Skip to main content


Technology Service Provider Contracts (FIL-19-2019)

Technology Service Provider Contracts (FIL-19-2019)

Mitigating the Gap 

You might think you have vendor management and business continuity figured out, but don’t be so sure. The FDIC’s Financial Institution Letter (FIL-19-2019) highlights observations from recent examinations revealing that financial institutions may be unaware of the gaps that often exist between a technology service provider's contract and your institution’s expectations. In an effort to understand the institution’s risks, contracts should be reviewed for business continuity and incident response language. Long-term and automatically-renewing contracts are at higher risk for these coverage gaps.  


Service Provider Contracts 

To maintain an effective Vendor Management Program, the financial institution should assess, measure, monitor, and control the risks associated with the vendor relationship. While vendor relationships help financial institutions achieve their strategic goals, these arrangements reduce management’s direct control over risk mitigation. With this reduced control, the need for vendor oversight is paramount.  

Technology service provider contracts should contain specific rights and define responsibilities related to business continuity and incident response. Defining rights and responsibilities in the contract allow the financial institution to adequately manage the processes and risks. Examiners have become increasingly aware that contracts are not satisfactorily addressing these rights and responsibilities. Unfortunately, it’s much easier to ask financial institutions to solve this problem upstream than it is to get vendors to adjust their contracts to look out for their customers. 

Recent FDIC exam findings discovered repeated contract discrepancies, including the vendor’s responsibilities to:  

  • maintain a Business Continuity Plan 
  • establish recovery standards 
  • define contractual remedies if the technology service provider misses a recovery standard  
  • notify the financial institution, regulators, or law enforcement in the event of an incident  


Underlying Problem? 

Undefined and unclear key contract terms could contribute to ambiguity in financial institution rights and service provider responsibilities, as well as increase the risk that technology service provider business disruptions or security incidents will impair financial institution operations or compromise customer information.  


What Needs to Be Completed? 

Financial institutions are encouraged to ensure that business continuity and incident response risks are adequately addressed in service provider contracts. This review should be included in the initial due diligence and ongoing monitoring. 

  1. Initial Due Diligence: Disaster Recovery and Contingency Plans – Contract reviews should be completed during the initial due diligence of the technology service provider. The contract should address the service provider’s responsibility for the continuation of services provided in the contractual agreement in the event of an operational failure, including both man-made and natural disasters. The provider should have appropriate protections for backing up information and maintain Business Continuity and Disaster Recovery Plans with sufficiently detailed operating procedures. Results of plan testing should be provided to the financial institution. 

  1. Initial Due Diligence: Confidentiality and Security – When reviewing the contract, the financial institution should determine if it adequately addresses a vendor breach. The contract should prohibit the provider or its agents from using or disclosing the institution’s information, except as necessary to perform the functions designated by the contract. Any nonpublic personal information regarding the institution’s customers must be handled in a manner consistent with the institution’s own privacy policy and in accordance with privacy laws and regulations. Any breaches in the security and confidentiality of information, including a potential breach resulting from unauthorized intrusion, should be required to be fully and promptly disclosed to the financial institution. 

  1. Ongoing Monitoring – Performance monitoring should include a review of the service provider’s Business Continuity Plan and the results of BCP testing.  

  1. Mitigating Gaps – The institution should review its key vendors for these gaps. If gaps are noted by the financial institution, it is prudent to assess any resulting risks and implement compensating controls to mitigate them. For example, a financial institution may obtain supplementary business continuity documentation from the service provider or modify the financial institution’s own business continuity plan to address contractual uncertainties. 


Act Now and Know Your Risk 

Don’t wait until a disaster or incident occurs to find out that your institution does not have any contractual rights or remedies in the situation.  Be sure to go back and review your technology service provider contracts and, if a gap exists, either adjust your risk assessment or work to adjust your service provider contracts. 


Related Topics 

Written by: Laura Zannucci, CISA, CBSM
Senior IT Auditor, SBS CyberSecurity, LLC


SBS Resources:

If you are looking for assistance with Vendor Management, SBS can help in a few different ways.

  • {Solution} TRAC: One of the core modules of our TRAC software is our Vendor Management module, which can help you easily and more efficiently perform vendor risk assessment, vendor selection, and ongoing vendor management. It provides you with a consistent, pre-defined vendor management process, including vendor types, question sets, the ability to categorize different levels of vendor, and customizable, one-click reporting.
  • {Service} Vendor Management: SBS can perform vendor management around your critical vendors, saving you the time and effort to gather information from these vendors, review and analyze the vendor’s documentation, and create reports around your findings. We can streamline your process by doing all that work for you, then providing you the results in an easy-to-understand format.
  • {Hacker Hour} Develop a Better Understanding of SOC 2 Reporting: Join us as we discuss the struggles that organizations have when dealing with SOC 2 reporting. We will review what a SOC 2 report entails, why they are important, tips on going through the review process, and how to read and document responses. Registrants will also receive a SOC 2 questionnaire.


Related Certifications:

Join our growing community of financial service professionals showing their commitment to strong cybersecurity with a cyber-specific certification through the SBS Institute. Click here to view a full list of certifications.

Certified Banking Business Security Manager

Hacker Hour webinars are a series of free webinars hosted by SBS CyberSecurity. Unlike paid webinars, Hacker Hours are aimed to meet on a monthly basis to discuss cybersecurity issues and trends in an open format. Attendees are encouraged to join the conversation and get their questions answered. SBS will also offer products and services to help financial institutions with these specific issues.

Posted: Friday, April 5, 2019
Categories: Blog