When Curry Speaks, All Banks Should Listen

The Comptroller of the Currency Thomas Curry gave a speech the other day (paid subscription required), and emphasized a couple of points that vendor management folks at financial institutions with various charters (state and federal, bank and credit union) and the lawyers who represent them would be wise to heed.

Comptroller of the Currency Thomas Curry said his agency is increasingly concerned about the cybersecurity risks from banks relying too much on certain vendors and using service providers in foreign countries.

Banks can end up becoming dependent on certain vendors because of consolidation in the service provider industry, Curry said in his prepared remarks for the Consumer Electronics Show’s Government Summit in Washington. They can also be exposed to risks when they assign critical functions to outside vendors, including those that use foreign-based subcontractors.

“Banks need to consider the legal and regulatory implications of where their data is stored or transmitted, and make a determination as to whether geographic limitations are needed in their contracts,” Curry said. “Finally — and perhaps most importantly — we are concerned about the access third parties have to large amounts of sensitive bank or customer data.”

Here are a few take-aways:

First, cybersecurity due diligence of your vendor assumes critical importance when that vendor has access to customer data and other sensitive information of the institution. Access to sensitive information ought to make that vendor a “critical” vendor regardless of the dollar “value” of the contract. The institution needs to be able to document that it examined the information security procedures and systems and found that they met industry standards.

Second, the provisions of the agreement between the institution and such vendors on confidentiality and information security need to be “robust.” This is especially critical when one or a couple of vendors of the institution have access to a lion’s share of sensitive data. Read OCC Bulletin 2013-29, FFIEC’s handbooks on the outsourcing of technology services, and other regulatory guidance. Make sure you know what contractual assurances you need and then make sure they’re in the agreement.

Third, the financial institution needs to monitor the compliance of these vendors with information security safeguards throughout the life of the relationship. If a critical vendor is not providing an annual SSAE 16 audit report of an appropriate type (SOC 1 vs. SOC 2), and is not addressing problems raised by such annual reviews, you’ve got a problem.

“We expect the board and management to ensure that appropriate risk management practices are in place, that clear accountability for day-to-day management of these relationships is established, and that independent reviews of these relationships will be conducted periodically,” Curry said in his remarks Wednesday.

That’s a red flag, no?

Fourth, you need to read between the lines of what Curry’s saying about “certain vendors.” Pay attention to what’s happening in the marketplace. If an article appears in the press that notes problems with a critical vendor, investigate and assure yourself that any problems are being addressed. Review the websites of the regulators for enforcement actions, and pay attention to what you find if a vendor is the subject. Pay attention to your own due diligence. If you gather necessary information but don’t act upon it appropriately, your regulator will not be pleased.

Fifth, foreign subcontractors have become a “hot button” concern. I would recommend that in your vendor agreements with critical vendors you have adequate restrictions on the use of subcontractors. Among those restrictions ought to be that the use of a non-US based subcontractor requires your prior written consent. I represent banks that would never consent, but that’s a story for another day.

If the vendor pushes back, that vendor ought to be a cause for grave concern. They’re not doing you a favor by selling you their technology, although a few of the larger ones act that way, especially if you’re a smaller institution. These concerns are regulatory concerns, matters of safety and soundness. If the vendor is large and represents a number of financial institutions, none of these issues should come as a surprise to them. If you have concerns about a vendor, give your federal regulator a call and tell him or her about those concerns. As Curry makes clear, your regulator will be interested. Very interested.


After deciding to forgo its own request for rehearing of the Ninth Circuit’s decision prohibiting a party from striking a juror based on sexual orientation, Abbott Labs. files brief supporting Ninth Circuit’s sua sponte consideration of en banc review

You can access the brief that Abbott Laboratories filed today in the U.S. Court of Appeals for the Ninth Circuit at this link.

Also today, SmithKline Beecham Corporation, which prevailed before the three-judge panel, filed this brief opposing en banc review.

My earlier coverage of the three-judge panel’s ruling in this case can be accessed here.


Non-Sequiturs: 04.17.14

* Cheerios is claiming that “Liking” them on Facebook constitutes a waiver of the right to sue. Let’s take this moment to encourage everyone to Like Above the Law on Facebook. [NY Times]
* New study determines that the United States is an oligarchy instead of a democracy. You’re telling me a government explicitly founded on the principle that only a handful of wealthy men should have a voice grew into an oligarchy? Quelle surprise!
* Oh look, John Edwards is back. [Slate]
* In the continuing saga of NYU’s allegedly shady spending, there are now reports that former NYU Law Dean and current NYU President John Sexton used school funds to convert two apartments into a duplex for his son. His son was married to an NYU Law employee and, as I’ve said before, a school located in housing-scarce Manhattan should be able to do something to house professors, but as they say, “the optics” aren’t good. [Chronicle of Higher Education]
* Musings on what it’s like to clerk in the midst of “flyover country” (presumably like my early childhood home of Des Moines). It makes a valiant effort to redeem itself at the end, but this article is exactly why most parts of the country think New Yorkers are elitist dicks. Which, we kind of are, but you don’t want to broadcast that. [Ramblings on Appeal]
* The government is profiting handsomely from law students. Is that really a bad thing? [Law & Economics Prof Blog]
* A D.C. law professor is now a movie star. [Washington City Paper]
* The judge in the New Orleans Affordable Housing case may know the real identity of one of the anonymous commenters in the case. And if one of the anonymous trolls was a federal prosecutor poisoning the well in the case — like everyone suspects — it could aid the defense. [Times-Picayune]
* For those of you across the pond, there’s a one-day event for lawyers on the business case for Corporate Social Responsibility. It’s in England because American companies have already passed on the idea of corporate responsibility. [International Law Society]