Applying Appendix J

Understanding the new guidance for financial institutions around technology service providers and business-continuity risks.

The Federal Financial Institutions Examination Council (FFIEC) has issued guidance to help financial institutions (FIs) ensure their technology service providers (TSPs) have business-continuity procedures in place so that outsourced operations are secure and recoverable. The guidance, known as "Appendix J: Strengthening the Resilience of Outsourced Technology Services," highlights the following four elements:

  • Adequate third-party risk management (TPRM) over the business-continuity risks associated with any of the TSPs' subcontractors (i.e., fourth parties)
  • Business continuity planning (BCP) that addresses the scenario of a significant disruption of a TSP (impacting services to multiple clients), including impact assessment and plans
  • Validating business-continuity plans through testing with the TSP to ensure strong TPRM
  • BCP addressing cyber-event scenarios, including impact assessment and plans

Because the use of TSPs has become increasingly concentrated, with a single TSP serving multiple FIs or multiple businesses within one FI, FIs should evaluate how a TSP's plans, from an infrastructure and resource perspective, account for a widespread disruption or outage.