Tag: FFIEC

05 Aug 2020

Reading Between the Lines: The Interagency Examiner Guidance for Assessing Safety and Soundness During COVID-19

On June 23, 2020, the FDIC posted “The Interagency Examiner Guidance for Assessing Safety and Soundness Considering the Effect of the COVID-19 Pandemic on Institutions” (FIL-64-2020).

This statement is only one of several interagency statements issued since the start of the Covid-19 Pandemic outlining the supervisory principles examiners will use to guide their safety and soundness examinations in the context of this event. Simply put, this statement makes it clear that regulators expect financial institutions to take prudent actions and make reasonable accommodations to address the impact of the event on their customers (and by extension, on themselves).

The focus of this post is on what may be less clear, because ambiguity opens the door to interpretation, and differences of opinion between management and regulators are where the most contentious examination findings occur. We’re going to look at a few passages that caught my eye, and discuss how to interpret them and what specific action to take. We’ll focus on the Management section starting on page 9. The first few sentences state that:

Examiners should evaluate the extent to which management factors the results of these efforts into its longer-term business strategy. Strategies could evolve throughout the local and national recovery. Institutions may be compelled to reconsider branching, mergers, or other expansions.

Interpretation and actions to be taken

This one is pretty straightforward. When the dust settles from this event, examiners will be asking to see the specific changes you’ve made to your strategic planning based on the lessons learned. Not whether you’ve made adjustments to strategy, but what you’ve done to respond. Even if no material changes are forthcoming, make sure the Board and senior management meeting minutes reflect your thinking.

The next area we’ll try to read between is right after the previous one:

When rating an institution’s management, examiners will distinguish between problems caused by the institution’s management and those caused by external factors beyond management’s control.

Interpretation and actions to be taken

This relatively short sentence is much trickier to decode because it depends on the definition of “…external factors beyond management’s control.” Does “beyond control” mean beyond the capacity of management to anticipate? Virtually all natural disasters (and most man-made disasters and cyber events) are beyond management’s control, but that doesn’t mean the event should not be foreseen and assessed for probability and impact. In fact, the most recent FFIEC BCM Booklet makes no reference to risks beyond management’s control, instead using the term “reasonably foreseeable events” (including low probability, high impact events, like Pandemic) to describe the scope of events expected to be foreseen and risk-assessed by management. How should we reconcile the two concepts, “external factors beyond management’s control” and “reasonably foreseeable/anticipated risks”? Again, most threats facing financial institutions today are both beyond management’s control and reasonably foreseeable. Understanding how to approach this issue is more than an academic exercise; the Management component of your CAMELS rating may be affected by it.

Continuing in the same section:

“…management of an institution with problems largely related to the pandemic may warrant a more favorable rating than management of an institution operating with problems stemming from weak risk management practices that are, or should have been, substantially within the institution’s control.”

Interpretation and actions to be taken

To me this was the most difficult to interpret. Hypothetically, let’s say you’ve encountered credit quality issues largely related to the effects of the Covid-19 Pandemic. No downgrade, because it’s outside your control and not a sign of weak management practices. Just retroactively adjust your loan loss reserves and move on. Now, substitute “pandemic” with “major storm”. Let’s say you’ve experienced significant operational problems largely related to the storm. Also outside your control, but regulators will probably take the position that operational issues arising from a natural disaster should have been reasonably foreseen, and your failure to anticipate them is a sign of weak management practices. In this case your Management component will likely take a hit. Both Pandemic and severe weather are very likely addressed in your BCM plan, but the impact of one may be forgivable, while the other is attributed to weak management?

What we think the regulators are saying here is that it’s not the specific event, or the problems arising from that event, or even whether or not management foresaw the problems in advance, that regulators really care about. It’s management’s response to the event, whether or not it was within their control, whether or not it was foreseen. That is the core of the issue: how management improvises, adapts, and overcomes.

This brings us back to the beginning and the first “actions to be taken”. This event has been an unprecedented event in both scale and scope, and we believe when the dust settles, examiners will be asking to see your specific adaptations to procedures and processes to ensure continued delivery of financial services. This will include your ability to assess and implement additional controls (including cyber) to “…manage heightened risks related to the adjusted operating environment.”

One last sentence to decipher, and this one may be the easiest to understand:

“…examiners will consider the impacts on the control environment from instances of imprudent cost cutting, insufficient staffing, or delays in implementing needed updates in their assessment of the institution.”

