On March 28, 2017, the Federal Deposit Insurance Corporation (FDIC) Office of Inspector General (OIG) issued an evaluation report regarding certain aspects of technology service provider (TSP) contracts with FDIC-supervised institutions. Many banks use TSPs to support critical business needs, such as core processing, loan servicing, accounting support, or data management. The report assesses how clearly FDIC-supervised institutions’ contracts for these services address the TSP’s responsibilities related to (1) business continuity planning and (2) responding to and reporting on cybersecurity incidents.
The OIG reviewed a sample of 48 TSP contracts from 19 financial institutions (FIs). Based on our review, we did not see documentary evidence that most of the FDIC-supervised FIs fully considered and assessed the potential impact and risk that TSPs may have on the FI’s own business continuity planning, and incident response and reporting. In this regard, documentation supported that only 8 of the 19 institutions completed both a risk assessment and contract review to understand the business and legal risks, as recommended by supervisory guidance. Further, when completed, the quality of these assessments varied.
Most of the contracts we reviewed did not clearly address the TSP’s responsibilities and lacked specific provisions to protect certain key FI interests or preserve FI rights. Nearly half of the contracts did not require the TSP to establish a business continuity plan.
Most contracts also did not sufficiently define key terminology related to business continuity and incident response. Therefore, these TSP contracts provided FIs with limited information and assurance that TSPs (1) could recover and resume critical systems, services, and operations timely and effectively, if disrupted; and (2) would take appropriate steps to contain and control incidents and report them in a timely manner.
The FDIC independently – and the Federal Financial Institutions Examination Council (FFIEC) members collectively – have taken numerous steps to provide institutions comprehensive business continuity, cybersecurity, and vendor management guidance, as well as to enhance related examination programs. Notwithstanding these steps, our evaluation results indicate that more time is needed to allow FDIC and FFIEC efforts to have an impact.
The OIG made two recommendations: (1) that the FDIC continue its communication efforts with FIs regarding the risks posed by TSP contracts; and (2) that, after allowing a reasonable period of time for FIs to incorporate FDIC and FFIEC guidance, the FDIC conduct a follow-on study to assess the extent to which financial institutions have effectively addressed key issues related to the risks posed by TSP contracts. FDIC management concurred with our recommendations.