
01 Jun 2022

Have There Been Any Official Board Reporting Updates to the FFIEC InfoSec Handbook since 2016?

Hey Guru!

Do you have any additional blogs about FDIC changing the annual IT report to the board? I saw the article from 2012 and was wondering if there are any updates to that. Has the FFIEC updated its Information Security IT Handbook after 2016 in regard to this subject?
Thank you,
Lynn


Hi Lynn, and thanks for the question! We haven’t seen any official board reporting updates from regulators since the 2016 revision to the FFIEC InfoSec Handbook; most of what we’ve heard on this topic lately is anecdotal (e.g., feedback from recent IT audits and examinations). The popular consensus is that the volume of information expected to be communicated to the board has greatly increased. We believe it’s because of the relatively recent requirement for the board to provide a “credible challenge” to management, which requires more information on all aspects of information security. Combine that with the hyper-focus on cybersecurity and the “the buck stops with the board” mentality, and it’s almost impossible to imagine over-informing the board.

A bit of background on board reporting… the Examination Procedures section (Appendix A) of the 2016 FFIEC Information Security IT Handbook instructs examiners to:

Determine whether the board approves a written information security program and receives a report on the effectiveness of the information security program at least annually. Determine whether the report to the board describes the overall status of the information security program and discusses material matters related to the program such as the following:

  1. Risk assessment process, including threat identification and assessment.
  2. Risk management and control decisions.
  3. Service provider arrangements.
  4. Results of security operations activities and summaries of assurance reports.
  5. Security breaches or violations and management’s responses.
  6. Recommendations for changes or updates to the information security program.

We feel that this is a decent framework, assuming sufficient detail is added to each item and the reporting is presented to the board in a manner they are most likely to understand. Because each board is unique, that often means dialing the level of detail up or down depending on the specific comprehension level of your board.

We also recommend folks add a “Strategic IT Planning” section to the report, with updates on all significant IT initiatives, including how each of those initiatives aligns with enterprise-wide strategic goals and objectives.

You may also want to check out Appendix A, Objective 2 of the Management Handbook. Again, nothing new, but it does help define the broad scope of Board oversight from the examiner’s perspective. Remember, for every item listed in #2 of Objective 2, there must be one or more associated reports supporting the activity, and both the activity and the supporting documentation should be part of the board minutes:

Review the minutes of the board of directors and relevant committee meetings for evidence of board support and supervision of IT activities.

Wherever there is a lack of prescriptive guidance, or there is room for interpretation in the guidance, risk managers must choose the path of least risk. For us, although the official guidance hasn’t changed recently, it’s much less risky to over-report information security activities to the Board than it is to under-report. To date, we’ve never had an examiner criticize one of our customers for over-reporting!

30 Sep 2020
Ask the Guru – Can We Apply Similar Controls to Satisfy Both GLBA and GDPR

Can We Apply Similar Controls to Satisfy Both GLBA and GDPR?

Hey Guru!

Are the Gramm–Leach–Bliley Act (GLBA) and the General Data Protection Regulation (GDPR) similar enough to apply the same or equivalent set of layered controls? My understanding is that GDPR has placed a higher premium on the protection of a narrower definition of data. So, my question is more about whether FFIEC requirements for the protection of data extend equally to both Confidential PII and the narrow data type called out by GDPR.


Hi Steve, and thanks for the question! Comparing the Gramm–Leach–Bliley Act (GLBA) and the General Data Protection Regulation (GDPR) is instructive, as they both try to address the same challenge: privacy and security. Specifically, protecting information shared between a customer and a service provider. GLBA is specific to financial institutions, while GDPR defines a “data processor” as any third party that processes personal data. However, they both have a very similar definition of the protected data. GDPR uses the term “personal data” for any information that relates to an individual who can be directly or indirectly identified, and GLBA uses the term non-public personal information (or NPI) to describe the same type of data.

To answer the question of whether the two are similar enough to apply the same or a similar set of layered controls, my short answer is yes: since layering controls is a risk mitigation best practice, it applies equally to both.

Here’s a bit more. The most important distinction between GLBA and GDPR is that GLBA has two sections: 501(a) and 501(b). The former establishes the right to privacy and the obligation that financial institutions must protect the security and confidentiality of customer NPI. 501(b) empowers the regulators to require FIs to establish safeguards to protect against any threats to NPI. Simply put, 501(a) is the “what”, and 501(b) is the “how”. Of course, the “how” has given us the 12 FFIEC IT Examination Handbooks, cybersecurity regulations, penetration tests, the IT audit, and lots of other stuff with no end in sight.

By contrast, GDPR is more focused on the “what” (what a third party can and can’t do with customer data, as well as what the customer can control, e.g., the right to have their data deleted) and much less on the “how” it is supposed to be done.

My understanding is that the scope of GLBA (and all the information security standards based thereon) is strictly limited to customer NPI; it does not extend to confidential or PII data. One distinguishing factor between NPI and PII is that in US regulations NPI always refers to the “customer”, and PII always refers to the “consumer”. (Frankly, there isn’t really any difference between data obtained from a customer or a consumer by a financial institution during the process of either pursuing or maintaining a business relationship.) We have always taken the position that for the purposes of data classification, NPI and confidential (PII) data share the same level of sensitivity, but the guidance is only concerned with customer NPI. GDPR does not make that distinction.

In my opinion, our federal regulations will move towards merging NPI and PII, and in fact some states are already there. So, although it’s not strictly a requirement to protect anything other than NPI, it’s certainly a best practice, and combining both NPI and PII / confidential data in the same data sensitivity classification will do that.

One last thought about enforcement… So far, we have not heard of US regulators checking US-based FIs for GDPR compliance, but since our community-based financial institutions have very little EU exposure, your experience may be different.

23 Mar 2020
Are Banks and Credit Unions Required to Address Your COVID-19 Readiness with Your Customers?

Are You Required to Address Your COVID-19 Readiness with Your Customers?

Hey Guru!

Are we required to post any kind of statement to the public or our customers as to our readiness for COVID-19? If so, can you direct me to the kinds of things we need to say? We are working on an ad to educate our customers on how to use our online products if they are concerned about coming out in public to the branch. Thanks!


I wouldn’t call it a requirement to post a statement, but it’s definitely a best practice. I could easily see the examiners being just fine with your generic pandemic planning, but the next time they come in, asking “what specific steps did you take in reaction to the recent COVID-19 event?”

Lots of generic best practices out there (CDC, etc.), and of course your response would depend on your capabilities (encouraging e-banking vs. face-to-face transactions, and e-signatures for physical signatures on loan documents, for example), but here are some FI-specific resources:

In addition to providing hand sanitizers and wipes in the branches, we’ve also heard of some folks making a point of wiping down their FI-owned ATM keypads (and/or offering wipes to customers for that purpose).
Here are some additional tips we’ve gathered from other financial institutions that may also be useful for you to consider (in no particular order):

  • Plan to restock FI-owned ATMs more frequently, and/or consider temporarily increasing daily withdrawal limits. Keep in mind that if reloading services are outsourced the vendor may be overwhelmed. Also check if your blanket bond insurance coverage needs to be adjusted for the higher limits.
  • Track (via a log) which employees enter your buildings each day, to create a “contact tracking map” in case someone is diagnosed as a confirmed case.
  • Check HR policies (and communicate same) regarding employees needing to take extended sick leave or requiring additional time off to care for family members. Do you have a “flex-hours” policy for job duties that can be performed off-hours?
  • Is your succession plan at least three resources deep for most functions and possibly four resources deep for highly critical and specialized functions?
  • Depending on your primary demographic, consider creating special hours at certain locations specifically for more vulnerable elderly customers.
  • If you don’t already offer these services, have you considered consumer capture, “Smart” ATMs and other alternatives to face-to-face transactional services?
  • Define banking services that can be completed through the drive-thru, and those that require in-person interaction (and an appointment). (E.g., large cash or coin transactions may need to be in person because of security or drive-thru equipment limitations.)
  • Consider moving to an “appointment-only” approach for in-person banking services.
  • Consider evaluating your check cashing limits through the drive-thru, or requiring additional identity verification.
  • Provide additional training on remote-access hygiene. Does your Information Security Program require these users to sign a remote access agreement?
  • Remind all employees (especially those telecommuting) to continue to be vigilant to the potential uptick in cyber-attacks (phishing, vishing, etc.) and fraud attempts.
  • Law360 shares good information regarding cyber hygiene when telecommuting: https://www.law360.com/articles/1250758/as-covid-19-increases-remote-work-cyberhygiene-is-a-must

We have posted on this already and will likely be offering some additional best practices for bankers at both complianceguru.com and safesystems.com.

Hope all this helps. Stay tuned, and stay healthy out there!!

05 Dec 2019
Scheduling IT Audits Using Risk Scoring

Using Risk Scoring to Determine the Frequency of IT Audits

Hey Guru!

In my last IT examination, one of the findings was that the scope and cycle of our IT audits should be more closely tied to risk. We have IT audits every 12 months, what else should we be doing?


By conducting Information Technology audits every 12 months, you’ve effectively (and correctly) determined that IT is a major source of risk in your organization. I don’t think the examiner is criticizing your decision, they’re only asking that you document how you came to that determination. Why every 12 months? Why not 6, or 18, or 24? The FFIEC Audit Handbook states that your risk assessment guidelines specify:

A maximum length for audit cycles based on the risk scores. (For example, some institutions set audit cycles at 12 months or less for high-risk areas, 24 months or less for medium-risk areas, and up to 36 months for low-risk areas. Audit cycles should not be open-ended.);

In the past, saying “…because that’s how we’ve always done it” might have been sufficient, but lately examiners often want a more definitive basis for IT audit scope and frequency. The Audit Handbook states that risk-based IT audit programs should:

Use a measurement or scoring system that ranks and evaluates business and control risks for significant business units, departments, and products;

This highlights a recent trend we’re seeing which we refer to as the “de facto scoring system”. This refers to any situation where someone in your organization makes an undocumented risk-based decision, and it happens more often than you might realize. One example is when you decide that certain vendors do not need to be included in your vendor management program because they don’t meet a minimum risk threshold. It is far better to risk-assess and score every vendor, then apply controls (or not) based on that inherent risk score.

Similarly, by keeping to a 12-month audit scope and frequency, someone in your organization made an undocumented determination that IT risks and controls should be reviewed on a 12-month cycle. Again, I don’t think the examiner is faulting that decision, only the decision-making process (or lack thereof).

Implementing a robust IT (or vendor) risk scoring system is not an easy task, but it is a regulatory expectation, and it seems to be where the examiner is leading you. A comprehensive risk management system will evaluate the source of risk (typically your business processes and the assets required for those processes), the risks and threats to those sources, and the controls implemented for the risks and threats identified. Apply a numeric score at each step. (I’ve oversimplified the process a bit for brevity. This FDIC FIL is an excellent reference if you want to take a deeper dive into risk modeling.)

At this point you should be able to list all risk sources from high to low, all risks/threats from high to low, and all controls from strongest to weakest. Most importantly, risks should be scored both at the inherent level (before controls), and the residual level (after controls). Your audit plan* should then specify that your IT audits are risk-based; the scope will focus on inherent (NOT residual) risk levels for your riskiest assets, highest risks and threats, and most critical controls, and the audit cycle (frequency) will be every 12 months or less for these high-risk areas.
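To make the three-step scoring described above concrete, here is a small worked model (an added example, not a Safe Systems tool or anything from the FFIEC Audit Handbook). It scores risk sources (assets), threats and controls on an assumed 1..5 scale, keeps inherent and residual scores separate, ranks each list, and maps the inherent tier to the audit-cycle ceilings quoted from the Audit Handbook above (12, 24 and 36 months). The tier cut-offs, the control-effectiveness arithmetic, and the sample assets, threats and controls are all constructed assumptions for illustration.

```python
"""Toy IT risk-scoring model: inherent vs. residual scores and audit cycles.

Added illustration, not a Safe Systems or FFIEC tool. The 1..5 scales, the
tier cut-offs, the control-effectiveness arithmetic and the sample data are
all constructed assumptions; only the 12/24/36-month cycle ceilings come
from the Audit Handbook example quoted in the post.
"""
from dataclasses import dataclass
from typing import Dict, List

SCALE_MAX = 5  # qualitative 1..5 scale for criticality, likelihood, impact


@dataclass(frozen=True)
class Asset:            # a risk source: a business process or the asset it needs
    name: str
    criticality: int    # 1..5


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int     # 1..5
    impact: int         # 1..5


@dataclass(frozen=True)
class Control:
    name: str
    mitigates: str        # name of the threat it reduces
    effectiveness: float  # 0.0 (no effect) .. 1.0 (fully mitigating)


# Audit-cycle ceilings from the Audit Handbook example: 12 months or less for
# high-risk areas, 24 months or less for medium-risk, up to 36 for low-risk.
AUDIT_CYCLE_MONTHS = {"high": 12, "medium": 24, "low": 36}


def inherent_score(asset: Asset, threat: Threat) -> float:
    """Inherent (pre-control) risk, normalised to 0..100."""
    raw = asset.criticality * threat.likelihood * threat.impact
    return round(100.0 * raw / SCALE_MAX ** 3, 1)


def residual_score(inherent: float, controls: List[Control]) -> float:
    """Residual (post-control) risk. Controls multiply rather than add, so two
    50%-effective controls leave 25% of the inherent score, never 0."""
    remaining = inherent
    for c in controls:
        remaining *= 1.0 - c.effectiveness
    return round(remaining, 1)


def risk_tier(score: float) -> str:
    """Assumed tier cut-offs on the 0..100 scale."""
    if score >= 40.0:
        return "high"
    if score >= 15.0:
        return "medium"
    return "low"


def build_audit_plan(assets, threats, controls) -> List[Dict]:
    """One row per asset/threat pair, highest inherent risk first. Scope and
    cycle are driven by the INHERENT tier, as the post recommends."""
    rows = []
    for a in assets:
        for t in threats:
            applicable = [c for c in controls if c.mitigates == t.name]
            inh = inherent_score(a, t)
            tier = risk_tier(inh)
            rows.append({
                "asset": a.name, "threat": t.name,
                "inherent": inh, "residual": residual_score(inh, applicable),
                "tier": tier, "audit_cycle_months": AUDIT_CYCLE_MONTHS[tier],
                "controls": [c.name for c in applicable],
            })
    rows.sort(key=lambda r: (-r["inherent"], r["asset"], r["threat"]))
    return rows


def rank_by_max_inherent(plan: List[Dict], column: str) -> List[str]:
    """Rank risk sources ("asset") or threats ("threat") high to low by the
    worst inherent score each one appears in."""
    worst: Dict[str, float] = {}
    for r in plan:
        worst[r[column]] = max(worst.get(r[column], 0.0), r["inherent"])
    return sorted(worst, key=lambda k: (-worst[k], k))


def rank_controls(controls: List[Control]) -> List[str]:
    """Controls strongest to weakest."""
    return [c.name for c in sorted(controls, key=lambda c: (-c.effectiveness, c.name))]


# Constructed sample data for a small institution (illustrative only).
SAMPLE_ASSETS = [Asset("Core banking", 5), Asset("Online banking", 4), Asset("HR intranet", 2)]
SAMPLE_THREATS = [Threat("Ransomware", 4, 5), Threat("Insider data theft", 2, 4),
                  Threat("Phishing credential theft", 5, 3)]
SAMPLE_CONTROLS = [Control("Offline backups", "Ransomware", 0.5),
                   Control("Endpoint protection", "Ransomware", 0.4),
                   Control("MFA on remote access", "Phishing credential theft", 0.7),
                   Control("DLP monitoring", "Insider data theft", 0.3)]

if __name__ == "__main__":
    plan = build_audit_plan(SAMPLE_ASSETS, SAMPLE_THREATS, SAMPLE_CONTROLS)
    for r in plan:
        print(f'{r["asset"]:15} {r["threat"]:26} inherent={r["inherent"]:5} '
              f'residual={r["residual"]:5} {r["tier"]:6} cycle<={r["audit_cycle_months"]}mo')
    print("sources :", rank_by_max_inherent(plan, "asset"))
    print("threats :", rank_by_max_inherent(plan, "threat"))
    print("controls:", rank_controls(SAMPLE_CONTROLS))
```

Running the script with the sample data puts “Core banking / Ransomware” at the top (inherent 80, residual 24, 12-month cycle) and shows why the post insists on scoping by inherent rather than residual risk: “Core banking / Phishing credential theft” scores high inherently (60) but only medium once MFA is credited (18), so a residual-based plan would quietly push a critical control out of the annual audit scope. The sorted rows, plus the three ranked lists, are exactly the artifacts the post says you should be able to hand to your IT auditor before the engagement.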

This approach should more than satisfy the examiner, AND as an added bonus, providing this to your IT auditor prior to the engagement will also greatly assist them as they build their scope of work.

*FFIEC IT Handbook: Audit Booklet, (Appendix B: Glossary):

  • Audit Program – The audit policies, procedures, and strategies that govern the audit function, and cover all of an institution’s major activities including IT audit.
  • Audit Plan – A description and schedule of audits to be performed in a certain period of time (ordinarily a year). It includes the areas to be audited, the type of work planned, the high-level objectives and scope of the work and includes other items such as budget, resource allocation, schedule dates, and type of report issued.

Other Compliance Guru posts related to this topic include: Ask the Guru: The IT Audit “Scope” and Audits vs. Examinations.

27 Aug 2019
Pandemic testing and the Business Continuity Plan

Pandemic Testing and the BCP

Hey Guru!

We finished an FDIC exam earlier this year, and in the IT portion they hit us on our pandemic plan saying it “needed improvement.” Here is the actual finding:

Management should improve the pandemic plan within the Business Continuity Plan. The pandemic plan has no defined action plan, nor has it been tested. Management needs to establish a clear action plan and test the action plan regularly.

They also commented that we did not test it in 2018, but we did test it in December of 2017. So I have 2 questions:

  1. Is pandemic testing an annual requirement?
  2. What can we do to satisfy the comment on the plan being too generic?


Addressing the second question first, this is a great example of having to read between the lines to determine what the examiner is really asking for. I also referred to this situation in another post. I’m guessing that the “action plan” they’re referring to is actually your succession & cross-training plan. Your recovery procedures won’t change, what they want is for you to develop your succession plan, cross-train alternate personnel, then test your recovery procedures with the alternate personnel.

We have seen this finding recently, and as a result we’ve added a succession plan section to each process in our BCP Blueprint application*. The next time you update your plan it will now prompt for the primary, secondary, and tertiary resources for each process. Just make sure the next time you conduct a BCP test (pandemic or otherwise), you test with alternate personnel in the primary recovery roles. That way you can validate your ability to recover critical processes and functions within recovery time objectives, regardless of key personnel availability AND regardless of the nature of the disaster. After all, the FFIEC guidance states that FIs should focus on the impact of the threat, not the nature of the threat:

“Non-specific events should be identified so that management can concentrate on the impact of various disruptions instead of specific threats that may never affect operations.”

Ultimately your ability to continue critical operations is the primary concern of the regulators, not necessarily that you’ve tested for a specific natural disaster (or contagion).

Regarding your first question, there is no specific requirement to test for a pandemic (or any other specific threat) on an annual basis. The guidance only states that you maintain:

“…A testing program to ensure that the institution’s pandemic planning practices and capacities are effective and will allow critical operations to continue.”

Because reading between the lines of an examination is an imperfect science, ask the examiner if this approach (succession plan, plus cross-training, plus testing with alternate personnel) will address their concerns. I’ll be very surprised if it doesn’t.

For more about the importance of process-based business continuity planning, check out this article: BCP Plans Continue to Draw Criticism.

*This question came from a current Safe Systems BCP Blueprint customer, but those with other plan formats can accomplish the same result by adding a succession plan section to their BCP.