Author: The Safe Systems Compliance Team

18 Aug 2023
Third-Party Risk Management Final Guidance – An In-depth Analysis


Background 

In July of 2021, the three primary bank regulators (OCC, FDIC, and Federal Reserve) proposed new guidance on third-party risk management (TPRM).  According to the agencies, “The proposed guidance provides a framework based on sound risk management principles that banking organizations may use to address the risks associated with third-party relationships.”  In June of 2023 all three (OCC, FDIC, Federal Reserve) jointly adopted the final guidance, stating that: “The final guidance offers the agencies’ views on sound risk management principles for banking organizations when developing and implementing risk management practices for all stages in the life cycle of third-party relationships.”  The agencies issued this simultaneously to “promote consistency in supervisory approaches”, something we fully support and have long advocated.  It replaces each agency’s existing guidance on this topic and is applicable to all banking organizations supervised by the agencies (currently all financial institutions except credit unions). 

Analysis 

Since third-party relationships represent a significant amount of residual enterprise-wide strategic, operational, and information security risk to many financial institutions (we refer to this as the ‘inherited risk’), and because we believe regulators will greatly increase their scrutiny of your risk management efforts in this area, we’ve spent the last couple of months taking a deep dive into the details of the guidance and its potential implications for your TPRM program.  The following is a summary of our observations. 

The agencies are advising a 5-step continuous life-cycle, wrapped in a formal, 3-phase governance process. 

Each of the 5 phases consists of one or more sections, each of those with one or more statements:   

  1. Planning – 1 section, 11 statements 
  2. Due Diligence & Third-Party Selection – 14 sections, 40 statements 
  3. Contract Negotiation – 17 sections, 61 statements 
  4. Ongoing Monitoring – 1 section, 14 statements 
  5. Termination – 1 section, 6 statements 

and 

  • Governance – 3 sections, 29 statements 

In total, there are 161 statements to evaluate, and they range from what we’ve interpreted as strong recommendations (“It is important for contracts to stipulate…”), to what we’ve determined are general observations and best practices (“May want to consider whether the contract…”).   

Implications 

In addition to factoring the “must have vs. nice to have” interpretation of each statement into the analysis, institutions will also need to determine the applicability of each individual statement to your organization.  No fewer than 13 times in the guidance they mention some variation of “…commensurate with the banking organization’s risk appetite and the level of risk and complexity of its third-party relationships.”  This is the applicability filter through which your “implement/do not implement” determination will pass.   Simply put, although you should be familiar with each statement and its implications, you may not necessarily need to adopt them all.  Indeed, if you currently have and maintain a compliant third-party management program, many are very likely already in place.   

However, the single most important take-away for us is how the statements are distributed throughout the sections, which we believe gives a pretty good indication of how the regulators will evaluate your TPRM program on the exam side.  The vast majority (~70%) of statements are clustered in what can be referred to as the “pre-engagement” phase, i.e. before you formally engage (by contract or otherwise) with the third-party: the Planning, Due Diligence, and Contract phases. 

Does this mean that ~70% of your third-party management efforts going forward should be pre-engagement?  We think that is a reasonable assumption, and we anticipate that sooner or later the regulators will also align their expectations in that direction.  And since most compliant TPRM programs very likely already address the Ongoing Monitoring and Governance areas, the biggest challenge for most folks will be: 

  1. Evaluating each of the 112 statements in this pre-engagement phase, and determining, 
  2. Whether the statement is already addressed somewhere in your current program, 
  3. If not, deciding whether or not to implement it given the criticality, complexity, and nature of the service(s) provided by the third-party, and your risk appetite. 

Pre-engagement vs. Pre-initiative 

Although significantly expanded here, due diligence and contract considerations have, to a greater or lesser degree, always been in place. However, the biggest challenge for most institutions will be in the Planning phase.  There are only 11 statements in this section, but they all address the risks of the business initiative itself, NOT the third-party!  These statements include items such as: 

  • “Understanding the strategic purpose of the business arrangement…” 
  • “Identifying and assessing the benefits and the risks associated with the business arrangement…”, and 
  • “Considering the nature of the business arrangement…” 

While most folks would consider these types of strategic (“why” instead of “how”) discussions to be beyond the scope of a traditional TPRM program, it is clear that regulators will look for them going forward.  Make sure to build this pre-initiative “why” phase into your program.   

