Contracts with tech service providers fail to adequately address hacking and system recovery risks.
The FDIC’s Office of Inspector General released a report earlier this year that found major gaps in how financial institutions (FI) are addressing business continuity issues, including cybersecurity, in their contracts with technology service providers (TSPs).
Most FIs, the report concluded, did not fully assess the potential impact and risk that gaps in TSP contracts may have on their ability to manage business continuity planning and incident response.
The report, which looked at a sample of 48 contracts from 19 financial institutions, found that only 50% had the required business continuity provisions. Those that did address business continuity often failed to elaborate on the TSPs responsibilities for maintaining a continuous risk management process including ongoing risk scenarios and restoring services.
Potential liability for banks
The poor contract management practices could expose banks to potential liability if they suffer confidential information breaches due to cybersecurity attacks. In 2008, the FDIC issued a Financial Institution Letter titled Guidance for Managing Third Party Risk which emphasized that the FIs board of directors and senior management ultimately are responsible for managing activities and controlling risks for their TSP and any third party relationships related to confidential information on customers.
The report provides guidance on how to remedy this situation and cites improvements in processes, provisions and contract management. The agency encourages the FIs to ensure that proper expectations and obligations for both the FI and TSP are outlined in a written contract prior to entering into an agreement. The FDIC has provided some key contract provisions to help with compliance and cites the value in having a contract management system to ensure the required language is included before execution.
The FDIC’s Risk Management Supervision division is expected to continue to raise the issue with banks and further study and assess how banks are addressing these issues through October 2018.
Next steps
Companies in the financial industry, as well as other market segments, are becoming increasingly aware of the risk exposure within their contracts – on both the buy side, as in the examples above, but also on the sell-side. Icertis has developed an interactive assessment tool that will help you discover sources of potential contract risk across your enterprise and provide an immediate score of your risk profile in three key categories. Get your personalized contract risk assessment here.
