Five Key Areas of Focus for Your Regulatory IT Exam
We’re back with part two of our IT Exam Prep blog series.
Picking up where we left off, there are five key areas where we expect you’ll likely be scrutinized closely at your next exam cycle:
- Business continuity management
- Outsourcing and third-party vendors
- Governance and management engagement
- Strategic planning
Of these, the most challenging, and most important, for smaller institutions might be governance and management engagement; the CAMELS “M”. This is true because often smaller institutions may have a more informal reporting structure.
For example, relevant issues may be discussed in committees and may even be reported upstream—but they may not be sufficiently documented. The issue is not just a matter of how you engage and report to senior management and the board, but rather, how you document that the necessary practices are in place. This is important when discussing day-to-day operational matters, but even more important when addressing issues of long-term strategic significance.
Although documenting management engagement can be particularly challenging, institutions must focus on all areas when prepping for an exam. You may not have time to rigorously prepare for every aspect, but you cannot afford to be lax in any one area, as examiners expect all areas of information security to be addressed. However, even if you are not where you need (or want) to be in any particular area, knowing where you are will often buy you additional time.
Our experience is that examiners will often give you additional time to address an issue if they know A) you are aware of it, and B) you have a plan in place (including a timeline) to address it. In short, if you haven’t had the opportunity to conduct a BCM exercise in the past 12 months, at least acknowledge it and have one on the calendar for the near future.
Ransomware on The Rise
As we discussed here and here, both the pandemic and cybersecurity will continue to dominate the infosec landscape for the foreseeable future, and because of that, are sure to receive special consideration during your next exam cycle. In particular, ransomware is a hot-button issue for examiners as attacks have been accelerating and cybercriminals capitalize on the security vulnerabilities and disruption caused by more employees working from home.
These malicious destructive malware attacks are becoming more targeted, more sophisticated and more costly, according to the FBI. Even more disconcerting is the fact that modern ransomware variants can not only lock data in place so that it’s no longer available to the institution but also exfiltrate data, making a secondary data disclosure attack much more likely. Another recent variant locks your data and initiates a distributed denial of service (DDoS) attack against your website if you don’t respond.
One common denominator between all five areas of focus is the concept of “resiliency”, which is the ability to withstand and recover from unplanned and unanticipated events. Examiners increasingly want to see a proactive approach to resilience, and when institutions implement the proper measures ahead of time, this can reduce their risk of operational downtime during a cyberattack, pandemic, natural disaster or another event.
Simply put, once ingrained into your practices and procedures, the reactive measures taken today become the proactive measures of tomorrow. Also, don’t forget to build resiliency into all future initiatives. If the initiative is important enough to implement and maintain, it’s important enough to protect from downtime.
Today, banks and credit unions are taking advantage of a host of resources to mitigate ransomware and other IT security issues, including the Cybersecurity Assessment Tool (CAT), the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), and the Ransomware Self-Assessment Tool (R-SAT). In addition, consulting with a third-party IT expert can help institutions better prepare for assessments and respond to difficult questions from examiners.
The bottom line is that regardless of the format regulators require for an examination, you can expect them to address a wide variety of areas. So, focus on the areas outlined here and in part one of this series, but be prepared to discuss all the relevant actions your institution is undertaking.