Summary 

As with all things in the compliance space, be sure to document your entire decision-making process and don’t hesitate to reach out to our experts for assistance.  As the guidance also states,  “A banking organization may involve experts across disciplines, such as compliance, risk, or technology, as well as legal counsel, and may engage external support when helpful to supplement the qualifications and technical expertise of in-house staff.” 

The agencies have indicated that they plan to develop additional resources to assist smaller, less-complex community banking organizations in managing relevant third-party risks, and we’re keeping an eye on this.  In the meantime, we have created an interactive tool that lists all sections and statements, allows you to acknowledge each statement, add your notes, and track your overall progress.  Click here for a copy.   

We also offer a complimentary high-level regulatory compliance evaluation of your existing vendor management program. Click here to request more information. 

We will be hosting an in-depth webinar and analysis on this new guidance on September 20th. A registration link will be available on our webinar page within the next week. 

03 May 2023
Is it Time to Take the Cybersecurity Assessment Tool (CAT) to the Vet?


How a New Framework Can Improve Cybersecurity Assessments in Financial Institutions.

In the age of digital banking, maintaining robust cybersecurity risk assessments and control reviews is paramount to protecting sensitive data from potential threats, and passing rigorous IT audits and examinations. Historically, a key tool in the arsenal has been the Cybersecurity Assessment Tool (CAT) developed by the Federal Financial Institutions Examination Council (FFIEC). This blog post will delve into the CAT, its limitations, and the potential for the CRI/NIST framework to enhance cybersecurity assessments within financial organizations.

The FFIEC CAT: A Brief Overview

The CAT, initially released in 2015 and updated in 2017, is a comprehensive tool designed to help financial institutions (a) identify their inherent cyber risk exposure, and (b) assess their control maturity level. It provides a framework to give the institution a point-in-time snapshot of their current cybersecurity risks and practices.  The Inherent Risks section questions are organized around five domains:  Technologies and Connection Types, Delivery Channels, Online/Mobile Products and Technology Services, Organizational Characteristics, and External Threats.  The Control Maturity section contains almost 500 declarative statements in 5 domains:  Cyber Risk Management and Oversight, Threat Intelligence and Collaboration, Cybersecurity Controls, External Dependency Management, and Cyber Incident Management and Resilience.

While the CAT is a valuable resource for financial institutions, and the de facto gold standard, it has been criticized for its rigidity and lack of clarity in some areas. Rigidity can lead to confusion when applying the tool to real-world situations and may not provide the necessary flexibility for organizations with different cybersecurity needs.  Lack of clarity can introduce subjectivity in the interpretation of various questions and statements.  In our experience this subjectivity has resulted in considerable differences in how examiners interpret and apply the framework.  Simply put, the basic framework was a good attempt at a standardized set of best practices.  But given the built-in weaknesses, and the fact that it is now 8 years old and many feel it has not kept pace with the cyber threat and control environment, it may be time to consider adopting a new framework.

Introducing the CRI/NIST Framework

To address these limitations, the ABA recently issued an open letter to the FFIEC encouraging them to turn to the National Institute of Standards and Technology (NIST) CSF-based assessment tool called the Financial Sector Profile (now the Cyber Risk Institute (CRI) Profile)*. The profile was developed in conjunction with the Financial Sector Coordinating Council (FSSCC), trade associations, and financial institutions, and contains a forward and backward mapping between their statements and the FFIEC CAT statements, in addition to the BCMP, Operations, Audit, and Management Handbooks.

The framework comprises five core functions: Identify, Protect, Detect, Respond, and Recover. These functions provide a comprehensive outline for organizations to manage their cybersecurity risks effectively. The framework is designed to be adaptable, allowing institutions to prioritize and implement the most relevant security measures for their unique situation.

