For financial institutions to be successful today, they must have — and implement — a comprehensive IT strategic plan. The IT strategic plan must align with the overall strategic plan, outline future goals and objectives, and identify the steps needed to achieve such in a three-to-five-year timeframe.
The institution’s board of directors is directly responsible for developing the overall, or enterprise-wide, strategic plan, but they will most likely delegate the responsibility of the IT strategic plan to a board or management level committee (typically the IT Steering Committee). The board is still responsible for reviewing and approving it to ensure it aligns with the overall business strategy.
To understand the difference between the 2 plans, it’s important to note that the overall plan is where the broad goals and objectives of the organization are defined. This could mean many things like achieving certain revenue gains and financial ratios, but almost always includes adhering to current guidance and best practices relating to information security. The plan must include an information security strategy to protect the institution from ongoing and emerging threats, including those related to cybersecurity. The IT strategic plan adopts the broad goals and objectives of the overall plan, and connects the specific day-to-day practices to those broader objectives. For example, the overall plan might have a broad objective to keep information secure. The IT strategic plan will identify each of the practices and proposed initiatives that align with that objective. Simply put, the IT strategic plan provides the linkage between the specific actions of the IT committee, and the broader goals and objectives of the organization.
Components of an IT Strategic Plan
Since the IT strategic plan is the document that outlines specific activities required to overcome challenges, there must be a solid understanding of the institution’s goals, business model, and objectives. In addition, there are three main components that all strategic plans should include:
- Mission and Vision Statement
The mission statement is the summary or explanation of an organization’s overall purpose, as well as the goals, values, and objectives. Having a solid mission statement ensures employees understand the direction and purpose of the financial institution and helps create a sense of identity. The vision statement will often be more concise and is designed to paint a picture of what a bank or credit union aspires to be in the future. While these components of the strategic plan may seem time consuming to develop initially, they are the necessary foundations for a successful organization, and unless the organization is experiencing a high pace of change, they are not difficult to maintain going forward.
- Risk Appetite Statement
Risk Appetite is defined as the amount of risk a financial institution is prepared to accept when working to achieve its objectives. In other words, risk appetite is a decision by the Board and Senior Management that the residual risk level, or risk remaining after controls have been applied, is within their pre-defined acceptable range. Failure to have a risk appetite statement could result in a financial institution improperly managing its risk, or misallocating its resources.
- IT Roadmap
The IT Roadmap is where all current and proposed strategic initiatives are tracked. The roadmap is the beating heart of the IT Strategic Plan and should be reviewed and updated at each committee meeting. Each roadmap initiative should identify how it aligns with specific enterprise-level goals which, although they will differ from one institution to the next, should include the following:
- Institution growth and customer demographic targets — Inc. mergers and acquisitions
- Current technology standards — the ability to adopt and upgrade/replace systems and software and integrate new technology to remain competitive
- Regulatory requirements (e.g., privacy, security, consumer disclosures, and other reporting requirements)
- Cost containment, process improvement, and efficiency gains
- Customer service and technology performance quality
- Third-party relationship opportunities versus in-house expertise
The plan should also focus on specific interdependencies, personnel, tools, internal and external resources, and timetables to achieve the designated goals. This also includes hardware and software architecture, third-party providers, and budget estimates.
Technology evolves rapidly, requiring institutions to implement enhancements to existing systems, and prompting new investment in infrastructure, systems, and applications. IT strategic plans serve as a powerful tool, one that positions banks and credit unions to identify and achieve key goals and desired outcomes. As the FFIEC states in the Management Handbook, “A financial institution capable of aligning its IT infrastructure to support its business strategy adds value to the institution and positions itself for sustained success.” A comprehensive IT strategic plan will ensure delivery of IT services in a cost-efficient and effective way, while enabling financial institutions to meet the competitive demands of the marketplace.
We want to hear from you for our annual industry report examining how community banks and credit unions plan to meet their IT, compliance and security needs in 2019.
In today’s regulatory environment, it is critical to ensure you are adhering to the examiner’s expectations. It is no longer enough to simply have some variant of a BCP plan in place. All financial institutions must have a solid understanding of the FFIEC guidance to ensure their plan is comprehensive and that it adequately addresses all areas. It must be updated, accurate and tested routinely. A comprehensive BCP limits the impact that a disaster will have on your financial institution and ensures that you can continue to provide services to your customers, no matter what type of disaster may strike.
“When I learned that Safe Systems offered a service that included an application along with compliance consulting to help us improve our cybersecurity posture, I knew it would be the right solution for our bank,” said the senior vice president. “Safe Systems’ team of experts guided us through the installation process and provided us with the knowledge and support to ensure a more streamlined assessment.”
The challenge is that completing the CAT and then fixing all uncovered vulnerabilities and gaps is a daunting process. Working with a trusted IT partner enables financial institutions to realize significant operational efficiencies in their cybersecurity processes and ensure that all gaps and vulnerabilities are properly addressed, leading to a better cybersecurity posture and enhanced compliance ratings. Safe Systems helps financial institutions manage their cybersecurity program in a more time-efficient manner and ensure they meet their compliance requirements.
Many institutions have stopped working on the CAT after they’ve had their exam because examiners have only required them to complete the assessment. Simply filling out the CAT does not come close to addressing the FFIEC guidance or the full intent of the CAT. If your institution has stopped here, there is much more to do to enhance your cybersecurity procedures. If you do not review your institution’s security gaps and improve compliance processes, you will continue to lag behind. 
Using Continuum, Safe Systems established a site-to-site Virtual Private Network (VPN) between the branch in Blairsville and the Continuum site hosting the recovered servers to get operations back up and running quickly. Displaced employees could remotely access the network, and the bank was able to leverage Continuum for two full days until power was restored at all branches and the production servers were powered back on. 
