FFIEC – Page 2 – Compliance Guru

16 Jul 2015

Hot Topics Tom Hinkel 4 Comments

FFIEC Releases Cybersecurity Assessment Tool

UPDATE: Safe Systems just released their Enhanced CyberSecurity Assessment Toolkit (ECAT) – This enhanced version of the FFIEC toolkit addresses the biggest drawback of the tool; the ability to collect, summarize, and report your risk and control maturity levels.

Once risks and controls have been assessed (Step 1 below), institutions will now be better able to identify gaps in their cyber risk program, which is step 2 in the 5 step process.

This long-anticipated release of the Cybersecurity Assessment Tool (CAT) is designed to assist institution management in both assessing their exposure to cyber risk, and then measuring the maturity level of their current cybersecurity controls. Users must digest 123 pages, and must provide one of five answers to a total of 69 questions in 10 categories or domains. This is not a trivial undertaking, and will require input from IT, HR, internal audit, and key third-parties.

After completing the assessment, management should gain a pretty good understanding of the gaps, or weaknesses, that may exist in their own cybersecurity program. As a result, “management can then decide what actions are needed either to affect the inherent risk profile or to achieve a desired state of maturity.” I found the CAT to be quite innovative in what it does, but it also has some baffling limitations that may pose challenges to many financial institutions, particularly smaller ones.

[pullquote]The CAT is quite innovative in what it does, but it also has some baffling limitations…[/pullquote]

First of all, I was stunned by the specificity of both the risk assessment and the maturity review. Never before have we seen this level of prescriptiveness and granularity from the FFIEC in how risks and controls should be categorized. For example, when assessing risk from third-parties:

No third-parties with system access = Least Risk
1 – 5 third parties = Minimal Risk
6 – 10 third parties = Moderate Risk
11 – 25 third parties = Significant Risk, and
> 25 third parties = Most Risk

Again, this is quite different from what the FFIEC has done previously. If Information Security guidance used the same level of detail, we might see specific risk levels for passwords of a certain length and complexity, and correspondingly higher control maturity levels for longer, more complex passwords. Of course we don’t see that from current guidance, what we get is a generic “controls must be appropriate to the size and complexity of the institution, and the nature and scope of its operations”, leaving the interpretation of exactly what that means to the institution, and to the examiner.

I see this new approach as a very good thing, because it removes all of the ambiguity from the process. As someone who has seen institutions of all sizes and complexities struggle with how to interpret and implement guidance, I hope this represents a new approach to all risk assessments and control reviews going forward. Imagine having a single worksheet for both institutions and examiners. Both sides agree that a certain number of network devices, or third-parties, or wire transfers, or RDC customers, or physical locations, constitute a very specific level of risk. Control maturity is assessed based on implementation of specific discrete elements. Removing the uncertainty and guess-work from examinations would be VERY good thing for over-burdened institutions and examiners alike.

7 Reasons Why Small Community Banks Should Outsource IT Network Management

So all that is good, but there are 2 big challenges with the tool; collection, and interpretation and analysis. The first is the most significant, and makes the tool almost useless in its current format. Institutions are expected to collect, and then interpret and analyze the data, but the tool doesn’t have that capability to do that because all the documents provided by the FFIEC are in PDF format.

If you can figure out how to record your responses, that still leaves the responsibility to conduct a “gap” analysis to the institution. In other words, now that you know where your biggest risks reside, how do you then align your controls with those risks?

One more challenge…regulators expect you to communicate the results to the Board and senior management, which is not really possible without some way of collecting and summarizing the data. They also recommend an independent evaluation of the results from your auditors, which also requires summary data.

In summary, there is a lot to like in this guidance and I hope we see more of this level of specificity going forward. But the tool should have the ability to (at a minimum) record responses, and ideally summarize the data at various points in time. In addition, most institutions will likely need assistance summarizing and analyzing the results, and addressing the gaps. But at least we now have a framework, and that is a good start.

