Tag: BCM

27 Jul 2022
Learn How to Eliminate Compliance Pain Points with COMPaaS

Keeping compliance processes and information security up to date is crucial, especially with the ever-increasing risks and regulatory requirements that are facing financial institutions. Our compliance-as-a-service solution, COMPaaS, solves this problem. It offers community banks and credit unions an easy way to customize information technology and compliance services to match their institution’s needs.

What is COMPaaS?

COMPaaS is a collection of connected compliance applications combined with critical monitoring and reporting tools that institutions can customize to address their specific pain points. Regardless of type or size, any financial institution can use COMPaaS to build a unique package of services that are based on their specific compliance resources, expertise, and budget.

The full suite of services meets regulatory requirements in a range of areas from vendor and network management to cloud security, information technology, and business continuity management:

  • BCP Blueprint: An application that automates the building and maintenance of a business continuity plan.
  • CloudInsight M365 Security Basics: A reporting tool that provides visibility into security settings for Azure Active Directory and M365 tenants.
  • Cybersecurity RADAR: A user-friendly application to assess cybersecurity risk and maturity.
  • Information Security Program: A proven regulatory framework with applications that allow you to build a customized, interactive, and compliant infosec program.
  • Lookout: An event log monitoring solution that efficiently combs through daily logs and sends notifications for activities that need review.
  • NetInsight: A reporting tool that runs independently of existing network tools to provide third-party “insight” into IT controls.
  • Vendor Management: An application that tracks vendor risks, automates contract renewal reminders, and generates reports.
  • V-Scan: A security solution that scans a network, identifies vulnerabilities, and generates a comprehensive report.

How Does It Work?

The COMPaaS applications and services were built with our experts’ core knowledge and industry best practices to help your institution build a strong compliance foundation. Whether you choose one of the automated applications or a service that provides a dedicated compliance resource, COMPaaS can help you better manage your policies and procedures, implement effective controls, and fill in reporting gaps to meet examiner expectations. It is the ideal solution because it lets you select the exact products and services you need now and add more later as your requirements change. For example, if you are a smaller bank, you might begin with a vendor management application and then build from there to cover your cybersecurity risk and information security concerns.

Key Benefits

COMPaaS allows financial institutions to leverage the benefits of automation to streamline time-consuming processes related to regulatory requirements. It converts labor-intensive processes that often exist on paper into apps to create living documents that are more efficient and less likely to become outdated.

COMPaaS also uses technology to enforce verifiable controls and provide consumable reports so that institutions can implement the appropriate actions to maintain information security. This can make it easier to prove to a third party that critical issues are being addressed. In addition, COMPaaS was designed with the regulatory needs of community banking institutions in mind. For example, the technology and security products cover the standards set by the Federal Financial Institutions Examination Council’s Cybersecurity Assessment Tool (CAT) or the National Credit Union Administration’s Automated Cybersecurity Examination Tool (ACET).

The COMPaaS Advantage

With COMPaaS, institutions have an effective way to target and eliminate their specific compliance and information technology weaknesses. They can save time by automating compliance tasks and save money by selecting only the options where they need help. Institutions also can expand COMPaaS’ services to support internal IT staff who may not be well-versed in a particular area or wearing multiple hats and juggling too many tasks. Or they can use COMPaaS to fill a void when an IT staff member takes a vacation, goes on leave, gets promoted, or retires. Whatever the situation, institutions can maintain continuity by having access to the same tools, reporting features, and experts through COMPaaS. And our solutions will grow with the institution, so it can implement various services at separate times based on its budget and needs.

19 Jan 2022
Balancing Strategy and Compliance: Addressing the Strategic Needs of Your Institution While Remaining Compliant

Banks and credit unions require a complex interconnected infrastructure to support their employees, serve customers, and maintain their operations. This entails an array of owned and outsourced elements: hardware, software, controls, processes, and evolving technologies such as cloud, artificial intelligence (AI), machine learning, and more. In addition, effective data governance and data management are fundamental to maintaining the confidentiality, integrity, and availability of information. The data management process is highly regulated and financial institutions are under increasing pressure when trying to balance the strategic needs of their organization with the increased demands for remote employees and online customers.

Evolving Remote Workforce and Customer Base

Over the past couple of decades, advancements in communication and technologies have allowed for a more mobile workforce and customer base, and the ongoing COVID-19 pandemic quickly intensified this trend. During the first year of the pandemic, Gartner conducted a survey that found 82% of businesses intended to allow remote work at least part of the time, with 47% of companies allowing it full time. Although 2020 represented a significant increase in remote work and digital engagement, the trend seems to be continuing for the foreseeable future. According to Upwork’s Future Workforce Report 2021, 40.7 million American professionals, nearly 28% of respondents, will be fully remote in the next five years, up from 22.9% in the previous survey conducted in November 2020.

This trend requires adding more technology and devices to enable online access to financial services, and to enable secure access to the information and other resources needed for remote workers to perform their duties away from the office. Banking customers want convenient access to financial services, whether through a physical location, the internet, or a mobile app, and institutions need the tools and techniques to keep them secure. With more devices in the hands of employees and customers, there are many more vectors for cyberattacks and way more endpoints to secure. Even institutions that have been trying to avoid the risks that come with enabling remote engagement are forced to reevaluate the costs and benefits.

Increasing Regulatory Requirements

Privacy and data security have become key compliance issues for financial institutions as they adapt to accommodate employees and customers who prefer to work and bank remotely. From a regulatory standpoint, the Federal Financial Institutions Examination Council (FFIEC) has always expected financial institutions to have data management controls in place to protect data in physical and digital forms wherever the data is stored, processed, or transmitted. This includes any data relating to the organization, its employees, and its customers. “The data management process involves the development and execution of policies, standards, and procedures to acquire, validate, store, protect, and process data,” states the FFIEC IT Handbook’s Architecture, Infrastructure, and Operations booklet. “Effective data management ensures that the required data are accessible, reliable, and timely to meet user needs.”

The FFIEC requires institutions to follow a wide range of other guidelines and procedures, which are reflected in various FFIEC booklets and include:

  • Governance – Management should promote effective IT governance by establishing an information security culture that promotes an effective information security program and the role of all employees in protecting the institution’s information and systems.
  • Know-your-customer – Financial institution management should choose the level of e-banking services provided to various customer segments based on customer needs and the institution’s risk assessment considerations.
  • Resilience – Financial institutions are responsible for business continuity management (BCM), which is the process for management to oversee and implement resilience, continuity, and response capabilities to safeguard employees, customers, and products and services.

Strategic Compliance Solutions

With so many compliance issues to address, it can be difficult to balance the needs of your financial institution, your remote workers, and your customers. Safe Systems has a team of compliance experts and a broad range of compliance solutions to help you manage government regulations, information security, and reporting efficiently. Our team of compliance experts are trained in banking regulations, hold numerous certifications, and are laser-focused on delivering the tools and knowledge to give you compliance peace of mind.

05 Nov 2021
Minimize Examiner Scrutiny by Automating Compliance Processes

Financial institutions can expect to receive increased auditor and examiner scrutiny over their governance and oversight practices, and inconsistencies between procedures and practices will often result in findings. However, these challenges can be minimized or even eliminated by using automation to manage compliance processes.

Incorrect or Outdated References

One of the most widespread exam issues institutions encounter is due to policy inconsistencies, where incorrect or outdated references are used. Mentioning outdated guidance in policies is one of the most common offenses that institutions commit. For instance, referring to an older term like SAS 70 (Statement on Auditing Standards No. 70) or SSAE 16 (Statement on Standards for Attestation Engagements No. 16) instead of the newer SSAE 21 (Statement on Standards for Attestation Engagements No. 21) could be dismissed as a minor oversight, but it could also be considered a “red flag” causing examiners to question whether the institution has properly updated its policies, resulting in further scrutiny. A weakness in one area strongly suggests that there may be other weaknesses.

Another example of this type of issue is referencing “business continuity planning” (or BCP) versus “business continuity management planning” (or BCMP). Again, this would be a minor mistake because the term business continuity planning is not necessarily obsolete; still, it’s not consistent with the most recent guidance, and could lead to deeper dives in other areas. (In 2019, the Federal Financial Institutions Examination Council (FFIEC) issued the Business Continuity Management booklet. This guidance, part of the FFIEC Information Technology Examination Handbook, replaces the Business Continuity Planning booklet issued in February 2015.)

The problem with employing slightly outdated terminology also applies to phrases like “maximum allowable downtime” (MAD) and its newer equivalent, “maximum tolerable downtime” (MTD). Examiners and auditors will accept either phrase, so this is not a critical issue, but the use of dated terms can instill doubt in examiners and make them inclined to dig deeper into the institution’s policies.

Procedure and Practice Inconsistencies

Disconnects between policies and practices are another frequent exam challenge for institutions. Ideally, written procedures should not contain statements that contradict the institution’s actual practices. In other words, your actual practices should reflect as closely as possible what you say you’ll do in your written procedures. For instance, there would be a procedure/practice inconsistency if the password policy of the information security program required eight characters, and the acceptable use policy (AUP) that employees signed allowed passwords of a different length. This type of inconsistency will almost certainly lead to further issues with examiners and auditors.

Another key area of focus for examiners and auditors is board reporting. Disconnects can occur if the information presented to the Board is not properly documented in Board minutes. This challenge is compounded by the sheer volume of information modern Boards are required to digest. The only way to make sure board minutes contain all pertinent details is to periodically review them. This will help ensure that the content of board meetings is consistent with both examiner expectations, and your written procedures.

Integrating Automation

In addition to changes in guidance terminology or updates to guidance policies, an institution’s procedures can and do change periodically as well. So contradictory statements resulting from policy updates are inevitable. Still, financial institutions must be aware of guidance changes and must also ensure their current procedures align with their practices and are consistent across all documents to make sure they comply with industry guidance and regulations. While this is easier said than done, technology can make it easier for institutions by providing regular updates to accommodate changing regulations and trends as well as make it more feasible for them to identify inconsistencies between their policies and procedures.

For example, a simple way to assess your potential exposure to procedural disconnects is to search through the documents in your institution’s information security program, for statements that include the words “will,” “must” or “shall.” Each of these statements contains an obligation of some sort; something you’ve committed to doing. For each occurrence, determine if A) it’s being completed exactly as indicated, B) by the group or individual assigned responsibility, and C) it’s being performed at the designated frequency or interval. Automation can help track these tasks and provide the necessary proof in the form of documentation. Additionally, most policies will make multiple references to the same task; business continuity may be referenced in information security, incident response in business continuity, vendor management in both information security and business continuity, etc. A change to a procedure or practice in one document should automatically trigger the associated changes elsewhere.
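The search described above, as an added example that is not part of the original post or of any Safe Systems product: a small Python script that pulls every “will,” “must,” or “shall” statement out of a set of policy documents, records the apparent owner and frequency of each, flags statements whose wording names no one responsible, finds the same task stated in more than one document (the cross-references mentioned above), and, for the password-length disconnect described under Procedure and Practice Inconsistencies, flags documents that state different minimum lengths for the same control. The document excerpts, document names, word lists and similarity threshold are all constructed for the example.

```python
"""Added example: obligation extraction and cross-document consistency check.
Not Safe Systems code; the policy text below is constructed for the example."""
import re

# Constructed sample excerpts from three hypothetical policy documents.
DOCUMENTS = {
    "Information Security Program": (
        "The ISO will review the information security risk assessment annually. "
        "User passwords must contain at least twelve characters. "
        "The Vendor Management Committee shall review critical vendor controls each year. "
        "Employees may use approved personal devices."
    ),
    "Acceptable Use Policy": (
        "Passwords must be at least eight characters long. "
        "Employees shall complete security awareness training annually."
    ),
    "Business Continuity Plan": (
        "The BCM Coordinator will test the plan at least annually. "
        "Critical vendor controls shall be reviewed each year by the Vendor Management Committee."
    ),
}

MODAL_RE = re.compile(r"\b(will|must|shall)\b", re.IGNORECASE)
FREQ_RE = re.compile(r"\b(annually|each year|quarterly|monthly|weekly|daily)\b", re.IGNORECASE)
PW_LEN_RE = re.compile(
    r"passwords?\b.*?\b(?:at least|minimum of)\s+(\w+)\s+characters", re.IGNORECASE)
NUMBER_WORDS = {"eight": 8, "ten": 10, "twelve": 12, "fourteen": 14, "sixteen": 16}
STOPWORDS = {"will", "must", "shall", "least", "with", "that", "this", "from"}


def split_sentences(text):
    return [s.strip() for s in re.split(r"(?<=[.!?])\s+", text) if s.strip()]


def extract_obligations(documents):
    """One record per sentence that commits the institution to do something."""
    records = []
    for doc, text in documents.items():
        for sentence in split_sentences(text):
            m = MODAL_RE.search(sentence)
            if not m:
                continue  # "may", "should", etc. are not commitments
            # Heuristic owner: the words before the modal verb, minus a leading "The".
            subject = re.sub(r"^the\s+", "", sentence[:m.start()].strip(), flags=re.IGNORECASE)
            # "shall be reviewed" / "must be at least" name no one responsible.
            no_owner = sentence[m.end():].lstrip().lower().startswith("be ")
            freq = FREQ_RE.search(sentence)
            records.append({
                "document": doc,
                "statement": sentence,
                "owner": "UNASSIGNED" if no_owner or not subject else subject,
                "frequency": freq.group(1).lower() if freq else "UNSPECIFIED",
            })
    return records


def _keywords(sentence):
    words = re.findall(r"[a-z]+", sentence.lower())
    return {w for w in words if len(w) > 3 and w not in STOPWORDS}


def cross_references(records, threshold=0.5):
    """Pairs of obligations in different documents that describe the same task,
    judged by keyword overlap (Jaccard similarity) between the two sentences."""
    pairs = []
    for i, a in enumerate(records):
        for b in records[i + 1:]:
            if a["document"] == b["document"]:
                continue
            ka, kb = _keywords(a["statement"]), _keywords(b["statement"])
            union = ka | kb
            score = len(ka & kb) / len(union) if union else 0.0
            if score >= threshold:
                pairs.append((a["document"], b["document"], round(score, 2)))
    return pairs


def password_minimums(documents):
    """Minimum password length each document states, as an integer (None if unparsed)."""
    found = {}
    for doc, text in documents.items():
        m = PW_LEN_RE.search(text)
        if m:
            raw = m.group(1).lower()
            found[doc] = NUMBER_WORDS.get(raw, int(raw) if raw.isdigit() else None)
    return found


def find_conflicts(documents):
    """Controls whose stated value differs between documents."""
    mins = password_minimums(documents)
    return {"password_min_length": mins} if len(set(mins.values())) > 1 else {}


if __name__ == "__main__":
    obligations = extract_obligations(DOCUMENTS)
    for r in obligations:
        print(f"[{r['document']}] owner={r['owner']!r} freq={r['frequency']}: {r['statement']}")
    print("same task in several documents:", cross_references(obligations))
    print("conflicting values:", find_conflicts(DOCUMENTS))
```

On the sample text the script lists seven obligations, marks the two written in the passive voice or as bare requirements (“shall be reviewed,” “must be at least”) as having no assigned owner, links the vendor-control review stated in both the information security program and the business continuity plan, and reports the twelve-versus-eight character password conflict. Each UNASSIGNED or UNSPECIFIED entry and each cross-reference is a candidate for the A/B/C check described above; the keyword-overlap threshold is deliberately simple and should be tuned against real documents.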

Integrating automation into the equation can help institutions streamline their methods for managing a variety of compliance changes and issues and greatly reduce the most common causes of findings due to disconnects and inconsistencies. Automation can make it easier to maintain more consistent and complete integration in areas throughout the organization, including information security, risk management, network management, vendor management, and business continuity management. Ultimately, automated updating, tracking, reporting, and other tasks can facilitate better preparation for exams and audits, and greatly reduce stress levels!

To learn more about how automating routine procedures can help financial institutions avert auditor and examiner criticism, listen to our webinar on “Managing Your Compliance Processes in 2021: Is There a Better Way?”

If you’re not certain where to begin when it comes to automating your compliance processes, check out our new service, COMPaaS™ (Compliance as a Service). This set of connected applications and powerful monitoring and reporting tools can be customized to target and eliminate your institution’s specific compliance pain points. One of our experts will help you create a solution that is unique to your institution, so you only pay for the services you need. And you can feel confident in choosing from products and services that are backed by nearly 30 years of experience in the banking industry.

13 May 2021
Is Your Financial Institution BCM Compliant?

It’s been a few years since the FFIEC updated its BCM IT Examination Handbook and expanded its focus from “business continuity planning (BCP)” to “business continuity management (BCM).” While most financial institutions should already be aware of the updates to the handbook, it’s always beneficial for banks and credit unions to refresh their plan to remain up to date and compliant when it relates to business continuity.

In a recent post, Safe Systems’ compliance expert, Tom Hinkel, discusses five key points to keep in mind when evaluating your Business Continuity Management plan:

  • Resilience
  • Entities vs. Institutions
  • MAD vs. MTD
  • Exercises and Tests
  • Guidance vs. Requirements

In case you missed the full blog, view it here

22 Apr 2021
Why a Comprehensive Disaster Recovery Service is Critical to Any Financial Institution’s BCM

As part of business continuity management (BCM), banks and credit unions must ensure they can maintain and recover their operations after a catastrophic event happens. Their BCM strategy should outline all the significant actions they intend to take after a natural disaster, technological failure, human error, terrorism, or cyber attack. The goal is to lessen the disaster’s impact on business operations, so the financial institution can continue running with minimal loss and downtime.

Disaster recovery (DR) is essentially the IT part of the business continuity plan. It should address the recovery of data centers, networks, servers, storage, service monitoring, user support, and related software needed to get operations back to normal, based on the Federal Financial Institutions Examination Council (FFIEC) IT Handbook’s Business Continuity Management booklet.

The Need for a Comprehensive DR Solution

Financial institutions must have effective DR measures in place to ensure they can deliver the resources their employees need to continue serving customers after a disaster. That’s why having a comprehensive DR service is so critical. The simplest and most cost-effective way to accomplish this is with a cloud-based solution.

With DR in the Cloud, institutions are always prepared to respond to natural and man-made disasters as well as infrastructure and technology failures. The Cloud allows institutions to access their data—no matter what kind of disaster strikes. This could be crucial if a severe storm damages an entire city and multiple locations of a community financial institution. The institution would not be able to handle DR on-site, making the Cloud the most viable option. The March 25th outbreak of tornadoes in central Alabama is a good example of the potential need for cloud DR. The tornadoes tore into hundreds of miles of Alabama forest and neighborhoods, causing significant damage, according to the National Weather Service.

The Cloud provides major benefits in any DR situation, including ease, expediency, and efficiency. If institutions have been doing ongoing backups, they can leverage the Cloud to initiate DR right away. The process is quick; recovery can take minutes instead of hours or days as it did for older DR solutions. However, it’s important to set up DR processes so that they are not subject to issues that can impact the institution’s main system. Take, for instance, the rapidly increasing problem of ransomware. It’s important to have cloud DR services structured so that the DR backups cannot also be infected with the same ransomware.

Essential Aspects of a DR Service

Another essential element for a cloud DR service is testing. The test results should be documented and available for Management and the Board of Directors to scrutinize. This can help institutions ensure their expectations are being met by the DR service. Institutions that are not using a comprehensive DR service are more likely to delay the testing and validation steps that are critical to business continuity planning (BCP). It’s basic human nature: IT admins tend to prioritize addressing urgent day-to-day issues over doing routine testing.

So, either testing doesn’t get done regularly or it doesn’t happen at all. A third-party DR service with a team of experts available can make sure testing gets done at the proper time. Another important issue for institutions is having IT staff available with the appropriate knowledge when a disaster strikes. With an external service provider, someone with the right expertise will always be there to execute the disaster recovery. So, the success of the institution’s DR plan will not depend on the availability of just a few employees.

A comprehensive cloud DR service offers substantial redundancy, reliability, uptime, speed, and value. It can give financial institutions the best bang for their buck. Not using cloud DR can be cost-prohibitive for many institutions, considering the hardware and software requirements, maintenance, ongoing testing, and documentation required. Ultimately, a cloud DR solution from an external service provider can give institutions the comfort of knowing their DR plan is being adequately tested and will work during a real disaster.

04 Mar 2021
5 ISO Duties that Can Be Automated for FIs

Information security officers (ISOs) at financial institutions typically have myriad responsibilities on their plates, and each of those responsibilities comes with one or more forms of documentation to verify the actions taken. While these duties relate to the main categories of network security and regulatory compliance, there are a host of functions that fall under the ISO’s oversight role.

Fortunately, many ISO responsibilities can be at least partly automated to facilitate the management of the institution’s information security program. Here are five of them:

1. Business Continuity Management (BCM)

ISOs are responsible for overseeing and coordinating BCM, providing detailed guidance on how to recover from a business interruption, and ensuring that the appropriate people, processes, and technology components that make up the network of interdependencies are also restored. Automation can make it easier for the ISO to identify the interdependencies, complete the annual updates, and conduct the training exercises and testing required. Automation can also alert process owners to tasks that are coming due, generate reminders for the annual board approval of the plan, and report test results to the board. While the BCP tests themselves cannot be automated, the documentation and reporting of the tests can, which significantly streamlines the ISO’s oversight responsibilities and makes it much easier to locate these documents at audit and examination time.

2. Updates to the Information Security Program and Information Security Risk Assessment

Automation can provide alerts to help ISOs keep abreast of updates from regulators. Then the ISO can easily pull reports on the revised areas to present them for board approval. Essentially, it’s plan maintenance that can be automated, although some interpretation is needed to support the process. Automation can prevent an institution’s information security program from becoming out of date, which can happen easily when an ISO relies on manual processes, and failing to make an important update can have significant negative consequences. For instance, if management misses a major BCP update, an annual test, or board reporting, auditors may construe this as a general weakness in management and scrutinize other areas more closely, such as lending practices or financial reporting. Automation can help institutions avoid inadvertent missteps and the resulting hassles within their information security program.

In addition, many recent examination findings relate to inconsistencies between the institution’s policies (what they say they do) and their procedures (how they say they will do them). Automation, when combined with integration between applications, can greatly reduce this probability by easily propagating policy and procedural changes throughout all elements of your information security program. For example, sometimes financial institutions will update their BCM plan but might be lax with other policies—something that can result in a disconnect between different policies. In this case, one policy may refer to a process that is no longer being used; or a policy may contain conflicting references for a process that has been updated. These and other kinds of inconsistencies are virtually impossible to catch without automation and integration.

3. Tracking Audit Exam Findings

Unresolved, or “repeat,” findings are usually treated very harshly by regulators. Making sure that all audit and exam issues are resolved in a timely manner is crucial. Automation can rate the severity of each finding, assign it to a responsible party, set a due date for resolution, and send “ticklers” and reminders as the dates come due. At the end of the process, the ISO can quickly generate reports to provide to the institution’s board, examiners, and other stakeholders. Alerts and on-demand reporting can enhance accountability for addressing each of the findings to improve internal controls and other areas.

4. Managing Third-party Relationships

Financial institutions are required to manage the risks of their third-party vendors and the responsibility to assure this is done falls squarely on the shoulders of the ISO. Institutions can use automation in every aspect of their vendor relationship management, including alerting and tracking of periodic updates to the risk assessments, annual updates to the control reviews, contracts, and contract renewals. With automation, the ISO can instantly identify required tasks and produce the necessary documentation related to its vendor management activities.

5. Cybersecurity

Cybersecurity is an important sub-component of information security, and automation can significantly enhance the ISO’s multiple oversight efforts in this area. An automated system can remind ISOs to verify that crucial assessments are completed, including the annual Cybersecurity Assessment Tool (CAT) and the Ransomware Self-Assessment Tool (R-SAT). Alerts can be scheduled to prompt ISOs to conduct annual incident response tests, a gap analysis, and cybersecurity training for employees and the board. And on-demand reporting can keep all stakeholders informed on the progress of your cybersecurity efforts.

One final thought about automation; when the application is combined with a provider familiar with, and dedicated to, the regulatory environment of the financial institution, you do not have to worry about a non-compliant policy or procedure. All necessary regulatory and best practice updates are built-in to the automation.

As a national provider of fully compliant IT and security services, Safe Systems offers a variety of innovative solutions that can help financial institutions automate some of the important responsibilities of their ISO.

08 Jan 2021
2020 in the Rearview: A Regulatory Compliance Update

The COVID-19 pandemic dominated the regulatory landscape early in 2020, with cybersecurity dominating the last couple of months. Here is a look back at important regulatory changes and trends in 2020 and a look ahead at what to anticipate for 2021.

Characterizing Causes of Weakness

When it became obvious that the pandemic would have a pervasive and wide-ranging effect, the Federal Financial Institutions Examination Council (FFIEC) issued several statements to address the situation. The FFIEC outlined some of the adjustments and accommodations that regulators expect bankers to make concerning lending, operational risks, and other areas. For instance, if an exam results in downgrading component or composite ratings for an institution, a distinction will be made between any weakness caused by the pandemic vs. management and governance issues.

Essentially, examiners will differentiate between a weakness resulting from an external event versus an internal systemic issue—even if the event is beyond management’s control.

The statement issued in June 2020, states, “Examiners will consider whether institution management has managed risk appropriately, including taking appropriate actions in response to financial and operational stresses caused by COVID-19 impacts.”

It is uncertain exactly how this issue will be interpreted in a post-pandemic world. After all, a pandemic should be a part of all financial institutions’ business continuity planning, and as such, not completely outside the realm of a reasonably anticipated threat. So ideally management should have anticipated such an event and been prepared to respond. The only unanticipated aspect of the current COVID-19 event is its extremely extended duration compared to a typical pandemic. It will be interesting to see how the agencies square the concepts of a “reasonably anticipated threat” vs. “external factors beyond management’s control”. Aren’t most threats both reasonably anticipated, and also beyond management’s control? We’ll let you know if and when we get any clarification on that.

Regardless of the scenario, documentation is crucial and often overlooked. Most folks are laser-focused on just getting past this and back to “normal” business, but memories fade over time, and documenting what adjustments you’ve made (or plan to make) during the pandemic will make the post-pandemic adjustments easier to explain to management and justify to examiners. Documentation can also help establish your increased ability to anticipate and respond to the next threat, also referred to as “resilience”. Institutions should make every attempt to document all management decisions, such as the minutes from management meetings, communications with third-parties, and any strategic or procedural changes you may have made or need to make. For example, if you’ve implemented technology to enable an increased mobile workforce (a strategic change), have you updated the remote access procedures and best practices in your employee Acceptable Use Policy accordingly (a procedural change)? Have all remote employees signed the updated AUP?

In our next blog post, we will dive into the focus on ransomware mitigation, how best to address cybersecurity, and what to expect heading into 2021.

01 Dec 2020
Why Documentation is an Essential Priority During the COVID-19 Pandemic

While financial institutions have spent the last nine months focused on pandemic response and ensuring critical services remain available to their customers and members, there are other key areas of consideration to ensure their institutions remain compliant and can thrive in the future, including documentation. Unfortunately, few financial institutions are adequately documenting their efforts and new strategies as they are being implemented. Below are three key reasons why they really should.

1. Regulatory Expectations

Examiners will expect to see how financial institutions have handled the pandemic and that all of the lessons learned are reflected in their business continuity management plans (BCMP).

Some key questions regulators may ask regarding pandemic response include:

  • What have you learned from this event?
  • What have you done to enhance your pandemic plan based on those lessons learned?
  • Prior to this event, had you analyzed your business processes and their interdependencies, and prioritized them by recovery time?
  • Have you identified employees with job duties capable of being performed remotely? If so, did they have secure, reliable, remote access?
  • If those job duties are highly specialized, or highly critical, did you have alternate personnel identified and pre-trained to step in when needed?

2. Key Lessons Learned

All banks and credit unions must take a different approach to pandemic planning that fits their institution’s unique needs. They need to consider all of the challenges they’ve faced throughout the pandemic and apply key lessons learned to enhance their operations, including the importance of cross-training staff, enhancing security measures, succession planning, and improving technology so that employees can work from home. Until the pandemic passes, financial institutions should continue to reference their business continuity plans and document the entire process to create a blueprint for reference if a similar situation arises again in the future.

3. Strategic Planning

According to the FFIEC, an entity’s strategic planning should be developed to address all foreseeable risks, and these risks should cover the potential impact on personnel, processes, technology, facilities, and data. Throughout the pandemic, financial institutions should track what they are doing, how they are doing it, and whether any new procedure should be included in their existing crisis management or response plan.

The key is for institutions’ steering or strategic planning committee to stop periodically and document—or backfill information after the fact (at least a month or a quarter later). Failing to document this process will result in institutions returning to business as usual after the crisis subsides and potentially making serious mistakes if a pandemic situation occurs in the future.

To learn more about pandemic response and key priorities for financial institutions, download our latest white paper, “Navigating the Coronavirus pandemic: Best Practices for Pandemic Planning and Key Lessons Learned for Community Banks and Credit Union.”

19 Nov 2020

3 Key Concepts to Incorporate into Your Business Continuity Management Plans

The 2019 FFIEC Business Continuity Management Handbook represented a significant change in how bank and credit union examiners will assess your business continuity planning efforts going forward. Here are 3 concepts to make sure you’ve incorporated into your Business Continuity Management Plan (BCMP):

1. Likelihood and Impact

According to the Federal Financial Institution Examination Council’s (FFIEC) Business Continuity Management Handbook, “management should evaluate the likelihood and impact of disruptive events. Risks may range from those with a high likelihood of occurrence and low impact such as brief power interruptions to those with a low probability of occurrence and high impact such as pandemics. The most difficult risks to address are those that may have a high impact on the entity but a low probability of occurrence.”

Performing a risk assessment helps financial institutions identify all potential risks and classify them based on probability and impact. They should also quantify the impacts and define loss criteria as either quantitative (financial) or qualitative (e.g., impact to customers, reputational impact). However, to efficiently assess these risks, banks and credit unions need to be able to visualize them and plan accordingly. One way to do this is to use a four-quadrant matrix, plotting the likelihood and impact of every threat as a scatter graph.

Likelihood and Impact Graph

There are many other ways to do this, but whichever method you choose, examiners expect financial institutions to be able to document both probability and impact, and not only for the high probability and high impact threats, but also for the low probability high impact threats.

Although the Handbook lists pandemic as an example of a low probability, high impact event, you may want to adjust the probability (and possibly the impact) rating upward based on the COVID-19 event. At this point, it is a certainty that everyone has been impacted somehow.

2. Resilience

Resilience is the ability to prepare for—and adapt to—changing conditions, and both withstand and recover rapidly from disruptions, whether that includes deliberate attacks, accidents or naturally occurring threats or incidents. The first step to resiliency is to identify your proactive measures for mitigating the risk of a disruptive event such as:

  • Off-site repository of software (Data vaulting)
  • Appropriate backups of data
    • Cloud-based disaster recovery services may be considered as part of resilience programs
  • Off-site/redundant infrastructure (Hardware, data circuits, etc.)
  • Third parties (Alternate vendors/suppliers)
  • Key personnel (Succession planning)
  • Cybersecurity assessment tool
    • Annual process of considering changes in inherent risk and how you’re evolving in maturity

These are things you probably are already doing. If so, you can use your calculations to show that you already have proactive resilience measures in place.

Make sure to incorporate any adjustments made and lessons learned from the recent pandemic into your inventory of resilience measures against the next pandemic.

3. Inherent vs. Residual Impact

Although the residual risk rating is often used as the measure of the effectiveness of your risk management program, best practices mandate that management should use inherent risk ratings to guide their recommendations for (and use of) mitigating controls. However, when calculating residual threat impact, you can factor in any existing impact mitigation measures you already have in place. For example, if you use forewarning, duration, and speed of onset to calculate impact, any measures taken to reduce those 3 factors can also reduce your impact rating:

  • Example 1: Smoke detectors and fire detection equipment decrease the impact of a fire by increasing the forewarning factor
  • Example 2: Auxiliary power decreases the impact of a power outage by decreasing the duration factor
  • Example 3: Good project management practices decrease the impact of strategic risk by slowing the speed of onset factor

This is how you can take advantage of the existing measures you already have in place to decrease the residual impact of an event. You don’t have to do anything new; just take into account all of the things you’ve already done to build resilience into your business continuity plan. Then simply add on where residual risks are still above your risk appetite!
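The likelihood/impact matrix from concept 1 and the inherent-versus-residual calculation from concept 3 can be worked through in code. The block below is an added example, not part of the original post or of any Safe Systems product: it scores impact as the mean of the three factors the post names (forewarning, duration, speed of onset), credits each control against one factor, and flags the threats whose residual risk still exceeds a risk appetite. Every threat, rating, control, threshold and the appetite value are constructed sample data.

```python
"""Likelihood/impact matrix with inherent vs. residual impact (added example).
Impact comes from the three factors the post names: forewarning, duration and
speed of onset, each rated 1 (favourable) to 5 (severe). A mitigation lowers
one factor; residual impact is recomputed from the lowered factors while
likelihood is untouched. All threats, ratings, controls and the appetite are
constructed sample data."""
from dataclasses import dataclass, field

FACTORS = ("forewarning", "duration", "speed_of_onset")
LIKELIHOOD_THRESHOLD = 3   # likelihood at or above this is "high"
IMPACT_THRESHOLD = 3.0     # impact at or above this is "high"


@dataclass(frozen=True)
class Mitigation:
    name: str
    factor: str      # one of FACTORS
    reduction: int   # rating points removed from that factor (floor is 1)


@dataclass
class Threat:
    name: str
    likelihood: int       # 1 (remote) .. 5 (expected)
    forewarning: int      # 5 = strikes with no warning at all
    duration: int         # 5 = disruption lasts a very long time
    speed_of_onset: int   # 5 = full effect is felt immediately
    mitigations: list = field(default_factory=list)


def inherent_factors(threat):
    """Factor ratings before any control is credited, range-checked."""
    ratings = {"likelihood": threat.likelihood}
    ratings.update((f, getattr(threat, f)) for f in FACTORS)
    for label, value in ratings.items():
        if not isinstance(value, int) or not 1 <= value <= 5:
            raise ValueError(f"{threat.name}: {label} must be 1..5, got {value!r}")
    return {f: ratings[f] for f in FACTORS}


def residual_factors(threat):
    """Factor ratings after each mitigation lowers its target factor."""
    factors = inherent_factors(threat)
    for m in threat.mitigations:
        if m.factor not in factors:
            raise ValueError(f"{m.name}: unknown factor {m.factor!r}")
        factors[m.factor] = max(1, factors[m.factor] - m.reduction)
    return factors


def impact(factors):
    """Impact rating 1.0..5.0: mean of the three factors."""
    return round(sum(factors.values()) / len(FACTORS), 2)


def risk(likelihood, factors):
    """Likelihood x impact, from the raw factor sum so rounding does not compound."""
    return round(likelihood * sum(factors.values()) / len(FACTORS), 2)


def quadrant(likelihood, impact_rating):
    """Position on the four-quadrant likelihood/impact matrix."""
    high_l = likelihood >= LIKELIHOOD_THRESHOLD
    high_i = impact_rating >= IMPACT_THRESHOLD
    return f"{'high' if high_l else 'low'} likelihood / {'high' if high_i else 'low'} impact"


def rate(threat, risk_appetite):
    """Inherent and residual ratings for one threat; needs_controls marks
    residual risk that is still above the institution's appetite."""
    inherent, residual = inherent_factors(threat), residual_factors(threat)
    row = {
        "threat": threat.name,
        "quadrant": quadrant(threat.likelihood, impact(inherent)),
        "inherent_impact": impact(inherent),
        "residual_impact": impact(residual),
        "inherent_risk": risk(threat.likelihood, inherent),
        "residual_risk": risk(threat.likelihood, residual),
    }
    row["needs_controls"] = row["residual_risk"] > risk_appetite
    return row


def above_appetite(threats, risk_appetite):
    """Names of threats whose residual risk still exceeds the appetite."""
    return [t.name for t in threats if rate(t, risk_appetite)["needs_controls"]]


# Constructed register: the post's three examples plus pandemic, whose
# likelihood is set to 2 rather than 1 to reflect the post's COVID-19 adjustment.
SAMPLE_THREATS = [
    Threat("Fire", 2, forewarning=4, duration=4, speed_of_onset=4,
           mitigations=[Mitigation("Smoke and fire detection", "forewarning", 2)]),
    Threat("Power outage", 3, forewarning=5, duration=4, speed_of_onset=5,
           mitigations=[Mitigation("Auxiliary power", "duration", 3)]),
    Threat("Strategic risk (failed project)", 3, forewarning=2, duration=4,
           speed_of_onset=4,
           mitigations=[Mitigation("Project management", "speed_of_onset", 2)]),
    Threat("Pandemic", 2, forewarning=3, duration=5, speed_of_onset=3),
]
RISK_APPETITE = 9.0
```

With these sample values, project management brings the strategic risk from 10.0 down to 8.0 (inside the appetite of 9.0), while the power outage stays at 11.0 and is the one threat that needs additional controls.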

For more information, watch our webinar recording, “The New Business Continuity Guidance Requires a Whole New Approach.”

05 Nov 2020
How Banks and Credit Unions Can Maintain Business Continuity to Achieve Effective IT Management

Banks and credit unions of all sizes experience some level of turnover or unexpected absence that can affect internal positions. When the IT administrator role is impacted, it can cause the most disruption, especially for smaller community institutions, as many have limited resources and may rely on only one employee in the role. When an IT administrator leaves, he or she takes with them the institutional knowledge and expertise gained through working with the FI’s unique IT infrastructure and network management processes. To lessen the impact, it’s up to the institution to effectively build continuity into its IT strategy and pay attention to the strategic decisions being made by the IT team.

In a recent Safe Systems webinar, we discussed the importance of continuity in IT and ensuring effective management of the network through transition periods. In this blog post, we highlight three key areas of focus to achieve continuity and keep the institution operating efficiently.

1. Strategic Decisions

We have seen financial institutions fall victim to the “power of one”, where the IT admin has all the knowledge and authority to make IT strategic decisions alone. Then when they leave, the rest of the institution doesn’t have a clear view of what’s been done to the network and how to properly maintain it.

Some IT admins prefer to try new technologies and add more automation to the institution’s processes, while others might stick to their comfort zone and not push for new IT tools. While it’s important to provide an appropriate level of autonomy to the IT admin, it is critical to also have a system of checks and balances in place and to examine the benefits and consequences of these decisions closely to ensure the institution has the right tools to succeed.

2. Strategic Management

For IT personnel to be successful, it is important to outline what your institution wants the IT admin to accomplish and let them know what success will look like when they achieve these goals. Some key questions to consider include: What are the desired outcomes you’re expecting from IT? Is the goal to spend their time and budget on efficiency projects, redundancy projects, or security projects? In other words, what is your tolerance for downtime, security risks, or ineffective and slower processes? How will these goals be measured?

Once these expectations are established, the IT admin should be given the freedom to do what they need to do to achieve the institution’s goals but there should also be a clear chain of command to provide oversight and to evaluate their work.

You do not want to let an employee’s expertise (or lack thereof) impact your technology or for the institution’s security to be affected negatively. Define clear objectives for your IT personnel, whether that’s uptime, recovery time objectives (RTOs), redundancy, budgeting, or specific controls you’d like to have in place to ensure the institution is operating securely.

3. Strategic Plan

Make sure the expectations and objectives you set for IT personnel align with your strategic plan. According to the Federal Financial Institution Examination Council (FFIEC), “strategic IT planning should address long-term goals and the allocation of IT resources to achieve them. Strategic IT planning focuses on a three- to five-year horizon and helps ensure that the institution’s technology plans are consistent and aligned with the institution’s business plan. Effective strategic IT planning can ensure the delivery of IT services that balance cost and efficiency while enabling the business units to meet the competitive demands of the marketplace. The IT strategic plan should address the budget, periodic board reporting, and the status of risk management controls.”

When discussing the strategic plan with management, it’s important to identify the key areas of improvement and provide information on price, level of risk, and what exactly the institution is trying to accomplish. Sometimes having an outside perspective can help push key initiatives along and get them into the budget for the year ahead.

To learn more, download the recording of our webinar, “Understanding The Lifecycle of the IT Administrator: Ensure Effective Management of Your Network.”

08 Oct 2020
Best Practices for Developing a Compliant Cyber Incident Response Program

If you think a cyber incident won’t impact your financial institution, you are seriously underestimating the lengths cybercriminals will go to steal your customers’ or members’ non-public information. According to a new report from NuData Security, a Mastercard company, financial institutions receive the highest percentage of sophisticated attacks (96%) amongst all industries.

As cybercriminals continue to exploit organizations and increase the quality of their attacks, financial institutions need to have a compliant incident response plan in place to control, contain, and recover from a potential cyber incident quickly and efficiently.

Safe Systems held a webinar discussing what a compliant cyber incident response plan should look like and shared key best practices community banks and credit unions should use to effectively document a cyber incident. In this blog, we’ll cover a few of the key points from the webinar.

Elements of a Compliant Incident Response Program

The requirements for incident response have not changed significantly since 2005. The guidance was broad enough to encompass many of the events that are occurring today, including cybersecurity and pandemic-related events. According to the Federal Deposit Insurance Corporation (FDIC), there are five key elements of a compliant incident response program:

  • Assessing the nature and scope of an incident and identifying what customer information systems and types of customer information have been accessed or misused
  • Notifying its primary federal regulator as soon as possible when the institution becomes aware of an incident involving unauthorized access to or use of sensitive customer information
  • If required, filing a timely suspicious activity report (SAR), and in situations involving federal criminal violations requiring immediate attention, such as when a reportable violation is ongoing, promptly notifying appropriate law enforcement authorities
  • Taking appropriate steps to contain and control the incident to prevent further unauthorized access or use of customer information
  • Notifying customers when warranted in a manner designed to ensure that a customer can reasonably expect to receive it

Although these requirements have essentially stayed the same, there is one key change that has occurred in the FFIEC’s 2019 update to the Business Continuity Handbook. The guidance now requires financial institutions to reference or include the incident response plan (IRP) in the business continuity management plan (BCMP). While still acceptable to have a separate incident response plan, somewhere within your BCMP you must now reference the IRP.

How to Document and Maintain Evidence of an Incident

Documentation is a key component of incident response to provide auditors, examiners, and other stakeholders with key information about the abnormal event or incident. Initial steps include the recording of basic facts about the suspicious event before it becomes an official incident.

Key questions include:

  • What specific abnormalities were noticed?
  • Where were they discovered?
  • When were they discovered?
  • Who first noticed the abnormality or event and who did they notify/involve?
  • If the event escalates to an incident, how did it happen, and what were the contributing factors that allowed it to happen?

If the event is categorized as an “incident,” you need to know how to document and maintain the evidence; what decisions were made; and the resulting actions taken. When enacting your containment strategies, part of that should involve collection and preservation of the evidence, including all the key records created by all the various technologies your institution uses. The guidance references that all financial institutions should have some type of logging intelligence. But which logs are most important for incident response?

When creating a logging strategy, there are five key challenges to consider:

  • Sources – Logs are generated from various sources such as users, databases or file shares, endpoints, networks, applications, and cloud services. With so many logs coming from different sources, it’s important to be aware of all the systems and applications generating logs and know how to access them to monitor efficiently
  • Log Volume – The volume can be different depending on the source. Some sources are quiet and easier to manage while other sources like network switches and firewalls are a constant torrent of volume and may be difficult to log. It’s important to determine what is realistic for your institution to store and manage
  • Log Protocols – All of the various sources speak different languages or protocols. Some of them are sending emails using a language called simple mail transfer protocol (SMTP), while other sources like network switches are sending information using a constant stream of Syslog data. It is nearly impossible to create a centralized system that can speak all of these languages perfectly so you must determine how your institution will extract intelligence from the logs
  • Log destinations – Once you’ve collected information, where are you going to send it? You’ll need to determine storage destinations for the different types of logs
  • Log interaction – After you’ve built the logging platform, do you want it to be searchable? You’ll need to decide how you want to interact with the data and how long you will keep it. Adding data retention can become significantly more expensive depending on the time frame for storage

Different types of data likely require different lengths of time for retention. Your retention policy should outline the expected retention time frame for each data log. Institutions should carefully consider all these key challenges when building a logging strategy that fits their unique needs.
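The five challenges above (sources, volume, protocols, destinations, retention) can be checked against an institution’s own log inventory before the platform is built. The block below is an added example, not code from the original post or from Safe Systems: it models each source with its daily volume, protocol and destination, sizes the storage each destination needs over the retention window, and reports the gaps (a source with no destination, a destination that cannot ingest the source’s protocol, a category with no retention period, a destination over its storage budget). The source names, volumes, protocol names, capacities and retention periods are all constructed sample data.

```python
"""Logging-strategy review for the five challenges the post lists: sources,
volume, protocols, destinations and retention (added example). The inventory,
capacities, retention periods and protocol names are constructed sample data."""
from dataclasses import dataclass
from typing import Optional

MB_PER_GB = 1024


@dataclass(frozen=True)
class Source:
    name: str
    category: str          # used to look up the retention period
    protocol: str          # how the source ships logs, e.g. syslog, smtp, api
    mb_per_day: float      # typical daily volume
    destination: Optional[str] = None   # name of a Destination, or None


@dataclass(frozen=True)
class Destination:
    name: str
    protocols: frozenset   # protocols this platform can ingest
    capacity_gb: float     # storage budget for everything sent here


def storage_gb(source, retention_days):
    """Storage one source consumes over its whole retention window."""
    return round(source.mb_per_day * retention_days / MB_PER_GB, 2)


def review_strategy(sources, destinations, retention_days_by_category):
    """Return the storage each destination needs plus a list of findings that
    would stop the strategy from working as written."""
    by_name = {d.name: d for d in destinations}
    required = {d.name: 0.0 for d in destinations}
    findings = []
    for s in sources:
        retention = retention_days_by_category.get(s.category)
        if retention is None:
            findings.append(f"{s.name}: no retention period defined for category {s.category!r}")
        if s.destination is None:
            findings.append(f"{s.name}: no destination assigned")
            continue
        dest = by_name.get(s.destination)
        if dest is None:
            findings.append(f"{s.name}: destination {s.destination!r} is not in the inventory")
            continue
        if s.protocol not in dest.protocols:
            findings.append(f"{s.name}: destination {dest.name} does not accept protocol {s.protocol!r}")
        if retention is not None:   # storage can only be sized once retention is known
            required[dest.name] += storage_gb(s, retention)
    for name, total in required.items():
        required[name] = round(total, 2)
        if required[name] > by_name[name].capacity_gb:
            findings.append(
                f"{name}: {required[name]:.2f} GB required exceeds capacity of {by_name[name].capacity_gb} GB")
    return {"storage_by_destination": required, "findings": findings}


# Constructed inventory for a small institution.
SAMPLE_SOURCES = [
    Source("perimeter firewall", "network", "syslog", 4096, "siem"),
    Source("core switch", "network", "syslog", 1024, "siem"),
    Source("domain controller", "identity", "syslog", 256, "siem"),
    Source("M365 tenant", "cloud", "api", 100, "siem"),
    Source("backup appliance", "infrastructure", "smtp", 5, "siem"),
    Source("loan origination app", "application", "api", 50),
]
SAMPLE_DESTINATIONS = [
    Destination("siem", frozenset({"syslog", "api"}), 500),
    Destination("mailbox", frozenset({"smtp"}), 10),
]
RETENTION_DAYS = {"network": 90, "identity": 365, "cloud": 365, "application": 180}
```

Shortening network retention from 90 to 30 days in this sample brings the SIEM requirement from 576.89 GB to 276.89 GB, which is the kind of retention-versus-cost trade-off the post describes.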

If you’d like to learn more about cyber incident response, download our recorded webinar, “Not If, But When: Best Practices for Cyber Incident Response.”

01 Oct 2020
After a Year Unlike Any Other, What Community Banks and Credit Unions Should Budget for in 2021

In 2020 we’ve learned a lot about ourselves, and whether the general population realizes it or not, they have learned a lot about something often relegated just to banking: Risk Tolerance. And with that in mind, here are seven key items that your institution should consider while budgeting for 2021:

1. Laptops

Supply is down, demand is up, so from a pricing standpoint, you are unlikely to find great deals on laptops, but their portability has been a key component to companies and employees being successful during the pandemic. Remote work is a great option for employees who do not need face-to-face interactions with customers or members, but not every department can work successfully outside of the main office or branch.

When planning for next year, each position in the institution needs to be evaluated, if it hasn’t already, to determine the ability and effectiveness of remote working. When possible, consider having remote employees use a company laptop going forward. In a recent Safe Systems survey of community financial institutions, one-third of respondents have already decided that they will be purchasing more laptops this year.

2. Hardware Management Software

How many of the controls you use to secure your institution’s devices require the device to physically be in the office? As the work environment changes and more people make the shift to working from home offices, your current controls need to be evaluated to ensure they work just as effectively outside of the branch. For years, the push for “agentless” controls has been popular, but many of these controls assumed the office was a well-defined building where all devices used the financial institution’s network. As the home office becomes the new standard for many banks and credit unions, the need for agent-based controls is greater than ever. Controls/security measures are no longer effective if they require the device to be on premise.

3. Business Continuity Plan (BCP) Update

Having an updated pandemic plan as part of your BCP is still likely a need for many institutions. Because it has been more than a century since a full-scale pandemic hit the U.S., many of the assumptions and concepts that pandemic plans were based on have proven to be incorrect. For instance, many plans outlined operational changes based on only 50% staff for just a week or two. Much of the concern before 2020 was making sure staff members were properly cross-trained in the event key individuals were unavailable for days or perhaps a few weeks. While this is still very important, it represents only a tiny portion of truly being ready for a pandemic.

Pandemic plans often did not address managing operations for a long duration or important measures like social distancing, security measures, consumer access, etc. Financial institutions must take a hard look at key lessons learned so far during the COVID-19 pandemic and update their plans accordingly.

4. Moving to the Cloud

Recognizing that having employees working outside of the office is a real possibility moving forward, investing in new servers and putting them in offices is becoming an antiquated idea. The cloud provides a level of redundancy, scalability, and accessibility that cannot be matched by buying a single server. It also means no one has to be in the office to manage the infrastructure. As servers need to be replaced, banks and credit unions should seriously consider the process of moving to the cloud.

5. Client Experience

One question every institution should be asking itself is: “how can we better enhance the customer experience?” While IT is usually seen as a cost center, the events of the past year may have opened a door for IT to step up and offer solutions that directly affect the customer experience. The pandemic has forced many people, some maybe for the first time, to adopt digital banking solutions. If IT can offer specific tools and/or insight into how to improve the customer experience, this may be the opening that IT has hoped for to secure a “seat at the table” among their institution’s leadership.

6. Cybersecurity

Garmin, the GPS and active wear company, reportedly paid $10 million in 2020 to counter a ransomware attack. Their customers were without the services for over a week while Garmin’s data was held hostage. All of the information about their case is not available yet, but the sad reality is that they likely could have prevented the entire situation with just a few technology solutions and security settings being implemented correctly. The threat to your data is as real today as it ever has been. Be sure to have a conversation with a security company you trust to ensure that even if you are the target of a ransomware attack, it won’t be able to hurt your business long-term. Invest in cybersecurity now, so that your institution won’t end up paying much more later.

Consider this: Cyber-attacks are 300 times more likely to hit financial services firms than other companies, according to a recent Boston Consulting Group report, and cyber-attacks continue to climb each year, with the global cybersecurity market expected to eclipse $300 billion by 2024, according to Global Insights.

Unfortunately, spending and layers of protection most likely need to increase annually to address this issue, in areas such as:

  • Employee training – to ensure it is adequate and effective
  • Perimeter protection – to ensure the appropriate layers are enabled and all traffic is being handled correctly, including encrypted traffic
  • Advanced threat protection and logging – to be able to identify how, if at all, malware or an intrusion created an incident
  • Backup and data redundancy – to ensure ransomware can’t wipe out your data

Per Computer Services, Inc (CSI), 59% of financial institutions will increase spending for cybersecurity this year.

7. ISO

With the increase in responsibilities of the Information Security Officer and the focus on separation/segregation of duties, there has been an uptick in the number of institutions looking for virtual ISO (VISO)-type solutions. These solutions can help by taking some of the burden off internal resources, providing staff with templates or toolsets when needed, and providing oversight to ensure nothing falls through the cracks.

For 2021, there are a lot of things to consider. One focus should be to look at the changes your institution had to make because of the pandemic and what changes you should consider making in the future to improve cybersecurity, information security, and as always, your customers’ and members’ experience.

16 Jul 2020
The ISO in a Crisis: The Increased Importance of Vendor Management During a Pandemic

In a previous post, we discussed the role of the ISO in a pandemic and how he or she must make sure all routine tasks are still being completed; help the institution adapt to the new circumstances; and continue providing all products and services at an acceptable risk level.

While an institution may be prepared to continue business as usual, its third-party provider partners may not be on the same page. Like the bankers they support, third-party vendors are also experiencing the impact of the pandemic and are dealing with a variety of operational issues as well. Financial institutions must be able to perform effective vendor management during a crisis and develop alternative plans in the event a critical vendor may not be able to perform the services agreed upon.

Here are a few things the ISO must consider to effectively evaluate the institution’s vendors during a crisis like a pandemic:

Identify Vendor Risks

During a pandemic, the ISO must anticipate several different risk scenarios that can adversely impact the institution’s daily operations. With vendors, there are two interrelated key risk factors to consider:

  • “Supply chain risk” is related to the interconnectivity among the entity and others. In a pandemic, critical vendors may receive an overload of requests for products and services from a variety of industries and may not be able to keep up with demand. For example, many financial institution employees have been working remotely due to Coronavirus and to keep the network secure, financial institutions have provided company laptops to staff. However, if the FI’s laptop provider runs out of inventory, the institution is then put in a difficult situation – if they allow the use of personal devices, they must still make sure all employees can work safely from home and ensure the network remains secure.
  • “Cascading impact risk” is an incident affecting one entity or third-party service provider that then impacts other service providers, institutions, or sectors. For example, if the vendor that manages the bank’s perimeter security has a large case of absenteeism and an inadequate succession plan, real-time alerting may be negatively impacted, and the institution could be exposed.

Evaluating these risks with third-party vendors in advance will help ensure that they have the proper personnel redundancies in place, so these situations don’t impact the institution.

Managing Third-Party Risks

According to the Federal Financial Institution Examination Council (FFIEC), open communication and coordination with third parties, including critical service providers, is an important aspect of pandemic planning. A current SOC 2 report that covers the “availability” trust criteria is the best way to determine if the vendor has the capability to respond and recover its systems. In the absence of a SOC report, the first thing the ISO should request is a copy of the business continuity plan. Since the SOC report may not cover the service providers’ vendors (also referred to as sub-service providers), the ISO will also want to gain some awareness of the possibility of supply-chain risk. For example, how might a provider failure two to three layers deep affect the institution?

In addition to vendor business continuity plans, the ISO should ask additional questions about how the vendor is managing the pandemic. Here are a few examples:

  • When was the last time you updated and tested your BCM plan? Have you incorporated the possibility of a failure of a critical sub-service provider?
  • Is the likelihood and impact of a pandemic evaluated as a part of your risk assessment?
  • How do you plan to continue providing services in the event of the loss of key employees?
  • Have you been in communication with your critical third-party providers?
  • Are you financially prepared to withstand a long-term pandemic event?

Critical third parties are often either overlooked or under-managed during normal circumstances, but because of the current high level of interdependency among financial institutions and their third parties, operational events such as pandemics call for much closer scrutiny. Depending on responses received, ISOs may choose to accelerate their oversight efforts, revisit their vendor risk assessments, and make adjustments accordingly.

For more information on responding to pandemic events, view our pandemic resources.

16 Apr 2020
Building a Pandemic Response Plan

Building a Pandemic Response Plan: What Are the Requirements for Community Banks and Credit Unions?

As COVID-19 continues to spread around the world, financial institutions have been forced to respond to this pandemic in new and innovative ways to stop the spread of the virus; protect their employees and the public; and keep their doors open and operations running smoothly to serve their customers and members. Community banks and credit unions are referencing the Pandemic sections of their business continuity management plans to determine the best way forward for their institutions during this challenging time. With the Federal Financial Institution Examination Council’s (FFIEC) recent business continuity management (BCM) guidance, many financial institutions are first of all wondering what has changed in the guidance, and second what specific additional changes this particular event might require.

Pandemic Planning

From 2007, financial institutions were required to have a separate pandemic plan, and regulators only looked for documentation that institutions were testing their plans periodically. Unfortunately, the pandemic section of the business continuity plan (BCP) has tended to be treated as more of an afterthought, since these situations have historically occurred much less often than natural disasters or other business interruptions. If they were assessed at all, they fell into the category of a high impact, low probability event.

Notwithstanding COVID-19, pandemics are still low probability events, but the impact of these events may be far more significant than past risk assessments have indicated. In what may now be perceived as an untimely move, the FFIEC made the decision in the 2019 BCM update to deemphasize Pandemic by categorizing it the same as any other disruptive event. The FFIEC no longer requires financial institutions to have a separate pandemic plan, but instead expects community banks and credit unions to assess and manage pandemic risk alongside all other possible disasters.

In other words, your BCM plan is your pandemic plan, and you must analyze the impact a pandemic can have on your organization; determine recovery time objectives (RTOs); and build out a recovery plan. You must also include a methodology to determine the key triggers your organization will use to activate your recovery plan when faced with a pandemic. But when should you activate your recovery plan and who is in charge of this process?

Pandemic Response

Figure: CDC Intervals of a Pandemic

Before a recovery plan is activated, it is important to have an initial response team (typically composed of C-level executives) evaluate the situation and assess the potential impact of the current event on the institution. The team must determine whether the situation is likely to impair the institution’s ability to provide products and services to its customers or members beyond the recovery time objectives established in the BCM plan.

The same rules apply in a pandemic. Community financial institutions should use the six pandemic phases outlined by the World Health Organization (WHO) or the Centers for Disease Control and Prevention (CDC) to evaluate the severity of the situation.

In most cases, the pandemic portion of the plan is not triggered for activation until phases 4-5 (or when 20-40% of your workforce is unavailable to work).

What Regulators Expect

During a pandemic, regulators expect financial institutions to continue offering products and services to customers/members and to conduct operations as normally as possible. This underscores the importance of including succession planning and cross-training in the BCM plan. In the past, the assumptions used to simulate a pandemic were that phases 4-5 wouldn’t last more than a week or two, so most financial institutions may have planned for only one person to be identified and pre-trained to step into a critical role until the event was over. However, the COVID-19 pandemic is a global crisis currently impacting at least 183 countries and territories, and it is predicted to impact many more people and take much more time to contain.

To ensure critical functions continue, financial institutions should have at least two or three alternate staff members trained for every primary resource within the institution and should assess whether some roles can be performed remotely. This can be difficult for smaller institutions with limited staff and resources. For specialized functions dominated by key personnel, such as funds management, wire services, and human resources, these institutions may not have multiple alternates to step in if key employees are unavailable. In these circumstances, you may need to identify other cross-trained staff members who can step into these roles quickly.

Next Steps: Lessons Learned

There will be many more lessons learned after the COVID-19 pandemic has passed, and regulators will expect those lessons to be reflected in your plan. When all is said and done, regulators are likely to ask “what have you learned from this event, and what have you done to enhance your pandemic plan based on those lessons learned?” Prior to this event, had you analyzed your business processes and their interdependencies, and prioritized them by recovery time? Since interdependencies include employees, and pandemic events almost exclusively impact personnel, have you identified employees with job duties capable of being performed remotely? If so, did they have secure, reliable, remote access? If those job duties are highly specialized, or highly critical, did you have alternate personnel identified and pre-trained to step in when needed?

The answers to these questions, and many more, will be used to enhance the pandemic section of your BCM plans, but until we reach that post-event, lessons-learned point, it’s important for financial institutions to continue to reference their business continuity plans; document the entire process; keep stakeholders informed; and put measures in place to continue serving their customers and members and protecting their employees and the public.

For more information on pandemic response, view our pandemic resource center. Or, if you would like to make sure your BCM is up to date, please request a complimentary plan review to ensure that your business continuity management plan is keeping up with changing regulations.