Interpretation and actions to be taken

Self-explanatory. Examiners will take a dim view of cost-cutting even if you can use the Pandemic to rationalize it. Don’t sacrifice your control environment on the altar of saving money. Additionally, this is not the time to cancel or delay projects; stay on track with your initiatives, but make any necessary strategic adjustments resulting from the lessons learned, including new technology and staffing considerations.

In summary, we believe that when all the direct and indirect impact from this event is calculated, it will prove to be no less significant than a major natural disaster or even a recession. The regulators are giving every indication that they think so too, and plan to treat it that way.

15 Mar 2018

Cybersecurity – Beyond the Assessment

The FFIEC Cybersecurity Assessment Tool has been out since 2015, and by now almost all financial institutions have completed it at least once, some as many as 3-4 times. Although most of the examiner feedback we’ve gotten indicates that simply completing it is all regulators are looking for at this time, the FFIEC made it clear that completing the assessment is only the first step. It is designed to be a means to an end, not the end itself. The goal of the assessment process is a plan consisting of specific actions the institution can, and ultimately must, take to strengthen its cybersecurity posture. Fortunately, the tool provides those specific actions, called declarative statements. Unfortunately, there are a total of 497 declarative statements spread among 5 domains:

[Figure: 5 Domains of the CAT]

So selecting the right domain (or domains) is the first challenge, followed by somehow drilling down to the exact statements that have the greatest impact.

The 5 Cybersecurity Steps

To best approach this challenge, let’s take a step back and re-visit the guidance. The FFIEC specifies 5 steps in the cybersecurity process:

  1. Assess maturity and inherent risk
  2. Identify gaps in alignment
  3. Determine desired state of maturity
  4. Implement plans to attain and sustain maturity
  5. Reevaluate

If all you are doing is skipping from step 1 to step 5 (i.e. just reassessing each year), you are missing the point of the exercise. Step 4 (the action plan) is actually the goal, but to get there you must add a missing step to the process; we’ll call it step 1a:

  1. Assess maturity and inherent risk
    a. Interpret and analyze results
  2. Identify gaps in alignment
  3. Determine desired state of maturity
  4. Implement plans to attain and sustain maturity
  5. Reevaluate

According to the FFIEC, interpreting and analyzing assessment results means that management should review the institution’s inherent risks and the control maturity “…for each domain to understand whether they are aligned.” Here is where the initial challenge begins for most institutions, because the assessment tool does not provide any direct correlation between individual risks and specific controls, or even risks and domains. This critical process is left to the assessor (you). Certainly some controls and control groups are more effective against certain risks, but there really isn’t a one-to-one relationship between risks and controls. In fact, in a layered security approach to risk management it’s really a one-to-many relationship; one risk requires multiple controls. What we suggest is that you try to identify the common denominators between high risk areas, and then focus on the domain or domains that contain those common denominators.

For example, let’s say your risks are mostly least or minimal, with a few moderate. (This is what we generally see with community FIs.) Further, let’s say that after you interpret and analyze the results, one of the common denominators among the higher (moderate) risk items is that they all rely on third-party relationships (again, very common with community FIs). In this example, identifying declarative statements in Domain 4 – External Dependency Management would be most appropriate. But how do you get from the domain level all the way down to the declarative statement level? Here is the next challenge, because in order to identify specific controls you have to drill down into the domain to get to specific declarative statements.

Continuing with our example, since we’ve decided that additional controls in domain 4 would be most effective, let’s take a deeper dive. Here is how Domain 4 breaks down:

[Figure: Domain 4 of the CAT]

Let’s further assume that of the 2 Assessment Factors, the Relationship Management section is more relevant to us than Connections, since we have a pretty good idea of who we connect to and how we connect (a data flow diagram is the key to documenting information flow to external parties). Under that section, there are a total of 35 declarative statements distributed among three Contributing Components, which can be loosely described as pre-contract (Due Diligence), legal (Contract), and Ongoing. While all three are important, let’s say that since we already have a contractual relationship with the vendor(s), we’ve decided that ongoing monitoring should be our focus for increasing control maturity. Now we are down to only 11 declarative statements, and all we do from here is simply work our way up from Baseline (containing 3 statements) which is the minimum required level, through Evolving (4 statements), and into Intermediate (2 statements). According to the FFIEC, intermediate level controls are more than adequate to off-set moderate and even significant risk levels, so it’s unlikely you’ll have to progress beyond that.

