An IS auditor is reviewing a bank`s service level agreement (SLA) with a third-party provider that hosts the bank`s secondary data center. Which of the following findings should be of GREATEST concern to the auditor? 

Answer options:

A. The recovery point objective (RPO) has a shorter duration than documented in the disaster recovery plan
B. The recovery time objective (RTO) has a longer duration than documented in the disaster recovery plan
C. Backup data is hosted online only
D. The SLA has not been reviewed in more than a year

B