White Paper on Financial Institution Vendor Management


Virtually every organization in the modern economy relies to some extent on third-party vendors that facilitate business operations in a wide variety of ways, including by providing products and services that require them to have access to sensitive information maintained by the organizations they serve. Financial institutions are no exception, with banks increasingly outsourcing certain functions wholesale (such as tax, legal, audit, or information technology operations). Certain vendors may become so deeply involved in a financial institution's inner workings that the vendor's role is as essential to the bank's operations as any other internal constituency. These vendors remain outside parties, however, and as such they present a constant potential source of privacy, security, reputational, and compliance risk. The task of managing these risks in the context of ever-evolving security threats can be daunting.

Regulators expect financial institutions to practice effective risk management with respect to all of their operations, including activities carried out by vendors and other third parties on the financial institution's behalf. Specifically, the Safeguards Rule issued pursuant to the Gramm-Leach-Bliley Act ("GLBA") requires financial institutions to oversee vendors by (1) taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue; and (2) contractually requiring service providers to implement and maintain such safeguards.[1] What constitutes reasonableness with respect to these steps will vary depending on the size of the financial institution, as well as the type and volume of information it maintains, its general risk profile, and how it uses vendors in the processing of customer information.
As part of its overall information security and governance program, every financial institution must develop and implement a tailored plan for the effective management of privacy and security risks associated with third-party vendors. In October 2013, the Office of the Comptroller of the Currency ("OCC") issued a bulletin offering guidance to help financial institutions develop assessment and risk management processes that are commensurate with the level and complexity of their third-party relationships.[2] More comprehensive and rigorous oversight must be applied to vendors that are involved in critical activities, such as payments, clearing, settlements, custody, information technology, or any other services that could create a significant impact on the financial institution's operations or its customers.

The OCC's guidance details a risk management life cycle with respect to vendor management, as illustrated below. Effective vendor management is a continuous process that involves five key elements: (1) pre-planning; (2) due diligence in the vendor selection process; (3) negotiating for contractual protections; (4) monitoring vendors for compliance; and (5) managing termination of the vendor relationship. This paper summarizes each phase of the vendor risk management life cycle and provides guidance on how financial institutions should approach privacy and data security considerations in the context of vendor relationships.

C.F.R (d).
[2] See Third-Party Relationships: Risk Management Guidance, OFFICE OF THE COMPTROLLER OF THE CURRENCY, Oct. 30, 2013, available at

I. Planning

Financial institutions must consider privacy and data security issues even before they begin the process of soliciting vendors to conduct activities on their behalf. Business units within financial institutions should not assume that it will be appropriate or advisable to use a third party for an activity without first considering the ramifications of outsourcing the proposed functions. The planning phase of the life cycle contemplates a careful consideration of the potential risks involved with a proposed activity and identifying possible areas of concern prior to examining specific vendor candidates. The financial institution should develop a plan to manage the relationship that is commensurate with the level of risk associated with the proposed activity, as well as the complexity of the proposed vendor relationship. Proper planning should include steps such as:

- Creating an inventory of all potential privacy and security risks inherent in the activity the vendor will carry out;
- Evaluating potential information security implications, including those associated with allowing a vendor access to the financial institution's systems and confidential information;
- Conducting a cost/benefit analysis to weigh the costs associated with controlling the identified risks against the anticipated benefits to the organization;
- Assessing the complexity of the arrangement from the outset by considering factors such as whether the outsourced activity will require cross-border data transfers, the potential role of subcontractors in conducting the activity, and whether technology modifications or upgrades may be required;
- Considering the nature of customer interaction with the vendor, including whether customer information will be used for marketing purposes;
- Detailing all potential information security implications of the vendor relationship, including the extent to which the vendor will have access to the financial institution's systems and confidential information;
- Mapping out how the financial institution will select, assess, and oversee the vendor, including procedures for monitoring the vendor's compliance with the contract.

