Similar to my previous post on Risk Assessments, I believe Uncertainty is also a 2-part trend:
– Uncertainty about future regulatory changes, and
– Uncertainty about the interpretation of existing regulations
Information security, business continuity, vendor management, ID theft, RDC, Internet banking…it seems that every time you do anything these days you’re expected to perform a risk assessment. This is nothing new; risk assessments have been around since risk management began, but I think we’re going to see even more focus on them in the future. Furthermore, I believe this is actually a two-part trend. Not only will the volume of assessments increase, but the scope will expand to include additional risks as well. So perhaps this trend should be called:
First of all, as I’ve said before, the blame for the largest recent failures in the financial industry has been placed largely on management’s inability to properly assess and manage risk. Additionally, the vast majority of FDIC Consent Orders require increased Board and senior management involvement. The intent is to place the accountability firmly at the top, because management is expected to make decisions based on an accurate understanding of the risks involved. And that always requires a risk assessment.
Secondly, there has been a clearly discernible shift towards including enterprise-wide risks in all risk assessments. This started with the FDIC Winter 2009 Supervisory Insights newsletter, which basically redefined the customer information risk assessment to include “assessment of risks across all business lines, including, but not limited to, risks to information security“. We also saw this trend exhibited in the disaster recovery process, where the term “enterprise-wide” is mentioned 39 times in the latest FFIEC guidance. Finally, we’ve seen this enterprise-wide focus validated in recent regulatory examinations. Regulators are now asking about things like strategic risk, reputation risk and operational risk, and expecting that these risks are assessed alongside the more traditional categories like privacy and security.
In order to fully understand and prepare for this trend, it’s important to understand 2 things:
So, lacking a universal template for risk assessments, how do you proceed? You start by understanding that risk assessments are actually step 2 in the risk management process. The essential elements of an effective risk management program are:
Exactly how the risk management process is documented is not specifically prescribed by the regulators; it is up to the institution to adopt a process that works best for them. I do suggest you try to adopt a consistent format that can be easily duplicated for all occasions requiring a risk assessment, and is also flexible enough to accommodate change. I’ve found that a spreadsheet-type risk ranking matrix works best, with assets on the vertical axis and threats and controls on the horizontal axis, but other approaches work fine too. Regardless of how it’s done, the process should include all 5 of the required elements, and include enterprise-wide risks. From the FDIC:
“Risk assessment findings should be tied to business risks more broadly. These efforts will help ensure that senior management, the Board of Directors, and the institution’s regulators gain sufficient insight into the institution’s true risk posture and help reduce the potential for an unforeseen, escalated risk profile.”
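To make the spreadsheet-type matrix concrete, here is an added example in Python (constructed sample data and assumed 1-to-5 scoring scales; this is not the post’s own worksheet, and asset, threat and control names are illustrative): assets are the rows, threats the columns, the controls sit in the cells, and residual risk is computed and ranked against an assumed Board-approved risk appetite. It deliberately spans the enterprise-wide categories examiners now ask about (operational, reputation) alongside security and privacy, and it gives no credit to a control that has never been tested, which is the first thing an examiner will check.

```python
"""Risk-ranking matrix in code: assets down the rows, threats across the
columns, controls in the cells. Added example with constructed data and
assumed scoring scales; not the post author's spreadsheet."""
from dataclasses import dataclass

# Assumed ordinal scales. Any 1..5 scale works as long as it is used consistently.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass(frozen=True)
class Threat:
    name: str
    category: str      # security, privacy, operational, strategic, reputation, ...
    likelihood: str    # key of LIKELIHOOD
    impact: str        # key of IMPACT


@dataclass(frozen=True)
class Control:
    name: str
    effectiveness: float   # assumed: fraction of inherent risk the control removes, 0.0..1.0
    tested: bool           # a control that has never been tested gets no credit


def inherent_risk(threat: Threat) -> int:
    """Likelihood x impact before any control is considered (1..25)."""
    return LIKELIHOOD[threat.likelihood] * IMPACT[threat.impact]


def residual_risk(threat: Threat, controls: list) -> float:
    """Inherent risk after the *tested* controls. Controls combine
    multiplicatively, so two 50% controls leave 25% of the risk, not 0%."""
    remaining = 1.0
    for control in controls:
        if control.tested:
            remaining *= 1.0 - control.effectiveness
    return round(inherent_risk(threat) * remaining, 2)


def build_matrix(matrix: dict, threats: dict, appetite: float) -> list:
    """matrix: asset -> {threat name -> [Control, ...]}.
    Returns one row per asset/threat cell, highest residual risk first,
    flagged when the residual exceeds the approved appetite."""
    rows = []
    for asset, cells in matrix.items():
        for threat_name, controls in cells.items():
            threat = threats[threat_name]
            residual = residual_risk(threat, controls)
            rows.append({
                "asset": asset,
                "threat": threat_name,
                "category": threat.category,
                "inherent": inherent_risk(threat),
                "controls": [c.name for c in controls],
                "untested": [c.name for c in controls if not c.tested],
                "residual": residual,
                "exceeds_appetite": residual > appetite,
            })
    return sorted(rows, key=lambda r: (-r["residual"], r["asset"], r["threat"]))


# ---- constructed sample data (illustrative names, assumed scores) ----
THREATS = {t.name: t for t in [
    Threat("employee phishing", "security", "likely", "major"),
    Threat("core processor outage", "operational", "possible", "severe"),
    Threat("loss of customer NPI", "privacy", "possible", "severe"),
    Threat("adverse publicity from a product failure", "reputation", "unlikely", "major"),
]}

TRAINING = Control("security awareness training", 0.5, tested=True)
MAIL_FILTER = Control("inbound email filtering", 0.6, tested=True)
DR_PLAN = Control("disaster recovery plan", 0.7, tested=False)  # never exercised: no credit
ENCRYPTION = Control("encryption of data at rest", 0.8, tested=True)

MATRIX = {
    "Internet banking platform": {
        "employee phishing": [TRAINING, MAIL_FILTER],
        "core processor outage": [DR_PLAN],
        "loss of customer NPI": [ENCRYPTION],
    },
    "Customer database": {
        "loss of customer NPI": [ENCRYPTION],
        "adverse publicity from a product failure": [],
    },
}

RISK_APPETITE = 6.0   # assumed Board-approved threshold on the 1..25 scale


def report(rows: list) -> str:
    """Spreadsheet-like view suitable for attaching to committee minutes."""
    lines = [f"{'asset':26} {'threat':42} {'category':12} {'inh':>4} {'res':>6}  flag"]
    for r in rows:
        flag = "OVER APPETITE" if r["exceeds_appetite"] else ""
        if r["untested"]:
            flag += " (untested: " + ", ".join(r["untested"]) + ")"
        lines.append(f"{r['asset']:26} {r['threat']:42} {r['category']:12} "
                     f"{r['inherent']:>4} {r['residual']:>6}  {flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(build_matrix(MATRIX, THREATS, RISK_APPETITE)))
```

Two design points carry over to a real worksheet: the untested disaster recovery plan leaves the outage risk at its full inherent value, which is exactly the “residual risk you are comfortable with” conversation the examiner wants to have, and the same row/column layout works unchanged for ranking vendors (asset = the service, threats = what the vendor could get wrong, controls = what the contract and the third-party report actually evidence).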
I’ve written about the importance of this before, and from many different angles, but I want to recap and explain why I think management (both IT and enterprise) will be an area of increased regulatory focus in the year ahead. To recap my criteria for inclusion in the “2012 Trends” list, it must have a basis in:
Management, or governance as it is sometimes referred to, is defined by the FFIEC in the IT Examination Management Handbook as:
“…an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization’s IT sustains and extends the organization’s strategies and objectives.”
And…
“Due to the reliance on technology, effective IT management practices play an integral role in achieving many goals related to corporate governance.”
So regulators have always considered IT management critical, and most institutions address that obligation by assigning responsibility for day-to-day management of IT to a committee, such as a technology or IT Committee. In recent examinations we have seen regulators ask specifically to see committee minutes, looking for things such as discussion of vendors before they are approved, and discussion of new technology before it is implemented. They want to know that the institution considered the strategic value of the vendor and the new technology prior to approval. Was the decision to approve consistent with (in alignment with) the overall goals and objectives of the strategic plan? Can you document that?
Effective management of IT has significance way beyond just IT and strategic alignment though, after all…
“…IT management is an essential component of effective corporate governance and operational risk management.”
An institution that fails to demonstrate that it can adequately manage technology (and do so at all levels of management, from the Board of Directors down) may have fundamental management issues enterprise-wide. I further explained this here, and examiners agree. Consider this…the two most often repeated statements in FDIC enforcement orders this year are for the institution to “have and retain qualified management”, and for the Board of Directors to “increase its participation in the affairs of the Bank”.
For all these reasons I believe the CAMELS “M” will be in the minds of examiners. So how can you prepare? In a word, reporting. Take a look at the following illustration:
Once the overall strategy has been communicated top-down (left side), reporting (right side) will document that the strategy has been successfully incorporated into the policies and procedures of the organization, and (most importantly) that day-to-day practices abide by those policies and procedures. Implementing an internal self-assessment program can be a very effective way of both communicating strategy and documenting compliance. Use automated controls and monitoring (like this for example), and employ outside expertise whenever possible.
In my first post in this series I discussed training (employee and customer) as a good candidate for increased regulatory scrutiny in 2012. Although these posts are in no particular order, I had initially intended to list “Management” as the next trend. However a comment made to me by a banker at a recent conference leads me to believe that vendor management has already started to emerge as an area of increased regulator focus, so I am making this trend #2.
I’ve already posted numerous times on the importance of vendor management…most recently when risk assessing on-line backup vendors, and how the phase-out of the SAS 70 will affect vendor management (here and here), and I even selected it as a potential trend for 2011. And all the existing reasons still apply, but a couple of fairly recent developments are pushing this issue up the priority list:
All these really go together. Think about this…is there a critical product or service you offer that doesn’t involve a third-party relationship? I’ve asked that question at a number of meetings and conferences this year and have yet to have anyone come up with an example. And to further underscore the point, how many of your vendors have vendors of their own?
So more reliance on outsourcing means that examiners are hearing the phrase “they handle that” more often when they ask about data security. But as we all know…
Management is responsible for ensuring the protection of institution and customer data, even when that data is transmitted, processed, stored, or disposed of by a service provider.1
In the past, saying “they handle that” to an auditor or examiner was usually followed up with “OK, let’s see the SAS 70 and financials on that vendor”. You would produce the reports, and that was pretty much the end of that conversation, and indeed often the extent of your vendor management responsibility. I believe this will change, and I’ve already gotten some validation on that.
Going forward, expect examiners to ask to see your entire vendor management program, not just the third-party reviews and financials, and not just on select vendors. Any vendor that could have access (even incidental access) to non-public information (yours or your customers’) must be risk-ranked by your vendor management program. And the process of evaluating vendors starts well before they become a vendor, when you are still in the pre-implementation stage.
Here are some of the essential, and yet often missing, elements of a vendor management program:
Additionally, the new electronic banking guidance will force financial institutions to take a closer look at their Internet banking providers in order to conduct the required (starting in January) risk assessments. When the examiner asks for your electronic banking risk assessment, and wants to know what layered controls have been implemented, you cannot say “our provider handles that”. The whole point of a risk assessment is to ensure that you know, and are comfortable with, the residual risk.
And finally, the SAS 70’s direct successor is the SSAE 16 SOC 1, which like the SAS 70 covers controls relevant to financial reporting; the third-party report that answers the security question for most service providers will be the SOC 2, and unlike the SAS 70 the SOC 2 is designed to be a deep dive into the control environment of the service provider (security, availability, processing integrity, confidentiality and privacy). Also unlike the SAS 70, financial institutions will have to actually review the SOC 2 document to assure themselves that there are no exclusions or other qualifications in the report, and to review the results of control testing (for a Type II). Pay particular attention to how sub-service organizations (providers to your provider) are treated: under the inclusive method their controls are covered by the report, but under the more common carve-out method they are excluded, and you will have to obtain and review their reports separately before you can have any confidence in their control environment.
So for all these reasons, expect vendor management to be an increased regulatory priority in 2012.
This post will begin a series of 5 topics that I consider to be good candidates for increased regulatory scrutiny in the coming year. For each topic, I will make the case for increased scrutiny based on 3 criteria:
In keeping with my policy of trying to provide clear actionable solutions to each challenge, I will also provide suggestions to keep you ahead of the trend.
The first topic is actually making its debut appearance this year, and although training has always been important for financial institutions, it only recently crept into the top 5. And this is really a two-part trend:
First, the case for employee training. I have always placed the importance of this in the top 10, but a recent event and examination experience have moved this into my top 5. The recent event is the RSA breach, which I first wrote about here right after the news broke in March, and again here a couple of months ago. It began with a targeted (spear-phishing) email whose malicious spreadsheet attachment was opened by a single employee, after which the attackers worked inside the network over an extended period. At its core this was a rather standard social engineering attack that exploited the trust of one person. The FFIEC defines social engineering this way:
Social engineering involves an attacker obtaining authenticators by simply asking for them. For instance, the attacker may masquerade as a legitimate user who needs a password reset or as a contractor who must have immediate access to correct a system performance problem. By using persuasion, being aggressive, or using other interpersonal skills, the attackers encourage a legitimate user or other authorized person to give them authentication credentials. Controls against these attacks involve strong identification policies and employee training.
Additionally we continue to see employee security policy and awareness training questions in every pre-examination questionnaire, regardless of whether the examiners are Federal or State. With the increased use of social media by financial institutions, and the understanding that the employee is still the weak link in the security chain*, I predict increased need for, and emphasis on, employee training.
Customer training has always been a best practice, but it’s now a requirement. Also referred to as customer awareness and education, the case for customer training as a trend is two-fold. The first is the recent updated FFIEC guidance on Internet authentication. Customer training is listed as one of the effective controls that may be included in a layered security program for both retail and commercial account holders with Internet access capability (in other words, almost all account holders), and compliance starts in January. According to the FFIEC, customer training should contain, at a minimum:
The second reason for the importance of customer training is the realization by the fraudsters that customers are an easy target. As one recent example of this trend, Trusteer just issued a warning that fraudsters are actually setting up call centers to facilitate ID theft by targeting merchants. This goes way beyond simply installing malware and grabbing login credentials; it attacks the most secure elements in the transaction chain: controls such as one-time passwords, IP blocks (black lists) and positive pay (white lists). Although the actual details of the attack are fascinating…and frightening…at its core this is really nothing more than an extremely sophisticated social engineering attack, and as such the standard social engineering controls apply.
In summary, re-examine your employee AND customer training and awareness programs, and plan on increasing your training in both areas in 2012. Make sure your customer training contains at least the minimum elements, and that you periodically repeat the training. Finally, conduct testing on both groups to validate comprehension where you can (easier for employees than customers), and document everything!
*Additional reading:
http://www.csoonline.com/article/print/691910