FFIEC Update: Ensuring Resiliency of Outsourced Technology Services

Earlier this month the Federal Financial Institutions Examination Council (FFIEC) released a new appendix to its Information Technology Examination Handbook: "Strengthening the Resilience of Outsourced Technology Services."

Outsourcing technology services often makes good business sense for financial services institutions. It allows them to benefit from outside expertise and alleviate internal workloads, increasing their professionalism and efficiency.

The FFIEC acknowledges this fact with one caveat: Your organization's management and board are still responsible for making sure "outsourced activities are conducted in a safe and sound manner." This responsibility entails making sure the third-party provider maintains an adequate level of resiliency so that a failure on its side does not disrupt key processes in the financial services organization.

Below are a few key guidelines from the FFIEC document.

Address Risk

Because your firm is ultimately still responsible for outsourcing business practices, be aware of the risk factors you face when working with a third-party technology services provider and establish controls to mitigate those risks. To assess the level of risk, perform due diligence into the provider’s business continuity program (BCP), establish clear guidelines in your contract with the provider and continually monitor the vendor’s services.

Be Aware of the Provider's Scalability

Organizations rely on technology for critical processes more than ever before. Any outage of critical technology can be detrimental to your business. For this reason, you need to be familiar with a service provider’s ability to respond to a few types of scenarios:

  • A widespread physical disaster or cyber threat in which multiple organizations are affected and need continued service.
  • An isolated incident affecting a single service provider location, which in turn affects several firms.
  • Other continuity scenarios, such as financial distress.

In each of these scenarios, assess the service provider's ability to meet your recovery time objectives (RTOs) and recovery point objectives (RPOs). Prepare contingency plans to ensure the continuity of key applications.

Make Sure the Service Provider Has a Business Continuity Plan

A service provider needs to have identified single points of failure and created a comprehensive business continuity plan that addresses restoration of key services. Being familiar with the provisions of a service provider’s BCP will allow you to make adequate preparations in your own BCP.

Involve the Provider in Testing

Services provided by third parties should be included in regular business continuity testing, especially if the services provided are critical business functions.

The FFIEC recommends testing in conjunction with the service provider. These tests have a two-fold benefit in that they demonstrate both parties’ ability to recover within the designated time frames and to meet contractual obligations. However, some third parties service hundreds of organizations and as such might not be able to participate in one-on-one tests. In these cases, you should still ensure that you’re familiar with the provider’s testing scope, frequency and remediation activities.

Prepare for Cyber Threats

With the predominance of virtualized infrastructures, you need to adequately prepare for cyber threats. The FFIEC recommends preparing incident response strategies for the following types of threats:

  • Malware
  • Insider threats
  • Data systems destruction and corruption
  • Communications system disruption
  • Simultaneous attacks on the firm and service provider
  • Cyber attacks

You should review incident response strategies to keep pace with the evolving threat landscape.

To read the full appendix, visit ithandbook.ffiec.gov.