II. Due Diligence and Vendor Selection

Once the financial institution has developed a plan to proceed with a vendor engagement, but prior to entering into the contract negotiation phase, each potential vendor should be subject to extensive review and a thorough due diligence process to assess the vendor's posture with respect to privacy and data security issues. Again, the amount and depth of diligence should be commensurate with the level of risk and complexity associated with the vendor relationship, with more extensive due diligence applicable to vendors that will be performing critical bank functions. Below we list some of the key considerations that should factor into the due diligence process:

- Legal and Regulatory Compliance: To the extent the vendor is subject to specific legal or regulatory requirements, verify that the vendor is not under investigation and has not been targeted for enforcement actions by its regulator(s), and that it is not otherwise out of compliance with its obligations. Verify that the vendor is capable of complying with all applicable domestic and international laws and regulations relevant to the proposed activity.
- Operational Qualifications: Verify that the vendor has the necessary licenses to operate and the expertise, processes, and controls required to service financial institutions such that the vendor can comply with all industry-specific domestic and international laws and regulations.
- Information Security Posture: Assess the vendor's information security program, including by reviewing its information security policies and procedures. Request copies of recent third-party assessments of the vendor's security profile and compliance posture. Evaluate the vendor's infrastructure and network security, and interview key security personnel who will be responsible for implementing security measures applicable to the financial institution's data.
- Management of Information Systems: Evaluate the vendor's business processes and discuss the technology that will be used to support the proposed activity. Consider all potential gaps in service-level expectations and technology, paying special mind to possible interoperability issues. Assess the vendor's processes for inventorying its information assets and how the vendor manages its relationships with its subcontractors.
- Resilience: Assess the vendor's policies and processes in place to respond to service disruptions or other interruptions resulting from natural disasters, human error, or malicious attacks (including cyber attacks). Review the vendor's disaster recovery and business continuity plans and consider whether the vendor's time frames for resuming activities and recovering data are acceptable to the financial institution.
- Incident Management and Reporting: Review the vendor's incident reporting and management programs to ensure the vendor has established clearly-documented processes for identifying, reporting, investigating, and escalating actual and suspected security incidents that may affect the financial institution's data.
- Physical Security: Examine the physical and environmental controls the vendor has in place to protect the infrastructure that will house the financial institution's data, including how the vendor ensures the safety and security of its facilities, technology systems, and employees.
- Reliance on Subcontractors: Ask that the vendor describe the ways in which it may outsource certain functions that may affect the financial institution's data. Specifically, verify whether the data may be processed by subcontractors in jurisdictions outside the United States, and determine the data transfer mechanisms by which the vendor moves data across borders. Consider the vendor's ability to assess, monitor, and mitigate risks associated with its subcontractors' activities, and ensure that the vendor imposes contractual requirements on its subcontractors to safeguard sensitive data. Note that in some cases it may be necessary to conduct separate diligence with respect to certain subcontractors, if those parties will have significant access to, or responsibility for, the financial institution's data.
- Insurance Coverage: Determine how the vendor protects against losses associated with data security breaches and cybersecurity incidents. In addition to the financial protection offered by such coverage, the fact that a vendor maintains insurance coverage often signifies a proactive corporate culture and a risk-averse approach to data security issues. The level of coverage should be commensurate with the level of risk associated with the vendor's operations.

III. Contract Negotiation

As discussed above, financial institutions subject to the GLBA are required to impose contractual obligations on their vendors to implement and maintain appropriate safeguards for customer information. The GLBA's requirements are not prescriptive and do not specify what would constitute appropriate safeguards for any given vendor. As always, financial institutions should consider the size and nature of their operations, how the vendor in question will access the institution's data, and the specific risks associated with the proposed vendor activity. The OCC's vendor management guidance offers suggestions for negotiating contracts with third party vendors. Below we outline some of the key privacy- and security-oriented provisions financial institutions should consider when outsourcing activities that will involve access to customer information.