In Summary

To summarize, in order to “implement a plan to attain and sustain maturity”, you must:

  1. Analyze the results of your assessment
  2. Find the common denominators among your increased risk areas
  3. Identify the domain or domains most effective against those common denominators
  4. Select the most relevant Assessment Factor(s) within those domains
  5. Select the most appropriate Contributing Component(s) within the Assessment Factors
  6. Identify specific Declarative Statements from among the 5 Maturity Levels, starting at Baseline and working up

The statements identified become your “plan to attain and sustain,” once they are assigned to a responsible party or group, and followed to completion. Next time you reassess, you’ll be able to check a few more statements, demonstrating your commitment to increasing your cybersecurity maturity level. And a steady increase is what you’ll need to keep pace with the increasing cyber threat environment.

13 Jun 2017

FFIEC Cybersecurity Assessment Tool Update

The FFIEC recently released a long-awaited update to the Cybersecurity Assessment Tool, and we think overall it is a relatively minor but useful evolution. But before we get into the details of what the update does address, it’s important to note that it did not address the ambiguity issues that plague the current assessment. One example: in the Inherent Risk section, there are a plethora of semicolons. Are they supposed to be interpreted as “or” or “and”? Take the question about personal devices being allowed to connect to the corporate network (4th question in the Technologies and Connection Types category).

The minimal risk level states the following:

“Only one device type available; available to <5% of employees (staff, executives, managers); e-mail access only.”

If the semicolons are interpreted as “or,” the statement reads like this:

“Only one device type available OR available to <5% of employees (staff, executives, managers) OR e-mail access only”.

This is considerably different than:

“Only one device type available AND available to <5% of employees (staff, executives, managers) AND e-mail access only”.

Unfortunately, the update did not offer any clarification on this, and as a result we are left to guess what the regulator’s intentions are. Our approach has been to risk-rank each question segment individually. So in the example above, what is the greater risk? The number of device types, the number of employees using them, or what they are allowed to access? We rank the risk of what employees are allowed to access highest, followed by the number of employees accessing, followed by the device types. And this is just one example: 18 of the 39 inherent risk questions present this type of interpretive challenge, and correct interpretation is absolutely critical, because your gap analysis and subsequent cyber action plan depend on an accurate inherent risk assessment.

Appendix A

However, the FFIEC CAT update does impact two areas: the first is a more detailed cross-reference in Appendix A mapping the baseline statements to the 2 recently released IT Handbooks (Management and Information Security), and the second will give most FIs more flexibility when evaluating declarative statements.

First, the changes to Appendix A. Compare the original Risk Management/Audit section…

Risk Management/Risk Assessment: The risk assessment is updated to address new technologies, products, services, and connections before deployment.

Source: IS.B.13: Risk assessments should be updated as new information affecting information security risks is identified (e.g., a new threat, vulnerability, adverse test result, hardware change, software change, or configuration change). IS.WP.I.3.3: Determine the adequacy of the risk assessment process.
* Information Security, E-Banking, Management, Wholesale Payments

…with the updated section:

Risk Management/Risk Assessment: The risk assessment is updated to address new technologies, products, services, and connections before deployment.

Source: IS.II.A: pg7: External events affecting IT and the institution’s ability to meet its operating objectives include natural disasters, cyber attacks, changes in market conditions, new competitors, new technologies, litigation, and new laws or regulations. These events pose risks and opportunities, and the institution should factor them into the risk identification process.

IS.II.C:pg11: Additionally, management should develop, maintain, and update a repository of cybersecurity threat and vulnerability information that may be used in conducting risk assessments and provide updates to senior management and the board on cyber risk trends.

IS.WP.8.3.d: Determine whether management has effective threat identification and assessment processes, including the following: Using threat knowledge to drive risk assessment and response.

This more detailed and expanded set of cross-references will be useful for both institutions and consultants as they navigate their way through this interpretive minefield.

However, this could be the most significant change:

“The updated Assessment will also provide additional response options, allowing financial institution management to include supplementary or complementary behaviors, practices and processes that represent current practices of the institution in supporting its cybersecurity activity assessment.” (Emphasis added)

It took us a while to find how this one was implemented because we were looking for a whole new section, but all the FFIEC has done is add a third option to your response to the declarative statements in the Control Maturity section. Prior to this update, you could only answer either “Y” or “N”. Now there is a third option, “Y(C)”, or Yes with Compensating Controls:

[Figure: CAT Yes/No Controls]

The FFIEC defines a Compensating Control as:

“A management, operational, and/or technical control (e.g., safeguard or countermeasure) employed by an organization in lieu of a recommended security control in the low, moderate, or high baselines that provides equivalent or comparable protection for an information system.”

