Cyber Security Institute

Wednesday, August 25, 2004

Joint Forum Issues High-Level Outsourcing Principles

The Joint Forum, a working group of international bank regulators, has issued high-level principles on the topic of outsourcing in financial services.

The principles are intended to guide firms and regulators to maintain high standards of corporate governance and risk management in an environment of rapid IT innovation and a high reliance on external service providers.

The Joint Forum consists of the Basel Committee on Banking Supervision, the International Organization of Securities Commissions, and the International Association of Insurance Supervisors.

In summary, regulated entities should:

- Assess whether and how activities can be appropriately outsourced, under the aegis of the board of directors.
- Establish a comprehensive outsourcing risk management program.
- Prevent outsourcing from impeding regulatory supervision or disrupting customer obligations.
- Conduct appropriate due diligence when selecting third-party service providers.
- Use written contracts to govern all material aspects of outsourcing relationships.
- Establish and maintain contingency plans with service providers.
- Ensure that confidential information is protected from unauthorized disclosure.

On the last point, regulators have taken note of the potential vulnerability in having too many banks using too few service providers, or having several banks share a common disaster recovery site.

The report states: “When a limited number of outsourcing service providers (sometimes just one) provide outsourcing services to multiple regulated entities, operational risks are correspondingly concentrated, and may pose a systemic threat.”

The Joint Forum recommends risk mitigation tools including adequate contingency planning by regulated entities, ongoing monitoring and awareness, supervisory programs and risk assessments.

Posted on 08/25