Many financial institutions are entering their 2017 budget season. Creating a budget is essential in helping you execute your strategy and plan for the future, however, any shortcomings, such as the ability to respond to changes in regulation or things you didn’t adequately plan for, can quickly derail your plans and force you to make critical trade-offs. As community banks and credit unions dive into this process, it is important to evaluate all areas and think outside the box on key IT, Security and Compliance budget items that are often overlooked. Since we work with more than 300 financial institutions just like yours, we are constantly researching what’s coming next, both from technology and compliance viewpoints, and offer some points for consideration in your budgeting for 2017.
In 2016, regulatory agencies have seemed to be more aggressive. We are consistently hearing from institutions that traditionally pass exams with ease that they have now been cited for new issues or have been asked to go above and beyond their normal remediation steps. We are now seeing that it is not uncommon for institutions to be cited for their handling of Cybersecurity Assessments, Business Continuity Planning and/or Vendor Management. 2016 was also the year of malware, and examiners are now focusing more attention on it as a pervasive problem in the industry. In addition, multiple institutions have been encouraged, if not “required,” to have a forensic analysis performed if the institution did not do a thorough job of performing their incident response procedures during a malware outbreak.
Often, once regulators cite an institution for one item, they dig deeper into other processes as well. Rarely have we seen an institution written up for one issue. The shift to a more proactive approach, including better preparation for and addressing of concerns or potential regulatory issues prior to an exam, is a much more efficient course of action and one that more financial institutions are adopting.
With these ideas in mind, here are some areas financial institutions should consider when budgeting for 2017:
Malware/Ransomware Layers: $1,500 – $5,000
While the price will depend on the layers you choose and how many you choose to add, you should really consider taking a more aggressive step in your fight against malware. If 2016 taught us anything, it is that malware, and specifically Ransomware, is back with a vengeance. More legitimate websites are unknowingly infected with malware and more emails are getting through with malware than in years past. Malware has also evolved into a more aggressive threat. It’s no longer characterized by simple aggravating popups and sluggish computers. It’s now encrypting all of the data on your machine, rendering it unusable. It’s gathering credentials of users, or even sometimes gathering documents and information on the machines themselves. Safe Systems has had more calls from both customers and non-customers about aggressive malware in 2016 than in years past and that trend looks to continue.
Financial institutions should evaluate their current layers, their effectiveness, and what they can do to enhance their posture. This may mean more/different end user training, DNS Filtering, or actual implementation of anti-ransomware toolsets. Whatever course you choose, know that the battle to protect your data is real, and it is as important as ever.
Cybersecurity Policy and Incident Response Testing: $4,000 – $7,500
Cybersecurity has come under increased regulatory focus, and with the latest Cybersecurity Assessment Tool being released this year, it promises to be a hot topic for the foreseeable future. You need to make sure you keep your security, business continuity and vendor management policies and procedures up to date.
Business Continuity Planning and Testing: $3,000 – $8,000
You must ensure that your business continuity policies, procedures and practices are in compliance with constantly changing regulations. A business continuity plan (BCP) should be a living, functional document that keeps pace with any changes in your infrastructure, strategy, technology and human resources. Be sure to budget for the following:
- BCP updated to meet current regulations
- Annual plan testing to validate
- Training for gaps found during test or updates to the plan
Robust Vendor Management Solution: $2,500 – $5,000
With financial institutions delivering more products via third-party vendors than ever before, regulators are looking for a thorough vendor management program that ensures that all vendors are being reviewed regularly. For the average community bank, the process to properly perform vendor due diligence and vendor management has become too cumbersome. An automated solution provides a more efficient, cost effective way to address this.
New and Replacement Technology: $500 – $10,000
Be sure that all products your vendors are “sun setting” are budgeted to be updated or replaced. Also, ensure that key applications and settings are updated to the latest best practices, including:
- Windows® Server 2003
- VMWare ESX nodes 5.1 or lower (end of support August 24, 2016)
- SQL 2005 or earlier instances (end of support April 12, 2016)
- Domain replication from FRS to DFSR
- Extending warranties on hardware more than 3 years old
- VEEAM Backup & Recovery version to 8 or higher
Training: $500 – $1,500
Information security is an issue that not only affects your institution, its employees and Board of Directors, but also extends to your customers. In fact, FFIEC guidelines now expect you to enhance the training programs you may already have in place. Make sure your employees and customers have access to the appropriate training commiserate with their needs. Information security knowledge and understanding affects all employees at some level, so ensure that your budget includes the appropriate training for each type of employee.
Vendor and User Conferences: $1,000 – $1,800
It is important to stay up to date with the latest features and industry changes. An effective way to achieve this is to attend a vendor conference or user group event. Make sure to budget for key vendor conferences as an educational and vendor management function.
Some careful forethought in the budgeting process today can prevent you from having to make difficult decisions and trade-offs next year. With more than 20 years of service in the financial industry, working with more than 600 institutions, and actively managing 20,000+ devices, Safe Systems has gained a unique perspective on what is important to financial institutions and to the regulators that oversee them. We encourage you to leverage our expertise as you develop your strategic plans and budgets for the coming year.