Outsourced Third Party (Vendor) Risk Management continues to be a top priority with the regulators. Therefore, ensuring your Program is not only going to be effective but also meet their expectations needs to be a priority. When you outsource, you are placing your confidential customer information in someone else’s hands along with the availability and security of that information, but you still retain the responsibility for ensuring the integrity, confidentiality, availability, and security of the information making this a crucial part of your overall Information and Cyber Security Program.
The FFIEC issued Interagency Guidance on Third Party Relationships: Risk Management, June 6, 2023, which rescinded all previous Guidances issued by the Agencies addressing appropriate third party relationship risk management practices. This new guidance is intended to assist in identifying and managing risks associated with third party relationships and complying with applicable laws and regulations. In addition to the latest guidance, the FFIEC issued a revised Business Continuity Management handbook on November 14, 2019, that addresses Third Party Management, Third Party Capacity, Testing with Third-Party Technology Service Providers, and Cyber Resilience. The FFIEC Cybersecurity Assessment Tool (CAT) also includes declarative statements relating to Outsourced Third Party Risk Management practices. Your Outsourced Third Party Risk Management Program should address both Vendor and Third Party Service Provider relationships and activities including cloud providers, managed service providers, core banking and digital banking providers, and critical infrastructure providers like telecommunications, utility, and Internet service providers. Management of these relationships starts with proper strategic planning, performing due diligence prior to contracting, risk assessing each relationship to identify critical and significant relationships and those that present high risk no matter of their significance, reviewing contracts, and performing annual oversight.
What You’ll Learn
- FFIEC expectations for your Program
- Roles and Responsibilities
- Expectations for Planning, Due Diligence and Selection, Risk Assessing, Contracting, and Oversight
Who Should Attend
Senior Management, Information Security Officers, Compliance Officers, Risk Managers, IT Managers, Operations Managers, and IT auditors should attend.