- Disclosure/Access Restrictions: The contract should stipulate that the vendor will hold all information it receives from the financial institution in strict confidence and limit access to such information to personnel who have a need to access the information to perform their job functions. Further, the vendor must immediately notify the financial institution of any subpoena or other legal order seeking access to or disclosure of the financial institution's information that is being maintained by the vendor.
- Data Security Safeguards: The contract should require that the vendor implement a written information security program that complies with applicable privacy and security laws and includes appropriate administrative, technical, and physical safeguards designed to protect against threats and hazards to the security or integrity of the financial institution's data, including protecting against any unauthorized access to such data.
- Notification of Security Breach: The contract should require the vendor to provide immediate notification to the financial institution in the event of an actual or suspected security breach affecting the financial institution's data, and should specify to whom such notification should be made and that the vendor is responsible for costs associated with responding to the breach incident.
- Audit Rights: Given that monitoring vendor compliance is a key part of the vendor risk management life cycle, the contract should include provisions allowing the financial institution to audit and otherwise monitor the vendor's information security procedures and safeguards, to verify that the vendor is adequately protecting the financial institution's data.
- Compliance with Applicable Laws and Regulations: This provision obligates the vendor to comply with privacy and data security laws and regulations as well as industry standards and best practices, including an illustrative list of the laws and regulations applicable in the financial services sector, including, but not limited to, the GLBA (including the Privacy Rule and the Safeguards Rule), security breach notification laws, Fair Credit Reporting Act requirements, and state financial privacy laws and regulations.
- Information Use: The contract should clearly state whether (or how) the vendor may use the financial institution's information, including customer information. Generally, the vendor should only access or use such information for purposes of fulfilling its obligations under the contract. A vendor may seek to use the information for other purposes (such as to improve its services or conduct analytics), but such activities may pose risks to the financial institution's information. Further, activities of that nature generally offer a benefit to the vendor that should be reflected in an offset of costs commensurate with the benefit (if the financial institution agrees to permit such uses at all).
- Business Continuity and Disaster Recovery: The contract should describe the vendor's obligations in the event of natural or man-made disasters (including cyber attacks) affecting the vendor's ability to fulfill its obligations under the contract. With respect to information governance specifically, the contract should detail how the vendor will back up and otherwise protect customer information that it maintains on the financial institution's behalf.
- Indemnification: The financial institution may seek to obtain indemnification against claims resulting from violations of the privacy and data security provisions of the contract, in particular with respect to claims stemming from data breach incidents caused by the vendor.
- Insurance: The vendor may be required to maintain adequate data security breach and cybersecurity insurance, to notify the bank of material changes to coverage, and to provide evidence of coverage where appropriate.
- Default and Termination: The contract should stipulate that a breach by the vendor of the contractual requirements relevant to privacy and data security will constitute a breach of contract giving the financial institution termination rights. Specifically, a security breach should be deemed a breach of contract for contract termination purposes.
- Return or Destruction of Data at Termination: The contract should specify that, promptly upon the expiration or earlier termination of the contract, the vendor must either return or securely destroy (as specified by the financial institution) all data it maintains on behalf of the financial institution, and provide proof of such secure destruction in the form of an Officer's Certificate or other similar certification.
- Subcontracting: The contract should detail the circumstances under which the vendor must notify the financial institution of its intent to use a subcontractor, specify any activities that cannot be subcontracted, and (as appropriate or as required by law) prohibit the transfer of the financial institution's data to certain foreign jurisdictions.

IV. Ongoing Monitoring

As discussed above, risk management with respect to vendor security practices is an ongoing process and financial institutions must remain vigilant throughout the life of the relationship. Regular monitoring is essential, with heightened attention to vendors that perform critical functions or handle personal information.
Given that vendor relationships may evolve over time, financial institutions should periodically assess existing vendor relationships to determine whether a given vendor's access or responsibilities have changed such that the vendor requires additional monitoring or updated contract provisions. Some key components of the ongoing monitoring function include:

- Allocating personnel who have the appropriate expertise to oversee and monitor vendors;
- Setting schedules and establishing metrics for monitoring activities to ensure monitoring is conducted regularly and in a systematic fashion;
- Conducting on-site visits to evaluate the vendor's ability to meet its contractual obligations (such visits may be particularly useful for assessing physical safeguards);
- Reviewing audit reports produced by the vendor and/or by third parties the vendor engages to audit its security processes (as stipulated in the contract); and
- Escalating identified concerns appropriately so that senior management is apprised of potential risks associated with the vendor relationship and can act to modify or terminate the relationship as necessary and appropriate.