29 Apr 2015

Hot Topics Tom Hinkel 6 Comments

FFIEC Issues Stealth Update to BCP Handbook

This caught me by surprise as it was not formally announced in the “What’s New” section, but the Appendix J update to the Business Continuity Planning Handbook apparently constituted a complete update to the Handbook. Here is what the press release said in part:

The Federal Financial Institutions Examination Council (FFIEC) members today issued a revised Business Continuity Planning Booklet (BCP Booklet), which is part of the FFIEC Information Technology Examination Handbook (IT Handbook). The update consists of the addition of a new appendix, entitled Strengthening the Resilience of Outsourced Technology Services. (emphasis added)

If you only focused on the last sentence (as I did), you would think all they did was add an appendix to the existing booklet. But the first sentence states that they issued a revised booklet. And sure enough, they changed the date.

Here is the old booklet:

Cover page from 2008 FFIEC_IT_Booklet_BusinessContinuityPlanning

And here is the new booklet:

Cover page from 2015 FFIEC_IT_Booklet_BusinessContinuityPlanning

I’ve written about the wide-ranging implications of “Appendix J” previously. In comparing the old and new BCP booklets I was unable to find any other changes in the document except the addition of Appendix J, and some changes to Appendix A. Regular readers know that each of the 11 booklets has an Appendix A which contains the examination procedures. The message here is that the FFIEC considered the addition of Appendix J significant enough to warrant new examination procedures, and a whole new handbook with a new revision date!

7 Reasons Why Small Community Banks Should Outsource IT Network Management

I’ve gone through Appendix A of both the new booklet and the previous booklet and highlighted all of the changes. If you’re interested in how your next BCP exam might differ, you can download a copy of my marked-up document here. The complete BCP Handbook is here.

31 Mar 2015

Hot Topics Tom Hinkel 0 comment

FFIEC Issues 2 Statements on Cybersecurity

Both statements address recent cybersecurity threats; one targeting online credentials (passwords, usernames, e-mail addresses that may be used by employees or customers to authenticate themselves), and one addressing destructive malware. The statements advise specific risk mitigation steps institutions should consider, and I thought it would be instructive to compare the steps to see which are common to both threats (highlighted in bold).

The statement on compromised credentials lists the following risk mitigation steps:

Conduct ongoing information security risk assessments.
Perform security monitoring, prevention, and risk mitigation.
Protect against unauthorized access.
Implement and test controls around critical systems regularly.
Enhance information security awareness and training programs.
Participate in industry information-sharing forums.

The statement on destructive malware lists the following steps:

Securely configure systems and services.
Review, update, and test incident response and business continuity plans.
Conduct ongoing information security risk assessments.
Perform security monitoring, prevention, and risk mitigation.
Protect against unauthorized access.
Implement and test controls around critical systems regularly.
Enhance information security awareness and training programs.
Participate in industry information-sharing forums.

As you can see there is a core set of 6 steps, or controls, that are common to both threats. I’m certain that you can expect them to be a part of the FFIEC cybersecurity self-assessment tool and policy updates when they are released later this year. Forward thinking institutions would be wise to evaluate their cybersecurity controls now and make sure all 6 are in place, up-to-date, and functioning properly.

10 Feb 2015

Hot Topics Tom Hinkel 1 Comment

FFIEC Issues Update to Business Continuity Guidance

The FFIEC just issued new BCP Guidance in the form of a 16 page addendum to the existing 2008 IT Handbook on Business Continuity Planning. It is titled “Appendix J: Strengthening the Resilience of Outsourced Technology Services”, and it has significant implications for both financial institutions and service providers, and across the entire business relationship between the two.

The following excerpt summarizes the intent of the update pretty succinctly:

A financial institution should be able to demonstrate the ability to recover critical IT systems and resume normal business operations regardless of whether the process is supported in-house or at a TSP (technology service provider) for all types of adverse events (e.g., natural disaster, infrastructure failure, technology failure, availability of staff, or cyber attack).

