A New Era of IT Exams: Are You Ready?
Cybersecurity has become the buzz topic in the banking industry over the last year. In June 2015, the Federal Financial Institutions Examination Council (FFIEC) released its Cybersecurity Assessment Tool. Yet, as many banks work to implement the assessment tool, it is only one part of a much larger regulatory emphasis, one that for many banks will require a cultural change.
In November 2015, the FFIEC issued a revised Management Booklet, which is a part of the IT Examination Handbook, with updated Information Technology (IT) examination procedures. This is considered a major revision of the booklet and the first one to take place since 2004. Several major updates to the booklet will have a significant impact on financial institutions and how they are measured during their regulatory examinations.
The Cybersecurity Assessment Tool and the Examination Handbook together have been viewed by some as two parts of the same effort by bank regulators to set very specific expectations about how a good risk management program should function. It is unclear how a bank’s size and complexity will factor into the new examination procedures, but what is clear is that the Examination Handbook seeks to scrutinize a financial institution’s risk mitigation processes at a level of detail well beyond what we have seen before.
Examinations based on the new FFIEC handbook seek to determine whether:
- There is satisfactory board and executive management oversight of an effective risk management structure.
- There are well-defined IT risk management responsibilities and functions.
- There is adequate IT risk management planning and oversight, including planning for adequate resources and budget.
- The HR function is adequate to attract and retain a competent workforce.
- Management effectively reviews and oversees IT controls, including IT audit and compliance.
- The risk management program facilitates effective risk identification and measurement.
- The board effectively oversees and proactively mitigates operational risk.
- Management implements an IT risk management process that supports the enterprise-wide risk management process.
- The institution maintains a coordinated and consistent risk identification process across the enterprise.
- There are satisfactory risk mitigation practices.
- There are satisfactory measures for defining, monitoring and reporting metrics, performance benchmarks, service level agreements, policy compliance, control effectiveness and quality assurance.
So what does satisfactory board and executive management oversight look like? The handbook emphasizes that the board of directors sets the tone and the direction of an institution’s IT program. Specifically, the board’s responsibilities include:
- Reviewing and approving an IT strategic plan that aligns with the overall business strategy and includes an information security strategy to protect the institution from ongoing and emerging threats, including those related to cybersecurity, and ensuring that there are adequate resources to do so;
- Overseeing an institution’s process for approving third-party vendors;
- Approving policies to report significant security issues to the board, steering committee, government agencies, and law enforcement, as necessary;
- Holding management accountable for identifying, measuring, and mitigating IT risks; and
- Providing independent, comprehensive, and effective audit coverage of IT controls.
The revised handbook incorporates cybersecurity concepts as an integral part of maintaining effective IT policies and procedures.
In summary, cybersecurity continues to be a driving force in examination oversight. This now places more responsibility on the board of directors to ensure a top-down emphasis. For additional and ongoing information on cybersecurity, the Federal Financial Institutions Examination Council (FFIEC) launched a cybersecurity webpage (www.ffiec.gov/cybersecurity.htm). The webpage is a central repository for current and future FFIEC-related materials on cybersecurity. Additional information and the updated Management Booklet can also be found on the FFIEC website (http://ithandbook.ffiec.gov/it-booklets/management.aspx).