Tag: 2022

16 Jun 2022
E-Banking Booklet

FFIEC Cancels E-Banking Handbook

On May 13, 2022, the FFIEC very quietly rescinded the FFIEC Information Technology Examination Handbook (IT Handbook) booklet entitled E-Banking.  The original booklet was released in 2003 and was accompanied by a flurry of activity by financial institutions to come up with a separate E-banking policy and risk assessment.  In effect, the FFIEC is now declaring (admitting?) that these are no longer necessary because all the basic risk management principles that apply to E-Banking are already addressed in other Handbooks.  Operational risk is addressed in the Business Continuity Management Handbook, information security risk is addressed in the Information Security Handbook, cyber risk is assessed in the Cybersecurity Assessment Tool, and third-party risk is addressed here, here, and here

We agree with this approach, and have long held that separately addressing each new emerging or evolving technology was cumbersome, duplicative, and unnecessary.  In our opinion, shifting the focus of the handbooks to basic risk management principles and best practices that can apply to all business processes makes more sense and is long overdue. Could the Wholesale and Retail Payment Systems handbooks be phased out next?  How about the Cybersecurity Assessment Tool?  Since cybersecurity is simply a subset of information security more broadly, could we see a phase-out of a separate cyber assessment?  Or even better, could we see the Information Security Handbook include a standardized risks and controls questionnaire that includes cyber?

Admittedly this is only one less policy and one less risk assessment, but we’ll be watching this trend with great interest. Anything that can help ease the burden on overworked compliance folks is a welcome change!

01 Jun 2022
Reading Guidance

Have There Been Any Official Board Reporting Updates to the FFIEC InfoSec Handbook since 2016?

Hey Guru!

Do you have any additional blogs about FDIC changing the annual IT report to the board? I saw the article from 2012 and was wondering if there are any updates to that. Has the FFIEC updated its Information Security IT Handbook after 2016 in regard to this subject?
Thank you,
Lynn


Hi Lynn, and thanks for the question! We haven’t seen any official board reporting updates from regulators since the 2016 revision to the FFIEC InfoSec Handbook, most of what we’ve heard on this topic lately is anecdotal (e.g., feedback from recent IT audits and examinations). The popular consensus is that the volume of information expected to be communicated to the board has greatly increased. We believe it’s because of the relatively recent requirement for the board to provide a “credible challenge” to management, which requires more information on all aspects of information security. Combine that with the hyper-focus on cybersecurity, and “the buck stops with the board” mentality, and it’s almost impossible to imagine over-informing the board.

A bit of background on board reporting… the Examination Procedures section (Appendix A) of the 2016 FFIEC Information Security IT Handbook instructs examiners to:

Determine whether the board approves a written information security program and receives a report on the effectiveness of the information security program at least annually. Determine whether the report to the board describes the overall status of the information security program and discusses material matters related to the program such as the following:

  1. Risk assessment process, including threat identification and assessment.
  2. Risk management and control decisions.
  3. Service provider arrangements.
  4. Results of security operations activities and summaries of assurance reports.
  5. Security breaches or violations and management’s responses.
  6. Recommendations for changes or updates to the information security program

We feel that this is a decent framework assuming sufficient detail is added to each item, and the reporting is presented to the board in a manner in which they are most likely to understand it. Because each one is unique, that often means dialing the level of detail up or down depending on the specific comprehension level of your board.

We also recommend folks add a “Strategic IT Planning” section to the report, with updates on all significant IT initiatives, including how each of those initiatives aligns with enterprise-wide strategic goals and objectives.

You may also want to check out Appendix A, Objective 2 of the Management Handbook. Again, nothing new, but it does help define the broad scope of Board oversight from the examiner’s perspective. Remember, for every item listed in #2 of Objective 2, there must be one or more associated reports supporting the activity, and both the activity and the supporting documentation should be part of the board minutes:

Review the minutes of the board of directors and relevant committee meetings for evidence of board support and supervision of IT activities.

Wherever there is a lack of prescriptive guidance or there is room for interpretation in the guidance, risk managers must choose the path of least risk. For us, although the official guidance hasn’t changed recently, it’s much less risky to over-report information security activities to the Board than it is to under report. To date, we’ve never had an examiner criticize one of our customers for over-reporting!