The appendix is focused on third-party Technology Service Providers (TSP’s), and organized in four sections (with associated sub-sections):

Third-party management
- Due Diligence
- Contracts
- Ongoing Monitoring
Third-party capacity
- Significant TSP Continuity Scenarios
- TSP Alternatives
Testing with third-party TSP’s
- Testing Scenarios
- Testing Complexity
Cyber resilience

Assuming that you already have a relatively compliant* business continuity plan, I see several areas that may need immediate attention:

Vendor management. Expect expanded vendor pre-contract due diligence and on-going oversight, including a detailed understanding of how the vendor manages their subcontractors. The guidance also introduces the concept of “concentration risk”, which is the increased use of, and over-reliance on, one or more key service providers.
Contracts. Expect increased contract requirements, including provisions related to subcontracting (see above), the right-to-audit, data ownership and handling, and how the servicer plans to respond to new guidance and regulations.
Testing. Expect an expanded testing section, including participation in critical vendor testing.
Cyber security. Cyber events should be factored into all aspects of your BCP, with emphasis on responding effectively to a cyber attack. Expect your incident response planning and testing to get increased scrutiny as well.

There is one more element of the guidance that may prove to be the most challenging of all for outsourced institutions. In the past, manual procedures were always the primary alternative to automation, but because of the increased dependence on outsourcing, it may no longer be feasible for an institution to operate manually for any length of time. In those situations the guidance suggests that you have an alternative service provider identified to assume operations, or that you consider the possibility of moving the operations in-house. Since the guidance admits that the latter option is likely not a valid one, that really only leaves the alternate provider as a possible solution. Of course any institution that has converted their core system to a new provider knows that process is fraught with challenges even when the conversion is anticipated and carefully planned. Undertaking the process after a sudden disruptive event is almost unthinkable, but the guidance expects you to going forward.

* A compliant BCP is built around a business impact analysis which identifies all critical business processes and their interdependencies, establishes clearly defined recovery time and recovery point objectives (RTO’s & RPO’s) for each process, specifies recovery procedures sufficient to restore process functionality within RTO’s, and then validates all procedures via testing.

18 Nov 2014

Hot Topics Tom Hinkel 5 Comments

Vendor Management in 3 Parts. Part 2 – Risk Assessment (or, “will they or won’t they?”)

In Part 1 I said that vendor management, just as any other risk management endeavor, consists of 3 basic phases;

Identify the risk
Assess the risk, and
Control the risk

I also discussed why risk identification was a more difficult task today because of the “access to data” question, and also because “data” includes not just NPI, but confidential data as well. Everyone from your technology providers to the office cleaning crew could have access to non-public or confidential data, and as a result must be included in Phase 2; the risk assessment. The good news is that even though all vendors must be assessed, only a handful will required significant follow-up in terms of controls reviews (phase 3).

So in this post I will discuss how the risk assessment of vendors has changed over the last few years. Traditionally assessing a vendor was limited to determining the extent to which the vendor had access to (and could possibly disclose) non-public customer information (NPI). This grew out of GLBA, specifically the privacy and security elements of the legislation. Today regulators expect a much broader assessment of third-party risk. In addition to NPI, you must also assess vendor access to confidential information, such as HR records, Board reports, strategic plans and unaudited financials. You should also understand how a failure of the vendor’s product might affect your ability to deliver critical products or services to your customers. Does the vendor provide interdependencies to critical products? If they failed, how many of your services would fail too? Additionally, how difficult (costly & time consuming) would it be to find an alternate vendor, should the need arise?

In a recent speech to a community bankers group, Thomas J. Curry (current FFIEC chairman and Comptroller of the Currency) stated:

“While they have important benefits and are in many ways an essential part of business, it can be easy for financial institutions to become overly dependent upon third parties and overly-trusting. But just because these contractors have long client lists and hard-to-duplicate expertise doesn’t mean they are infallible.”

So vendor risk assessments really come down to determining “will they or won’t they?”:

Will they or won’t they…disclose customer NPI?
Will they or won’t they…disclose confidential information?
Will they or won’t they…fail?
Will they or won’t they…meet the terms of the contract?
Will they or won’t they…continue to meet our strategic objectives?
Will they or won’t they…properly manage their third-party relationships?

Once these questions have been addressed (i.e. asked and answered) you have a good idea of the raw, or inherent, risk level. Now you are expected to…

“…have risk management practices in place that are commensurate with that risk.”