Essentially what this means is that institutions will now be able to document adherence to a declarative statement using either direct off-set (primary) controls or alternative compensating controls, IF they are able to properly identify them. Because these controls are “in lieu of” recommended controls, they are necessarily more difficult to identify and document, much more so than a primary control.

That said, having a way for institutions to document their adherence to a particular declarative statement using either direct or compensating controls is a significant improvement, and should ultimately result in more declarative statements being marked as achieved. Be careful though: although we haven’t seen any IT exams since the update, a “Y(C)” response may very well prompt additional regulatory scrutiny precisely because it requires more documentation.

Safe Systems has assisted almost 100 customers through the CAT so far, helping to document their responses, producing stakeholder reports, and crafting action plans. Let us know if we can help you.

21 Mar 2017

Ask the Guru: How Can I Best Determine My Cyber Risk Profile?

Hey Guru!

We just completed the Cybersecurity Assessment, so now we have our current risk and control maturity levels identified. Can we draw any conclusions about our average risk and control levels? For example, most of our risks are in the Least and Minimal areas, but we do have a few Moderate as well. Can we just average them and conclude that our overall cyber risk levels are minimal?

Towards the end of last year the FFIEC released a Frequently Asked Questions document about the Cybersecurity Assessment Tool, and item #6 directly addressed your question.  The Council stated that “…when a majority of activities, products, or services fall within the Moderate Risk Level, management may determine that the institution has a Moderate Inherent Risk Profile.”

This would seem to validate the approach of using the average[1] of all risk levels to identify your overall risk level. However, they go on to state that each risk category may pose a different level of risk. “Therefore, in addition to evaluating the number of times an institution selects a specific risk level, management may also consider evaluating whether the specific category poses additional risk that should be factored into the overall assessment of inherent risk.” This would appear to directly contradict the averaging approach, indicating (correctly, in my opinion) that since all risks are NOT equal, you should NOT determine overall risk based on an average.

For example, let’s say that all of your risks in the Technologies and Connection Types category are in the Least and Minimal level except for Unsecured External Connections, which is at the Moderate level.  So you have 13 items no higher than minimal, and 1 item moderate.  Sounds like an overall minimal level of risk, right?  Except a Moderate level of risk for Unsecured External Connections indicates that you have several (6-10) unsecured connections.  As any IT auditor will tell you, even 1 unsecured connection can be a serious vulnerability!

So although the FFIEC says that “…you may determine…” you’re at one level if the majority of your responses fall within that level, they go on to say you really shouldn’t draw that conclusion without additional evaluation.

This is just one of many examples of confusing, conflicting, and occasionally misleading elements in the CAT, and a very good reason to have assistance filling it out (shameless plug).

[1] There are 3 primary ways of defining “average”: mean, mode and median. If you’ve assigned 1-5 numeric values to the risk levels, we can define average as “mean”. If we’re assuming average is “mode”, it’s simply the value that occurs most often. This would appear to be the way the FFIEC is approaching it. Regardless of how you define “average”, it leads to the same (inaccurate) conclusion.

27 Sep 2016

FFIEC Rewrites the Information Security IT Examination Handbook

In the first update in over 10 years, the FFIEC just completely rewrote the definitive guidance on their expectations for managing information systems in financial institutions.  This was widely expected, as the IT world has changed considerably since 2006.

There is much to unpack in this new handbook, starting with what appears to be a new approach to managing information security risk. The original 2006 handbook put the risk assessment process up front, essentially conflating risk assessment with risk management.  But as I first mentioned almost 6 years ago, the risk assessment is only one step in risk management, and it’s not the first step.  Before risk can be assessed you must identify the assets to be protected and the threats and vulnerabilities to those assets.  Only then can you conduct a risk assessment.  The new guidance uses a more traditional approach to risk management, correctly placing risk assessment in the second slot:

  1. Risk Identification
  2. Risk Measurement (aka risk assessment)
  3. Risk Mitigation, and
  4. Risk Monitoring and Reporting

This is a good change, and it is also identical to the risk management structure in the 2015 Management Handbook. It’s also very consistent with the 4-phase process specified in the 2015 Business Continuity Handbook:

  1. Business Impact Analysis
  2. Risk Assessment
  3. Risk Management, and
  4. Risk Monitoring and Testing

Beyond that, here are a few additional observations (in no particular order):

More from Less:

  • The new handbook is about 40% shorter, consisting of 98 pages as contrasted with 138 in the 2006 handbook.