V. Termination

Vendor relationships may expire naturally as set forth in a service agreement, or they may be terminated prior to expiration by either party for a variety of reasons. Although termination may arise out of contentious circumstances, it also may result from a business decision to bring certain activities in-house, or a desire to switch vendors for a better financial arrangement or broader product offerings. Regardless of the reason for the termination, financial institutions must prepare for the end of the vendor relationship and manage the separation in an efficient and organized fashion. Developing a plan ahead of time to manage the termination process is essential, particularly in cases that involve a breach of contract or other event that necessitates an abrupt end to the relationship. Generally, the termination plan should include:

- Estimates regarding which personnel and resources will be necessary to manage the termination and transition process;
- A timeline and/or checklist detailing the process for unwinding the vendor relationship (and establishing a new vendor relationship) in a manner that complies with applicable laws and regulations and minimizes any impact on customer service;
- An overview of the risks associated with data retention and destruction issues that arise when severing ties with a vendor that has had access to and/or maintained the financial institution's data, and a list of steps the financial institution may take to mitigate such risks;
- A plan for moving the services in-house until a new vendor can be properly vetted and a contract negotiated (or, if no new vendor can be identified, a permanent move in-house);
- Proposals for managing potential reputational harm that may result if the termination is contentious or is caused by a data security breach or similarly high-profile failure by the vendor that may be attributed to the financial institution.

VI. Conclusion

Virtually all financial institutions engage some, if not many, third-party vendors to assist with a variety of internal functions. As these vendors become more intertwined and essential to key processes within financial institutions, the potential risks posed by their access to personal data and internal systems grow apace. Financial institutions can help mitigate some of these risks by carefully reviewing guidance issued by regulatory authorities such as the OCC, and taking a measured, conscientious approach to the evaluation, selection, retention, and ongoing surveillance of their vendors.


More information

VENDOR MANAGEMENT. General Overview

VENDOR MANAGEMENT. General Overview VENDOR MANAGEMENT General Overview With many organizations outsourcing services to other third-party entities, the issue of vendor management has become a noted topic in today s business world. Vendor

More information

Appendix : Business Associate Agreement

Appendix : Business Associate Agreement I. Authority: Pursuant to 45 C.F.R. 164.502(e), the Indian Health Service (IHS), as a covered entity, is required to enter into an agreement with a business associate, as defined by 45 C.F.R. 160.103,

More information

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation View the online version at http://us.practicallaw.com/7-523-1520 Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation MELISSA J. KRASNOW, DORSEY & WHITNEY LLP

More information

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation Melissa J. Krasnow, Dorsey & Whitney LLP A Note discussing written information security programs (WISPs)

More information

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation View the online version at http://us.practicallaw.com/7-523-1520 Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation Melissa J. Krasnow, Dorsey & Whitney LLP

More information

BUSINESS ASSOCIATE AGREEMENT. (Contractor name and address), hereinafter referred to as Business Associate;

BUSINESS ASSOCIATE AGREEMENT. (Contractor name and address), hereinafter referred to as Business Associate; BUSINESS ASSOCIATE AGREEMENT (Agreement #) THIS DOCUMENT CONSTITUTES AN AGREEMENT BETWEEN: AND (Contractor name and address), hereinafter referred to as Business Associate; The Department of Behavioral

More information

Outsourced Third Party Relationship Management/ Vendor Management. TTS Webinar July 15, 2015 Susan Orr CISA, CISM, CRISC, CRP

Outsourced Third Party Relationship Management/ Vendor Management. TTS Webinar July 15, 2015 Susan Orr CISA, CISM, CRISC, CRP Outsourced Third Party Relationship Management/ Vendor Management TTS Webinar July 15, 2015 Susan Orr CISA, CISM, CRISC, CRP 1 Risk Management Guidance 2 3 Appendix J: 4 - Key Elements Third Party Management

More information

Navigating the Waters of Incident Response and Recovery

Navigating the Waters of Incident Response and Recovery Navigating the Waters of Incident Response and Recovery Lee Kim, Esq. Tucker Arensberg, P.C. CERT Symposium: Cyber Security Incident Management for Health Information Exchanges June 26, 2013 2013 Lee Kim

More information

Louisiana State University System

Louisiana State University System PM-36: Attachment 4 Business Associate Contract Addendum On this day of, 20, the undersigned, [Name of Covered Entity] ("Covered Entity") and [Name of Business Associate] ("Business Associate") have entered

More information

STATE OF NEVADA DEPARTMENT OF HEALTH AND HUMAN SERVICES BUSINESS ASSOCIATE ADDENDUM

STATE OF NEVADA DEPARTMENT OF HEALTH AND HUMAN SERVICES BUSINESS ASSOCIATE ADDENDUM STATE OF NEVADA DEPARTMENT OF HEALTH AND HUMAN SERVICES BUSINESS ASSOCIATE ADDENDUM BETWEEN The Division of Health Care Financing and Policy Herein after referred to as the Covered Entity and (Enter Business

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement is effective September 1, 2013 and made between Community Health Solutions of America, Inc., a Florida corporation ( CHS ) and ( Company ).