Asking the right “will they or won’t they” questions are the key to accurately assessing inherent risk. The next step is to manage (i.e. control) the risk at acceptable levels. More on that in Part 3.

[poll id=”9″]

11 Nov 2014

From the Field Tom Hinkel 1 Comment

Guru Briefs – OCC on Cybersecurity & MRA’s, FFIEC on Cybersecurity Assessments

(NOTE: Guru Briefs are short takes on recently released regulatory activity. They are not a detailed analysis, but designed to draw attention to the Guru’s initial impressions.)

In this edition:

The OCC has been particularly active on the regulatory front lately, and even non-OCC institutions may want to pay attention, as the head of the OCC is also the Chairman of the FFIEC. I comment on 3 recent OCC pronouncements.
The FFIEC has completed the cybersecurity risk assessments, and issued some observations.

First up, the OCC recently updated their guidance on Matters Requiring Attention, or MRA’s. Classified generally as examination “findings”, MRA’s are the most severe type of findings, as they require the immediate attention of senior management and timely (i.e. rapid) corrective action. While it’s good to see this process standardized (at least among OCC examiners, other agencies have yet to follow suit), what struck me was how the “open” items (those items that have yet to be corrected) were classified. Particularly one that I haven’t seen before…”Self-identified”. A “Self-identified” MRA is defined as:

“A significant unresolved concern that the bank initially discovered. A bank’s action to self-identify concerns is an important consideration when the OCC assesses the adequacy of the bank’s risk management system.“

So in other words, you discovered a deficiency first, and then either brought it to the attention of the regulator or they found it. Instead of counting against you. this actually strengthens the regulator’s view of your risk management system. Essentially this is an MRA that has a positive impact on your institution! I’ve discussed this “control self-assessment” process before. Don’t be afraid of finding problems, it’s much better that you find them then the regulator!

Next up from the OCC, the Chairman (Thomas J. Curry) gave a speech on cybersecurity to the 10th Annual Community Bankers Symposium recently. Here are a few of my observations:

Smaller institutions may be more at risk from cybercrime because of their lack of internal resources compared to larger institutions, so collaboration with information sharing organizations is particularly important.
Management is encouraged to incorporate cyber-incident scenarios into their business continuity and incident response planning.
It’s “extremely important” for management to understand their risk exposure to cyber-threats and vulnerabilities.
Because of the high degree of connectedness among institutions and their third-party providers, managing those relationships is vital. Curry states that “third-party relationships have been a significant area of concern for years, and not just in the area of cybersecurity.” The agency has, and will continue to, play a role in watching over these providers, but they stress that their supervision “does not take the place of due diligence or ongoing monitoring” on your part.

Lastly from the OCC, could we see merchants held to the same security standards as financial institutions? Consider this statement from Chairman Curry in the same speech:

“…we need to level the playing field between financial institutions and merchants. The same expectations for security of customer information and customer notification when breaches occur should apply to all institutions. And when breaches occur in merchant systems, it seems only fair to me that they should be responsible for some of the expenses that result.”

This is long overdue in my opinion, merchants are considered the weakest links in the cybersecurity chain. The challenge will be enforcing it. Until merchants are under the same regulatory burden as financial institutions, they will have no incentive to comply. PCI-DSS has been proven ineffective, after all both Target and Home Depot claimed to be PCI compliant prior to their breaches.

Finally, the FFIEC has concluded their cybersecurity assessments and issued some general observations. Summarizing:

Management must understand their own cybersecurity exposure (see OCC Chairman comments above).
Key to this understanding your cybersecurity status is understanding who connects to you, and how.
Manage your third-party relationships, and understand how your vendors are managing their third-parties.
Expand your disaster recovery and incident response processes to incorporate cyber incident scenarios (again, see Chairman Curry’s remarks above).

…and last but not least…

“As a result of the Cybersecurity Assessment, FFIEC members are reviewing and updating current guidance to align with changing cybersecurity risk.” In other words, new guidance is on the way!

← Previous 123…15 Next →