As the 2016 budget season quickly approaches, I wanted to share the IT, security and compliance budget items that community banks and credit unions should budget for but often forget. While creating a budget can help you execute your strategy, any shortfall (whether caused by a change in regulation or by something you did not anticipate) can quickly derail your plans and force you to make critical trade-offs. Since we work with more than 300 financial institutions just like yours, we are constantly researching what is coming next, from both a technology and a compliance viewpoint. While this list is not comprehensive, it highlights the top items you should consider as you build your budget for 2016.
Here’s our list of what banks often forget to (but should) include in their budgets.
1. Business Continuity Planning and Testing: $3,000 – $8,000
You must ensure that your business continuity policies, procedures and practices are in compliance with constantly changing regulations. A business continuity plan (BCP) should be a living, functional document that keeps pace with any changes in your infrastructure, strategy, technology and human resources. Be sure to budget for the following:
- BCP updated to meet current regulations
- Annual plan testing to validate
- Training for gaps found during test or updates to the plan
2. Cybersecurity Policy and Incident Response Testing: $4,000 – $7,500
Cybersecurity has come under increased regulatory focus, and with the latest Cybersecurity Assessment Tool being released this year, it promises to be a hot topic for the foreseeable future. You need to make sure you keep your security, business continuity and vendor management policies and procedures up to date.
3. New and Replacement Technology: $500 – $10,000
Be sure that every product your vendors are sunsetting is budgeted to be updated or replaced. Also, ensure that key applications and settings are brought up to current best practices. Items to check include:
- Windows Server 2003 servers
- VMware ESX/ESXi nodes at version 5.1 or lower (end of support August 24, 2016)
- SQL Server 2005 or earlier instances (end of support April 12, 2016)
- Domain (SYSVOL) replication migrated from FRS to DFSR
- Extended warranties on hardware more than 3 years old
- Veeam Backup & Recovery upgraded to version 8 or higher
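Before you can put numbers against the list above you need to know which of these products are actually in your environment. The script below is an added illustration, not part of the original post or of any vendor's tooling: it walks a constructed asset inventory, matches each asset against the sunset items listed above (with the two end-of-support dates the post gives; the other items carry no date in the post and are simply flagged for upgrade), and orders the findings so the nearest deadline comes first. The inventory rows, product keys and host names are made up for the example.

```python
"""Flag inventory items that fall under the sunset list above.

Added example (not from the original post). Asset rows below are constructed
sample data; product keys ("windows-server", "vmware-esxi", ...) are an
assumption of this script, not an inventory-tool convention.
"""
from dataclasses import dataclass
from datetime import date
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    """One inventory row: a product key plus that product's version string."""
    name: str
    product: str
    version: str


@dataclass(frozen=True)
class SunsetRule:
    """A product the post says to upgrade or replace: the version test that
    decides whether an asset is affected, and the end-of-support date where
    the post gives one (None otherwise)."""
    product: str
    description: str
    affected: Callable[[str], bool]
    end_of_support: Optional[date]


@dataclass(frozen=True)
class Finding:
    asset: str
    description: str
    status: str
    end_of_support: Optional[date]


def _leading_int(text: str) -> int:
    """'2012 R2' -> 2012, '0 U2' -> 0, '' -> 0 (leading digits only)."""
    digits = ""
    for ch in text.strip():
        if not ch.isdigit():
            break
        digits += ch
    return int(digits) if digits else 0


def _major_minor(version: str) -> Tuple[int, int]:
    """'5.1' -> (5, 1), '7.0 U2' -> (7, 0), '8' -> (8, 0)."""
    parts = [_leading_int(p) for p in version.split(".")[:2]]
    while len(parts) < 2:
        parts.append(0)
    return parts[0], parts[1]


# The sunset list from the post; dates are the two the post states.
SUNSET_RULES: List[SunsetRule] = [
    SunsetRule("windows-server", "Windows Server 2003 (or older)",
               lambda v: _leading_int(v) <= 2003, None),
    SunsetRule("vmware-esxi", "VMware ESX/ESXi 5.1 or lower",
               lambda v: _major_minor(v) <= (5, 1), date(2016, 8, 24)),
    SunsetRule("sql-server", "SQL Server 2005 or earlier",
               lambda v: _leading_int(v) <= 2005, date(2016, 4, 12)),
    SunsetRule("sysvol-replication", "SYSVOL replication still on FRS (migrate to DFSR)",
               lambda v: v.strip().upper() == "FRS", None),
    SunsetRule("veeam", "Veeam backup software below version 8",
               lambda v: _major_minor(v) < (8, 0), None),
]


def audit(assets: List[Asset], as_of: str) -> List[Finding]:
    """Return one Finding per asset that matches a sunset rule.

    as_of is an ISO date (the budget date you are planning against). Dated
    findings come first, soonest deadline first; undated items follow.
    """
    today = date.fromisoformat(as_of)
    findings: List[Finding] = []
    for asset in assets:
        for rule in SUNSET_RULES:
            if rule.product != asset.product or not rule.affected(asset.version):
                continue
            if rule.end_of_support is None:
                status = "upgrade/replace (no end-of-support date given in the post)"
            elif rule.end_of_support <= today:
                status = "past end of support on " + rule.end_of_support.isoformat()
            else:
                status = "support ends " + rule.end_of_support.isoformat()
            findings.append(Finding(asset.name, rule.description, status, rule.end_of_support))
    findings.sort(key=lambda f: (f.end_of_support is None, f.end_of_support or date.max, f.asset))
    return findings


# Constructed sample inventory (hypothetical hosts, not real systems).
SAMPLE_INVENTORY: List[Asset] = [
    Asset("DC01", "windows-server", "2003 R2"),
    Asset("DC02", "windows-server", "2012 R2"),
    Asset("ESX-A", "vmware-esxi", "5.1"),
    Asset("ESX-B", "vmware-esxi", "5.5"),
    Asset("SQL-CORE", "sql-server", "2005"),
    Asset("SQL-NEW", "sql-server", "2012"),
    Asset("corp.local", "sysvol-replication", "FRS"),
    Asset("BACKUP01", "veeam", "7.0"),
    Asset("BACKUP02", "veeam", "8.0"),
    Asset("FW01", "firewall", "n/a"),  # no rule applies; ignored
]

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY, "2015-10-01"):
        print(f"{f.asset:12} {f.description:45} {f.status}")
```

Feed it your real inventory export instead of SAMPLE_INVENTORY and the sorted output doubles as the priority order for the replacement line items: anything with a stated end-of-support date inside the budget year goes in first.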
4. Robust Vendor Management Solution: $2,500 – $5,000
With financial institutions delivering more products and using more vendors than ever before, regulators are looking for a thorough vendor management program that ensures that all vendors are being reviewed regularly. For the average community bank, the process to properly perform vendor due diligence and vendor management has become quite cumbersome. An automated solution may enable you to be more efficient and will ensure all i’s are dotted and t’s are crossed.
5. Training: $500 – $1,500
Information security is an issue that affects not only your institution, its employees and Board of Directors, but also your customers. In fact, FFIEC guidelines now expect you to enhance the training programs you may already have in place. Make sure your employees and customers have access to training commensurate with their needs. Information security knowledge and understanding affect all employees at some level, so ensure that your budget includes the appropriate training for each type of employee and customer.
6. Vendor and User Conferences: $1,000 – $1,800
It is important to stay up to date with the latest features and industry changes. One way to do this is to attend a vendor conference or user group event. Make sure to budget for key vendor conferences as an educational and vendor management function.
Including these items within your 2016 budget now will prevent you from having to make difficult decisions and trade-offs next year.