Third-Party Risk Management – Contract & Cybersecurity

Thoughtware Article Published: Apr 15, 2017

A recent Federal Deposit Insurance Corporation (FDIC) Office of Inspector General report, Technology Service Provider Contracts with FDIC-Supervised Institutions, found that banks are poorly prepared for cybersecurity threats stemming from third-party technology providers. According to the inspector, financial institutions (FIs) failed to include important cybersecurity provisions in their contracts with third-party firms. Contracts with technology service providers (TSPs) also didn’t clearly define TSP responsibilities and lacked the specific provisions needed to protect FI interests or preserve FI rights. The inspector further noted that many FI contracts with TSPs are dated and don’t reflect FDIC and Federal Financial Institutions Examination Council (FFIEC) efforts to strengthen cybersecurity.

The inspector’s underlying concern is that, absent contractual assurances such as a specific requirement to maintain a business continuity plan (BCP), a TSP may neither recover and resume operations after a disruption nor contain, control and appropriately report security incidents. A majority of the FIs reviewed had neither performed a risk assessment nor reviewed their contracts to determine what risks the TSP relationship introduced. Importantly, the FDIC concurred with the inspector’s recommendations and proposed corrective actions with a target completion date of October 2018. FDIC-supervised FIs should therefore expect examiners to apply these expectations.

Contract language by itself does not make a TSP secure, but an FI’s cybersecurity posture improves when potential and current TSP vendors are subjected to the full third-party risk management (TPRM) process and evaluated with the FFIEC’s Cybersecurity Assessment Tool. A thorough risk management program that covers the phases of assessing, measuring, monitoring and controlling will improve both the selection of a TSP and its ongoing accountability. Any vendor classified as critical or potentially critical merits a close contract review and a negotiated allocation of risks.

The administration of contracts is a key risk management function, which logically falls within the purview of the TPRM process. The TPRM manager, alternatively known as the vendor manager (VM), will be less effective if he or she doesn’t have access to all of the organization’s contracts. Smaller institutions often lack in-house counsel or a formal contract administration function. Thus, the VM is in a unique position to help the institution enforce important contract terms such as BCP, privacy, data protection, breach notification and right-to-audit provisions. The VM should be responsible for warehousing all original contracts (or copies) and accountable for tracking contract expiration dates.

Many FIs lose track of contracts and their automatic renewal clauses, which often require several months’ notice to the vendor to avoid renewal, usually for another full year. It’s generally preferable not to accept these clauses, but if they can’t be negotiated away, the VM can easily track expirations with relatively inexpensive software that emails business owners at programmed intervals ahead of the automatic renewal date. TPRM software can also facilitate risk assessments and serve as a repository for program documents.

This is one example of how the TPRM function can increase organizational efficiency and fill knowledge and staffing gaps in lean organizations. TPRM affects most business processes. Therefore, the VM is in a unique position to improve communication, leverage the enterprise risk management and business continuity programs and even enhance internal controls by enforcing discipline in the creation of new vendor payees.

TPRM combines routine administrative abilities with specialized skills in risk assessment, financial analysis, audit/exam and information technology (IT). It’s rare that one individual has all of that knowledge and sufficient time to devote to the function. It’s also a common fallacy that TPRM is solely an IT function. Often, a person with a broader risk management role should hold the VM title and draw on software, administrative personnel, financial analysts and IT security staff to manage the program effectively at the enterprise level.

A prepaid debit card provider and its TSP recently appeared in the enforcement headlines for a spectacular failure. The Consumer Financial Protection Bureau (CFPB) fined the card provider and its TSP $13 million for extended disruptions resulting from a troubled conversion to an alternate payment processing platform that left cardholders unable to use their cards, in some cases for weeks. The CFPB’s consent decree specifically addressed necessary enhancements to the TPRM program and, coincidentally or not, a sale of the company was announced shortly after the consent decree became public. Speculation ensued that the untimely sale was related to the troubled conversion, the CFPB sanction and the extensive negative publicity.

The prudential regulators and the FFIEC have been clear that FIs and their boards remain ultimately responsible for the risks associated with outsourcing. Effective TPRM programs and contract administration are indispensable in managing that risk and merit significant executive management support and board oversight. A highly functioning TPRM program will add unexpected value and might keep your FI out of the enforcement headlines.

Contact your BKD advisor if you have questions.
