In their rush to sign contracts with vendors of outsourced IT services, banks may be exposing themselves to risks that could wipe out any anticipated savings, said the co-chair of an industry group.
"Many organizations go to outsourcing thinking it's cheaper," said Sharon O'Bryan, chief information security officer at ABN AMRO and co-chair of the BITS IT Service Provider working group. "But in many cases, some of the pieces left out are security and recovery planning. The reason contracts are cheaper is because the controls aren't there."
BITS, the technology arm of the Financial Services Roundtable, a Washington-based industry group, last year issued a framework on managing relationships with IT service providers. The framework, which is similar to guidance issued by federal regulators, is intended "to establish an industry approach to managing risk associated with outsourced service providers," O'Bryan said.
The goal is to "achieve a well-controlled financial services environment," said O'Bryan. It's important, she added, that the industry do so on its own, without prodding from regulators. "This framework is voluntary but advised. It's not being used by regulators."
The issue of vendor management has gained attention recently with the announcement of high-profile deals, including an IT services contract between American Express and IBM, and a deal between Deutsche Bank and EDS for IT services for the bank's North American cash management operations. J.P. Morgan Chase is also considering a deal with either IBM or EDS.
In April, BITS approved voluntary guidelines and business practices in emerging areas such as mobile financial services. Those recommendations are being spearheaded by James Rohr, chairman and CEO of PNC Financial Services, and the new chairman of BITS.
With banks increasingly relying on outside parties to run key portions of their business, the need for an industry approach is vital. "Outsourcing has become an important part of delivering financial services products using technology," said O'Bryan. "It's not just a regulatory compliance issue. It's time for the industry to establish a consistent approach."
Banks that fail to adequately address the issue put their reputations at risk. "Service providers become an extension of your business. An extension of your own network and information system," O'Bryan said.
Banks must actively investigate the operations of their service providers, she said. "We need to understand what controls are being relied on and that they're being tested. What are they doing to keep up with software patches so they don't have network vulnerabilities? To ensure that they are following a change control policy?"
Banks must also understand the different risks associated with outsourcing. "If I outsource a Web server, that 's one set of risks. If I outsource all of my data processing, that's another set of risk," said O'Bryan.
The BITS framework is aimed at leveraging the risk practices already in place at banks. "There are change control processes, security administration processes. They're audited by internal and external auditors. We wanted to match that," said O'Bryan.
The framework delineates steps banks must take at each stage of the IT provider relationship, starting with the request for proposal (RFP), and proceeding to due diligence and implementation.
At the RFP stage, the focus is on defining business objectives, technology requirements (hardware, software, databases, etc.) and costs. The RFP stage is also where procedures are defined for internal control, backup and recovery (e.g., system availability, service levels, response times).
Banks should treat vendor claims about system backup and recovery with a healthy dose of skepticism. As demonstrated by Sept. 11, it can take a week or longer for operations to return to normal following a disaster. "Outsource service providers generally speaking don't provide recovery capabilities in less than 72 hours," said O'Bryan. "And that's just to get the system up and running. That's not synchronizing the data."
Another oft-neglected aspect of IT provider relationships is data security.
"Security is not managed at all," said O'Bryan. "Contracts don't hold vendors liable for loss of data. With new privacy laws, that's a big deal."
The BITS IT Service Provider working group has formed two subgroups, one for evaluating best practices in IT service provider vendor management, and the other for studying security assessment and business continuity requirements.
Operational risk-the risk of loss from faulty internal processes, people and systems, or from external events-is being addressed by BITS on a number of other fronts. For example, working groups in mobile financial services and aggregation have both developed guidelines that enhance the security of those services.
Another BITS project aimed at mitigating operational risk is the Crisis Management Initiative, which is working out a process for communicating and sharing best practices in disaster recovery, business continuity and cybersecurity threat control.