The regular reviews are not just beneficial for institutions, they are also mandatory. Federal Financial Institution Examination Council (FFIEC) guidance dictates that financial institutions perform regular self-assessments or internal audits to “validate the adequacy and effectiveness of the control environment.” However, for many community financial institutions, the concept of performing the internal audit internally can be daunting due to the lack of personnel or in-house expertise, pushing many to identify the most effective third-party service provider to perform internal audit procedures.
Be sure that all products your vendors are “sun setting” are budgeted to be updated or replaced. Also, ensure that key applications and settings are updated to the latest best practices, including:
Each new regulatory guidance, update, change, and interpretation requires additional expertise and more employee resources. It’s a never ending cycle. The last decade has brought about an increase in compliance changes including: the 
A relatively new term, RegTech, refers to a set of companies and solutions that address regulatory challenges through innovative technology. RegTech is a subset of FinTech that focuses on technologies that facilitate the delivery of regulatory requirements more efficiently and effectively than traditional compliance processes. 
Due to the complexity and momentum of regulatory changes, RegTech solutions must be customizable and easy to integrate into a variety of environments. No two institutions are alike but properly designed RegTech solutions should help to guide institutions to a better overall compliance posture. 
Aside from having a BCP and associated 
Typically, a regulatory agency will not revisit the findings again until the next review. It is up to the financial institution to address each point and provide the proper documentation to show these items have been corrected before the next meeting. For example, if the bank’s antivirus was listed as out of date on the findings report, the institution would have to update each machine, run a report, and include this information in the findings package to be reviewed by the regulatory agency during the next visit. To complete the process efficiently, banks must keep up with who is in charge of each specific action item, when the item is due for completion, and which reports should be included in the findings package.
Often there is one person in charge of the review and they must work with each department to gather information by the designated due date. All files must then be stored in a central location, follow the template the reviewing agents have requested and be in a format that can be transmitted securely to the requesting party. Gathering all this information and ensuring all documents are complete and accurate can be a challenging task for smaller community banks and credit unions with limited in-house resources and staff.
Many financial institutions are turning to IT and security service providers to act as an extension of their organization and help augment internal technology and compliance resources. The right third-party solution provider can serve as a true partner and work alongside current staff to manage the technology, compliance and regulatory aspects of the institution. When the technology or compliance staff is out or unavailable, outsourcing select business processes helps fill the personnel gap and provide added stability for the institution and peace of mind to all.
This was the case for Pembroke, N.C.-based Lumbee Guaranty Bank. To ensure his institution maintained compliance, Austin Maynor, Information Security Officer at Lumbee Guaranty Bank, manually filled out the CAT with the help of a spreadsheet, but quickly found this process to be an extremely time-consuming project to complete. He determined the bank needed a solution that could give them a better understanding of where they were in terms of cybersecurity preparedness and where they needed to be in order to maintain compliance.
The CAT also enables financial institutions to review their Inherent Risk Profile in relation to their Cybersecurity Maturity results, which will indicate if they are aligned. As one might expect, as inherent risk rises, an institution’s maturity level should also increase. However, an institution’s inherent risk profile and maturity levels will change over time as threats, vulnerabilities, and operational environments change, making it necessary for institutions to complete the CAT periodically or when making adjustments to their organizations. 
Even though the CAT is voluntary, all financial institutions are required to evaluate inherent risk and cybersecurity maturity in some way, which requires a robust assessment program. Completing the CAT is a good way to prepare for audits since the guidelines provide community banks and credit unions with detailed information on the federal government’s expectations for cybersecurity preparedness. The CAT enables financial institutions to identify vulnerabilities, fill in security gaps, and demonstrate a stronger security posture before the examination begins. 
To properly assess risk exposure for vendors/services, establish consistent criteria to appropriately weigh the risk each poses to the credit union. This will help you grade or designate a level of criticality and risk for each service and each vendor. For example, will a vendor have access to private member data? Will it operate with our core system? The criticality will have a significant impact on the review process, as a more critical service or vendor will ultimately require more due diligence to be performed.
Regulations define cybersecurity as:
Regulators expect financial institutions to be not just cyber-secure, but cyber resilient, and that requires close cooperation with all their critical third-parties. Assessing and managing risks, and developing capabilities for response and recovery in the event of disruptions regardless of where they may occur, requires financial institutions to have proven plans in place to meet regulatory expectations. The FFIEC has issued specific guidance on how it expects organizations to manage this process. The FFIEC IT Examination Handbook’s “
In today’s banking environment, community banks recognize and embrace the use of technology and remain committed to investing in new technologies and services moving forward. In fact, nearly 77% of respondents claim they are spending more on technology today than they have in the past. However, the challenge often lies in trying to keep pace with the rapid rate of change that is influencing their business. Community banks are continuing to explore ways to enhance and augment their IT departments, as many institutions struggle to maintain adequate personnel needed to manage the complex activities required of the IT department. To counter this, 71% of respondents have turned to outsourcing their network management and 63% have outsourced their IT support.
It is important to make sure that all functional areas of the institution are involved in testing. This means that in addition to the Senior Management and Information Security roles defined in your plan, the team should also consist of key department heads with detailed operating knowledge of the processes and functions impacted by your scenario. These individuals must be aware of how to quickly recover and adequately support customer needs, regardless of whether normal operating procedures are available. Therefore, tests should cover the steps departmental managers must take to complete functions manually or in an alternate way. Although technology is important, the disaster response must not hinge on waiting for technology glitches to be resolved. Your departmental specialists know how to do their job under normal circumstances, but including them in testing allows them to gain familiarity with their alternate procedures in a specific emergency scenario.
