Operational Resiliency, Part II
Well this is convenient: one week after we had a post exploring the intersection of operational resiliency and compliance, two examples of the issue ripped from the headlines show just how much this obscure idea has real impact on compliance professionals’ lives.
First, one of the Federal Reserve’s top regulators said last week that the Fed wants to broaden its examinations of tech firms that provide services to the banking industry. That could include looking at those tech firms’ compliance programs, security protocols, and even their governance structures.
Richard Ashton, the Fed’s deputy general counsel for litigation, made the comments at a conference in New York. Ashton didn’t go into too many details, but here’s the key quote from an article in the Wall Street Journal:
“How far the authority goes to conduct examinations is, I think, something we are looking closely at. Is it something that we can look at the governance structure at these third-party providers? Can we look at their overall compliance management program?”
Second is the hair-raising tale of ransomware at Virtual Care Provider, a Wisconsin company that provides data storage, email hosting, and other services to more than 110 nursing homes and other healthcare companies around the United States.
On Nov. 17, VCP was hit by hackers who shut down pretty much the entire business — and then demanded a $14 million ransom from VCP, which the company does not have. The firm’s owner told the Krebs on Security blog that the company might fold, leaving its customers unable to access patient records, process Medicaid claims, or perform other mission-critical tasks. So those customer nursing homes might be in jeopardy too.
Again, Operational Resiliency Defined
As we said last week, operational resiliency is the ability to withstand disruption to operations and keep providing services to your customers.
As we can see this week, banking regulators are already thinking about this issue quite a bit. And if you don’t believe regulators in healthcare and other sectors will follow suit, re-read what’s happening to VCP and then slap yourself in the face. Of course this is going to become a higher regulatory priority across all industries.
In truth, banking regulators have been worrying about tech service providers and operational resilience for years. The Treasury Department published a report two years ago listing systemic risks to the financial system, and banks’ reliance on third parties was one of them. At the time, the Treasury Department called for clearer authority to examine tech providers.
As recently as this summer, Fed examiners were inspecting Amazon Web Services because it provides IT hosting to so many banks. One of those AWS customers was Capital One — which announced in July a breach of 106 million customer records that the bank had been storing on AWS. (The hacker was a former AWS employee, and apparently the Fed’s inspection of AWS at the same time as the breach was a coincidence.)
Legally, the question is whether the Fed has sufficient authority under the Bank Service Company Act to inspect the industry’s tech providers. As a practical matter, however, few people would dispute that regulators have a compelling interest here. Sooner or later, inspection of tech firms — or of your company’s reliance on tech firms — will become standard practice.
After all, consider this from the regulators’ perspective. In our previous post, we defined operational resilience as the ability to keep providing services to your customers, so each company in the financial services supply chain should think about how it can keep doing that.
Well, regulators need to assure that the whole financial system can keep providing services to their customers — who are otherwise known as the public. Regulators need to assure that banks deliver their services to the public as promised. If that means inspecting suppliers of the technology that banks use to deliver services, then so be it.
Beyond Financial Services
The horror story from Virtual Care Provider just demonstrates that same dynamic outside the banking sector. Nursing homes’ operational resilience has been threatened by their reliance on tech service providers.
This is exactly the scenario that produces new regulatory scrutiny. Nursing homes get locked out of their data. Elderly parents complain to their tax paying children, who complain to the news and to public officials. Said public officials then raise the issue with regulators at a public hearing, legislation gets drafted… you get the idea.
Operational resilience is so crucial because the opposite of resilience is disruption, and that’s what drives a company’s customers bananas. It’s not the same as theft of my personal data, which really is annoying only until I get a new ATM card. Operational disruption is the ATM not working at all, when my money is there — or any other system not working, when people need it to work.
Sure, business continuity is nothing new to risk assurance people; internal auditors have been worrying about it for years. What’s changed is how business processes work: more reliance on technology, and more of that technology provided by others. So assuring that those processes can work continuously now involves a very different set of policies, procedures, controls, and tests.
We’ll need to pay much more attention to how tech vendors enter your extended enterprise in the first place, and how your company evaluates those vendors. We’ll need to do much more training of employees that this stuff matters, since it will be much easier for them to ignore those policies and onboard a vendor with no thought about security or resilience.
I don’t know whether we call that audit, compliance, risk management, or something else. But I do know this risk of operational resilience is getting bigger for us all.