WASHINGTON — Banks are woefully unprepared to face potential cybersecurity threats stemming from third-party technology providers, according to a report issued Wednesday by the Federal Deposit Insurance Corp.’s independent watchdog.
The FDIC's Office of Inspector General found that financial institutions failed to include important cybersecurity provisions in their contracts with the third-party firms.
“Typically," financial institution contracts with technology service providers "did not clearly address TSP responsibilities and lacked specific contract provisions to protect FI interests or preserve FI rights,” the report said.
“As a result,” the report said, the contracts “provided FIs with limited information and assurance that” the providers would either recover and resume operations in the event of a disruption; or contain, control and report incidents appropriately.
The watchdog’s findings were based on a review of 48 contracts between financial institutions and their providers. They involved a total 19 financial institutions chosen through a nonstatistical sampling process, including 15 with assets of $250 million or more. However, the watchdog said, it did not contact financial institutions or the technology providers.
The watchdog found that only eight of the 19 institutions reviewed had completed both a risk assessment and a review of their contract to determine what risks their association with the technology provider might involve.
Nearly half of the contracts, meanwhile, did not require the technology service provider to have a “business continuity plan,” or be prepared to quickly resume critical operations if an incident halts them.
But the financial institutions fared passably in other respects. For instance, 79% of them completed a risk assessment matrix, a type of analysis that helps the bank assess the provider’s risk based on its access to sensitive data. Also, 53% of the financial institutions performed a due diligence review of the provider’s risk management systems and performance, either before signing the contract or annually.
The watchdog recommended that the FDIC communicate better with financial institutions the need to calculate risks involved with their associations with third-party technology providers. The agency should also make sure that the contracts address certain risks, and define contract terms that could help clarify what financial institutions can and should expect from their providers.
In addition, the inspector general said the FDIC should conduct studies to determine whether financial institutions are following agency guidance.
“When an FI relies upon third parties to provide operational services, it also relies on those service providers to have sufficient recovery capabilities for the services they perform on behalf of the FI,” the report said. “FIs with information security program limitations or unclear contract language face increased risk that business disruptions or security incidents will negatively impact business operations or compromise customer information.”