Cybersecurity threats and concerns are real and increasing. Since 2013 the regulators have been increasing their focus in this area and have implemented several initiatives relating specifically to cybersecurity. Cybersecurity concerns are enterprise-wide and need to be considered within the institution's Information Security Program, Enterprise-wide Information Security Risk Assessment, Incident Response Planning, Outsourced Third Party Risk Management Program, and Business Continuity and Disaster Recovery Planning. Most recently the FFIEC issued an update to the 2008 Business Continuity Planning Handbook, Appendix J: Strengthening the Resilience of Outsourced Technology Services. This Appendix addresses areas relating to the continuity of services and resiliency of Third Party Service Providers (TSPs) performing operational services and internal systems for the institution. Management needs to ensure that those significant and critical TSPs have satisfactory recovery capabilities and effective business continuity plans for recovering IT systems and then returning those critical business functions to normal operations within established reasonable recovery times. While the Appendix is concerned with outsourced TSPs, it also addresses the resiliency of operations performed internally by the institution against disruptions caused by cyber events.
Relating to TSP management, the institution should ensure the TSP has a well-defined Business Continuity Plan (BCP) in place that includes recovery from cyber events and that the Plan is tested at least annually. Prior to engaging in outsourced services, thorough due diligence should be performed and the effectiveness of the TSP's BCP assessed. Contract terms with TSPs should include assurances of the TSP's resilience and the bank's rights to monitor performance standards, to perform audits, and to review security practices. Management is reminded that resiliency concerns exist throughout the life of the outsourced relationship.
Join Susan Orr as she provides an overview of Appendix J and discusses the areas of concern for your Outsourced Third Party relationships and resiliency as they relate to cybersecurity and regulatory concerns:
- Third-Party Management: due diligence, monitoring, strategic considerations, and contracting;
- Third-Party Capacity: the TSP's ability to deliver services under adverse scenarios;
- Testing with Third Parties; and
- Cyber Resilience.
Who Should Attend:
Senior Management, IT Officers, Information Security Officers, Risk Officers, Audit, and Compliance Officers.
Cybersecurity: Third Party Resilience