While various sources of regulatory guidance address contractual information security requirements for financial institutions, the characteristic feature of these requirements is that they are flexible and risk-based. That is to say, the guidance avoids prescribing specific language that must appear in every contract or a contractual requirement that certain technologies be used, such as a particular encryption standard. Often the guidance does not even use the word "must" at all, instead reminding financial institutions that they "should" consider various recommended types of contractual protections (of course, those of us used to dealing with bank regulators know that "should" does not necessarily mean optional).
The overall thrust is that while some sort of written contract is required to hold the vendor responsible for the security of customer information, regulators are primarily concerned with informed risk assessments, i.e., making sure the financial institution has evaluated the level of risk as part of a systematic vendor due diligence process and that the contract requires reasonable or appropriate security measures, with reasonableness depending on identified risk factors such as the nature and amount of the