BOL Conferences
#76468 - 04/28/03 07:25 PM SLA’s and GLBA
Anonymous
Unregistered

According to GLBA, I have until July to build Service Level Agreements into my existing third-party vendor contracts. What if my vendor isn't willing to accept (in contract form) any type of performance measurement? I'm still under contract for 3 years. Will my regulator still find exception that I don't have an SLA?

#76469 - 04/28/03 07:41 PM Re: SLA’s and GLBA
Andy_Z
What part of GLBA are you referring to?

SLAs have been around for a while in many contracts, and GLBA, as it is often thought of with Privacy, had some grandfathering with vendor contracts, but they expired.
_________________________
AndyZ CRCM
My opinions are not necessarily my employers.
R+R-R=R+R
Rules and Regs minus Relationships equals Resentment and Rebellion. John Maxwell

#76470 - 04/28/03 07:55 PM Re: SLA’s and GLBA
Anonymous
Unregistered

Sorry if I was not clear. The contract I'm speaking of was signed prior to March 2001 and lacks the utility to contractually gauge performance. 12CFR570 Appendix B states I have until July 2003 to include the necessary safeguarding guidelines in the contract.

#76471 - 05/09/03 09:21 PM Re: SLA’s and GLBA
Lawrence T. Levine
Joined: May 2003
Posts: 37
Troy, VA
I'm not aware of anywhere in 12CFR364 that you are required to have SLAs. You do need solid contracts, however. I doubt seriously that any of the examiners would fault you for not having any SLA in place as long as the contract made clear what the vendor was contractually obligated to do.

To get up on a soap box for a second: I've never been a fan of SLAs. In most cases they have no teeth to them. Who cares if you get 1/30th of one month's charges back from some company that failed to provide service for a week? Often (most specifically in the telecommunications business) that's the sort of thing you will see. I would focus less on SLAs and more on the contract. If you do end up with an SLA, make sure the contract specifically speaks to it or it may not be worth more than the bits it was written in.
_________________________
Lawrence T. Levine Managing Director SecurePipe, Inc. Direct: 4342932454 www.SecurePipe.com

#76472 - 05/12/03 01:56 PM Re: SLA’s and GLBA
Anonymous
Unregistered

Who cares? Well, I think the intent of a penalty in an SLA is to provide incentive for the vendor to perform well or not to perform poorly. Similarly, the penalty must be significant enough to cause “pain” to the vendor’s pricing model.

Aside from the actual term "SLA", and back to the original question stated in your terms:

What if my vendor isn't willing to accept (in contract or addendum form) any type of performance measurement and/or standard for information security? I'm still under contract for 3 years. Will my regulator still find exception that the contractual language isn't there?

#76473 - 05/12/03 02:35 PM Re: SLA’s and GLBA
Lawrence T. Levine
I did say I was up on a soap box. I agree with your statements about SLAs entirely.

As to the actual question:

I would think that the examiner would be interested in a formal assessment of the risk of continuing with that vendor under those terms.

What I mean by risk assessment is not just technical. It should include an assessment of what information that vendor has access to and what the possible damage to the institution would be if that vendor were to have an 'issue'.

You might want to create additional cover by formally communicating to the vendor that this is a requirement put on you by law and that you will not be renewing your contract with them if you are unable to incorporate the necessary language.

Ultimately, if your assessment shows that the risk of continuing with them without this language in place is too high, you may be forced to find another vendor and argue with them over the remainder of the contract.

Best move: write everything down in a comprehensive assessment of risk and be prepared for the discussion.

Sorry I can't give a better answer. Not an envious position to be in either way.

#76474 - 05/12/03 02:53 PM Re: SLA’s and GLBA
Anonymous
Unregistered

Thanks. By the way, I'm not trying to kick over the soapbox; I appreciate your candid comments.

The vendor I'm speaking of is a large, national core processor with little or no care for their clients' compliance. As you have recommended, we have already formally advised them in writing of our requirement and have submitted a draft of the contract addendums that we would like to implement. Unfortunately, the contract dates back to 1998 and has been ignored by management until recently.

#76475 - 05/12/03 03:32 PM Re: SLA’s and GLBA
Lawrence T. Levine
Gotcha. You may have another card up your sleeve since they are a large national organization.

You may want to consider contacting your regulatory agency and asking them to help apply appropriate pressure.

Depending on which agency you are under and in which region, they can be very helpful in situations like this. The other benefit of this is that it's hard for them to give you a negative comment when you are asking for their help in dealing with the problem, and there are likely other institutions in the same situation.

Just a thought.

Oh, and by the way: I'm not a lawyer, I just play one on TV.

#76476 - 05/12/03 06:31 PM Re: SLA’s and GLBA
Anonymous
Unregistered

Already in process. (Partial rant:) I guess my opinion about regulator involvement, before the fact, should start at the core provider level. I feel that if a core provider is subject to the MDPS (Multiregional Data Processing) they should be held to a higher standard than the regulated banks themselves.

I'm amazed that the core provider can sufficiently pass the MDPS examination as it applies to information security and IT security. Clearly, the core provider may be employing some infosec/itsec standards within their own organization (evidenced by the SAS 70), but certainly not with their clients as it relates to the clients' own regulatory compliance.

While I'm not saying that the core provider should be 100% responsible for the Bank's compliance, the core provider's products, services, designs, etc. should be consistent with industry best practices for itsec/infosec.

Even if two different standards are used, one for the MDPS and another for the bank, the subject matter and scope of the MDPS examination must directly relate qualitatively to the end product, that which is delivered to the client banks and must pass regulatory muster. Also, the MDPS exam must be stringent/rigorous enough to account for the greater volume of non-public customer information behind the core provider's walls.

#76477 - 05/12/03 08:59 PM Re: SLA’s and GLBA
Lawrence T. Levine
Amen!

#76478 - 05/13/03 01:53 PM Re: SLA’s and GLBA
Anonymous
Unregistered

Back to the original question . . .

Section 501(b) of the GLBA, and the information security guidelines promulgated pursuant to that section, require that by July 1, 2003, you have written agreements with all service providers who, in the course of providing services to you, will have access to nonpublic personal information of your customers. The written agreement merely needs to provide that the service provider will implement and maintain an information security program designed to achieve the objectives of the Interagency Guidelines for Safeguarding Customer Information. (You'll find a link to the InfoSec Guidelines on the BOL Launch Pad under the Financial Privacy category.)

In some instances, you may also need to monitor the service provider's compliance with the information security program requirement.

On our Banker Tools page, you'll find a link to an article I wrote about the contract provisions and monitoring requirements:

InfoSec Tools

Plus, you'll find sample contract language drafted by BOL Guru Karen Garrett of the Bryan Cave law firm:

Sample InfoSec Contract Language

#76479 - 05/13/03 02:46 PM Re: SLA’s and GLBA
Anonymous
Unregistered

Thanks to all,

While we have digressed a bit, I have enjoyed the different views.

Thanks again,
g
