Many companies are struggling with vendor management and outsourcing. Outsourcing technology and account services can be valuable in industries like banking and healthcare, but the institution that outsources a function remains responsible for ensuring that its data is protected. As the Federal Financial Institutions Examination Council (“FFIEC”) indicated, “responsibility for managing the risks associated with those products or activities cannot be outsourced.”
The FFIEC suggested that organizations conduct periodic risk assessments that consider:
- Strategic goals, objectives, and business needs of the financial institution.
- Ability to evaluate and oversee outsourcing relationships.
- Importance and criticality of the services to the financial institution.
- Defined requirements for the outsourced activity.
- Necessary controls and reporting processes.
- Contractual obligations and requirements for the service provider.
- Contingency plans, including the availability of alternative service providers and the costs and resources required to switch service providers.
- Ongoing assessment of outsourcing arrangements to evaluate consistency with strategic objectives and service provider performance.
- Regulatory requirements and guidance for the business lines affected and technologies used.
Additionally, organizations should conduct due diligence before selecting a service provider to determine whether the provider has sufficient technical and industry expertise, whether it has adequate controls, and whether its financial condition is sound. Finally, an organization’s contracts with its service providers should clearly articulate the scope of service, the required standards for performance, the standards for security and confidentiality, the required controls, audit provisions, contingency plans, prohibitions on sub-contracting, costs, the timeliness and method of notice in the event of an incident affecting data privacy, and indemnification.