Business Continuity: Lessons Learned
Redoing Business Impact Assessments, Vendor Management Critical
Lessons learned from past events, such as ice storms in Kentucky and Hurricane Katrina in Louisiana, have taught banks that outdated recovery plans can pose great challenges to technology and vendor services during disasters, says Donald Saxinger of the Federal Deposit Insurance Corp.
"Some of the services we didn't previously think were critical turned out to be higher on the criticality list," says Saxinger, team leader and subject expert for the FDIC's Division of Supervision and Consumer Protection in the area of regulatory IT examinations.
For example, customers rely heavily on electronic services for their banking rather than on tellers, an area banks had been overlooking. Institutions need to update their plans to reflect the growing demand for online tools.
Vendor management is another area in business continuity that needs to be constantly examined and reviewed. "As we go through business impact assessments, think about all of these new services that we're contracting for, whether it's cloud, social media or mobile," Saxinger says in an interview with BankInfoSecurity.com's Tracy Kitten [transcript below].
To ensure vendors are meeting their end of the bargain, banks need to emphasize due diligence, make sure service providers can fulfill their contractual obligations and continually manage those risks.
Regardless of whether a bank's services are done in-house or outsourced, there is an expectation from regulators, particularly the FDIC, "that we evaluate the activities conducted through all third-party relationships as though those activities were performed by the institution itself," Saxinger says.
During this second part of a two-part interview with Information Security Media Group [transcript below], Saxinger discusses:
- Lessons the industry learned about cloud downfalls from the Amazon.com outage;
- How disaster recovery during severe storms can be foiled if service level agreements are not clearly spelled out;
- Why testing before an outage occurs is so critical.
Saxinger is the team leader and subject expert for the FDIC's Division of Supervision and Consumer Protection in the area of regulatory IT examinations. He serves as the lead developer of the FDIC's IT examination standards and procedures, IT examiner education, and IT examination oversight. He has authored or contributed to various regulatory policies such as third-party risk and outsourcing, business continuity, payment systems, authentication, identity theft, spyware, and other emerging technologies. He is also a member of the FFIEC IT Examination Handbook working group which publishes the interagency guidance and examination procedures for various IT, payment, and operational risk areas.
Business Continuity
TRACY KITTEN: I'd like to shift gears for a moment here and talk a little bit about business continuity. What are some of the specific vendor management issues that financial institutions should consider when it comes to business continuity planning, and what guidance should institutions look to for examples?
DONALD SAXINGER: We issued guidance back in 2008 through the FFIEC called the Business Continuity Planning Handbook. It's another one of those handbooks that's part of our IT examination handbook, and it covers a lot of new areas and a lot of traditional areas. One of the new areas related here is reliance on interdependencies. For example, we have core service providers that do business continuity testing and disaster testing. Banks do disaster testing. It's all in the contract, and if we do these in a vacuum and don't work together to do this testing, some weaknesses might show themselves. As we saw a couple of years ago, we had some ice storms in Kentucky and the communication lines went down between the banks and their service providers. Even though we had business continuity plans at both ends that worked, we had difficulty implementing certain aspects of it, particularly in updating the daily balances to the service provider. And that caused a few issues with some of the banks trying to manage their liquidity.
Another area that I saw recently on business continuity was with cloud providers. I mentioned earlier Amazon, and even though a lot of us think of a cloud as being highly resilient, we don't always know what the extent of that resilience is. Is it just a regional backup? Do they back up nationally? Is there a physical backup? If you're planning to go into the cloud to make your job easier by outsourcing that infrastructure, there is a lot more planning you have to do in understanding the contract with those service providers as far as which elements are actually covered by the cloud's disaster recovery process. That's a good lesson that we got out of the Amazon outage. Some institutions or companies that planned for failure were able to survive through that outage, while other companies that relied purely on the cloud found out that they were without services.
Business Impact Assessments
KITTEN: That's a good point you raised on learning lessons the hard way. I'm wondering about institutions' reliance on external providers for business continuity, whether we talk about the cloud or we talk about the cloud in addition to some of the other entities that they're working with, tethered to that relationship. In the wake of some of the severe storms that we've seen affecting the Southeast and the Midwest, what lessons can be learned? You've noted the storms in Kentucky, the ice storms that we saw a couple of years ago. But what lessons are we learning now?
SAXINGER: When we rewrote our business continuity book, we took a lot of lessons from the Katrina storms. One of the lessons we got out of that is that some of the services that we didn't previously think were critical turned out to be higher on the criticality list. For example, with customers' access to cash or electronic banking, we typically had thought that perhaps the teller line was more critical for people coming in. But now more and more people rely on electronic services for their banking. So many of the banks had to shift, learn and redo their business impact assessments. That's certainly a key area. As we go through business impact assessments, think about all of these new services that we're contracting for, whether it's cloud, social media or mobile. Where do those fit in on your business impact assessment?
Vendor Management
KITTEN: Before we close, what final thoughts would you like to share with our audience, whether those thoughts relate to business continuity or vendor management overall?
SAXINGER: Regardless of whether a bank performs these services internally or whether it outsources them, there's an expectation by the regulators, particularly the FDIC, that we evaluate the activities conducted through all third-party relationships as though those activities were performed by the institution itself. That's why we place a lot of emphasis on due diligence, on the bank making sure that the service provider can fulfill its contractual obligations and making sure that the bank is managing those risks. There was a report that the FDIC published recently in its supervisory journal, the Supervisory Insights Journal, in May on the whole mortgage processing and foreclosure issue. We had done some evaluations and found that some of these service providers engaged in unsafe and unsound practices that exposed some financial institutions to unacceptable levels of operational, compliance and legal risks. I'll wrap it up by reminding the financial institutions that just outsourcing it doesn't alleviate them from the responsibility of managing those risks.