FDIC Watchdog Highlights Gaps in Banks’ Vendor Contracts

Few banks’ contracts with technology service providers (TSPs) provide sufficient detail about the providers’ business continuity and incident response capabilities and duties, according to a report issued today by the FDIC’s independent inspector general. The report also found shortfalls in banks’ assessments of how providers could affect the banks’ own ability to plan for business continuity and incident response.

In response, the FDIC said it would work with other Federal Financial Institutions Examination Council agencies to update guidance on business continuity planning and incident response and that it would continue examinations and off-site monitoring of vendor management. Anecdotal reports from banks indicate that examiners are increasingly focusing on technology provider risk management. The report expressed concern that some banks “may not be sufficiently knowledgeable about or engaged in contract management” and would thus “attempt to transfer their inherent responsibility for [bank] continuity and information security to TSPs,” which the IG said will require examiners’ continued focus.

The report, issued after a review of 48 technology vendor contracts, found that nearly half included no discussion of business continuity. Forty-two percent included a “detailed” discussion, and 10 percent included only a “high-level” discussion. “Contract provisions that more specifically detail key business continuity issues could provide [banks] greater assurance that critical systems, services, and operations will be recovered and resumed timely and effectively when operations have been unexpectedly disrupted,” the report found.

In terms of incident response, 65 percent of contracts included a detailed discussion of security and confidentiality, but only 23 percent covered performance standards in detail. The report also found that key terms in contracts lack specific definitions. “[Banks] may not be sufficiently engaged in writing and negotiating contracts to ensure their rights and TSP responsibilities are clearly defined,” the report found. “TSPs appear to be drafting the contracts and ensuring that their rights are protected more than the [banks].”

Regulators continue to focus on vendor risk management, including through an interagency rulemaking on enhanced cyber risk management standards for which comments are due tomorrow. American Bankers Association staff will continue to monitor agency activities and communicate with all agencies as guidance and expectations evolve. For more information, contact ABA’s Krista Shonk or Denyette DePierro.