FDIC finds that some financial institutions' technology contracts lack business continuity detail
The US Federal Deposit Insurance Corporation (FDIC) has written to all FDIC-supervised financial institutions about gaps in their contracts with technology service providers, gaps that may require the institutions to take additional steps to manage their own business continuity and incident response.
The letter notes that 'effective contracts are an important risk management tool for overseeing technology service provider risks, including business continuity and incident response. Recent FDIC examination findings noted that some financial institution contracts with technology service providers lack sufficient detail regarding the contract parties' respective rights and responsibilities for business continuity and incident response.
When contracts do not adequately address such risks, financial institutions remain responsible for assessing those risks and implementing appropriate mitigating controls. Financial institutions have a responsibility under Section 7 of the Bank Service Company Act to notify their FDIC regional office of contracts or relationships with technology service providers that provide certain services to the institution.'
More details of the letter can be viewed here.