SECURITY PROVISIONS NEGOTIATION IN THE WAKE OF THE OCC RISK REPORT

The “severity of cyber threats is increasing.” It’s something most of us inherently understand, but now we have the Department of the Treasury’s Office of the Comptroller of the Currency (“OCC”) weighing in with its Fall Risk Report for banks and savings associations. The OCC has been sounding the alarm for years now. Even back in 2000, the OCC opined that “[s]enior management and the board of directors are responsible for overseeing the development and implementation of their bank’s security strategy and plan.” Last week’s Semiannual Risk Report highlights cybersecurity trends facing our nation’s financial institutions. A couple of conclusions are worth note.

The OCC warned that the number and complexity of third-party relationships is expanding, which in turn increases risk management challenges on banks. The OCC recommends a heightened supervisory focus. But what does that mean? In view of the report, banks may want to start by revisiting their contract security provisions, which are often attached as an addendum to master agreements with vendors. Security provisions include obligations for a third party to implement protocols at least as rigorous as a given standard, adhere to the bank information security policy, provide SOC 2 reports, notify the bank within a certain timeframe in the event of a breach, warrant any software is free of vulnerabilities, perform periodic penetration testing, and allow a bank to audit the vendor’s compliance with these provisions. As banks outsource more and more of their operations (according to the OCC), it is even more important that they unify their third-party security requirements under a common policy.

The OCC lists, as an additional risk, the concentration of outsourced services in the hands of a few large service providers. This effectively reduces the bargaining power of banks as against the third parties. Regulatory authorities and trade associations can help by releasing model security provisions for adoption by financial institutions (like the Association of Corporate Counsel did). But that’s rare this early in the game. In the meantime, banks may want to consider sharing best practices with each other to collectively improve their position against the service providers.

The issue of contractual security provisions will only grow in importance. When I design cyber law events and lunch and learns, or submit proposals for speaking engagements, I almost always include the subject as a dedicated session. If you find the opportunity to attend a session on security provisions negotiation, by all means, go!