Benefits of Aligning the CAT with the New Framework

Incorporating and aligning the CRI/NIST framework into the CAT assessment process can greatly enhance cybersecurity within financial organizations. Some key benefits (and potential pitfalls) of this alignment could include:

  1. Flexibility and Customization: The NIST-based framework’s adaptable nature allows institutions to focus on the most relevant security measures, ensuring their cybersecurity practices are tailored to their unique risk profiles.  However, adaptability can also introduce differences of opinion among practitioners in how those measures should be implemented.
  2. Improved Clarity: By incorporating the NIST-based framework’s clearly defined functions, institutions can gain a better understanding of their cybersecurity requirements and make more informed decisions.  However, a clearer understanding of your cyber risk profile can only lead to better decision-making if (and only if) it can be effectively communicated to senior management.
  3. Enhanced Collaboration: The NIST-based framework encourages collaboration between financial institutions, fostering a community-driven approach to cybersecurity and promoting the sharing of best practices.  How (or if) this collaboration occurs remains to be seen, but smaller institutions generally interact with their peers less often than their larger counterparts. 
  4. Streamlined Assessment Process: Combining/converging the CAT with the CRI/NIST framework simplifies the assessment process, reducing redundancies and allowing organizations to focus on the most critical cybersecurity issues.  We have long been advocates of a single, shared standard for all guidance and best practices and in our opinion, this is the most valuable take-away from a potential CAT <-> CRI/NIST integration.  A single standard built on a widely accepted framework eliminates the primary weaknesses of clarity and lack of flexibility that surround the current cybersecurity assessment process.

Conclusion

While the FFIEC’s CAT has served as a valuable tool for assessing cybersecurity maturity, its limitations can hinder financial institutions in fully understanding the risks and making the best decisions for protecting their data. By aligning (or even replacing) the CAT with the NIST/CRI Cybersecurity Framework, institutions can benefit from a more flexible, consistent, and customizable approach, ultimately leading to improved cybersecurity measures and a safer financial ecosystem. 

*We have received feedback from some of our OCC regulated institutions that their examiners have already started using the CRI Profile in their examinations.

21 Mar 2023
NCUA Chairman Todd M. Harper

The State of the (Credit) Union According to the NCUA Chairman

Last month, NCUA chairman Todd M. Harper delivered his “State of the (Credit) Union” during the 2023 Governmental Affairs Conference. Harper covered multiple areas of interest to credit unions including:

  • The State of the Credit Union System
  • Credit Risk
  • Interest Rate Risk
  • Liquidity Risk
  • Consumer compliance
  • Minority institutions, and
  • Community development

But in this post, we’ll focus on 3 topics directly related to information security: cybersecurity risk, the need for centralized vendor authority, and Fintechs.

  • Cybersecurity Risk – Ransomware, social engineering, phishing, and other known risks continue to keep him (and many CU admins and ISOs) awake at night, but the unknown threats are the biggest concern. He encourages CUs to continue to assess their cyber threats and control maturity levels by utilizing the Automated Cybersecurity Evaluation Toolbox. The NCUA also recently approved the new cyber incident notification rule that sets parameters for what constitutes a reportable incident, and the minimum notification requirements.
  • Vendor Authority – Unlike the other federal regulators, the NCUA does not have the ability to examine significant third-party providers. Called the Report of Examination (or RoE) by the FDIC, OCC, and Federal Reserve, this report is very similar to the IT examination that non-CU depository financial institutions undergo. In fact, it is based on the exact same FFIEC URSIT methodology. Chairman Harper strongly believes that the NCUA should be granted the authority to supervise credit union service organizations and key vendors.
  • Financial Technology – This is closely related to vendor authority; the chairman believes critical third-party Fintechs have insufficient oversight by regulators, and that the agency should have the ability to enforce Fintech compliance with laws and regulations. This is largely consistent with what the Treasury Department recommended late last year.

