Friday, February 24, 2017

FDIC IG Report Finds Deficiencies with TSP Vendor Contracts

An article in Banking Exchange found banks had troubling lapses in their contracts with technology service providers (TSPs).

The article cited the findings of a report by the Federal Deposit Insurance Corporation's Office of the Inspector General (IG), which examined a total of 48 contracts between 19 financial institutions and various technology service providers.

The IG report found example after example of lapses in the contracts it studied.

For example, contracts with TSPs typically did not address TSPs' responsibilities and lacked specific provisions to protect and preserve the rights of financial institutions.

The contracts had limited information and assurance that (1) TSPs could recover and resume critical systems, services, and operations in a timely and effective manner, if disrupted, and (2) appropriate actions would be taken to contain and control incidents and report them in a timely fashion to the appropriate parties.

The IG report noted that 18 of the 19 financial institutions' contracts allowed TSPs to subcontract work. However, 15 financial institutions, which contractually allowed subcontractor use, failed to document subcontractor considerations within their technology service provider risk assessment matrix or due diligence reviews.

These are just a few of the findings of the report.

In response to the IG's findings, the FDIC said it would work with other Federal Financial Institutions Examination Council agencies to update guidance on business continuity planning and incident response and that it would continue examinations and off-site monitoring of vendor management.

Credit unions should read this report. It could help them identify and address potential deficiencies in their TSP contracts.

It is likely that these contracts will become a focus of examinations by credit union regulators in the coming year.

Read the Inspector General report.
