Vendor Risk Management

Technology Resiliency & Outsourcing (TRO): Familiarize Yourself

Melissa Stevens | October 18, 2016

In a recent Huffington Post article, Shared Assessments senior director Tom Garrubba discussed how third-party risk management has become an important topic to many executives and board members around the world. He recalls a conversation he had with Robin Jones, a member of the U.K.’s Financial Conduct Authority (FCA), during a conference in London. Jones expressed that his “unit [has been] paying renewed focus on technology resiliency and outsourcing.” 

Technology resiliency and outsourcing, or “TRO,” appears in the Federal Financial Institutions Examination Council’s (FFIEC) “Business Continuity Planning” booklet. (The FFIEC is a U.S.-based banking regulatory body.) The booklet—which is a part of the FFIEC’s IT Examination Handbook—“provides guidance to assist examiners in evaluating financial institution and service provider risk management processes to ensure the availability of critical financial services.” Specifically, the idea of both technology resiliency and technology outsourcing are mentioned in the section titled “Appendix J: Strengthening the Resilience of Outsourced Technology Services.”

Looking to streamline your vendor risk management process? Take a look at these tools and techniques.

As you can see, TRO has become widely discussed both in U.S. and international regulatory spaces. And in the last 10 years, many regulators have also begun examining how critical third parties could affect the cybersecurity posture of a financial institution through their network access. Below, we’ll walk through what this appendix discusses in regard to TRO and how you can apply those best practices in your organization.

Strengthening The Resilience Of Outsourced Technology Services: 3 Best Practices

1. Due Diligence Process security

“A financial institution should evaluate and perform thorough due diligence before engaging” with a vendor, according to the previously mentioned appendix of the FFIEC’s booklet. During the pre-contract phase, you’ll want to be sure you understand the extent of the vendor’s access to your network and data as well as the sensitivity of the data they have access to. After the contract is signed, it’s important to have semi-regular meetings with your vendor contact, semi-annual on-site assessments, and an incident response plan in place in the case of a breach that affects your data.

2. Legal & Contractual Requirements

The FFIEC expresses that “the terms of service should be defined in written contracts that have been reviewed by a financial institution's legal counsel and subject matter experts before execution.” In other words, you’ll want to ensure that your expectations of how the vendor should secure your data are built into your contract—and that it’s legally airtight. They should also understand precisely what steps to take in case a breach—particularly one affecting your data or network—occurs.

See Also: Webinar: Legal Requirements For Third Party Cyber Risk Management

3. Ongoing & Continuous Monitoring

The appendix also expresses the need for continuous vendor monitoring, noting that “effective ongoing monitoring assists the financial institution in ensuring the resilience of outsourced technology services.” Tools like BitSight security ratings can help you immediately identify, quantify, and mitigate risk posed by TROs in an ongoing vendor relationship.

In Summary

While “TRO” isn’t as popular of a term as VRM (vendor risk management), the idea of strengthening the resilience of outsourced technology services is not a new one. Regulators are placing increased importance on a variety of issues with respect to cybersecurity in third-party risk management—so financial organizations need to be prepared to meet and exceed those regulatory expectations.

security-managers-guide-to-VRM

Suggested Posts

Mitigating Risk in Your Expanding Digital Ecosystem

As time goes on, organizations are taking on more and more new digital transformation initiatives to become increasingly agile and boost productivity — dramatically transforming the number of digital touchpoints employees interact with on...

READ MORE »

FBI Alerts Companies of Cyber Attacks Aimed at Supply Chains

Earlier this month, ZDNet broke the news that the FBI had sent a cybersecurity alert to the U.S. private sector warning of an ongoing hacking campaign against supply chain software providers. According to the FBI, hackers are attempting to...

READ MORE »

Guide: Fourth-Party Cyber Risk & Management

In today’s interconnected world, supply chains are growing exponentially. As a result, third-party risk has become a big focus for senior management. But what about the vendors that your suppliers rely on and the threat of fourth-party...

READ MORE »

Subscribe to get security news and updates in your inbox.