulting, IT/GLBA audits, security testing, cloud hosting and recovery solutions, and Tandem software, used by over 1400 financial institutions to help manage their information security programs, cybersecurity and more. Visit our website at www.conetrix.com . Before you begin working with a vendor, know what their recovery expectations are, and be sure they meet your expectations. F E A T U R E