Overview
Action Item
All vendor contracts are negotiable. Financial institutions should adjust vendor agreements to address recent trends. Contact us to discuss these issues or seek counsel in negotiating with your vendors.
Renewed Scrutiny for Vendor Management
Regulatory agencies are expressing increasing concern over bank contracting practices. Vendor management merits renewed scrutiny due to the focus on cybersecurity and the industry's increasing reliance on third-party providers. In our practice, we are routinely presented with vendor agreements that have not changed to address regulatory priorities.
Here are "hot topics" that merit the consideration of every regulated financial institution in 2016:
- What is a data breach? Requiring a vendor to provide timely notice of a data breach or related incident begs the question of what constitutes a data breach or cybersecurity incident. Consider how any definition relates to your data breach policies and applicable law.
- Cyber insurance coverage and indemnity. One recent survey found that fewer than half of examined institutions obtained indemnity from vendors for cybersecurity incidents or maintained insurance policies that explicitly cover vendor information security failures. Further, many vendor contracts limit the amount customers can recover from the vendor, even for failures caused by the vendor. Consider your contractual rights to indemnity, your insurance coverage and your vendor's coverage in light of its services.
- Limits on confidentiality obligations. Confidentiality provisions often permit disclosure of a vendor's confidential information to comply with applicable law or regulatory process but require advance notice to the vendor. Consider whether disclosures in an examination or other regulatory process would permit you to provide this notice in advance or at all.
- Protections in assignment and subcontracting. Although many vendors are sensitive to limitations on their assignment and subcontracting rights, banks' rights to due diligence and assurances regarding resources and skills of proposed assignees and subcontractors are reasonable requests and continue to be topics of regulatory discussion. In addition, information security requirements for a vendor should be imposed upon any subcontractor.
- What happens if your vendor runs afoul of your examining authority? Both parties must recognize the importance of regulatory oversight to their operations. If a vendor becomes a source of regulatory criticism for a financial institution, the vendor no longer provides an essential benefit bargained for by the bank. Consider your termination rights in this context.
We Can Help
Realize the terms of all vendor contracts are negotiable, and often provisions in one contract will be inconsistent with others, possibly to the detriment of your institution. Renewal notice deadlines can serve as an opportunity for adjustments to address recent trends. Please call us if you are interested in discussing these issues or seek counsel in negotiating with your vendors.