The FFIEC just issued new BCP Guidance in the form of a 16-page addendum to the existing 2008 IT Handbook on Business Continuity Planning. It is titled “Appendix J: Strengthening the Resilience of Outsourced Technology Services”, and it has significant implications for both financial institutions and service providers, and across the entire business relationship […]
Vendor Management in 3 Parts. Part 3 – Risk Management (or, “can we or can’t we?”)
The last step in the vendor management process is to manage, or control, the risk that was identified in step 1, and assessed (as inherent risk) in step 2. Controlling risk is defined as applying risk mitigation techniques (or “controls”) to reduce risk to acceptable levels. It’s important to understand that risk can never be completely eliminated, […]
Vendor Management in 3 Parts. Part 2 – Risk Assessment (or, “will they or won’t they?”)
In Part 1 I said that vendor management, just as any other risk management endeavor, consists of 3 basic phases: identify the risk, assess the risk, and control the risk. I also discussed why risk identification was a more difficult task today because of the “access to data” question, and also because “data” includes not just NPI, but confidential […]
Guru Briefs – OCC on Cybersecurity & MRA’s, FFIEC on Cybersecurity Assessments
(NOTE: Guru Briefs are short takes on recently released regulatory activity. They are not a detailed analysis, but designed to draw attention to the Guru’s initial impressions.) In this edition: The OCC has been particularly active on the regulatory front lately, and even non-OCC institutions may want to pay attention, as the head of the OCC […]
Vendor Management in 3 Parts. Part 1 – Risk Identification (or, “do they or don’t they?”)
Service provider oversight (aka vendor management) is undoubtedly the hottest hot-button item on the regulator’s agenda right now, and for good reason. For one thing, regulators know that the vast majority of financial institutions outsource at some point; in fact, recent studies put the number of FI’s that either transmit, process or store information with […]
Cybersecurity – Part 2
In Part 1 I discussed the increasing regulatory focus on cybersecurity, and what to expect in the short term. In this post I want to dissect the individual elements of cybersecurity, and list what you’ll need to do to demonstrate compliance on each one going forward. So here are the required elements of a cybersecurity program, followed […]
Cybersecurity – Part 1
Cybersecurity has gotten a lot of attention from regulators lately, and with assessments already underway it promises to be a regulatory focus for the foreseeable future. But exactly what are they expecting from you, and how does that differ from what you may be doing already? More importantly, how should you demonstrate that you are […]
Ask the Guru: The Vendor Report of Examination (ROE)
Hey Guru, where in the handbook does it state the Bank should request exam reports on vendors from their regulatory body? Although there is no formal FFIEC written requirement for obtaining the service provider’s regulatory examination report (report of examination, or ROE), it is mentioned as a best practice in the FFIEC 2012 TSP Handbook: […]
FDIC Re-issues Service Provider Guidance
Originally released in 2001, the FDIC recently re-issued 3 publications related to managing outsourced relationships: “Effective Practices for Selecting a Service Provider”, “Tools to Manage Technology Providers’ Performance Risk: Service Level Agreements”, and “Techniques for Managing Multiple Service Providers”. What struck me about this re-release, and the fact that they were released without modification of any […]
FFIEC Issues Final Social Media Guidance…and Challenges Remain (UPDATE)
UPDATE 1/22/2014 – Compliance Framework Checklist added (scroll down). Originally proposed back in January 2013, and following a comment period in which they received and evaluated 81 official comments, the FFIEC has at last released their final guidance for financial institutions engaging in social media activities. I expect all the regulatory agencies to adopt it […]
The OCC Sets a New Standard for Vendor Management…
…but will it become the new standard for institutions with other regulators? UPDATE – The answer is yes, at least for the Federal Reserve. Readers of this blog know that I’ve been predicting an increase in vendor management program scrutiny since early 2010. And although the FFIEC has been very active in this area, issuing […]