The chairman also referred to recent changes in how the NCUA will conduct examinations. A summary of those changes is here. Simply put, this new supervisory initiative will be tailored to your credit union’s size and complexity.*

When you consider the pending third-party risk management guidance expected to drop later this year, a regulatory consensus appears to be rapidly emerging on the need for increased scrutiny of third-parties providing services to financial institutions. This is an area we are watching closely, and proactive Credit Union information security officers should plan to prepare for deeper dives by the NCUA into how they are managing their significant third-parties as well.

* Perhaps ironically, this “size and complexity” approach also provides the most effective defense against examination findings that may apply to larger CUs, but not necessarily smaller institutions.

01 Feb 2023

FTC Redefines a Financial Institution. Could your customers and members be impacted?

Way back in 2002, the FTC proposed new standards that would require all “financial institutions” to develop, implement, and maintain “…reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.”   Officially known as Standards for Safeguarding Customer Information, this should sound very familiar to all “traditional” financial institutions, as we adopted the very same safeguards back in 2000 under GLBA.  After a lengthy (10 year) phase-in period, and several extensions, all businesses that fall under the FTC’s definition of a “financial institution” must comply with most of the provisions by June 9, 2023.  As the FTC is defining a financial institution much more broadly than how it is traditionally defined, it is highly likely that some of your customers or members could fall under these new regulations, and be subject to legal action, including civil money penalties for non-compliance.

The FTC defines a financial institution as:

“…any institution the business of which is engaging in an activity that is financial in nature or incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C. 1843(k). An institution that is significantly engaged in financial activities, or significantly engaged in activities incidental to such financial activities, is a financial institution.”

So far this sounds pretty standard, however, here are the examples the FTC provides for “financial institutions”:

  • A retailer that extends credit by issuing its own credit card directly to consumers.
  • An automobile dealership that, as a usual part of its business, leases automobiles on a nonoperating basis for longer than 90 days.
  • A personal property or real estate appraiser.
  • A career counselor that specializes in providing career counseling services to individuals currently employed by or recently displaced from a financial organization.
  • A business that prints and sells checks for consumers.
  • A business that regularly wires money to and from consumers.
  • A check cashing business.
  • An accountant or other tax preparation service that is in the business of completing income tax returns.
  • A business that operates a travel agency in connection with financial services.
  • An entity that provides real estate settlement services.
  • A mortgage broker.
  • An investment advisory company and a credit counseling service.
  • A company acting as a finder in bringing together one or more buyers and sellers of any product or service for transactions that the parties themselves negotiate and consummate.

Some of these are more obvious (mortgage brokers, check printers, real estate settlement), while others are not so obvious (car dealers, travel agents, tax preparation services, career counselors).  This new interpretation exempts more traditional FIs[1], but is much broader than what most of us have historically considered a financial institution, and may require a new mindset as you evaluate your new and existing customers and members.  Could non-compliance trigger a monetary penalty that could in turn adversely impact the business’s ability to repay a loan?  Given the pending third-party risk management guidance, should you require proof of Safeguards Rule compliance for your third-parties going forward?   And if so, is a management declaration or assertion sufficient, or should you also require third-party attestation?

To be clear, we haven’t heard from the federal regulators on how (or if) they will factor this into their Safety & Soundness exams going forward, but it seems reasonable to assume that auditors and examiners may ask if you (at a minimum) track your customer/member base’s exposure to these new rules.  We believe this is one example of a regulation that may actually prove beneficial, as having a clearer understanding of exactly how your business customers and significant third-party providers are managing their information security risks is good for all of us.


[1] The “financial institutions” subject to the Commission’s enforcement authority are those that are not otherwise subject to the enforcement authority of another regulator under section 505 of the Gramm-Leach-Bliley Act.

