FFIEC Updates (and Greatly Expands) the Management Handbook
This latest update to the IT Examination Handbook series comes 11 years after the original version. And although IT has changed significantly in the past 11 years, the requirement that financial institutions properly manage the risks of IT has not changed. This new Handbook contains many changes that will introduce new requirements and new expectations from regulators. Some of these changes are subtle, others are more significant. Here is my first take on just a few differences between the original and the new Handbook:
Cybersecurity
- The original Handbook contained only a single reference to “cyber”. The revised Handbook contains 53 references.
IT Management
- The Board and a steering committee are still responsible for overall IT management, but the guidance now introduces a new obligation for the Board, requiring that they provide a “credible challenge” to management. Specifically, this means the Board must be “actively engaged, asking thoughtful questions, and exercising independent judgment”. Simply put, no more “rubber stamps”. The Board is expected to actually govern, and that means they need access to accurate, timely and relevant information.
The IT Management Structure has changed. The 2004 Handbook listed the following structure:
- Board of Directors / Steering Committee
- Chief Information Officer / Chief Technology Officer
- IT Line Management
- Business Unit Management
The Updated Guidance is a bit more granular, and recommends the following structure (changes in bold):
- Board of Directors / Steering Committee
- Executive Management
- Chief Information Officer or Chief Technology Officer
- Chief Information Security Officer
- IT Line Management
- Business Unit Management
“Risk Appetite”
- The FFIEC Cybersecurity Assessment Tool introduced this new term (addressed here), and the Management Handbook makes an additional 11 references. Institutions should understand this relatively new (for IT anyway) concept and incorporate it into their strategic planning process.
Managing Technology Service Providers
- The 2004 guidance contained a separate section on best practices in this area. The new guidance has removed the section, incorporating references to vendor management best practices throughout the document. This reflects the reality of the prevalence and importance of outsourcing in today’s financial institutions.
Examination Procedures (Appendix A)
- The 2004 Handbook had 8 pages containing 9 examination objectives. The new guidance is almost completely re-written, and has 15 pages containing 13 objectives. Several of these new objectives deal with internal governance and oversight, and a couple address the enterprise-wide nature of IT management. All areas have been greatly expanded. For example, the objective dealing with IT controls and risk mitigation (Objective 12) consists of 18 separate examination elements with 53 discrete items that examiners must check.
Best Practices for Control and Management of Your Community Bank’s IT
A community bank’s digital assets are every bit as valuable as the money in the vault.
In summary, the updated Handbook represents a significant evolution in both the breadth and depth of IT management requirements. It will set the standard for IT management best practices for both examiners and institutions for some time to come, and should be required reading for all Board members, CEO’s, CIO’s, ISO’s, and network administrators.
