Vendor Risk Management and FFIEC Appendix J

Podcast Transcript

Hello everyone and thank you for joining me today for our Third Party Thursday podcast. I’m Lisa-Mae Hill, an Information Security Specialist here at Venminder.

Today’s topic is a quick dive into FFIEC’s Appendix J and how it relates to your vendor risk management program.

First, let's understand what Appendix J is. Appendix J was released by the FFIEC in 2015 as a revision to the Business Continuity Planning Booklet which is part of the FFIEC Information Technology Examination Handbook. The overall purpose of Appendix J is to strengthen the resilience of outsourced technology services.

So how does this all relate to your vendor risk management program? Well, the Appendix J guidance states:

“as part of its due diligence, a financial institution should assess the effectiveness of a third party service provider’s business continuity program, with particular emphasis on recovery capabilities and capacity. Furthermore, the financial institution should review the third party service provider’s BCP program and its alignment with the financial institution’s own program, including an evaluation of the third party service provider’s BPC testing strategy and results to ensure they meet the financial institution’s requirements and promote resilience.”

So, in other words, it's your job to make sure your vendors have a strong resiliency plan that works for you and your vendors.

Appendix J provides insight around four key elements of business continuity planning that you should address when contracting with a third party service provider. This is to ensure the relationship is strengthening the resilience of technology services. These include:

1. Subcontractors: Your responsibility to control the business continuity risks associated with the third party and any subcontractors (aka your fourth parties).
2. Disruptions: Address potential significant disruptions and the impact on a third party’s ability to restore services to multiple clients.
3. Testing: Testing with the third party addresses the importance of validating business continuity plans with them and considerations for a robust third-party testing program.
4. Cyber resilience: That it covers aspects disruptions caused by cyber events.

Here are our recommendations to best incorporate Appendix J into your vendor management program:

• Review and understand your vendor’s business continuity and disaster recovery plans. Ensure it aligns with your needs.
• Add breach and disaster notification language to your vendor contracts.
• Understand your vendor’s resiliency position and verify it has been tested.

I hope you found this podcast helpful. Again, I’m Lisa-Mae Hill at Venminder. If you haven’t already done so, please subscribe to our Third Party Thursday series.