Recently, the Federal Financial Institutions Examination Council (FFIEC) issued appendix J to the Business Continuity Planning (BCP) booklet of the FFIEC Information Technology Examination Handbook.
Appendix J of the BCP Booklet discusses that a financial institution should ensure their technology service providers (TSPs) are providing resilient technology services. According to the booklet, this includes:
- Third-party management addresses a financial institution management’s responsibility to control the business continuity risks associated with its TSPs and their subcontractors.
- Third-party capacity addresses the potential impact of a significant disruption on a third-party servicer’s ability to restore services to multiple clients.
- Testing with third-party TSPs addresses the importance of validating business continuity plans with TSPs and considerations for a robust third-party testing program.
- Cyber resilience covers aspects of BCP unique to disruptions caused by cyber events.
More information on Appendix J can be found here: http://ithandbook.ffiec.gov/it-booklets/business-continuity-planning.aspx