More information

HIPAA Business Associate Contract. Definitions

HIPAA Business Associate Contract. Definitions HIPAA Business Associate Contract Definitions Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in the Privacy Rule. Examples of specific definitions:

More information

Accountable Privacy Management in BC s Public Sector

Accountable Privacy Management in BC s Public Sector Accountable Privacy Management in BC s Public Sector Contents Accountable Privacy Management In BC s Public Sector 2 INTRODUCTION 3 What is accountability? 4 Steps to setting up the program 4 A. PRIVACY

More information

HIPAA Privacy and Business Associate Agreement

HIPAA Privacy and Business Associate Agreement HR 2011-07 ATTACHMENT D HIPAA Privacy and Business Associate Agreement This Agreement is entered into this day of,, between [Employer] ( Employer ), acting on behalf of [Name of covered entity/plan(s)

More information

Managing General Agents (MGAs) Guideline

Managing General Agents (MGAs) Guideline Managing General Agents (MGAs) Guideline JUNE 2013 DRAFT FOR COMMENT BC AUTHORIZED LIFE INSURERS www.fic.gov.bc.ca PURPOSE This draft guideline outlines best practices that the Financial Institutions Commission

More information

Exhibit 2. Business Associate Addendum

Exhibit 2. Business Associate Addendum Exhibit 2 Business Associate Addendum This Business Associate Addendum ( Addendum ) governs the use and disclosure of Protected Health Information by EOHHS when functioning as a Business Associate in performing

More information

Model Business Associate Agreement

Model Business Associate Agreement Model Business Associate Agreement Instructions: The Texas Health Services Authority (THSA) has developed a model BAA for use between providers (Covered Entities) and HIEs (Business Associates). The model

More information

Mitigating and managing cyber risk: ten issues to consider

Mitigating and managing cyber risk: ten issues to consider Mitigating and managing cyber risk: ten issues to consider The board of directors is responsible for managing and mitigating risk exposure. A recent study conducted by the Ponemon Institute 1 revealed

More information

CLOUD COMPUTING FOR SMALL- AND MEDIUM-SIZED ENTERPRISES:

CLOUD COMPUTING FOR SMALL- AND MEDIUM-SIZED ENTERPRISES: CLOUD COMPUTING FOR SMALL- AND MEDIUM-SIZED ENTERPRISES: Privacy Responsibilities and Considerations Cloud computing is the delivery of computing services over the Internet, and it offers many potential

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) is effective as of, 200 ( Effective Date ), and entered into by and between, whose address is ( Business Associate ) and THE

More information

CHAPTER 2016-138. Committee Substitute for Committee Substitute for Committee Substitute for House Bill No. 1033

CHAPTER 2016-138. Committee Substitute for Committee Substitute for Committee Substitute for House Bill No. 1033 CHAPTER 2016-138 Committee Substitute for Committee Substitute for Committee Substitute for House Bill No. 1033 An act relating to information technology security; amending s. 20.61, F.S.; revising the

More information

Instructions for Completing the Information Technology Officer s Questionnaire

Instructions for Completing the Information Technology Officer s Questionnaire Instructions for Completing the The (Questionnaire) contains questions covering significant areas of a bank s information technology (IT) function. Your responses to these questions will help determine

More information

Subject: Safety and Soundness Standards for Information

Subject: Safety and Soundness Standards for Information OFHEO Director's Advisory Policy Guidance Issuance Date: December 19, 2001 Doc. #: PG-01-002 Subject: Safety and Soundness Standards for Information To: Chief Executive Officers of Fannie Mae and Freddie

More information

Page 1 of 15. VISC Third Party Guideline

Page 1 of 15. VISC Third Party Guideline Page 1 of 15 VISC Third Party Guideline REVISION CONTROL Document Title: Author: File Reference: VISC Third Party Guidelines Andru Luvisi CSU Information Security Managing Third Parties policy Revision

