The Interagency Guidelines Establishing Information Security Standards, promulgated pursuant to the Gramm-Leach-Bliley Act, establish standards for safeguarding customer information. Those guidelines set expectations for managing technology service provider relationships through contractual terms and ongoing monitoring. Financial institutions must account for these requirements in contracts with technology service providers.
Earlier this year, the FDIC issued new letter guidance on requirements for agreements between financial institutions and technology service providers. The guidance, titled Financial Institution Letter 19-2019 (FIL-19-2019), was prompted by significant gaps in contract terms related to business continuity and data breaches that FDIC examiners were encountering on a regular basis.
Even though it is addressed to financial institutions, the letter actually contains valuable advice for any business contracting with a technology vendor, and it alerts vendors to what their financial institution customers will be asking of them. This guidance will be even more significant when the California Consumer Privacy Act comes into effect in January 2020.
Key takeaways include the following:
- Financial institution boards of directors and senior management are responsible for managing risks related to relationships with technology service providers.
- Effective contracts are an important risk management tool for overseeing technology service provider risks, including business continuity and incident response.
- When contracts do not adequately address such risks, financial institutions remain responsible for assessing those risks and implementing appropriate mitigating controls.
- Financial institutions have a responsibility under Section 7 of the Bank Service Company Act to notify their FDIC regional office of contracts or relationships with technology service providers that provide certain services to the institution.
- Contracts with technology vendors should:
  - Adequately define rights and responsibilities regarding business continuity and incident response, and
  - Provide sufficient detail to allow financial institutions to manage those processes and risks.
- Contracts should require the vendor to:
  - Maintain a business continuity plan,
  - Establish recovery standards, and
  - Define contractual remedies if the technology service provider misses a recovery standard.
- Contracts should also:
  - Detail the technology service provider’s security incident responsibilities, such as notifying the financial institution, regulators, or law enforcement, and
  - Clearly define key terms used in contractual provisions relating to business continuity and incident response.
Careful attention to these issues during the contract negotiation process can help ensure that the vendor is able to respond adequately to business disruptions, security incidents and data breaches. In addition, consider making it clear in the contract that provisions excusing performance based on force majeure do not apply to the obligations relating to business continuity or incident response, since the very point of those obligations is to respond to, among other things, force majeure events.
For additional information, financial institutions may refer to a number of resources, including the FFIEC IT Examination Handbook, its Business Continuity Booklet, and the FDIC's Guidance for Managing Third-Party Risk. These materials describe practices that can be used to mitigate risk in third-party relationships.
Find out more about these requirements by contacting any of us.