The FDIC issued a letter to all banks today outlining gaps that some examiners had noted in banks’ contracts with technology vendors and reiterating regulatory requirements for these contracts.
“Examiners have noted in recent FDIC reports of examination that some financial institution contracts with technology service providers may not adequately define rights and responsibilities regarding business continuity and incident response, or provide sufficient detail to allow financial institutions to manage those processes and risks,” the agency said. Specifically, it added, some contracts did not require the vendor to have a business continuity plan, establish recovery standards, define remedies if a vendor misses a standard, detail a vendor’s post-incident notification duties or define key terms related to business continuity and incident response.
The letter reminded banks about the Interagency Guidelines Establishing Information Security Standards, which were issued under the Gramm-Leach-Bliley Act, and about the notification requirements under Section 7 of the Bank Service Company Act. The FDIC also said that long-term contracts and those that automatically renew “may be at higher risk” for coverage gaps, and that banks should assess and manage the risks arising from such gaps. For more information, contact ABA’s Krista Shonk.