Author: The Safe Systems Compliance Team

13 Jan 2020

FFIEC Rewrites Business Continuity Guidance

The all-new IT Examination Handbook is more than an update: it is a complete rewrite, and it represents a significant change in how the business continuity process is managed. It also contains several new expectations that regulators will be looking for from financial institutions [1]. In fact, that is one of the most interesting changes; the term “institution” has been changed to “entity”, and this may prove to be more than simply semantic, because entities are defined as

“…depository financial institutions, nonbank financial institutions, bank holding companies, and third-party service providers.”
(emphasis added)

It looks like your critical third-party providers will be expected to meet the same standard you are, and that makes sense, as these providers may be key interdependencies of your internal systems and business processes.

By the Numbers

Before we get into some of the other changes, let’s look at some select differences between the current and previous Handbooks.

                                Business Continuity        Business Continuity
                                Planning Handbook          Management Handbook
                                (February 2015)            (November 2019)

Total pages                     135 pages                  85 pages
Appendices                      10 (A – J)                 4 (A – D)
Testing section                 5                          11
“Resilience” references         57                         126
“Institution(s)” references     645                        32
“Entity/Entities” references    1                          253
“Risk Appetite” references      1                          10
Pandemic sections [2]           1                          0

Material Changes

One of the most significant changes is also more than simply semantic. The end result of the planning process is no longer referred to as a Business Continuity Plan (BCP), but more broadly, Business Continuity Management (BCM). Your recovery plan (the traditional BCP) is now simply a sub-section in your overall BCM document.

This leads to perhaps the most significant change: a focus on “resilience” in addition to (and in advance of) your response and recovery efforts. Resilience is defined as

“the ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions. Resilience includes the ability to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents.”

Since most traditional BCPs probably already have detailed recovery procedures documented, the missing piece is the pre-recovery part: the proactive measures you either already have in place, or can implement, to withstand and/or minimize the impact of a disruptive event. As the guidance states:

“Resilience extends beyond recovery capabilities to incorporate proactive measures for mitigating the risk of a disruptive event in the overall design of operations and processes.”

One way to measure (and document) resilience is to factor any existing threat-specific measures such as fire suppression, data backups, redundant data circuits, succession plans, alternate vendors, etc. into your net risk/threat impact formula. Simply put, resilience is the difference between the inherent impact of a threat, and the residual impact.

Perhaps the best way to characterize the new approach to business continuity is to look at the recommended development process.

The previous Handbook encouraged institutions to adopt a four-step approach:

  1. Business Impact Analysis
  2. Risk Assessment
  3. Risk Management (essentially, recovery procedures), and
  4. Risk Monitoring and Testing

The new guidance recommends a slightly different approach:

  1. Risk Management (Business Impact Analysis, Risk/Threat Assessment)
  2. Continuity Strategies (Interdependency Resilience, Continuity and Recovery)
  3. Training & Testing (aka Exercises)
  4. Maintenance & Improvement
  5. Board Reporting

Next Steps

What do all these changes mean for your continuity plan? Is it time to start fresh, or can a few simple adjustments bring your current program into alignment with the new guidance? For example, it may be tempting to do a simple word search/replace and change all occurrences of “Business Continuity Plan” to “Business Continuity Management”. But even if your current program is compliant with the 2015 Handbook, simple fixes may miss the spirit of the new guidance unless more substantive changes are made.

Here is a high-level checklist using the structure of the new guidance to help you decide whether a few minor tweaks, or a major re-write is in order.

Answer each question as “Yes, completely,” “Yes, somewhat,” or “No”:

  1. Have you conducted a formal business process-based Business Impact Analysis (BIA) that identifies all critical interdependencies?
  2. Does the BIA produce sufficient information to establish the following?
    • Recovery point objectives (RPO)
    • Recovery time objectives (RTO) for each business process (prioritized)
    • Maximum tolerable (or allowable) downtime (MTD/MAD)
  3. Does your risk/threat assessment measure both the impact and the probability (likelihood) of potential disruptive threats, including worst case (low probability, high impact) scenarios?
  4. Have you identified all existing resilience (including cyber) measures for all critical interdependencies in your program? Interdependencies include all assets and all vendors for each business process.
  5. Do you use the business processes identified in your BIA, including the interdependencies and recovery priorities, to guide your BCP testing? (Must be documented)
  6. Do you use testing as employee training exercises to verify that personnel are knowledgeable of recovery priorities and procedures?
  7. Do you track and resolve all issues identified during testing exercises, and use lesson-learned to enhance your program? (Must be documented)
  8. Does your Board report include a written presentation providing the BIA, risk assessment, BCP, exercise and test results, and identified issues?
  9. BONUS QUESTION: Do you assess Pandemic impact and probability alongside other risks/threats instead of separately?

If you answered more than 5 out of the 9 questions with “No” or “Yes, somewhat” it might be a good time to reevaluate the entire plan. On the other hand, if you are able to respond “Yes, completely” or “Yes, somewhat” to 6 or more, you should be in pretty good shape with only minor adjustments necessary.

Summary

All plans, even largely compliant plans, will need some level of adjustment. The good news is that historically it takes time for auditors and examiners to adjust to new regulations, so there should be enough time to make even major adjustments. Use your regularly scheduled 2020 BCP/BCM update sessions as an opportunity to re-visit your program, and be ready to provide all stakeholders (including auditors, examiners, and the Board) with a definitive plan, including timeline, for achieving compliance.


[1] The Handbook states at the outset that “This booklet does not impose requirements on entities. Instead, this booklet describes practices that examiners may use to assess an entity’s BCM function.” Regardless, as anyone in the banking industry knows, any standard the regulators deem worthy of use as the basis of assessing an entity’s practices is a de facto requirement!
[2] The new Handbook eliminates the separate Pandemic section.
05 Dec 2019

Using Risk Scoring to Determine the Frequency of IT Audits

Hey Guru!

In my last IT examination, one of the findings was that the scope and cycle of our IT audits should be more closely tied to risk. We have IT audits every 12 months, what else should we be doing?


By conducting Information Technology audits every 12 months, you’ve effectively (and correctly) determined that IT is a major source of risk in your organization. I don’t think the examiner is criticizing your decision, they’re only asking that you document how you came to that determination. Why every 12 months? Why not 6, or 18, or 24? The FFIEC Audit Handbook states that your risk assessment guidelines specify:

A maximum length for audit cycles based on the risk scores. (For example, some institutions set audit cycles at 12 months or less for high-risk areas, 24 months or less for medium-risk areas, and up to 36 months for low-risk areas. Audit cycles should not be open-ended.);

In the past, saying “…because that’s how we’ve always done it” might have been sufficient, but lately examiners often want a more definitive basis for IT audit scope and frequency. The Audit Handbook states that risk-based IT audit programs should:

Use a measurement or scoring system that ranks and evaluates business and control risks for significant business units, departments, and products;

This highlights a recent trend we’re seeing which we refer to as the “de facto scoring system”. This refers to any situation where someone in your organization makes an undocumented risk-based decision, and it happens more often than you might realize. One example is when you decide that certain vendors do not need to be included in your vendor management program because they don’t meet a minimum risk threshold. It is far better to risk assess and score every vendor, then apply controls (or not) based on that inherent risk score.

Similarly, by keeping to a 12-month audit scope and frequency, someone in your organization made an undocumented determination that IT risks and controls should be reviewed on a 12 month cycle. Again, I don’t think the examiner is faulting that decision, only the decision-making process (or lack thereof).

Implementing a robust IT (or vendor) risk scoring system is not an easy task, but it is a regulatory expectation, and it seems to be where the examiner is leading you. A comprehensive risk management system will evaluate the source of risk (typically your business processes and the assets required for those processes), the risks and threats to those sources, and the controls implemented for the risks and threats identified. Apply a numeric score at each step. (I’ve oversimplified the process a bit for brevity. This FDIC FIL is an excellent reference if you want to take a deeper dive into risk modeling.)

At this point you should be able to list all risk sources from high to low, all risks/threats from high to low, and all controls from strongest to weakest. Most importantly, risks should be scored both at the inherent level (before controls), and the residual level (after controls). Your audit plan* should then specify that your IT audits are risk-based; the scope will focus on inherent (NOT residual) risk levels for your riskiest assets, highest risks and threats, and most critical controls, and the audit cycle (frequency) will be every 12 months or less for these high-risk areas.

This approach should more than satisfy the examiner, AND as an added bonus, providing this to your IT auditor prior to the engagement will also greatly assist them as they build their scope of work.
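The following is an added worked example, not code from Safe Systems or the Guru, of the scoring approach described above: assets are scored for inherent risk (criticality × threat impact × likelihood, before controls), controls reduce that to a residual score, and the audit cycle is keyed to the inherent tier using the 12/24/36-month bands the Audit Handbook quote gives for high/medium/low areas. It also computes “resilience” as the BCM post earlier on this page defines it, i.e. the difference between inherent and residual impact. The 1–5 scales, the multiplicative treatment of control effectiveness, the tier thresholds, and every asset, threat, and control value are constructed assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass
class Threat:
    name: str
    impact: int        # constructed 1..5 scale: 1 = negligible, 5 = severe
    likelihood: int    # constructed 1..5 scale: 1 = rare, 5 = expected


@dataclass
class Control:
    name: str
    effectiveness: float   # assumed fraction (0.0..1.0) of remaining risk the control removes


@dataclass
class Asset:
    name: str
    criticality: int       # constructed 1..5: how much the business process depends on it
    threats: list
    controls: list


def inherent_score(asset: Asset) -> int:
    """Inherent risk before controls: the worst threat drives the score (max 5*5*5 = 125)."""
    return max(asset.criticality * t.impact * t.likelihood for t in asset.threats)


def residual_score(asset: Asset) -> float:
    """Residual risk after controls; each control removes its fraction of what is left."""
    remaining = 1.0
    for c in asset.controls:
        remaining *= 1.0 - c.effectiveness
    return round(inherent_score(asset) * remaining, 1)


def resilience(asset: Asset) -> float:
    """Resilience as the BCM post defines it: inherent impact minus residual impact."""
    return round(inherent_score(asset) - residual_score(asset), 1)


def risk_tier(score: float) -> str:
    # assumed thresholds on the 1..125 inherent scale
    if score >= 60:
        return "high"
    if score >= 25:
        return "medium"
    return "low"


# Maximum audit cycle per tier, from the Audit Handbook example quoted above.
AUDIT_CYCLE_MONTHS = {"high": 12, "medium": 24, "low": 36}


def audit_cycle_months(asset: Asset) -> int:
    # Scope and cycle are keyed to INHERENT risk, as the answer recommends.
    return AUDIT_CYCLE_MONTHS[risk_tier(inherent_score(asset))]


def audit_plan(assets: list) -> list:
    """Rank assets high to low by inherent risk and attach tier and audit cycle."""
    ranked = sorted(assets, key=inherent_score, reverse=True)
    return [
        (a.name, inherent_score(a), residual_score(a), risk_tier(inherent_score(a)), audit_cycle_months(a))
        for a in ranked
    ]


# Constructed sample inventory (names and numbers are illustrative, not from any real institution).
SAMPLE_ASSETS = [
    Asset("Core banking system", 5,
          [Threat("Ransomware", 5, 3), Threat("Hardware failure", 4, 2)],
          [Control("Offline backups", 0.5), Control("Endpoint detection and response", 0.4)]),
    Asset("Email platform", 3,
          [Threat("Phishing", 4, 3)],
          [Control("Multi-factor authentication", 0.5), Control("Security awareness training", 0.3)]),
    Asset("Branch guest Wi-Fi", 2,
          [Threat("Unauthorized access", 3, 3)],
          [Control("Network segmentation", 0.6)]),
]


if __name__ == "__main__":
    for name, inh, res, tier, months in audit_plan(SAMPLE_ASSETS):
        print(f"{name:22} inherent={inh:<4} residual={res:<5} tier={tier:<6} audit every {months} months")
```

Running the block prints the ranked plan; the core banking system lands in the high tier (inherent 75) and is audited every 12 months even though its residual risk after backups and endpoint controls is far lower, which is exactly the documented, inherent-risk-based justification the examiner is asking for.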

*FFIEC IT Handbook: Audit Booklet, (Appendix B: Glossary):

  • Audit Program – The audit policies, procedures, and strategies that govern the audit function, and cover all of an institution’s major activities including IT audit.
  • Audit Plan – A description and schedule of audits to be performed in a certain period of time (ordinarily a year). It includes the areas to be audited, the type of work planned, the high-level objectives and scope of the work and includes other items such as budget, resource allocation, schedule dates, and type of report issued.

Other Compliance Guru posts related to this topic include: Ask the Guru: The IT Audit “Scope” and Audits vs. Examinations.

03 Oct 2019

FFIEC Issues Press Release on Cybersecurity Preparedness Assessments (and Muddies the Waters)

A Standardized Approach

On August 28th, the FFIEC issued a press release entitled “FFIEC Encourages Standardized Approach to Assessing Cybersecurity Preparedness”. The release “…emphasized the benefits of using a standardized approach to assess and improve cybersecurity preparedness.” On the surface this seems very logical and straightforward, but in fact it may have provided more confusion and complication than clarification on regulator expectations.

Here is some background. Back in the summer of 2014, the FFIEC piloted a cybersecurity examination work program (Cybersecurity Assessment) at over 500 community financial institutions to evaluate their preparedness to mitigate cyber risks. As a result of the Cybersecurity Assessment, FFIEC members found that many financial institutions (and most community institutions) would benefit from a standardized approach to cybersecurity assessment. As a result, in 2015 (and subsequently updated in 2017) the FFIEC:

“…developed the Cybersecurity Assessment Tool (Assessment) to help institutions identify their risks and determine their cybersecurity preparedness. The Assessment provides a repeatable and measurable process for financial institutions to measure their cybersecurity preparedness over time.”

This Tool has since become the de facto standard for all primary federal regulatory agencies. This isn’t surprising, since FFIEC members consist of all federal regulatory agencies, plus the CFPB and state agencies.

Here is what the Federal Reserve said back in 2015:

“Beginning in late 2015 or early 2016, the Federal Reserve plans to utilize the assessment tool as part of our examination process when evaluating financial institutions’ cybersecurity preparedness…”

Similarly, the OCC stated in 2015:

“The OCC will implement the Assessment as part of the bank examination process over time to benchmark and assess bank cybersecurity efforts.”

The NCUA advised back in 2018 that:

“NCUA examiners will use the (FFIEC’s cybersecurity assessment tool) as a guide for assessing cybersecurity risks in credit unions.”

(The NCUA also subsequently developed their own tool called the ACET, modeled word-for-word on the FFIEC Tool.)

Finally, while the FDIC did state that use of the Tool was voluntary, they indicated that:

“FDIC examiners will discuss the Cybersecurity Assessment Tool with institution management during examinations to ensure awareness and assist with answers to any questions.”

One more thing… Since the Tool is “officially” voluntary, when asked in a regulator panel discussion earlier this year what other standards or tools examiners were seeing instead of the FFIEC, all the examiners (including the FDIC) admitted that the only assessment methodology they’ve seen is the FFIEC.

A Variety of Options

Clearly the Tool is now, and has always been, the de facto standard, and here is where the press release complicates things. First, I’ve always been a proponent of the Tool in the sense that any attempt to standardize examiner expectations is a good thing, because shared standards will usually result in less misinterpretation, and fewer deviations from those expectations, i.e. fewer exam findings! But now the agencies seem to be backing away from a single standard, stating instead that “Institutions may choose from a variety of standardized tools aligned with industry standards and best practices to assess their cybersecurity preparedness.” They list the following as possible standardized tools:

Most confusing of all, the FFIEC even seems to be backing away from their own tool, stating that “…the FFIEC does not endorse any particular tool…”

What You Should Do

In summary, what should institutions do to adapt to this free-for-all of cyber preparedness standards? In short, nothing. If you’re already using the FFIEC Tool (or a service based on the FFIEC tool, like this), keep using it. Of the 4 competing standards, only the FFIEC Tool is specific to depository financial institutions. Additionally, using a different standard, while permitted, may invite additional scrutiny if the regulator is not well versed on that standard. And anything that invites additional scrutiny is not something most institutions prefer.

One final thought… Regardless of what tool you utilize, don’t forget that completing the assessment is only the first step in the cybersecurity preparedness process. As we have discussed before, determining where the gaps are in your program, and making a plan to close those gaps, are the next steps!

27 Aug 2019

Pandemic Testing and the BCP

Hey Guru!

We finished an FDIC exam earlier this year, and in the IT portion they hit us on our pandemic plan, saying it “needed improvement.” Here is the actual finding:

Management should improve the pandemic plan within the Business Continuity Plan. The pandemic plan has no defined action plan, nor has it been tested. Management needs to establish a clear action plan and test the action plan regularly.

They also commented that we did not test it in 2018, but we did test it in December of 2017. So I have 2 questions:

  1. Is pandemic testing an annual requirement?
  2. What can we do to satisfy the comment on the plan being too generic?


Addressing the second question first, this is a great example of having to read between the lines to determine what the examiner is really asking for. I also referred to this situation in another post. I’m guessing that the “action plan” they’re referring to is actually your succession & cross-training plan. Your recovery procedures won’t change, what they want is for you to develop your succession plan, cross-train alternate personnel, then test your recovery procedures with the alternate personnel.

We have seen this finding recently, and as a result we’ve added a succession plan section to each process in our BCP Blueprint application*. The next time you update your plan it will now prompt for the primary, secondary, and tertiary resources for each process. Just make sure the next time you conduct a BCP test (pandemic or otherwise), you test with alternate personnel in the primary recovery roles. That way you can validate your ability to recover critical processes and functions within recovery time objectives, regardless of key personnel availability AND regardless of the nature of the disaster. After all, the FFIEC guidance states that FIs should focus on the impact of the threat, not the nature of the threat:

“Non-specific events should be identified so that management can concentrate on the impact of various disruptions instead of specific threats that may never affect operations.”

Ultimately your ability to continue critical operations is the primary concern of the regulators, not necessarily that you’ve tested for a specific natural disaster (or contagion).

Regarding your first question, there is no specific requirement to test pandemic (or any specific threat) on an annual basis. The guidance only states that you maintain:

“…A testing program to ensure that the institution’s pandemic planning practices and capacities are effective and will allow critical operations to continue.”

Because reading between the lines of an examination is an imperfect science, ask the examiner if this approach (succession plan, plus cross-training, plus testing with alternate personnel) will address their concerns. I’ll be very surprised if it doesn’t.

For more about the importance of process-based business continuity planning, check out this article: BCP Plans Continue to Draw Criticism.

*This question came from a current Safe Systems BCP Blueprint customer, but those with other plan formats can accomplish the same result by adding a succession plan section to their BCP.

17 Jul 2019

Ask the Guru: Is it Legal to Share Exam Findings?

Hey Guru!

We contracted with Safe Systems to help remediate exam findings, but we were told by the examiner that we are not allowed to share examination findings “under penalty of law”. How do we share this critical information with you without getting into legal trouble?


Thanks for the question; here is where this issue is coming from. The front cover of every examination report contains the following verbiage:

“The report is the property of the FDIC, and is furnished to the bank examined for their confidential use. Under no circumstances shall the registrant, or any of its directors, officers, or employees disclose or make public in any manner the report or any portion thereof.”

It goes on to say that doing so would violate Part 309 of the FDIC Rules and Regulations.

FDIC 12 CFR Part 309 is titled “Disclosure of Information”; it governs information the FDIC maintains on all financial institutions (including examination reports), and the procedures for obtaining access to such information. Subsection 309.6(a) states:

“…no person shall disclose or permit the disclosure of any exempt records, or information contained therein, to any persons other than those officers, directors, employees, or agents of the Corporation who have a need for such records in the performance of their official duties.” (Emphasis added)

I have always taken the opinion that if we are contracted to assist in the remediation of examination findings, we are considered an “agent” (acting on behalf of the institution) and require the examination report or the information contained therein, in order to perform our “official duties”. Of course as their agent, we are now bound by Part 309 and restricted from any further sharing of the information.

One additional thought… It’s important to see examination findings in the context of the entire report as opposed to simply being restated or copy/pasted. There are several reasons for this, primarily because often we can derive additional meaning from the broader context, allowing us to “connect the dots” between separate findings. Also because sometimes we can get additional clarity by reading “between the lines” of the report. For example, we recently assisted a customer with a finding to “Improve the Pandemic Plan within the BCP Plan”.

They went on to state that “Management should establish a clear action plan…for Pandemic.” Taken out of context, this would seem to indicate examiners wanted additional general recovery procedures in case of Pandemic. But they went on to mention “key personnel” and “employee training”, and so taken in the broader context what they were really looking for was a succession plan. Because the finding never specifically mentioned a succession plan, we may have gone in a different direction if not for seeing the entire report.

Hope this gives you a little insight into this Part 309 issue. Feel free to reach out any time with other compliance questions!

03 Jul 2019

Ask the Guru: Addressing BCP and Incident Response in Vendor Contracts

Hey Guru!

I’m looking at an FIL that came out recently (FIL-19-2019), and trying to figure out how to react to it. In your opinion, how do we “ensure that business continuity and incident response risks are adequately addressed” in our contracts? We do get copies of their BCP/IRP plans and their insurance, and we try to make sure things like IRTs in their documents match ours. Is there anything additional that you guys are suggesting we should do?


Based on the FIL, to successfully ensure that contracts with significant third-party providers* properly address business continuity and incident response, Financial Institutions should act to eliminate gaps with their key providers.

Here are the contractual specifics that examiners have identified as potential gaps in recent examinations:

  1. Some contracts do not require the service provider to maintain a business continuity plan, establish recovery standards, or define contractual remedies if the technology service provider misses a recovery time objective.
  2. Other contracts did not sufficiently detail the technology service provider’s security incident responsibilities. For example, details such as notifying the financial institution, regulators, or law enforcement when there was an event of a security or cybersecurity incident were not specified.
  3. Additionally, some contracts did not clearly define key contract terms used in contractual documentation relating to business continuity and incident response. An example of an undefined or unclear key contract term is what constitutes a “security event” or a “service interruption”.

The FIL goes on to state that:

“When contracts leave gaps in business continuity and incident response, it is prudent for the financial institution to assess any resultant risks and implement compensating controls to mitigate them. For example, a financial institution may obtain supplementary business continuity documentation from the service provider or modify the financial institution’s own business continuity plan to address contractual uncertainties.”

The FIL concludes by reminding FIs that under Section 3 of the Bank Service Company Act (BSCA), FIs have a responsibility to report all contracts and relationships with certain service providers. The FI is responsible for notifying regulatory agencies of a relationship with a new vendor within 30 days after the service contract is created or the performance of the service, whichever occurs first. The actual reporting form is here. I provide more information on this (and have even quoted Don Saxinger, who is still with the FDIC and listed as the agency contact on the FIL!) in a previous blog post.

In summary, I think examiners expect you to more closely scrutinize your critical vendor contracts, looking for gaps that might indicate unmitigated risks. One way we address this for our customers is through testing. When we conduct testing, whether it’s a traditional disaster or a cyber incident scenario, we incorporate discussion of the actual vendor contract specifics, i.e.: what does the contract say about the vendor meeting their recovery time objectives, and are their RTOs within ours? What does the contract say about incident notification if the vendor has a cyber incident involving our data? How do they define a “recovery incident” or a “security incident”, and how does that compare to our definition? These details matter because your recovery procedures depend on what your provider is, and is not, legally obligated to do…and all of that should be spelled out in the contract!


*According to regulators: “A third-party relationship should be considered significant if the institution’s relationship with the third party is a new relationship or involves implementing new bank activities; the relationship has a material effect on the institution’s revenues or expenses; the third party performs critical functions; the third party stores, accesses, transmits, or performs transactions on sensitive customer information; the third party markets bank products or services; the third party provides a product or performs a service involving subprime lending or card payment transactions; or the third party poses risks that could significantly affect earnings or capital.”