…HOWEVER…

  • The new guidance contains 412 references to the word “should”, as opposed to 341 references previously. This is significant, because compliance folks know that every occurrence of the word “should” in the guidance generally translates to the word “will” in your policies and procedures. So the handbook is 40% shorter, but increases regulator expectations by 20%!

Cyber Focus:

  • “…because of the frequency and severity of cyber attacks, the institution should place an increasing focus on cybersecurity controls, a key component of information security.”  Cybersecurity is scattered throughout the new handbook, including an entire section.

Assess Yourself:

  • There are 17 separate references to “self-assessments”, increasing the importance of utilizing internal assessments to gauge the effectiveness of your risk management and control processes.

Take Your Own Medicine:

  • Technology Service Providers to financial institutions will be held to the same set of standards:
    • “Examiners should also use this booklet to evaluate the performance by third-party service providers, including technology service providers, of services on behalf of financial institutions.”

The Ripple Effect:

  • The impact of this guidance will likely be quite significant, and will be felt across all IT areas. For example, the Control Maturity section of the Cybersecurity Assessment Tool contains 98 references and hyperlinks to specific pages in the 2006 Handbook. All of these are now invalid. I’m sure we can expect an updated assessment tool from the FFIEC at some point in the not-too-distant future. (Which will also necessitate changes to certain online tools!)
  • The new FDIC IT Risk Examination procedures (InTREx) also contain several references to the IT Handbook, although they are not specific to any particular page.

Regarding InTREx, I was actually hoping that the new IT Handbook and the new FDIC exam procedures would be more closely coordinated, but perhaps that’s too much to ask at this point.  In any case, the similarity between the 3 recently released Handbooks indicates increased standardization, and I think that is a good thing.  We will continue to dissect this document and report observations as we find them.  In the meantime, don’t hesitate to reach out with your own observations.

11 Nov 2015

FFIEC Updates (and Greatly Expands) the Management Handbook

This latest update to the IT Examination Handbook series comes 11 years after the original version.  And although IT has changed significantly in the past 11 years, the requirement that financial institutions properly manage the risks of IT has not changed.  This new Handbook contains many changes that will introduce new requirements and new expectations from regulators.  Some of these changes are subtle, others are more significant.  Here is my first take on just a few differences between the original and the new Handbook:

Cybersecurity

  • The original Handbook contained only a single reference to “cyber”.  The revised Handbook contains 53 references.

IT Management

  • The Board and a steering committee are still responsible for overall IT management, but the guidance now introduces a new obligation for the Board, requiring that they provide a “credible challenge” to management.  Specifically, this means the Board must be “actively engaged, asking thoughtful questions, and exercising independent judgment”.  Simply put, no more “rubber stamps”.  The Board is expected to actually govern, and that means they need access to accurate, timely and relevant information.

The IT Management Structure has changed.  The 2004 Handbook listed the following structure:

  • Board of Directors / Steering Committee
  • Chief Information Officer / Chief Technology Officer
  • IT Line Management
  • Business Unit Management

The Updated Guidance is a bit more granular, and recommends the following structure (the new entries relative to the 2004 list are Executive Management and Chief Information Security Officer):

  • Board of Directors / Steering Committee
  • Executive Management
  • Chief Information Officer or Chief Technology Officer
  • Chief Information Security Officer
  • IT Line Management
  • Business Unit Management

“Risk Appetite”

  • The FFIEC Cybersecurity Assessment Tool introduced this new term (addressed here), and the Management Handbook makes an additional 11 references.  Institutions should understand this relatively new (for IT anyway) concept and incorporate it into their strategic planning process.

Managing Technology Service Providers

  • The 2004 guidance contained a separate section on best practices in this area.  The new guidance has removed the section, incorporating references to vendor management best practices throughout the document.  This reflects the reality of the prevalence and importance of outsourcing in today’s financial institutions.

Examination Procedures (Appendix A)

  • The 2004 Handbook had 8 pages containing 9 examination objectives.  The new guidance is almost completely re-written, and has 15 pages containing 13 objectives.  Several of these new objectives deal with internal governance and oversight, and a couple address the enterprise-wide nature of IT management.  All areas have been greatly expanded.  For example, the objective dealing with IT controls and risk mitigation (Objective 12) consists of 18 separate examination elements with 53 discrete items that examiners must check.
In summary, the updated Handbook represents a significant evolution in both the breadth and depth of IT management requirements. It will set the standard for IT management best practices for both examiners and institutions for some time to come, and should be required reading for all Board members, CEOs, CIOs, ISOs, and network administrators.