Earlier this month, the FDIC issued guidance to financial institutions to help them address risks associated with technology outsourcing and cyber security.
On April 7th, the FDIC issued FIL-13-2014 entitled “Technology Outsourcing: Informational Tools for Community Bankers.” The letter included links to previously issued guidance regarding the selection and management of technology vendors. The FDIC highlighted the following three sources of information:
- Effective Practices for Selecting a Service Provider
- Tools to Manage Technology Providers’ Performance Risk: Service Level Agreements
- Techniques for Managing Multiple Service Providers
In re-issuing these guidance documents, the FDIC noted that their purpose was “informational only” and not for “official guidance” purposes.
Three days later, on April 10th, the FDIC issued a press release entitled “FDIC Urges Financial Institutions to Utilize Available Cyber Resources.” The purpose of the release was to urge financial institutions to “actively utilize available resources to identify and help mitigate potential cyber-related risks.”
In issuing this release, the FDIC noted that it was the responsibility of financial institutions to “be aware of” cyber-threats and available government resources to help identify such threats.
The release was spurred by a meeting of the FDIC Advisory Committee on Community Banking; the committee believed that banks would benefit from having “greater awareness” of resources to identify cyber-related risks. In particular, the FDIC highlighted five resources for banks to review:
- United States Computer Emergency Readiness Team
- US Secret Service Electronic Crimes Task Force
- FBI InfraGard
- Regional Coalitions
- Information Sharing and Analysis Centers
In addition to these resources, the FDIC reminded banks that they should utilize vendor websites for information specific to particular products, and banks should ask vendors for information about “user groups” related to their products.