New IT Examination Procedures Impact Banks – Business Continuity Planning Becoming More Important Than Ever!
Over the coming months, FDIC-examined institutions will phase in new IT examination procedures, the first major overhaul since December 2007. The new format is called the InTREx program (Information Technology Risk Examination), and is designed to provide a more uniform and less subjective examination experience. The new format has cut the pre-examination questions nearly in half. Don’t be fooled though, this will not make for an easier exam, as these questions are more open-ended than a simply “Yes” or “No.” What the InTREx doesn’t cover in the pre-exam phase, it more than makes up for in the on-site examination.
This new process is a much more granular process, requiring a deeper analysis by the examiner, which in turn puts a greater burden on the bank. Proper documentation will often make the difference between a satisfactory and a less than satisfactory assessment. This means institutions must be adequately prepared for a more thorough and time consuming examination. One area the new IT examination procedures heavily reference is business continuity planning (BCP).
Business continuity planning has become a very important aspect of a bank and credit union’s successful IT exam and compliance rating. Business Continuity Planning is the process of creating systems and processes that provide resilience to, and recovery from, potential non-specific threats to a financial institution. Such events that could negatively impact normal operations include all man-made and natural disasters, such as failure of equipment, loss of or damage to critical infrastructure, and malicious cyber activity. Auditors and examiners are scrutinizing BCP processes more closely, specifically looking to verify that the institution’s methodology and plan structure closely adhere to the regulatory guidance.
Taking Business Continuity Planning to the Next Level:
A Better Way for Banks
Learn how examiners are increasing their focus on BCP, the risks involved in relying on a single individual, and better ways to develop your plan.
In addition to the new FDIC procedures, the FFIEC has also made some significant guidance changes, specifically updating the Business Continuity Planning Handbook. The FFIEC has increased its focus on cybersecurity resilience and recovery as well as important interdependencies such as third-party providers.
There is also significant overlap between the elements in the InTREx program and the FFIEC’s Cybersecurity Assessment Tool (CAT), which means that actions taken to strengthen cybersecurity control maturity will also strengthen overall IT controls. The CAT dedicates an entire section to cyber resilience, a concept which encompasses elements from both BCP and incident response. These new examination requirements prove that business continuity planning has become a crucial element of a financial institution’s cyber resilience strategy and overall information security program.
Events of the past 10 years have significantly increased the need for attention to emergency preparedness within financial institutions. In the last decade, we have seen an increased dependence on technology and third party vendors, business disasters such as power outages and connectivity issues, as well as severe natural disasters like hurricanes, tornadoes, and floods. Community banks must have a comprehensive business continuity plan in place to successfully face these unique and unexpected challenges and ensure the institution can recover business operations quickly and efficiently.
At Safe Systems, we understand that BCP can be a very time consuming and stressful process for banks. To help streamline this process, we have developed a Business Continuity Plan application, BCP Blueprint, to help facilitate and automate the BCP process. This application helps financial institutions move from a pieced together set of recovery procedures to a cohesive enterprise-wide approach for continuity planning. The end result will include a complete and comprehensive plan that meets regulators’ expectations and equips financial institutions to better respond when disaster strikes.
For more information please download our complimentary white paper, Taking Business Continuity Planning to the Next Level: A Better Way for Banks.