Financial institutions around the country recently received cybersecurity guidance in the form of a new appendix to the Federal Financial Institutions Examination Council’s (“FFIEC’s”) Business Continuity Planning Booklet, which is part of its Information Technology Examination Handbook. In the guidance, the FFIEC places the onus on financial institutions, their boards of directors, and senior management to manage the cybersecurity risks, recovery services, testing programs, and “cyber resilience” associated with outsourced or third-party technology services. The guidance came just a week before another important event for financial and other institutions: the White House Summit on Cybersecurity and Consumer Protection that was held at Stanford University on Friday, February 13, 2015, and that featured, as attendees and speakers, government and industry leaders, including those from financial institutions.
The FFIEC is the federal interagency body tasked with setting forth uniform principles, standards, and forms for examining and supervising financial institutions. In that capacity, the FFIEC provides guidance on “business continuity planning” or how financial institutions will recover and resume their businesses after an unexpected disruption, which, in today’s world, necessarily includes cyber breaches and attacks.
Here is our take on the FFIEC’s recent round of updates:
- Third-Party Management: The FFIEC guidance advises financial institutions, before they contract for technology services, to conduct their due diligence and sufficiently vet each provider based on the provider’s recovery capabilities and capacity, business continuity plan, technologies, and compatibility with the financial institution’s own strategies and processes. The FFIEC also advises that all terms of service be memorialized in written contracts reviewed by the financial institution’s legal counsel and experts in the area. The guidance sets forth certain contractual provisions that could aid a financial institution’s management of its providers, including provisions on audit rights, monitoring, default and termination, subcontracting, foreign-based service providers, business continuity plan testing, data governance, provider updates, and security issues.
Our take: Financial institutions should consider developing a formalized vendor management program that addresses cyber risk and seeks to reduce exposure throughout the lifecycle of the vendor relationship. Data security and privacy contract requirements can be proffered at the “RFP” phase of that lifecycle to create competitive pressure on vendors to agree to favorable terms. An established due diligence process, usually involving a security and privacy assessment questionnaire and communications with the vendor, is typical. In addition, a standardized data security and privacy schedule with supporting documents such as an annotated version of the schedule, FAQs, and a chart identifying common negotiation friction points and fallback positions may be part of the program. In short, the result will be a consistent approach to vendor management that helps address compliance issues and mitigates legal and business risk.
- Regular Monitoring and Testing with Third-Party Providers: The FFIEC recommends that financial institutions not only conduct periodic assessments of their provider’s control environment but should also implement a regular testing program and participate in the testing of their and their provider’s business continuity plans with realistic threat and disruption scenarios.
Our take: It is not unusual for follow-on security assessments of vendors after the initial due diligence process to be overlooked or not performed. Financial institutions work hard to contractually obligate vendors to allow periodic security assessments and audits, but may not exercise those rights. We anticipate that regulators, especially with respect to longer term vendor relationships, will increasingly expect financial institutions to validate that on-going assessments have been performed throughout the term of the contract. Moreover, we anticipate that the failure to assess a vendor that has suffered a security breach could be used against financial institutions in litigation and regulatory actions. For financial institutions with significant numbers of vendors, the ongoing security assessment process may need to be automated. Finally, beyond assessments, in line with the FFIEC’s report, we believe that scenario-based incident response testing will become more common between financial institutions and their vendors. The trend over the past two years has been to focus on internal incident response planning and to address vendors in that context. Considering the industry’s heavy reliance on third-party service providers, as well as high profile incidents involving vendors reported in the press, we anticipate more coordinated and detailed incident response planning and testing with vendors in the coming months and years.
- Third-Party Capacity and Contingency Plans: Based on its concern about the small number of providers that service large numbers of financial institutions, the FFIEC raises two potentially problematic scenarios:
- Where the cyber, physical, or even financial disruption of a single provider affects critical services and paralyzes multiple institutions; and
- Where a widespread disruption of many institutions requires recovery services that exceed the capacity of the few providers.
Given these potential provider failures, the FFIEC advises financial institutions to put contingency plans in place, including performing the services in-house, contracting with an alternate provider, converting to an alternate provider’s application, or moving the infrastructure to the alternate provider’s site for it to take over. Provider capacity and contingency plans should also be part of any testing program, as discussed above.
Our take: For most institutions, it is likely more realistic and effective (both cost and quality) to incorporate the services of an alternate provider, rather than taking on the job on their own. As one way to prearrange an alternative provider, such provisions could be negotiated in the parties’ original services agreement. Financial institutions need to also consider putting in place monitoring or reporting mechanisms that will effectively identify provider failures in the early stages, and they need to establish under what circumstances a contingency plan will be triggered. An effective alternative will not do a financial institution any good if it is not used at the proper time.
- Cyber Resilience: The FFIEC guidance concludes by identifying cyber threats faced by financial institutions and their third-party providers (e.g., malware threats and data corruption) and by providing mitigation strategies that could be used to combat those threats. The focus here is not prevention, but resiliency in the face of actual incidents.
Our take: The strategies recommended by the FFIEC contain common themes that further stress the importance of obtaining the right help and services to address cyber incidents. The FFIEC believes that financial institutions need to anticipate all types of threats, whether they have occurred or have not yet occurred; this requires staying up-to-date and being creative. Financial institutions also need to implement several layers and forms of security; a single defense will no longer suffice. Differing strategies and programs exist, so companies will need to scrutinize and carefully decide which work best for them based on their particular risk profile and resource limitations.
While more conclusive guidance may be on its way—perhaps in the form of federal legislation or from the newly announced federal agency, the Cyber Threat Intelligence Integration Center—the FFIEC’s recent guidance reflects a step toward much-needed federally uniform standards for financial institutions, a sector that is and will continue to be affected by cyber threats and attacks.
