The FFIEC Cybersecurity Assessment Tool has been out since 2015, and by now almost all financial institutions have completed it at least once, some as many as 3-4 times. Although most of the examiner feedback we’ve gotten indicates that simply completing is all regulators are looking for at this time, the FFIEC made it clear […]
The FFIEC recently released a long-awaited update to the Cybersecurity Assessment Tool, and we think overall it is a relatively minor but useful evolution. But before we get into the details of what the update does address, it’s important to note that it did not address the ambiguity issues that plague the current assessment. One […]
Hey Guru! We just completed the Cybersecurity Assessment, so now we have our current risk and control maturity levels identified. Can we draw any conclusions about our average risk and control levels? For example, most of our risks are in the Least and Minimal areas, but we do have a few Moderate as well. Can we […]
Hey Guru! Management is asking why we have to complete the FFIEC Cybersecurity Assessment Tool when it is voluntary. They feel it is too much work if it is not mandatory. I think it is still needed even though it is voluntary. Is there any documentation as to why it is still necessary for OCC […]
In the first update in over 10 years, the FFIEC just completely rewrote the definitive guidance on their expectations for managing information systems in financial institutions. This was widely expected, as the IT world has changed considerably since 2006. There is much to unpack in this new handbook, starting with what appears to be a […]
Starting immediately, all FDIC-examined institutions will be subjected to new IT examination procedures, the first major overhaul since December 2007. The new format is dubbed the InTREx program (Information Technology Risk Examination), and is designed to be a bit simpler in the pre-examination phase. In fact, the InTREx has only 26 questions vs. 59 for the 12/07 […]
Hey Chuck, A bank I used to work for had a bad scare recently – they got hit with ransomware!! Best they can tell, an email attachment was the culprit. That bank is very similar to my current bank, and I thought they had a solid Information Security program while I was there. As the […]
“A topic is at times of such significant interest to bankers and examiners that it warrants a special issue…” Whenever something from a regulatory body begins this way all bankers should take notice, and the latest Special Corporate Governance Edition from the FDIC is no exception. In fact the Guru did a little research and the last time the FDIC released […]
The FDIC released FIL-17-2016 today, which will increase the examination cycle for community banks meeting certain criteria from 12 months to 18 months, thereby potentially decreasing one of the most intrusive events in the bankers life. The criteria is as follows: Must be less than $1 B in assets Must have a CAMELS composite rating […]
This latest update to the IT Examination Handbook series comes 11 years after the original version. And although IT has changed significantly in the past 11 years, the requirement that financial institutions properly manage the risks of IT has not changed. This new Handbook contains many changes that will introduce new requirements and new expectations […]