More information

Business Associate Agreement (BAA) Guidance

Business Associate Agreement (BAA) Guidance Business Associate Agreement (BAA) Guidance Introduction The purpose of this document is to provide guidance for creating or updating business associate agreements between your Practice ( Covered Entity

More information

MMA SAMPLE FORM *REVIEW CAREFULLY & ADAPT TO YOUR PRACTICE*

MMA SAMPLE FORM *REVIEW CAREFULLY & ADAPT TO YOUR PRACTICE* This is only sample language. The language should be changed to accurately reflect business arrangements between a covered entity and business associate or business associate and subcontractor. In addition,

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) is effective as of, 2013, and is by and between SOUTHWEST DEVELOPMENTAL SERVICES, INC. ( Covered Entity ) and ( Business Associate

More information

Sample Business Associate Agreement Provisions

Sample Business Associate Agreement Provisions Sample Business Associate Agreement Provisions Words or phrases contained in brackets are intended as either optional language or as instructions to the users of these sample provisions. Definitions Catch-all

More information

The potential legal consequences of a personal data breach

The potential legal consequences of a personal data breach The potential legal consequences of a personal data breach Tue Goldschmieding, Partner 16 April 2015 The potential legal consequences of a personal data breach 15 April 2015 Contents 1. Definitions 2.

More information

BUSINESS ASSOCIATE ADDENDUM

BUSINESS ASSOCIATE ADDENDUM BUSINESS ASSOCIATE ADDENDUM This Business Associate Addendum ( Addendum ) adds to and is made a part of the Q- global Subscription and License Agreement by and between NCS Pearson, Inc. ( Business Associate

More information

SAMPLE BUSINESS ASSOCIATE AGREEMENT

SAMPLE BUSINESS ASSOCIATE AGREEMENT SAMPLE BUSINESS ASSOCIATE AGREEMENT THIS AGREEMENT IS TO BE USED ONLY AS A SAMPLE IN DEVELOPING YOUR OWN BUSINESS ASSOCIATE AGREEMENT. ANYONE USING THIS DOCUMENT AS GUIDANCE SHOULD DO SO ONLY IN CONSULT

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT 1. DEFINITIONS: 1.1 Undefined Terms: Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms defined by the Health Insurance Portability

More information

Part A OVERVIEW...1. 1. Introduction...1. 2. Applicability...2. 3. Legal Provision...2. Part B SOUND DATA MANAGEMENT AND MIS PRACTICES...

Part A OVERVIEW...1. 1. Introduction...1. 2. Applicability...2. 3. Legal Provision...2. Part B SOUND DATA MANAGEMENT AND MIS PRACTICES... Part A OVERVIEW...1 1. Introduction...1 2. Applicability...2 3. Legal Provision...2 Part B SOUND DATA MANAGEMENT AND MIS PRACTICES...3 4. Guiding Principles...3 Part C IMPLEMENTATION...13 5. Implementation

More information

OCC BULLETIN OCC 2001-47

OCC BULLETIN OCC 2001-47 OCC BULLETIN Comptroller of the Currency Administrator of National Banks Subject: Third-Party Relationships Description: Risk Management Principles TO: Chief Executive Officers of National Banks, Federal

More information

The New Third-Party Oversight Framework: Trust but Verify kpmg.com

The New Third-Party Oversight Framework: Trust but Verify kpmg.com Financial Services Regulatory Point of View The New Third-Party Oversight Framework: Trust but Verify kpmg.com The New Third-Party Oversight Framework: Trust but Verify 1 Financial services regulatory

More information

BUSINESS ASSOCIATE AGREEMENT Health Insurance Portability and Accountability Act (HIPAA)

BUSINESS ASSOCIATE AGREEMENT Health Insurance Portability and Accountability Act (HIPAA) BUSINESS ASSOCIATE AGREEMENT Health Insurance Portability and Accountability Act (HIPAA) This Business Associate Agreement (the Agreement ) is made and entered into as of [Date] (hereinafter Effective

More information

Blind spot Banks are increasingly outsourcing more activities to third parties. But they can t outsource the risks.

