FDIC tells financial institutions that their technology contracts are lacking when it comes to business continuity

Published: Friday, 05 April 2019 08:59

The US Federal Deposit Insurance Corporation (FDIC) has written to financial institutions to highlight deficiencies that have been discovered in some technology contracts when it comes to business continuity.

In a letter sent on 2nd April 2019, the FDIC points out that effective contracts are an important risk management tool for overseeing technology service provider risks, including business continuity and incident response. However, recent FDIC examination findings noted that some financial institution contracts with technology service providers lack sufficient detail regarding the contract parties' respective rights and responsibilities for business continuity and incident response.

Additionally, some contracts do not require the service provider to maintain a business continuity plan, establish recovery standards, or define contractual remedies if the technology service provider misses a recovery standard.

Other contracts “did not sufficiently detail the technology service provider's security incident responsibilities such as notifying the financial institution, regulators, or law enforcement”.

Read the FDIC letter here.