FFIEC Issues Stealth Update to BCP Handbook



This caught me by surprise as it was not formally announced in the “What’s New” section, but the Appendix J update to the Business Continuity Planning Handbook apparently constituted a complete update to the Handbook.  Here is what the press release said in part:

The Federal Financial Institutions Examination Council (FFIEC) members today issued a revised Business Continuity Planning Booklet (BCP Booklet), which is part of the FFIEC Information Technology Examination Handbook (IT Handbook). The update consists of the addition of a new appendix, entitled Strengthening the Resilience of Outsourced Technology Services. (emphasis added)

If you only focused on the last sentence (as I did), you would think all they did was add an appendix to the existing booklet.  But the first sentence states that they issued a revised booklet.  And sure enough, they changed the date.

Here is the old booklet:

Cover page from 2008 FFIEC_IT_Booklet_BusinessContinuityPlanning

And here is the new booklet:

Cover page from 2015 FFIEC_IT_Booklet_BusinessContinuityPlanning

I’ve written about the wide-ranging implications of “Appendix J” previously.  In comparing the old and new BCP booklets I was unable to find any other changes in the document except the addition of Appendix J, and some changes to Appendix A.  Regular readers know that each of the 11 booklets has an Appendix A which contains the examination procedures. The message here is that the FFIEC considered the addition of Appendix J significant enough to warrant new examination procedures, and a whole new handbook with a new revision date!



I’ve gone through Appendix A of both the new booklet and the previous booklet and highlighted all of the changes.  If you’re interested in how your next BCP exam might differ, you can download a copy of my marked-up document here.  The complete BCP Handbook is here.

Tom Hinkel
As author of the Compliance Guru website, Hinkel shares easy-to-digest information security tidbits with financial institutions across the country. With almost twenty years’ experience, Hinkel’s areas of expertise span the entire spectrum of information technology. He is also the VP of Compliance Services at Safe Systems, a community banking tech company, where he ensures that their services incorporate the appropriate financial industry regulations and best practices.

6 comments

  1. Tom, I read the same thing you did; I thought Appendix J was the only addition. Thanks for the update.

    1. Hi Marilyn, this one took me by surprise as well. I wonder if future booklet updates will be done this way? Guess I’ll have to pay even closer attention!

  2. The Appendix A changes are significant, in my opinion. The focus continues to be on third-party oversight and cybersecurity. Although this isn’t brand new, it confirms that these two areas will come under ever-increasing scrutiny. Thank you for pointing this out, Tom! 🙂

    1. Agreed, and as a second-tier TSP we have already made significant changes to accommodate Appendix J’s oversight expectations for financial institutions. The only question is when will the Appendix A changes make their way into examinations?

  3. Thanks, Tom... this is a lot to update and consider.

    1. Hi Carol! Yes it is, and it will be interesting (to say the least) to see how this actually looks when the examiners fully digest it.
