Cybersecurity: Third Party Resilience - What the FFIEC Wants You to Know
With Susan Orr
- 1 Video
- 2 PDFs
- 2.0 hrs
Cybersecurity threats and concerns are real and increasing. Since 2013 the regulators have been increasing their focus in this area and have implemented several initiatives relating specifically to cybersecurity. Cybersecurity concerns are enterprise-wide and need to be considered within the institution's Information Security Program, Enterprise-wide Information Security Risk Assessment, Incident Response Planning, Outsourced Third Party Risk Management Program, and Business Continuity and Disaster Recovery Planning. Most recently, the FFIEC issued an update to the 2008 Business Continuity Planning Handbook: Appendix J, Strengthening the Resilience of Outsourced Technology Services. This Appendix addresses the continuity of services and the resiliency of Third Party Service Providers (TSPs) that perform operational services and run internal systems for the institution. Management needs to ensure that significant and critical TSPs have satisfactory recovery capabilities and effective business continuity plans for recovering IT systems and then returning critical business functions to normal operations within established, reasonable recovery times. While the Appendix is concerned with outsourced TSPs, it also addresses the resiliency of operations performed internally by the institution when they are disrupted by cyber events.
Relating to TSP management, the institution should ensure the TSP has a well-defined BCP in place that includes recovery from cyber events and that the Plan is tested at least annually. Prior to engaging in outsourced services, thorough due diligence should be performed and the effectiveness of the TSP's BCP assessed. Contract terms with TSPs should include assurances of the TSP's resilience and the bank's rights to monitor performance standards, perform audits, and review security practices. Management is reminded that resiliency concerns exist throughout the life of the outsourced relationship.
Join Susan Orr as she provides an overview of Appendix J and discusses the areas of concern for your Outsourced Third Party relationships and resiliency as they relate to cybersecurity and regulatory concerns:
- Third-Party Management: due diligence, monitoring, strategic considerations, and contracting;
- Third-Party Capacity: TSPs' ability to deliver services under adverse scenarios;
- Testing with Third Parties; and
- Cyber Resilience.
Who Should Attend:
Senior Management, IT Officers, Information Security Officers, Risk Officers, Audit, and Compliance Officers.
Susan Orr is a leading financial services expert with vast regulatory, risk management, and security best practice knowledge and expertise.
As an auditor and consultant, Susan is dedicated to assisting financial institutions in implementing appropriate policies and controls to protect confidential information and comply with regulatory mandates and best practices. Her experience as an auditor and former examiner gives her the knowledge and expertise to conduct comprehensive IT general control and data security reviews and to assist de novo institutions with the vendor selection process, preparing policies and procedures, and instituting controls. She also consults for numerous security providers and vendors, helping them align products and services with institutions' regulatory mandates. Susan is a Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in Risk and Information Systems Control (CRISC), and Certified Risk Professional (CRP).