How to add predictive analytics into your risk program
Risk reports are often limited to historical insights and issues and do not provide guidance and insights into the future of the organization. Adding predictive analytics can allow your organization to detect emerging risks and create mitigation plans. This can be achieved by combining internal and external key risk indicators (KRIs) and key performance indicators (KPIs) with regulatory intelligence. This ensures that risk reports can detect more issues and highlight areas of concern.
FDIC reminder on tech service provider contracts
Yesterday, the FDIC issued FIL-19-2019 to share examiner observations about gaps in financial institutions' contracts with technology service providers that may require financial institutions to take additional steps to manage their own business continuity and incident response. The FIL reminded agency-supervised financial institutions that:
- Their boards of directors and senior management are responsible for managing risks related to relationships with technology service providers.
- Effective contracts are an important risk management tool for overseeing technology service provider risks, including business continuity and incident response.
- Recent FDIC examination findings noted that some financial institution contracts with technology service providers lack sufficient detail regarding the contract parties' respective rights and responsibilities for business continuity and incident response.
- When contracts do not adequately address such risks, financial institutions remain responsible for assessing those risks and implementing appropriate mitigating controls.
- Financial institutions have a responsibility under Section 7 of the Bank Service Company Act to notify their FDIC regional office of contracts or relationships with technology service providers that provide certain services to the institution.
FDIC examiners have noted that some contracts do not require the service provider to maintain a business continuity plan, establish recovery standards, or define contractual remedies if the technology service provider misses a recovery standard. Other contracts do not sufficiently detail the technology service provider's security incident responsibilities, such as notifying the financial institution, regulators, or law enforcement. Also, some contracts do not clearly define key terms used in contractual provisions relating to business continuity and incident response. Undefined and unclear key contract terms can contribute to ambiguity about the financial institution's rights and the service provider's responsibilities, and can increase the risk that a technology service provider's business disruption or security incident will impair the financial institution's operations or compromise customer information.
The FIL included links to several resources that institutions can use to guide them in managing their technology service provider agreements.