As part of an effective third-party risk management program, financial institutions should perform ongoing monitoring of each third-party relationship, including review of the provider's audited financial statements and risk assessments, audits of the provider's IT controls, and monitoring of the provider's performance and compliance with agreed service levels.
The COVID-19 pandemic has created unique risk pressures on financial institutions related to their third-party vendor relationships.
During this time, financial institutions should revisit their risk assessments. In particular, they should review all critical third-party contracts and service level agreements and reassess the associated risk with the following in mind:
- Financial institutions should reassess data security risks, with particular attention to the added risk of many third-party providers' employees working remotely. Institutions should understand that risk and confirm that the third party protects data against it, including the risk that the provider's remote-access and security infrastructure is operating beyond the capacity it was designed for. Reassessment of cyber security insurance coverage is also recommended.
- Financial institutions should evaluate the control environment and financial condition of their third-party contractors, particularly those that provide the institution with critical IT and other core services.
- In light of the worldwide effect of the COVID-19 pandemic, financial institutions should also consider additional oversight or controls over third-party providers that operate in foreign locations, and should maintain a strategy for enforcing their contracts against those entities, including through litigation where necessary.
- All business continuity plans should be reviewed to ensure that the third-party provider can continue to perform or provide support during the pandemic. Force majeure clauses are also in the spotlight: while many institutions would like to include a pandemic in their own force majeure definitions, they should be mindful that the same language, if it appears in a core service provider's contract, could give that provider an opening to delay or terminate performance. Pandemic-related force majeure language should therefore be drafted so that it does not excuse a third-party core service provider from performing.