16 Jun 2022

FFIEC Cancels E-Banking Handbook

On May 13, 2022, the FFIEC very quietly rescinded the FFIEC Information Technology Examination Handbook (IT Handbook) booklet entitled E-Banking.  The original booklet was released in 2003 and was accompanied by a flurry of activity by financial institutions to come up with a separate E-banking policy and risk assessment.  In effect, the FFIEC is now declaring (admitting?) that these are no longer necessary because all the basic risk management principles that apply to E-Banking are already addressed in other Handbooks.  Operational risk is addressed in the Business Continuity Management Handbook, information security risk is addressed in the Information Security Handbook, cyber risk is assessed in the Cybersecurity Assessment Tool, and third-party risk is addressed here, here, and here.

We agree with this approach, and have long held that separately addressing each new emerging or evolving technology was cumbersome, duplicative, and unnecessary.  In our opinion, shifting the focus of the handbooks to basic risk management principles and best practices that can apply to all business processes makes more sense and is long overdue. Could the Wholesale and Retail Payment Systems handbooks be phased out next?  How about the Cybersecurity Assessment Tool?  Since cybersecurity is simply a subset of information security more broadly, could we see a phase-out of a separate cyber assessment?  Or even better, could we see the Information Security Handbook include a standardized risks and controls questionnaire that includes cyber?

Admittedly this is only one less policy and one less risk assessment, but we’ll be watching this trend with great interest. Anything that can help ease the burden on overworked compliance folks is a welcome change!

01 Jun 2022

Have There Been Any Official Board Reporting Updates to the FFIEC InfoSec Handbook since 2016?

Hey Guru!

Do you have any additional blogs about FDIC changing the annual IT report to the board? I saw the article from 2012 and was wondering if there are any updates to that. Has the FFIEC updated its Information Security IT Handbook after 2016 in regard to this subject?
Thank you,
Lynn


Hi Lynn, and thanks for the question! We haven’t seen any official board reporting updates from regulators since the 2016 revision to the FFIEC InfoSec Handbook; most of what we’ve heard on this topic lately is anecdotal (e.g., feedback from recent IT audits and examinations). The popular consensus is that the volume of information expected to be communicated to the board has greatly increased. We believe it’s because of the relatively recent requirement for the board to provide a “credible challenge” to management, which requires more information on all aspects of information security. Combine that with the hyper-focus on cybersecurity, and “the buck stops with the board” mentality, and it’s almost impossible to imagine over-informing the board.

A bit of background on board reporting… the Examination Procedures section (Appendix A) of the 2016 FFIEC Information Security IT Handbook instructs examiners to:

Determine whether the board approves a written information security program and receives a report on the effectiveness of the information security program at least annually. Determine whether the report to the board describes the overall status of the information security program and discusses material matters related to the program such as the following:

  1. Risk assessment process, including threat identification and assessment.
  2. Risk management and control decisions.
  3. Service provider arrangements.
  4. Results of security operations activities and summaries of assurance reports.
  5. Security breaches or violations and management’s responses.
  6. Recommendations for changes or updates to the information security program.

We feel that this is a decent framework assuming sufficient detail is added to each item, and the reporting is presented to the board in a manner in which they are most likely to understand it. Because each one is unique, that often means dialing the level of detail up or down depending on the specific comprehension level of your board.

We also recommend folks add a “Strategic IT Planning” section to the report, with updates on all significant IT initiatives, including how each of those initiatives aligns with enterprise-wide strategic goals and objectives.

You may also want to check out Appendix A, Objective 2 of the Management Handbook. Again, nothing new, but it does help define the broad scope of Board oversight from the examiner’s perspective. Remember, for every item listed in #2 of Objective 2, there must be one or more associated reports supporting the activity, and both the activity and the supporting documentation should be part of the board minutes:

Review the minutes of the board of directors and relevant committee meetings for evidence of board support and supervision of IT activities.

Wherever there is a lack of prescriptive guidance or there is room for interpretation in the guidance, risk managers must choose the path of least risk. For us, although the official guidance hasn’t changed recently, it’s much less risky to over-report information security activities to the Board than it is to under report. To date, we’ve never had an examiner criticize one of our customers for over-reporting!