FFIEC IT Examination Handbook Appendix J: Strengthening the Resilience of Outsourced Technology Services

This section of the Federal Financial Institutions Examination Council’s (FFIEC) IT Examination Handbook focuses specifically on the business continuity risks created by the use of third parties. In particular, the document says that financial services firms must be responsible for the business continuity risks posed by their third parties. The document also addresses cyber-resilience issues.

“Many financial institutions depend on third-party service providers to perform or support critical operations. These financial institutions should recognize that using such providers does not relieve the financial institution of its responsibility to ensure that outsourced activities are conducted in a safe and sound manner. The responsibility for properly overseeing outsourced relationships lies with the financial institution’s board of directors and senior management. An effective third-party management program should provide the framework for management to identify, measure, monitor, and mitigate the risks associated with outsourcing.”