The push in the United States from regulatory bodies advising on best practices for outsourcing relationships with third-party vendors may be due to cyber security concerns, according to Richard Raysman, one of America’s leading outsourcing lawyers.
“I think it relates to President Obama’s executive order 13636, which was issued on February 12, 2013,” Raysman told Nearshore Americas. “That executive order called for improvements in critical infrastructure and cyber security.”
Raysman notes that, some months after the order, we began to see the promulgation of guidelines for buyers and service providers. These include: the Consumer Financial Protection Bureau’s (CFPB’s) Bulletin 2012-03, issued April 13, 3012, which notified regulated institutions that third-party vendor and service provider relationships would be monitored; OCC Bulletin 2013-29 from the Office of the Comptroller of the Currency, issued Oct. 30, 2013, which addressed risk management for third-party relationships; and most recently the Federal Reserve Board’s “Guidance on Managing Outsourcing Risk”, which was issued on Dec. 5, 2013.
“In my opinion, what I think happened is that in response to the executive order the National Institute of Standards and Technology (NIST) came up with ideas to improve the cyber security framework, and then other agencies looked at the order and felt a need to respond as well,” Raysman said.
Guidelines Increase Liability Exposure
In the case of the Federal Reserve, the guidelines are extensive. They outline the expectations of a financial institution’s board and senior management, and delineate in some detail the framework and processes required to manage risks associated with service provider relationships.
“Banking CIOs are already in the weeds when it comes to cyber security – the Federal Reserve is not telling them anything they don’t already know,” Raysman said. “However, they now need to show that they are complying with these guidelines, and that’s a big headache.”
A perusal of the government guidelines indicates that the recommendations form a list of best practices that, as Raysman suggested, any financial services organization would already have in place with regard to managing third party outsourcing risk. The guidelines are, however, both broad and detailed, and have jolted the financial service industry into a more rigorous consideration of the risk management requirements for third-party relationships.
“These are not laws, but could nonetheless open you to civil liability,” says Raysman. “When there is a security breach, often class action lawsuits follow. Plaintiff lawyers could pull out these government guidance documents and hunt through them and say, ‘Well, Mr. Bank, you did not follow or document this specific guideline.’”
One result is that financial institutions are now bringing in broader program controls that, formerly, would have only applied to the IT department. It should be noted too that – thanks to the Dodd–Frank Wall Street Reform and Consumer Protection Act – the CFPB can now supervise service providers, even examining operations on site. This goes well beyond traditional oversight of core bank processing and IT services. Some banks are pulling out and reviewing their vendor agreements, putting amendments in place, and getting them signed off to reduce liability – even though in most instances they are already in compliance.
“I had lunch yesterday with the chief technology officer at a major bank,” Raysman said. “Now they have to go through these guidelines, and get a report, perhaps hire someone to show that they are in compliance.”
The Fear of Espionage
In effect, financial institutions using third-party outsourcers have being brought into the government war in cyberspace. Whether they like it or not, they have been drafted into this conflict. Now it is up to them to confirm that they are not allowing for any breaches via third parties.
“Look at the first sentence in section one of the executive order,” says Raysman. “It states clearly that ‘Repeated cyber intrusions into critical infrastructure demonstrate the need for improved cyber security.’ That suggests it is not coincidental that all this guidance is coming out now. People are pretty worried about it – if you are in the legal department of a bank, you have to take the guidance seriously.”
The government can argue that, in the example of the CFPB guidelines, it is more concerned with domestic consumer protection within third-part engagements. However, the recent news that the United States has taken the unprecedented step of indicting five Chinese officials on cyber espionage charges indicates that the federal government is serious about protecting its commercial interests from foreign threats, too.
“This is not just for banks,” says Raysman. “It also applies to financials in other industries. And compliance reporting is expected to flow from senior management to the board, which means that many boards are now re-examining their liability insurance.”
The news to buyers of outsourcing services is clear: by using a third party, senior management and a board of directors do not avoid responsibility. The challenge is that one would assume that risk management practices would adjust to the complexity and level of risk inherent in a third party relationship, yet the expansion of guidelines from so many government organizations – the Fed, OCC, FDIC, and CFPB, with all being subject to the Federal Financial Institutions Examination Council’s Outsourcing Technology Services guidelines – suggests buyers of all sizes need to be fully compliant.
“When you look at these guidelines, it’s pretty comprehensive,” says Raysman. “They haven’t left much out.”