Compliance Guru • FFIEC Guidance

Are Banks and Credit Unions Required to Address Your COVID-19 Readiness with Your Customers?

By The Safe Systems Compliance Team | In Ask the Guru

Are You Required to Address Your COVID-19 Readiness with Your Customers?

Hey Guru! Are we required to post any kind of statement to the public or our customers as to our readiness for the COVID-19? If so, can you direct me to the kinds of things we need to say? We are working on an ad to educate our customers on how to use our online […]

By The Safe Systems Compliance Team | In Hot Topics

FFIEC Issues Statement on Pandemic Planning

Background Similar to the Joint Statement on Destructive Malware issued in January in response to heightened geopolitical cyber risks from foreign actors, the FFIEC just released an Interagency Statement on Pandemic Planning in response to the current COVID-19 epidemic. Similar to the Destructive Malware statement, this statement does not impose any additional regulatory expectations on […]

By The Safe Systems Compliance Team | In Hot Topics

FFIEC Rewrites Business Continuity Guidance

The all new IT Examination Handbook is more than an update, it’s a complete re-write, and represents a significant change in how the business continuity process is managed. It also has several new expectations regulators will be looking for from financial institutions1. In fact, that is one of the most interesting changes; the term “institution” […]

By The Safe Systems Compliance Team | In Ask the Guru

Using Risk Scoring to Determine the Frequency of IT Audits

Hey Guru! In my last IT examination, one of the findings was that the scope and cycle of our IT audits should be more closely tied to risk. We have IT audits every 12 months, what else should we be doing? By conducting Information Technology audits every 12 months, you’ve effectively (and correctly) determined that […]

By The Safe Systems Compliance Team | In Hot Topics

FFIEC Issues Press Release on Cybersecurity Preparedness Assessments (and Muddies the Waters)

A Standardized Approach On August 28th, the FFIEC issued a press release entitled “FFIEC Encourages Standardized Approach to Assessing Cybersecurity Preparedness”. The release “…emphasized the benefits of using a standardized approach to assess and improve cybersecurity preparedness.” On the surface the this seems very logical and straightforward, but in fact this may have provided more […]

By The Safe Systems Compliance Team | In Ask the Guru

Pandemic Testing and the BCP

Hey Guru! We finished a FDIC exam earlier this year, and in the IT portion they hit us on our pandemic plan saying it “needed improvement.” Here is the actual finding: Management should improve the pandemic plan within the Business Continuity Plan. The pandemic plan has no defined action plan, nor has it been tested. […]

By The Safe Systems Compliance Team | In Ask the Guru

Ask the Guru: Is it Legal to Share Exam Findings?

Hey Guru! We contracted with Safe Systems to help remediate exam findings, but we were told by the examiner that we are not allowed to share examination findings “under penalty of law”. How do we share this critical information with you without getting into legal trouble? Thanks for the question, here is where this issue […]

By The Safe Systems Compliance Team | In Ask the Guru

Ask the Guru: Addressing BCP and Incident Response in Vendor Contracts

Hey Guru! I’m looking at an FIL that came out recently (FIL-19-2019), and trying to figure out how to react to it. In your opinion, how do we “ensure that business continuity and incident response risks are adequately addressed” in our contracts? We do get copies of their BCP/IRP plans and their insurance, and we […]

By The Safe Systems Compliance Team | In Hot Topics

Misuse, Denied Access, and Incident Response

It may be a good time to review your Incident Response Plan and determine if additional clarification regarding the term “misuse” should be added to incorporate denial of access to information. The FFIEC Information Technology Examination Handbook for Information Security was published in September 2016 and refers to misuse as “attacks from within the organizations”. […]

By The Safe Systems Compliance Team | In From the Field

Asset Lifecycle Management

Since both Windows 7 and Server 2008 R2 will reach end-of-life support in January of 2020, many organizations have already made the jump to Windows 10 and Windows Server 2012, 2016, 2019, or Azure. If you have full control over the asset lifecycle management process for your financial institution you may have already completed this […]

By Holly Hooks | In Ask the Guru

Ask the Guru: Do We Need to Perform a review on a New Vendor in a Foreign Country?

Hey Guru! Our institution works with a third-party that has recently engaged with a company in a foreign county to begin assisting them in taking care of our institution’s IT matters. Do we need to perform a review on this new foreign third-party? When evaluating this situation, the first step is to understand the parties […]