Blind spot Banks are increasingly outsourcing more activities to third parties. But they can t outsource the risks. Blind spot Banks are increasingly outsourcing more activities to third parties. But they can t outsource the risks. For anyone familiar with the banking industry, it comes as no surprise that banks are

More information

Business Associate Agreement

Business Associate Agreement Business Associate Agreement This Business Associate Agreement (the Agreement ) is made by and between Business Associate, [Name of Business Associate], and Covered Entity, The Connecticut Center for Health,

More information

Business Associate Agreement

Business Associate Agreement Business Associate Agreement This Business Associate Agreement (this "Agreement") is made as of, 201_ (the Effective Date ), and is entered into between ( Covered Entity ) and Delta Business System, Inc.

More information

Appendix J: Strengthening the Resilience of Outsourced Technology Services

Appendix J: Strengthening the Resilience of Outsourced Technology Services Appendix J: Strengthening the Resilience of Outsourced Technology Services Background and Purpose Many financial institutions depend on third-party service providers to perform or support critical operations.

More information

SaaS. Business Associate Agreement

SaaS. Business Associate Agreement SaaS Business Associate Agreement This Business Associate Agreement ( BA Agreement ) becomes effective pursuant to the terms of Section 5 of the End User Service Agreement ( EUSA ) between Customer ( Covered

More information

Principles on Outsourcing by Markets

Principles on Outsourcing by Markets Principles on Outsourcing by Markets Final Report TECHNICAL COMMITTEE OF THE INTERNATIONAL ORGANIZATION OF SECURITIES COMMISSIONS July 2009 CONTENTS I. Introduction 3 II. Survey Results 5 A. Outsourced

More information

the evolving governance Model for CYBERSECURITY RISK By Gary owen, Director, Promontory Financial Group

the evolving governance Model for CYBERSECURITY RISK By Gary owen, Director, Promontory Financial Group the evolving governance Model for CYBERSECURITY RISK By Gary owen, Director, Promontory Financial Group 54 Banking PersPective Quarter 2, 2014 Responsibility for the oversight of information security and

More information

Cloud Computing Risks in Financial Services Companies: How Attorneys Can Best Help In An Increasingly SaaS-ified World

Cloud Computing Risks in Financial Services Companies: How Attorneys Can Best Help In An Increasingly SaaS-ified World Cloud Computing Risks in Financial Services Companies: How Attorneys Can Best Help In An Increasingly SaaS-ified World July 30, 2015 Sutherland Webinar Michael Steinig 202.383.0804 Michael.Steinig@sutherland.com

More information

BENCHMARK MEDICAL LLC, BUSINESS ASSOCIATE AGREEMENT

BENCHMARK MEDICAL LLC, BUSINESS ASSOCIATE AGREEMENT BENCHMARK MEDICAL LLC, BUSINESS ASSOCIATE AGREEMENT This BUSINESS ASSOCIATE AGREEMENT ( Agreement ) dated as of the signature below, (the Effective Date ), is entered into by and between the signing organization

More information

FFIEC Cybersecurity Assessment Tool

FFIEC Cybersecurity Assessment Tool Overview In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council 1 (FFIEC) developed the Cybersecurity Tool (), on behalf of its members,

More information

Legislative Language

Legislative Language Legislative Language SEC. 1. COORDINATION OF FEDERAL INFORMATION SECURITY POLICY. (a) IN GENERAL. Chapter 35 of title 44, United States Code, is amended by striking subchapters II and III and inserting

More information

Business Associate Agreement

Business Associate Agreement Business Associate Agreement This BUSINESS ASSOCIATE AGREEMENT (the "Agreement") is entered into by and between the Board of Regents of the University of Wisconsin System on behalf of the [insert name

More information

Preparing for the Outsourcing Challenge: Legal Due Diligence to Ensure a Winning Service Provider Relationship

Preparing for the Outsourcing Challenge: Legal Due Diligence to Ensure a Winning Service Provider Relationship THE 4 TH NATIONAL CONFERENCE ON OUTSOURCING IN FINANCIAL SERVICES NEGOTIATING, MANAGING & TERMINATING OUTSOURCING RELATIONSHIPS WHILE ENSURING REGULATORY COMPLIANCE Renaissance Mayflower, Washington, DC

