On July 13, U.S. federal banking regulators released Proposed Interagency Guidance (Proposed Guidance) designed to help banks manage risk associated with third-party relationships, including information security risks. The Proposed Guidance reiterates the importance for banks of managing risk associated with third parties throughout the life cycle of that relationship.
Third-Party Relationships: Benefits and Risks
Third-party relationships, including relationships with vendors, cloud service providers, and financial technology (FinTech) companies, may offer many benefits to banks. In the information security context, many banks depend on third-party support or security tools to assess and manage information security risks. However, those third-party relationships may introduce risks or increase existing risks, particularly regarding information security threats and vulnerabilities.
The Risk Management Life Cycle
Because information security risk is dynamic (emerging technologies, the ever-changing threat landscape, an evolving legal and regulatory landscape), it cannot be “managed” at any single point. The Proposed Guidance emphasizes that management of third-party information risk is an ongoing process or project assessed and adjusted based upon particular circumstances.
The “life cycle” of a third-party relationship includes these milestones:
- Planning: Identify the potential information risks associated with a third party before deciding to enter that relationship
- Due Diligence and Third-Party Selection: Assess a third party's information security program, operational resilience, and insurance coverage
- Contract Negotiation: Require written contracts with third parties that clearly specify the rights and responsibilities of each party, including appropriate security measures
- Ongoing Monitoring: Evaluate the performance of the third party periodically and revise requirements
- Termination: Consider transition arrangements
Takeaways for Banks
Understanding the risks of connecting with and entrusting information to third parties, and taking steps to manage those risks, is an essential requirement for doing business in the information age. A bank’s use of third parties for an activity does not diminish the responsibility of its board of directors and senior management to ensure that the activity is performed appropriately and in compliance with all applicable laws. As the saying goes, banks can outsource responsibilities to third parties, but not accountability.
Our Privacy, Cybersecurity and Data Management Team will continue to monitor the latest developments in the areas of information security and third-party risk management.