13 Jan 2020
FFIEC Rewrites Business Continuity Guidance

The all-new IT Examination Handbook is more than an update; it’s a complete rewrite, and it represents a significant change in how the business continuity process is managed. It also has several new expectations regulators will be looking for from financial institutions [1]. In fact, that is one of the most interesting changes: the term “institution” has been changed to “entity”, and this may prove to be more than simply semantic, because entities are defined as

“…depository financial institutions, nonbank financial institutions, bank holding companies, and third-party service providers.”
(emphasis added)

It looks like your critical third-party providers will be expected to meet the same standard you are, and that makes sense, as these providers may be key interdependencies of your internal systems and business processes.

By the Numbers

Before we get into some of the other changes, let’s look at some select differences between the current and previous Handbooks.

                                  Business Continuity       Business Continuity
                                  Planning Handbook         Management Handbook
                                  (February 2015)           (November 2019)

Total pages                       135 pages                 85 pages
Appendices                        10 (A – J)                4 (A – D)
Testing section                   5                         11
“Resilience” references           57                        126
“Institution(s)” references       645                       32
“Entity/Entities” references      1                         253
“Risk Appetite” references        1                         10
Pandemic sections [2]             1                         0

Material Changes

One of the most significant changes is also more than simply semantic. The end result of the planning process is no longer referred to as a Business Continuity Plan (BCP), but more broadly, Business Continuity Management (BCM). Your recovery plan (the traditional BCP) is now simply a sub-section in your overall BCM document.

This leads to perhaps the most significant change; a focus on “resilience” in addition to (and in advance of) your response and recovery efforts. Resilience is defined as

“the ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions. Resilience includes the ability to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents.”

Since most traditional BCPs probably already have detailed recovery procedures documented, the missing piece is the pre-recovery part: the proactive measures you either already have in place, or can implement, to withstand and/or minimize the impact of a disruptive event. As the guidance states:

“Resilience extends beyond recovery capabilities to incorporate proactive measures for mitigating the risk of a disruptive event in the overall design of operations and processes.”

One way to measure (and document) resilience is to factor any existing threat-specific measures, such as fire suppression, data backups, redundant data circuits, succession plans, alternate vendors, etc., into your net risk/threat impact formula. Simply put, resilience is the difference between the inherent impact of a threat and its residual impact.

Perhaps the best way to characterize the new approach to business continuity is to look at the recommended development process.

The previous Handbook encouraged institutions to adopt a four-step approach:

  1. Business Impact Analysis
  2. Risk Assessment
  3. Risk Management (essentially, recovery procedures), and
  4. Risk Monitoring and Testing

The new guidance recommends a slightly different approach:

  1. Risk Management (Business Impact Analysis, Risk/Threat Assessment)
  2. Continuity Strategies (Interdependency Resilience, Continuity and Recovery)
  3. Training & Testing (aka Exercises)
  4. Maintenance & Improvement
  5. Board Reporting

Next Steps

What do all these changes mean for your continuity plan? Is it time to start fresh, or can a few simple adjustments bring your current program into alignment with the new guidance? For example, it may be tempting to do a simple word search/replace and change all occurrences of “Business Continuity Plan” to “Business Continuity Management”. But even if your current program is compliant with the 2015 Handbook, simple fixes may miss the spirit of the new guidance unless more substantive changes are made.

Here is a high-level checklist using the structure of the new guidance to help you decide whether a few minor tweaks or a major rewrite is in order.

Answer each question as “Yes, completely,” “Yes, somewhat,” or “No”:

  1. Have you conducted a formal business process-based Business Impact Analysis (BIA) that identifies all critical interdependencies?
  2. Does the BIA produce sufficient information to establish the following?
    • Recovery point objectives (RPO)
    • Recovery time objectives (RTO) for each business process (prioritized)
    • Maximum tolerable (or allowable) downtime (MTD/MAD)
  3. Does your risk/threat assessment measure both the impact and the probability (likelihood) of potential disruptive threats, including worst case (low probability, high impact) scenarios?
  4. Have you identified all existing resilience (including cyber) measures for all critical interdependencies in your program? Interdependencies include all assets and all vendors for each business process.
  5. Do you use the business processes identified in your BIA, including the interdependencies and recovery priorities, to guide your BCP testing? (Must be documented)
  6. Do you use testing as employee training exercises to verify that personnel are knowledgeable of recovery priorities and procedures?
  7. Do you track and resolve all issues identified during testing exercises, and use lesson-learned to enhance your program? (Must be documented)
  8. Does your Board report include a written presentation providing the BIA, risk assessment, BCP, exercise and test results, and identified issues?
  9. BONUS QUESTION: Do you assess Pandemic impact and probability alongside other risks/threats instead of separately?

If you answered more than 5 out of the 9 questions with “No” or “Yes, somewhat,” it might be a good time to reevaluate the entire plan. On the other hand, if you are able to respond “Yes, completely” or “Yes, somewhat” to 6 or more, you should be in pretty good shape, with only minor adjustments necessary.

Summary

All plans, even largely compliant plans, will need some level of adjustment. The good news is that historically it takes time for auditors and examiners to adjust to new regulations, so there should be enough time to make even major adjustments. Use your regularly scheduled 2020 BCP/BCM update sessions as an opportunity to re-visit your program, and be ready to provide all stakeholders (including auditors, examiners, and the Board) with a definitive plan, including timeline, for achieving compliance.


[1] The Handbook states at the outset that “This booklet does not impose requirements on entities. Instead, this booklet describes practices that examiners may use to assess an entity’s BCM function.” Regardless, as anyone in the banking industry knows, any standard the regulators deem worthy of use as the basis of assessing an entity’s practices is a de facto requirement!
[2] The new Handbook eliminates the separate Pandemic section.
03 Oct 2019
Banker reading over the FFIEC's latest press release

FFIEC Issues Press Release on Cybersecurity Preparedness Assessments (and Muddies the Waters)

A Standardized Approach

On August 28th, the FFIEC issued a press release entitled “FFIEC Encourages Standardized Approach to Assessing Cybersecurity Preparedness”. The release “…emphasized the benefits of using a standardized approach to assess and improve cybersecurity preparedness.” On the surface this seems very logical and straightforward, but in fact it may have provided more confusion and complication than clarification on regulator expectations.

Here is some background. Back in the summer of 2014, the FFIEC piloted a cybersecurity examination work program (Cybersecurity Assessment) at over 500 community financial institutions to evaluate their preparedness to mitigate cyber risks. As a result of the Cybersecurity Assessment, FFIEC members found that many financial institutions (and most community institutions) would benefit from a standardized approach to cybersecurity assessment. As a result, in 2015 (and subsequently updated in 2017) the FFIEC:

“…developed the Cybersecurity Assessment Tool (Assessment) to help institutions identify their risks and determine their cybersecurity preparedness. The Assessment provides a repeatable and measurable process for financial institutions to measure their cybersecurity preparedness over time.”

This Tool has since become the de facto standard for all primary federal regulatory agencies. This isn’t surprising, since FFIEC members consist of all federal regulatory agencies, plus the CFPB and state agencies.

Here is what the Federal Reserve said back in 2015:

“Beginning in late 2015 or early 2016, the Federal Reserve plans to utilize the assessment tool as part of our examination process when evaluating financial institutions’ cybersecurity preparedness…”

Similarly, the OCC stated in 2015:

“The OCC will implement the Assessment as part of the bank examination process over time to benchmark and assess bank cybersecurity efforts.”

The NCUA advised back in 2018 that:

“NCUA examiners will use the (FFIEC’s cybersecurity assessment tool) as a guide for assessing cybersecurity risks in credit unions.”

(The NCUA also subsequently developed their own tool called the ACET, modeled word-for-word on the FFIEC Tool.)

Finally, while the FDIC did state that use of the Tool was voluntary, they indicated that:

“FDIC examiners will discuss the Cybersecurity Assessment Tool with institution management during examinations to ensure awareness and assist with answers to any questions.”

One more thing… Since the Tool is “officially” voluntary, when asked in a regulator panel discussion earlier this year what other standards or tools examiners were seeing instead of the FFIEC, all the examiners (including the FDIC) admitted that the only assessment methodology they’ve seen is the FFIEC.

A Variety of Options

Clearly the Tool is now, and has always been, the de facto standard, and here is where the press release complicates things. First, I’ve always been a proponent of the Tool in the sense that any attempt to standardize examiner expectations is a good thing, because shared standards will usually result in less misinterpretation and fewer deviations from those expectations, i.e. fewer exam findings! But now the agencies seem to be backing away from a single standard, stating instead that “Institutions may choose from a variety of standardized tools aligned with industry standards and best practices to assess their cybersecurity preparedness.” They list the following as possible standardized tools:

Most confusing of all, the FFIEC even seems to be backing away from their own tool, stating that “…the FFIEC does not endorse any particular tool…”

What You Should Do

In summary, what should institutions do to adapt to this free-for-all of cyber preparedness standards? In short, nothing. If you’re already using the FFIEC Tool (or a service based on the FFIEC tool, like this), keep using it. Of the 4 competing standards, only the FFIEC Tool is specific to depository financial institutions. Additionally, using a different standard, while permitted, may invite additional scrutiny if the regulator is not well versed on that standard. And anything that invites additional scrutiny is not something most institutions prefer.

One final thought… Regardless of what tool you utilize, don’t forget that completing the assessment is only the first step in the cybersecurity preparedness process. As we have discussed before, determining where the gaps are in your program, and making a plan to close those gaps, are the next steps!

19 Apr 2019
DDoS Attacks

Misuse, Denied Access, and Incident Response

It may be a good time to review your Incident Response Plan and determine if additional clarification regarding the term “misuse” should be added to incorporate denial of access to information. The FFIEC Information Technology Examination Handbook for Information Security was published in September 2016 and refers to misuse as “attacks from within the organizations”. This definition comes from internal employees accessing unauthorized information through improperly configured (or absent) security controls. Due to the availability of ransomware and DDoS attack services, denial of access to critical information is becoming a more common risk financial institutions are facing.

The IT Examination Handbook defines distributed denial of service (DDoS) as “A type of attack that makes a computer resource or resources unavailable to its intended users”. Financial institutions that experience DDoS attacks may face operational and reputation risks depending on which resources were targeted in the attack. The FFIEC expects financial institutions to address DDoS readiness as part of their Information Security Program and Incident Response Plan.

DDoS Readiness

The FFIEC Information Technology Examination Handbook’s Business Continuity Planning and Information Security booklets provide the following steps that should be taken to improve DDoS readiness:

  1. Maintain an ongoing program to assess information security risk that identifies, prioritizes, and assesses the risk to critical systems, including threats to external websites and online accounts.
  2. Monitor Internet traffic to the institution’s website to detect attacks.
  3. Activate Incident Response Plans and notify service providers, including Internet service providers (ISPs), as appropriate, if the institution suspects that a DDoS attack is occurring. Response plans should include appropriate communication strategies with customers concerning the safety of their accounts.
  4. Ensure sufficient staffing for the duration of the DDoS attack and consider hiring precontracted third-party servicers, as appropriate, that can assist in managing the Internet-based traffic flow. Identify how the institution’s ISP can assist in responding to and mitigating an attack.
  5. Consider sharing information with organizations, such as the Financial Services Information Sharing and Analysis Center and law enforcement because attacks can change rapidly and sharing the information can help institutions to identify and mitigate new threats and tactics.
  6. Evaluate any gaps in the institution’s response following attacks and in its ongoing risk assessments, and adjust risk management controls accordingly.
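Step 2 above (monitor traffic to the institution’s website to detect attacks) is the one step in the list that can be reduced to running code. The following is an added example, not the FFIEC’s or Safe Systems’ code: it parses web-server access-log lines in Common Log Format, buckets requests into fixed time windows, flags any window whose request rate exceeds a multiple of a historical baseline, and notes whether the excess comes from one address or from many, which is the information the ISP or a pre-contracted mitigation provider (steps 3 and 4) will ask for first. The log lines are constructed sample data, and the baseline rate and multiplier are assumptions a real deployment would tune from its own traffic history.

```python
"""Rate-based web traffic monitor (added example; constructed data, assumed thresholds)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format: client - - [timestamp] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)')


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, stamp, request, status, _size = m.groups()
    when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": ip, "time": when, "request": request, "status": int(status)}


def bucket(events, window_seconds=10):
    """Group parsed events into fixed windows keyed by window start (epoch seconds)."""
    windows = defaultdict(list)
    for e in events:
        epoch = int(e["time"].timestamp())
        windows[epoch - epoch % window_seconds].append(e)
    return windows


def assess_windows(windows, baseline_rps, multiplier=5, window_seconds=10):
    """Flag windows whose request rate exceeds multiplier x the historical baseline.

    The share of traffic from the busiest source separates a flood from one address
    (rate-limit or block at the edge) from a distributed flood that needs upstream help."""
    alerts = []
    for start, events in sorted(windows.items()):
        rps = len(events) / window_seconds
        if rps <= baseline_rps * multiplier:
            continue
        sources = Counter(e["ip"] for e in events)
        _top_ip, top_count = sources.most_common(1)[0]
        pattern = "single-source flood" if top_count / len(events) > 0.5 else "distributed flood"
        alerts.append({
            "window_start": datetime.fromtimestamp(start, tz=timezone.utc),
            "rps": rps,
            "unique_sources": len(sources),
            "pattern": pattern,
        })
    return alerts


def analyze(lines, baseline_rps, window_seconds=10):
    """Parse, bucket and assess a sequence of log lines; returns the alert list."""
    events = [e for e in map(parse_line, lines) if e is not None]
    return assess_windows(bucket(events, window_seconds), baseline_rps, window_seconds=window_seconds)


# --- constructed sample log (not real traffic) --------------------------------
def _line(ip, when, path="/online-banking/login"):
    return f'{ip} - - [{when.strftime("%d/%b/%Y:%H:%M:%S +0000")}] "GET {path} HTTP/1.1" 200 512'


_T0 = datetime(2019, 4, 19, 9, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = []
# Window 1: normal traffic, 4 requests from 3 customers in 10 s (0.4 req/s).
for i, ip in enumerate(["203.0.113.10", "203.0.113.11", "203.0.113.10", "203.0.113.12"]):
    SAMPLE_LOG.append(_line(ip, _T0 + timedelta(seconds=2 * i)))
# Window 2 (30 s later): 60 requests from 40 distinct addresses in 10 s (6 req/s).
for i in range(60):
    SAMPLE_LOG.append(_line(f"198.51.100.{i % 40 + 1}", _T0 + timedelta(seconds=30 + i % 10)))
# Window 3 (60 s in): 40 requests from a single address in 10 s (4 req/s).
for i in range(40):
    SAMPLE_LOG.append(_line("192.0.2.77", _T0 + timedelta(seconds=60 + i % 10)))
SAMPLE_LOG.append("this line is not in Common Log Format and is skipped")

if __name__ == "__main__":
    # Assumed baseline of 0.5 req/s learned from quiet periods; alert above 5x that rate.
    for alert in analyze(SAMPLE_LOG, baseline_rps=0.5):
        print(f'{alert["window_start"]:%H:%M:%S}  {alert["rps"]:.1f} req/s  '
              f'{alert["unique_sources"]} sources  {alert["pattern"]}')
```

With the sample data the first window stays quiet and the other two are flagged, one as distributed and one as single-source. In practice the baseline is measured per site and per hour of day, and an alert feeds the Incident Response Plan rather than blocking anything on its own, since a burst of legitimate customers after a marketing e-mail looks the same to a rate counter as the early stage of an attack.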

The growing threat landscape and increased accessibility to ransomware and DDoS services encourage Information Security Programs and Incident Response Plans to constantly evolve to ensure financial institutions can effectively respond to these types of attacks. It’s important for your procedures to cover specific containment and remediation steps to quickly respond when your financial institution becomes the target of one of these attacks. We’re commonly seeing additional clarification in Incident Response Plans that moves the focus of misuse from internal threats, to a broader definition that includes the idea of denied access: “Misuse includes all unauthorized access to data, with or without data disclosure. It also includes unauthorized denial of access to data”.

01 May 2018

FFIEC Issues Joint Statement on Cyber Insurance

The statement is here, and is intended to provide additional awareness about the possible use of cyber insurance to off-set financial losses resulting from cyber incidents. Here are a few high-level observations:

  • First of all, we’ve seen several announcements from various organizations stating that “the FFIEC has released new guidance…”. The statement makes it clear in the second sentence that “This statement does not contain any new regulatory expectations.” The statement goes on to reference the existing Information Technology (IT) Examination Handbook booklets for specific regulatory expectations. Again, this statement does not change existing regulatory expectations.
  • Second, this is a joint statement from all members, so we don’t expect any of the individual regulatory bodies to issue separate guidance. This is good, as we will not have to deal with any interpretation deviations. In fact, the FDIC just issued FIL-16-2018, which just links directly to the FFIEC page.
  • Third, the statement makes the same point we’ve already learned from the Incident Response Tests we facilitate with our customers; cyber insurance coverage is all over the map right now (or as the statement points out, “Many aspects of the cyber insurance marketplace…continue to evolve”). In other words, “Buyer Beware”*.

So how does this statement change your current approach to managing cyber risk? Probably not much. The 2015 FFIEC Management Handbook already provides guidance on the general use of insurance policies as a part of your risk mitigation strategy. Regarding cyber, they state that “These policies generally exclude, or may not include, liability for all areas of IT operations and cybersecurity.” Again, that has been our experience as we’ve conducted cyber incident response testing for FI’s, and you can try this for yourself next time you test. Whatever scenario you simulate; whether it’s malware, or customer account takeover, or a third-party breach, bring cyber insurance into the discussion. If you have (or think you have) cyber coverage, check with your agent to see if it would cover the estimated costs of the incident you’re simulating. If you don’t currently have coverage, this is a good opportunity to decide if it’s justified by evaluating costs vs. coverage limitations and exclusions using a real-life scenario.

In summary, if you already have cyber insurance coverage, the statement really doesn’t change anything. Just make sure it will be there for you if and when you need it. If you don’t currently have cyber insurance, the statement makes it clear that it’s not a requirement, but you should make sure any future consideration utilizes the framework they provide for weighing the benefits and costs.

One final thought…risk management is all about reducing risk to acceptable levels, and insurance should be the last control considered. As the Management Handbook states, “Insurance complements, but does not replace, an effective system of controls.” In our opinion, it’s a last resort, and utilized only if avoidance and mitigation efforts aren’t sufficient.

*UPDATE – Warren Buffett of Berkshire Hathaway Inc. recently confirmed this, stating “I don’t think we or anybody else really knows what they’re doing when writing cyber insurance. We don’t want to be a pioneer on this… Anyone who claims to know the base case or worst case for losses is kidding themselves”.

15 Mar 2018
Going beyond the FFIEC Cybersecurity Assessment Tool (CAT)

Cybersecurity – Beyond the Assessment

The FFIEC Cybersecurity Assessment Tool has been out since 2015, and by now almost all financial institutions have completed it at least once, some as many as 3-4 times. Although most of the examiner feedback we’ve gotten indicates that simply completing it is all regulators are looking for at this time, the FFIEC made it clear that completing the assessment is only the first step. It is designed to be a means to an end, not the end itself. The goal of the assessment process is a plan consisting of specific actions the institution can, and ultimately must, take to strengthen their cybersecurity posture. Fortunately, the tool provides those specific actions, called declarative statements. Unfortunately, there are a total of 497 declarative statements spread among 5 domains:

5 Domains of the CAT

So selecting the right domain (or domains) is the first challenge, followed by somehow drilling down to the exact statements that have the greatest impact.

The 5 Cybersecurity Steps

To best approach this challenge, let’s take a step back and re-visit the guidance. The FFIEC specifies 5 steps in the cybersecurity process:

  1. Assess maturity and inherent risk
  2. Identify gaps in alignment
  3. Determine desired state of maturity
  4. Implement plans to attain and sustain maturity
  5. Reevaluate

If all you are doing is skipping from step 1 to step 5 (i.e. just reassessing each year), you are missing the point of the exercise. Step 4 (the action plan) is actually the goal, but to get there you must add a missing step to the process, we’ll call it step 1a:

  1. Assess maturity and inherent risk
    a. Interpret and analyze results
  2. Identify gaps in alignment
  3. Determine desired state of maturity
  4. Implement plans to attain and sustain maturity
  5. Reevaluate

According to the FFIEC, interpreting and analyzing assessment results means that management should review the institution’s inherent risks and the control maturity “…for each domain to understand whether they are aligned.” Here is where the initial challenge begins for most institutions, because the assessment tool does not provide any direct correlation between individual risks and specific controls, or even risks and domains. This critical process is left to the assessor (you). Certainly some controls and control groups are more effective against certain risks, but there really isn’t a one-to-one relationship between risks and controls. In fact, in a layered security approach to risk management it’s really a one-to-many relationship; one risk requires multiple controls. What we suggest is that you try to identify the common denominators between high risk areas, and then focus on the domain or domains that contain those common denominators.

For example, let’s say your risks are mostly least or minimal, with a few moderate. (This is what we generally see with community FI’s.) Further, let’s say that after you interpret and analyze the results, one of the common denominators with the higher (moderate) risk items is that they all rely on third-party relationships (again, very common with community FI’s). In this example, identifying declarative statements in Domain 4 – External Dependency Management would be most appropriate. But how do you get from the domain level all the way down to the declarative statement level? Here is the next challenge, because in order to identify specific controls you have to drill down into the domain to get to specific declarative statements.

Continuing with our example, since we’ve decided that additional controls in domain 4 would be most effective, let’s take a deeper dive. Here is how Domain 4 breaks down:

Domain 4 of the CAT

Let’s further assume that of the 2 Assessment Factors, the Relationship Management section is more relevant to us than Connections, since we have a pretty good idea of who we connect to and how we connect (a data flow diagram is the key to documenting information flow to external parties). Under that section, there are a total of 35 declarative statements distributed among three Contributing Components, which can be loosely described as pre-contract (Due Diligence), legal (Contract), and Ongoing. While all three are important, let’s say that since we already have a contractual relationship with the vendor(s), we’ve decided that ongoing monitoring should be our focus for increasing control maturity. Now we are down to only 11 declarative statements, and all we do from here is simply work our way up from Baseline (containing 3 statements) which is the minimum required level, through Evolving (4 statements), and into Intermediate (2 statements). According to the FFIEC, intermediate level controls are more than adequate to off-set moderate and even significant risk levels, so it’s unlikely you’ll have to progress beyond that.

In Summary

To summarize, in order to “implement a plan to attain and sustain maturity”, you must:

  1. Analyze the results of your assessment
  2. Find the common denominators among your increased risk areas
  3. Identify the domain or domains most effective against those common denominators
  4. Select the most relevant Assessment Factor(s) within those domains
  5. Select the most appropriate Contributing Component(s) within the Assessment Factors
  6. Identify specific Declarative Statements from among the 5 Maturity Levels, starting at Baseline and working up

The statements identified become your “plan to attain and sustain,” once they are assigned to a responsible party or group, and followed to completion. Next time you reassess, you’ll be able to check a few more statements, demonstrating your commitment to increasing your cybersecurity maturity level. And a steady increase is what you’ll need to keep pace with the increasing cyber threat environment.
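The six-step drill-down above, carried through as an added example that is not the FFIEC tool or Safe Systems’ software. The risk items, their dependency tags, the tag-to-domain mapping and the statement identifiers are constructed placeholders (the real statement text comes from the Assessment itself); the counts in the Ongoing Monitoring component follow the worked example in the text. The point the code makes that the prose cannot is the ordering: a common denominator has to appear in every elevated-risk item, not just most of them, and the resulting plan is sequenced Baseline first and stops at the target maturity level rather than being a bag of statements.

```python
"""From inherent-risk results to a sequenced list of declarative statements
(added example; constructed data and placeholder statement ids)."""
from collections import Counter

MATURITY_LEVELS = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]
RISK_LEVELS = ["Least", "Minimal", "Moderate", "Significant", "Most"]

# Constructed inherent-risk results: (item, risk level, what the item depends on).
RISK_RESULTS = [
    ("Core processing hosted by a service provider", "Moderate", {"third-party", "external-connection"}),
    ("Internet banking platform", "Moderate", {"third-party", "internet-facing"}),
    ("Mobile banking application", "Moderate", {"third-party", "internet-facing"}),
    ("Wire transfer volume", "Minimal", {"payments"}),
    ("Number of employees", "Least", set()),
]

# Constructed mapping from a common denominator to the domain whose controls address it.
TAG_TO_DOMAIN = {
    "third-party": "Domain 4 - External Dependency Management",
    "external-connection": "Domain 4 - External Dependency Management",
    "internet-facing": "Domain 3 - Cybersecurity Controls",
    "payments": "Domain 3 - Cybersecurity Controls",
}

# Constructed fragment of the hierarchy: domain -> assessment factor -> contributing
# component -> maturity level -> statement ids. The 3/4/2 counts for Baseline/Evolving/
# Intermediate follow the text; the ids are placeholders, not CAT identifiers.
STATEMENTS = {
    "Domain 4 - External Dependency Management": {
        "Relationship Management": {
            "Ongoing Monitoring": {
                "Baseline": ["ongoing-B1", "ongoing-B2", "ongoing-B3"],
                "Evolving": ["ongoing-E1", "ongoing-E2", "ongoing-E3", "ongoing-E4"],
                "Intermediate": ["ongoing-I1", "ongoing-I2"],
                "Advanced": ["ongoing-A1"],
                "Innovative": ["ongoing-N1"],
            }
        }
    }
}


def common_denominators(results, at_least="Moderate"):
    """Steps 1-2: dependency tags shared by every item at or above the given risk level."""
    floor = RISK_LEVELS.index(at_least)
    elevated = [tags for _item, level, tags in results if RISK_LEVELS.index(level) >= floor]
    counts = Counter(tag for tags in elevated for tag in tags)
    return {tag: n for tag, n in counts.items() if n == len(elevated)}


def target_domains(denominators, tag_to_domain=TAG_TO_DOMAIN):
    """Step 3: the domain(s) containing controls for the common denominators."""
    return sorted({tag_to_domain[tag] for tag in denominators})


def plan(domain, factor, component, already_met, target="Intermediate", statements=STATEMENTS):
    """Steps 4-6: unmet statements in the chosen component, ordered Baseline first and
    stopping at the target level (Intermediate by default, per the guidance quoted above)."""
    levels = statements[domain][factor][component]
    stop = MATURITY_LEVELS.index(target)
    ordered = []
    for level in MATURITY_LEVELS[: stop + 1]:
        ordered.extend((level, sid) for sid in levels.get(level, []) if sid not in already_met)
    return ordered


if __name__ == "__main__":
    denominators = common_denominators(RISK_RESULTS)
    domains = target_domains(denominators)
    print("common denominators:", denominators)
    print("focus on:", domains)
    # Assume two of the three Baseline statements are already documented as met.
    todo = plan(domains[0], "Relationship Management", "Ongoing Monitoring",
                already_met={"ongoing-B1", "ongoing-B2"})
    for level, sid in todo:
        print(f"{level:13} {sid}")
```

Each (level, id) pair in the returned plan is what gets assigned to a responsible party and tracked to completion; on the next reassessment the ids that were closed move into `already_met`, and the same call produces the next increment.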

13 Jun 2017
Banker looking over the CAT

FFIEC Cybersecurity Assessment Tool Update

The FFIEC recently released a long-awaited update to the Cybersecurity Assessment Tool, and we think overall it is a relatively minor but useful evolution. But before we get into the details of what the update does address, it’s important to note that it did not address the ambiguity issues that plague the current assessment. One example…in the Inherent Risk section, there are a plethora of semicolons. Are they supposed to be interpreted as “or” or “and”? Take the question about personal devices being allowed to connect to the corporate network (4th question in the Technologies and Connection Types category).

The minimal risk level states the following:

“Only one device type available; available to <5% of employees (staff, executives, managers); e-mail access only.”

If the semicolons are interpreted as “or,” the statement reads like this:

“Only one device type available OR available to <5% of employees (staff, executives, managers) OR e-mail access only”.

This is considerably different than:

“Only one device type available AND available to <5% of employees (staff, executives, managers) AND e-mail access only”.

Unfortunately, the update did not offer any clarification on this, and as a result we are left to guess what the regulator’s intentions are. Our approach has been to risk-rank each question segment individually. So in the example above, what is the greater risk? The number of device types, the number of employees using them, or what they are allowed to access? We rank the risk of what employees are allowed to access highest, followed by the number of employees accessing, followed by the device types. And this is just one example; 18 of the 39 inherent risk questions require this type of interpretive challenge, and correct interpretation is absolutely critical, because your gap analysis and subsequent cyber action plan depend on an accurate inherent risk assessment.

Appendix A

However, the FFIEC CAT update does impact 2 areas; the first is a more detailed cross-reference in Appendix A mapping the baseline statements to the 2 recently released IT Handbooks (Management and Information Security), and the second will give most FI’s more flexibility when evaluating declarative statements.

First, the changes to Appendix A. Compare the original Risk Management/Audit section…

Risk Management/Risk Assessment: The risk assessment is updated to address new technologies, products, services, and connections before deployment.

Source: IS.B.13: Risk assessments should be updated as new information affecting information security risks is identified (e.g., a new threat, vulnerability, adverse test result, hardware change, software change, or configuration change). IS.WP.I.3.3: Determine the adequacy of the risk assessment process.
* Information Security, E-Banking, Management, Wholesale Payments

…with the updated section:

Risk Management/Risk Assessment: The risk assessment is updated to address new technologies, products, services, and connections before deployment.

Source: IS.II.A: pg7: External events affecting IT and the institution’s ability to meet its operating objectives include natural disasters, cyber attacks, changes in market conditions, new competitors, new technologies, litigation, and new laws or regulations. These events pose risks and opportunities, and the institution should factor them into the risk identification process.

IS.II.C:pg11: Additionally, management should develop, maintain, and update a repository of cybersecurity threat and vulnerability information that may be used in conducting risk assessments and provide updates to senior management and the board on cyber risk trends.

IS.WP.8.3.d: Determine whether management has effective threat identification and assessment processes, including the following: Using threat knowledge to drive risk assessment and response.

This more detailed and expanded set of cross-references will be useful for both institutions and consultants as they navigate their way through this interpretive minefield.

However, this could be the most significant change:

“The updated Assessment will also provide additional response options, allowing financial institution management to include supplementary or complementary behaviors, practices and processes that represent current practices of the institution in supporting its cybersecurity activity assessment.” (Emphasis added)

It took us a while to find how this one was implemented because we were looking for a whole new section, but all the FFIEC has done is add a third option to your response to the declarative statements in the Control Maturity section. Prior to this update, you could only answer either “Y” or “N”. Now there is a third option; “Y(C)”, or Yes with Compensating Controls:

CAT Yes/No Controls

The FFIEC defines a Compensating Control as:

“A management, operational, and/or technical control (e.g., safeguard or countermeasure) employed by an organization in lieu of a recommended security control in the low, moderate, or high baselines that provides equivalent or comparable protection for an information system.”

Essentially what this means is now institutions will be able to document adherence to a declarative statement using either direct off-set (primary) controls, or alternative compensating controls, IF they are able to properly identify them. Because these controls are “in lieu of” recommended controls, they are necessarily more difficult to identify and document, much more so than a primary control.

That said, having a way for institutions to document their adherence to a particular declarative statement using either direct or compensating controls is a significant improvement, and should ultimately result in more declarative statements being marked as achieved. Be careful though, although we haven’t seen any IT exams since the update, a “Y(C)” response may very well prompt additional regulatory scrutiny precisely because it requires more documentation.

Safe Systems has assisted almost 100 customers through the CAT so far, helping to document their responses, producing stakeholder reports, and crafting action plans. Let us know if we can help you.