More information

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) TERMS AND CONDITIONS FOR BUSINESS ASSOCIATES

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) TERMS AND CONDITIONS FOR BUSINESS ASSOCIATES HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) TERMS AND CONDITIONS FOR BUSINESS ASSOCIATES I. Overview / Definitions The Health Insurance Portability and Accountability Act is a federal law

More information

FINRA Publishes its 2015 Report on Cybersecurity Practices

FINRA Publishes its 2015 Report on Cybersecurity Practices Securities Litigation & Enforcement Client Service Group and Data Privacy & Security Team To: Our Clients and Friends February 12, 2015 FINRA Publishes its 2015 Report on Cybersecurity Practices On February

More information

FORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT

FORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT FORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) is made and entered into to be effective as of, 20 (the Effective Date ), by and between ( Covered Entity ) and

More information

Data Privacy and Gramm- Leach-Bliley Act Section 501(b)

Data Privacy and Gramm- Leach-Bliley Act Section 501(b) Data Privacy and Gramm- Leach-Bliley Act Section 501(b) October 2007 2007 Enterprise Risk Management, Inc. Agenda Introduction and Fundamentals Gramm-Leach-Bliley Act, Section 501(b) GLBA Life Cycle Enforcement

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) between Inphonite, LLC ( Business Associate and you, as our Customer ( Covered Entity ) (each individually, a Party, and collectively,

More information

CIHI Submission: 2011 Prescribed Entity Review

CIHI Submission: 2011 Prescribed Entity Review pic pic CIHI Submission: 2011 Prescribed Entity Review October 2011 Who We Are Established in 1994, CIHI is an independent, not-for-profit corporation that provides essential information on Canada s health

More information

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable

More information

HIPAA Privacy Rule Policies

HIPAA Privacy Rule Policies DRAFT - Policies and Procedures PRIVACY OFFICE ASSIGNMENT AND RESPONSIBILITIES APPROVED BY: SUPERCEDES POLICY: Policy #1 ADOPTED: REVISED: REVIEWED: Purpose This policy is designed to assure the establishment

More information

GUIDANCE NOTE OUTSOURCING OF FUNCTIONS BY ENTITIES LICENSED UNDER THE PROTECTION OF INVESTORS (BAILIWICK OF GUERNSEY) LAW, 1987

GUIDANCE NOTE OUTSOURCING OF FUNCTIONS BY ENTITIES LICENSED UNDER THE PROTECTION OF INVESTORS (BAILIWICK OF GUERNSEY) LAW, 1987 GUIDANCE NOTE OUTSOURCING OF FUNCTIONS BY ENTITIES LICENSED UNDER THE PROTECTION OF INVESTORS (BAILIWICK OF GUERNSEY) LAW, 1987 CONTENTS Page 1. Introduction 3-4 2. The Commission s Policy 5 3. Outsourcing

More information

Vendor Management Compliance Top 10 Things Regulators Expect

Vendor Management Compliance Top 10 Things Regulators Expect Vendor Management Compliance Top 10 Things Regulators Expect Paul M. Phillips, CFA Attorney, Adams and Reese Pamela T. Rodriguez, AAP, CIA, CISA EVP, Risk Management & Education, EastPay 2014 EastPay.

More information

Network Security: Policies and Guidelines for Effective Network Management

Network Security: Policies and Guidelines for Effective Network Management Network Security: Policies and Guidelines for Effective Network Management Department of Electrical and Computer Engineering, Federal University of Technology, Minna, Nigeria. jgkolo@gmail.com, usdauda@gmail.com

More information

New York State Department of Financial Services. Update on Cyber Security in the Banking Sector: Third Party Service Providers

New York State Department of Financial Services. Update on Cyber Security in the Banking Sector: Third Party Service Providers New York State Department of Financial Services Update on Cyber Security in the Banking Sector: Third Party Service Providers April 2015 Update on Cyber Security in Banking Sector: Third-Party Service

More information

FINANCIAL SERVICES FLASH REPORT

FINANCIAL SERVICES FLASH REPORT FINANCIAL SERVICES FLASH REPORT OCC Updates Guidance on Third-Party Relationships December 2, 2013 Introduction On November 4, 2013, the Office of the Comptroller of the Currency (OCC) released Bulletin

More information