From the FDIC's Office of Inspector General comes an interesting little tale that may have slipped by your attention while you and the family were reveling in the latest bloviations from the walking, talking hairdo that is THE GREATEST SHOW ON EARTH, I PROMISE YOU!!!
The entire incident was triggered by a false alarm about a possible security breach of a third party service provider (TSP) that turned out to be some pesky adware. However, the FDIC IG, operating on the premise that no (non)crisis should ever go to waste, used its investigation of the incident to uncover sloppy security breach incident response policies and procedures by all concerned, including not only the bank and TSP, but by the FDIC's own Risk Management Supervision field office (RMS) as well.
The entire "Case Study" by the IG is less than two pages long, so I won't reiterate it in detail. However, I will use it to bleat about a couple of additional points of my own. The first concerns the application of the FFIEC Interagency Guidelines Establishing Information Security Standards to TSPs.
The Case Study observes:
The Interagency Guidelines require FIs to develop and implement a risk-based response program to address incidents of unauthorized access to customer information. The Interagency Guidelines also provide that FIs' contractual arrangements shall require that TSPs implement appropriate measures to meet the Interagency Guidelines objectives.
I recently had a TSP respond to a financial institution's request that its agreement for technology services with the TSP (which services would give the TSP access to nonpublic personal information (NPI) of the bank's customers) contain a provision pursuant to which the TSP agreed to protect the security of the NPI with the brilliant argument that the TSP was not a financial institution and, therefore, was not required to comply with the Interagency Guidelines. I not-so-patiently replied that the Guidelines "recommended" that my client make them apply to the TSP via a contractual provision and, since my client took such "recommendation" seriously and incorporated such a requirement into its vendor management policy, if the TSP wanted to do business with the financial institution, it could either agree to the provision or not do business with the institution. The TSP's business people conceded the point and it added a provision to the agreement designed to meet this requirement.
This seems like a fairly common requirement, yet the TSP was a technology service provider that does a lot of work with banks. In the course of the discussion on this point, it was evident that if the vendor's representatives were telling the truth (I accepted their assertions at face value, since it did not alter my client's position whether or not they were truthful), we were the only bank to ever ask for this provision. If that is correct, then the regulators need to be a lot more diligent in their vendor management reviews, because there are a lot of agreements with this TSP that don't comply with the "recommendations" of the Interagency Guidelines. On the other hand, it was the TSP's lawyer putting forth this position, so maybe it was a bald-faced lie.
The IG's Case Study also noted that "[t]he federal banking agencies, including the FDIC, conduct periodic information technology (IT) examinations at FIs and their TSPs." Other regulatory guidance, such as OCC Bulletin 2013-29, "recommends" that financial institutions place in their agreements with TSPs an acknowledgment by the TSP that such examinations are permitted and that the TSP will cooperate in the conduct of the same. I have always considered this a "belt-and-suspenders" approach, designed to ward off unnecessary delay, since the Bank Service Company Act gives the federal bank regulators this power to examine third party service providers. On the other hand, I have had a contract negotiator for one of the country's largest technology service providers tell me that their attorneys have taken the position that the law does not require the TSP to allow the bank's regulator to conduct such an examination. The TSP only permitted them out of the goodness of its heart, I suppose. Regardless, the agreement with the TSP should always have a provision that requires the TSP to permit, and to provide reasonable cooperation in connection with, such examinations.
A final few nuggets I gleaned from the Case Study: (1) a contract with a TSP needs to require full cooperation with the financial institution in the event of a security breach, along with other provisions designed to permit the financial institution to meet its obligations under the recommendations of another set of guidelines, the Interagency Guidance on Response Programs for Security Breaches; (2) as part of their initial and ongoing due diligence and monitoring of technology service providers, institutions would be well-advised not to neglect the TSP's security breach incident response programs, and to make sure that the TSP complies with "cybersecurity best practices;" and (3) just as the bank has a regulator looking over its shoulder and second-guessing it, so does the regulator. I'm not claiming that this is necessarily a bad thing, but you wonder how much of the effort in this area is directed toward placating Monday Morning Quarterbacks.