Tag: BCP Blueprint

13 May 2021
Is Your Financial Institution BCM Compliant?


It’s been a few years since the FFIEC updated its BCM IT Examination Handbook and expanded its focus from “business continuity planning (BCP)” to “business continuity management (BCM).” While most financial institutions should already be aware of the updates to the handbook, it’s always beneficial for banks and credit unions to refresh their plan to remain up to date and compliant when it relates to business continuity.

In a recent post, Safe Systems’ compliance expert, Tom Hinkel, discusses five key points to keep in mind when evaluating your Business Continuity Management plan:

  • Resilience
  • Entities vs. Institutions
  • MAD vs. MTD
  • Exercises and Tests
  • Guidance vs. Requirements

In case you missed the full blog, view it here

01 Dec 2020
Why Documentation is an Essential Priority During the COVID-19 Pandemic


While financial institutions have spent the last nine months focused on pandemic response and ensuring critical services remain available to their customers and members, there are other key areas of consideration to ensure their institutions remain compliant and can thrive in the future, including documentation. Unfortunately, few financial institutions are adequately documenting their efforts and new strategies as they are being implemented. Below are three key reasons why they really should.

1. Regulatory Expectations

Examiners will expect to see how financial institutions have handled the pandemic and that all of the lessons learned are reflected in their business continuity management plans (BCMP).

Some key questions regulators may ask regarding pandemic response include:

  • What have you learned from this event?
  • What have you done to enhance your pandemic plan based on those lessons learned?
  • Prior to this event, had you analyzed your business processes and their interdependencies, and prioritized them by recovery time?
  • Have you identified employees with job duties capable of being performed remotely? If so, did they have secure, reliable, remote access?
  • If those job duties are highly specialized, or highly critical, did you have alternate personnel identified and pre-trained to step in when needed?

2. Key Lessons Learned

All banks and credit unions must take a different approach to pandemic planning that fits well with their institution’s unique needs. They need to consider all of the challenges they’ve faced throughout the pandemic and apply key lessons learned to enhance their operations, including the importance of cross-training staff, enhancing security measures, succession planning, or improving technology for an employee to work at home. Until the pandemic passes, financial institutions should continue to reference their business continuity plans and document the entire process to create a blueprint for reference if a similar situation arises again in the future.

3. Strategic Planning

According to the FFIEC, an entity’s strategic planning should be developed to address all foreseeable risks, and these risks should cover the potential impact on personnel, processes, technology, facilities, and data. Throughout the pandemic, financial institutions should track what they are doing, how they are doing it, and whether any new procedure should be included in their existing crisis management or response plan.

The key is for the institution’s steering or strategic planning committee to stop periodically and document, or to backfill the information after the fact (at least a month or a quarter later). Failing to document this process will result in institutions returning to business as usual after the crisis subsides and potentially making serious mistakes if a pandemic situation occurs in the future.

To learn more about pandemic response and key priorities for financial institutions, download our latest white paper, “Navigating the Coronavirus pandemic: Best Practices for Pandemic Planning and Key Lessons Learned for Community Banks and Credit Union.”

19 Nov 2020

3 Key Concepts to Incorporate into Your Business Continuity Management Plans

The 2019 FFIEC Business Continuity Management Handbook represented a significant change in how bank and credit union examiners will assess your business continuity planning efforts going forward. Here are 3 concepts to make sure you’ve incorporated into your Business Continuity Management Plan (BCMP):

1. Likelihood and Impact

According to the Federal Financial Institution Examination Council’s (FFIEC) Business Continuity Management Handbook, “management should evaluate the likelihood and impact of disruptive events. Risks may range from those with a high likelihood of occurrence and low impact such as brief power interruptions to those with a low probability of occurrence and high impact such as pandemics. The most difficult risks to address are those that may have a high impact on the entity but a low probability of occurrence.”

Performing a risk assessment helps financial institutions identify all potential risks and classify them based on probability and impact. They should also quantify the impacts and define loss criteria as either quantitative (financial) or qualitative (e.g., impact to customers, reputational impact). However, to efficiently assess these risks, banks and credit unions need to be able to visualize them and plan accordingly. One way to do this is to use a four-quadrant matrix to scatter graph and plot the likelihood and impact of every threat.

Likelihood and Impact Graph

There are many other ways to do this, but whichever method you choose, examiners expect financial institutions to be able to document both probability and impact, and not only for the high probability and high impact threats, but also for the low probability high impact threats.

Although the Handbook lists Pandemic as an example of a low probability, high impact event, you may want to adjust the probability (and possibly the impact) rating upward based on the COVID-19 event. At this point, it is a certainty that everyone has been impacted somehow.

2. Resilience

Resilience is the ability to prepare for—and adapt to—changing conditions, and both withstand and recover rapidly from disruptions, whether that includes deliberate attacks, accidents or naturally occurring threats or incidents. The first step to resiliency is to identify your proactive measures for mitigating the risk of a disruptive event such as:

  • Off-site repository of software (Data vaulting)
  • Appropriate backups of data
    • Cloud-based disaster recovery services may be considered as part of resilience programs
  • Off-site/redundant infrastructure (Hardware, data circuits, etc.)
  • Third parties (Alternate vendors/suppliers)
  • Key personnel (Succession planning)
  • Cybersecurity assessment tool
    • Annual process of considering changes in inherent risk and how you are evolving in maturity

These are things you probably are already doing. If so, you can use your calculations to show that you already have proactive resilience measures in place.

Make sure to incorporate any adjustments made and lessons learned from the recent Pandemic into your inventory of resilience measures against the next pandemic.

3. Inherent vs. Residual Impact

Although the residual risk rating is often used as the measure of the effectiveness of your risk management program, best practices mandate that management should use inherent risk ratings to guide their recommendations for (and use of) mitigating controls. However, when calculating residual threat impact, you can factor in any existing impact mitigation measures you already have in place. For example, if you use forewarning, duration, and speed of onset to calculate impact, any measures taken to reduce those 3 factors can also reduce your impact rating:

  • Example 1: Smoke detectors and fire detection equipment decrease the impact of a fire by increasing the forewarning factor
  • Example 2: Auxiliary power decreases the impact of a power outage by decreasing the duration factor
  • Example 3: Good project management practices decrease the impact of strategic risk by slowing the speed of onset factor

This is how you can take advantage of the existing measures you already have in place to decrease the residual impact of an event. You don’t have to do anything new; just take into account all of the things you’ve already done to build resilience into your business continuity plan. Then simply add on where residual risks are still above your risk appetite!
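As an added illustration, not part of this post or of the FFIEC handbook, the Python below scores a constructed risk register the way the two sections above describe: every threat is placed in a likelihood/impact quadrant, inherent impact is derived from forewarning, duration and speed of onset, existing measures shift those factors to give a residual impact, and anything still above risk appetite is flagged. The 1-5 scale, the factor-averaging rule, the midpoint of 3 and the likelihood x impact appetite score are all assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import List

SCALE_MIN, SCALE_MAX = 1, 5   # assumed 1-5 rating scale (not from the handbook)
MIDPOINT = 3                  # assumed split between "low" and "high" on the matrix


@dataclass(frozen=True)
class Mitigation:
    """An existing control, expressed as a shift to one or more impact factors."""
    name: str
    forewarning: int = 0     # +n = more warning before the event hits
    duration: int = 0        # -n = shorter outage
    speed_of_onset: int = 0  # -n = slower, more gradual onset


@dataclass
class Threat:
    name: str
    likelihood: int        # 1 = rare ... 5 = near-certain
    forewarning: int       # 1 = none ... 5 = ample advance warning
    duration: int          # 1 = minutes ... 5 = weeks or longer
    speed_of_onset: int    # 1 = gradual ... 5 = instantaneous
    mitigations: List[Mitigation] = field(default_factory=list)


def clamp(value: int) -> int:
    return max(SCALE_MIN, min(SCALE_MAX, value))


def impact_from_factors(forewarning: int, duration: int, speed_of_onset: int) -> int:
    """Combine the three factors into a single 1-5 impact rating.

    Less forewarning, a longer duration and a faster onset each push impact up,
    so forewarning is inverted before averaging. A sum of three integers over 3
    never lands on .5, so round() never has to break a tie.
    """
    contributions = (SCALE_MAX + 1 - forewarning, duration, speed_of_onset)
    return clamp(round(sum(contributions) / 3))


def inherent_impact(threat: Threat) -> int:
    """Impact with no controls considered: this is what guides mitigation choices."""
    return impact_from_factors(threat.forewarning, threat.duration, threat.speed_of_onset)


def residual_impact(threat: Threat) -> int:
    """Impact after the existing controls shift the three factors."""
    fw = clamp(threat.forewarning + sum(m.forewarning for m in threat.mitigations))
    du = clamp(threat.duration + sum(m.duration for m in threat.mitigations))
    so = clamp(threat.speed_of_onset + sum(m.speed_of_onset for m in threat.mitigations))
    return impact_from_factors(fw, du, so)


def quadrant(likelihood: int, impact: int) -> str:
    """Place a threat in one of the four likelihood/impact quadrants."""
    lk = "high" if likelihood >= MIDPOINT else "low"
    im = "high" if impact >= MIDPOINT else "low"
    return f"{lk} likelihood / {im} impact"


def assess(threats: List[Threat], risk_appetite: int) -> List[dict]:
    """Score every threat and flag those whose residual score still exceeds appetite.

    Residual score = likelihood x residual impact (an assumed scoring rule).
    """
    rows = []
    for t in threats:
        inh, res = inherent_impact(t), residual_impact(t)
        rows.append({
            "threat": t.name,
            "likelihood": t.likelihood,
            "inherent_impact": inh,
            "residual_impact": res,
            "quadrant": quadrant(t.likelihood, res),
            "residual_score": t.likelihood * res,
            "above_appetite": t.likelihood * res > risk_appetite,
        })
    return rows


# Constructed sample register mirroring the three examples in the post.
SAMPLE_REGISTER = [
    Threat("Fire", likelihood=2, forewarning=1, duration=4, speed_of_onset=5,
           mitigations=[Mitigation("Smoke/fire detection", forewarning=+2)]),
    Threat("Power outage", likelihood=5, forewarning=1, duration=2, speed_of_onset=4,
           mitigations=[Mitigation("Auxiliary power", duration=-1)]),
    Threat("Pandemic", likelihood=1, forewarning=2, duration=5, speed_of_onset=3,
           mitigations=[Mitigation("Cross-training / remote access", duration=-1)]),
]


if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER, risk_appetite=10):
        print(row)
```

With these constructed ratings the pandemic stays in the low likelihood / high impact quadrant even after mitigation, which is exactly the kind of entry examiners expect to see documented rather than dropped.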

For more information, watch our webinar recording, “The New Business Continuity Guidance Requires a Whole New Approach.”

02 Jul 2020
Keys to Develop a Compliant Business Continuity Management Program


Financial institutions (and examiners) are still adjusting to the Federal Financial Institution Examination Council’s (FFIEC) 2019 update to its BCP IT Examination Handbook. The handbook, now renamed Business Continuity Management (BCM), included several updates to the previous 2015 guidance. According to the FFIEC, BCM is the process for management to oversee and implement resilience, continuity, and response capabilities to safeguard employees, customers, and products and services.

To ensure financial institutions do this effectively, the FFIEC expanded the original BCM process.

The previous handbook encouraged institutions to adopt a four-step approach:

  1. Business Impact Analysis
  2. Risk Assessment
  3. Risk Management (essentially, recovery procedures), and
  4. Risk Monitoring and Testing

The new guidance recommends a slightly different approach:

  1. Risk Management (Business Impact Analysis, Risk/Threat Assessment)
  2. Continuity Strategies (Interdependency Resilience, Continuity and Recovery)
  3. Training & Testing (aka Exercises)
  4. Maintenance & Improvement
  5. Board Reporting

Additionally, the business continuity management process outlines 10 key steps financial institutions must complete to achieve a more enterprise-wide approach and meet examiner expectations. This is a bit more complicated than the process has been in the past and may require more time for plan preparation and annual maintenance.

The FFIEC handbook also provides a more detailed break-down of the BCM lifecycle:

  1. Oversee and implement resilience, continuity and response capabilities
  2. Align business continuity management elements with strategic goals and objectives
  3. Develop a business impact analysis to identify critical functions, analyze interdependencies, and assess impacts
  4. Conduct a risk assessment to identify risks and evaluate likelihood and impact of disruptions
  5. Develop effective strategies to meet resilience and recovery objectives
  6. Establish a business continuity plan that includes incident response, disaster recovery, & crisis/emergency management
  7. Implement a business continuity training program for personnel and other stakeholders
  8. Conduct exercises and tests to verify that procedures support established objectives
  9. Review and update the business continuity program to reflect the current environment and
  10. Monitor and report business resilience activities.

As many of these items were part of the previous guidance, here is a checklist consisting of required elements that may be missing from your program:

  1. Have you conducted a formal business process-based Business Impact Analysis (BIA) that identifies all critical interdependencies?
  2. Does the BIA produce sufficient information to establish the following?
    • Recovery point objectives (RPO)
    • Recovery time objectives (RTO) for each business process (prioritized)
    • Maximum tolerable (or allowable) downtime (MTD/MAD)
  3. Does your risk/threat assessment measure both the impact and the probability (likelihood) of potential disruptive threats, including worst case (low probability, high impact) scenarios?
  4. Do you use testing as employee training exercises to verify that personnel are knowledgeable of recovery priorities and procedures?
  5. Do you track and resolve all issues identified during testing exercises, and use lessons learned to enhance your program? (Must be documented)
  6. Does your Board report include a written presentation providing the BIA, risk assessment, and exercise and test results, including any identified issues?

If you would like to make sure your BCM is up to date with the latest regulatory expectations, a complimentary plan review is the best place to start.

16 Apr 2020
Building a Pandemic Response Plan: What Are the Requirements for Community Banks and Credit Unions?

As COVID-19 continues to spread around the world, financial institutions have been forced to respond to this pandemic in new and innovative ways to stop the spread of the virus; protect their employees and the public; and keep their doors open and operations running smoothly to serve their customers and members. Community banks and credit unions are referencing the Pandemic sections of their business continuity management plans to determine the best way forward for their institutions during this challenging time. With the Federal Financial Institution Examination Council’s (FFIEC) recent business continuity management (BCM) guidance, many financial institutions are first of all wondering what has changed in the guidance, and second what specific additional changes this particular event might require.

Pandemic Planning

Beginning in 2007, financial institutions were required to have a separate pandemic plan, and regulators looked only for documentation that institutions were testing their plans periodically. Unfortunately, the pandemic section of the business continuity plan (BCP) has tended to be treated as more of an afterthought, since these situations have historically occurred much less often than natural disasters or other business interruptions. If they were assessed at all, they fell into the category of a high impact, low probability event.

Notwithstanding COVID-19, pandemics are still low probability events, but the impact of these events may be far more significant than past risk assessments have indicated. In what may now be perceived as an untimely move, the FFIEC made the decision in the 2019 BCM update to deemphasize Pandemic by categorizing it the same as any other disruptive event. The FFIEC no longer requires financial institutions to have a separate pandemic plan, but instead expects community banks and credit unions to assess and manage pandemic risk alongside all other possible disasters.

In other words, your BCM plan is your pandemic plan, and you must analyze the impact a pandemic can have on your organization; determine recovery time objectives (RTOs); and build out a recovery plan. You must also include a methodology to determine the key triggers your organization will use to activate your recovery plan when faced with a pandemic. But when should you activate your recovery plan and who is in charge of this process?

Pandemic Response

CDC Intervals of a Pandemic

Before a recovery plan is activated, it is important to have an initial response team (typically comprised of C-Level executives) evaluate the situation and assess the potential impact of the current event on the institution. The team must determine if the situation is likely to negatively impact the institution’s ability to provide products and services to their customers or members beyond the established recovery time objectives outlined in the BCM plan.

The same rules apply in a pandemic. Community financial institutions should use the six pandemic phases outlined by the World Health Organization (WHO) or the Centers for Disease Control (CDC) to evaluate the severity of the situation.

In most cases, the pandemic portion of the plan is not triggered for activation until phases 4-5 (or if between 20-40% of your workforce is not available to work).

What Regulators Expect

During a pandemic, regulators expect financial institutions to continue offering products and services to customers/members and conduct operations as normally as possible. This underscores the importance of including succession planning and cross training in the BCM plan. In the past, assumptions used to simulate a pandemic were that phases 4-5 wouldn’t last more than a week or two, so most financial institutions may only have planned for one person to be identified and pre-trained to step into a critical role until the event was over. However, the COVID-19 pandemic is a global crisis currently impacting at least 183 countries and territories and is predicted to impact many more people, and take much more time to contain.

To ensure critical functions continue, financial institutions should have at least two or three alternate staff members trained for every primary resource within the institution and assess whether some roles can be performed remotely. This can be difficult for smaller institutions with limited staff and resources. For specialized functions dominated by key personnel, such as funds management, wire services, human resources, etc., these institutions may not have multiple alternatives to step in if key employees are unavailable. In these circumstances, you may need to have other cross-trained staff members identified who can step into these roles quickly.

Next Steps: Lessons Learned

There will be many more lessons learned after the COVID-19 pandemic has passed, and regulators will expect those lessons to be reflected in your plan. When all is said and done, regulators are likely to ask “what have you learned from this event, and what have you done to enhance your pandemic plan based on those lessons learned?” Prior to this event, had you analyzed your business processes and their interdependencies, and prioritized them by recovery time? Since interdependencies include employees, and pandemic events almost exclusively impact personnel, have you identified employees with job duties capable of being performed remotely? If so, did they have secure, reliable, remote access? If those job duties are highly specialized, or highly critical, did you have alternate personnel identified and pre-trained to step in when needed?

The answers to these questions, and many more, will be used to enhance the pandemic section of your BCM plans, but until we reach that post-event, lessons-learned point, it’s important for financial institutions to continue to reference their business continuity plans; document the entire process; keep stakeholders informed; and put measures in place to continue serving their customers and members and protecting their employees and the public.

For more information on pandemic response, view our pandemic resource center. Or, if you would like to make sure your BCM is up to date, please request a complimentary plan review to ensure that your business continuity management plan is keeping up with changing regulations.


19 Mar 2020
5 Important Observations in FFIEC’s New Business Continuity Management Guidance


Since the FFIEC updated its BCM IT Examination Handbook last year and expanded its focus from “business continuity planning (BCP)” to “business continuity management (BCM),” financial institutions are gaining a better understanding of what has changed and how it impacts their current business continuity planning efforts.

In a previous post, we outlined some of the major changes in the new business continuity management guidance and what financial institutions need to do to be prepared. However, there are some general observations that can have a significant impact on the way community banks and credit unions interpret this guidance. In this blog post, we’ll cover five key points to keep in mind when evaluating your BCM plan:

“Resilience”

A reoccurring theme in the FFIEC’s new business continuity management handbook is the concept of resilience. In fact, the term “resilient” or “resilience” occurs 128 times in the document. Resilience is the ability to prepare for and adapt to changing conditions and withstand and recover rapidly from those disruptions. This includes the ability to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents.

Traditional BCP has been focused on the recovery ability, but the FFIEC is clearly wanting institutions to focus on this notion of being able to “withstand” a disruption. Regulators want to know what proactive measures financial institutions have in place to mitigate risks and minimize the impact of an outage by planning in advance for the absence of a critical service provider or other interdependency. When going through the BCM process, resilience must be included from the very beginning of the process to successfully meet these new regulatory expectations.

“Entities” vs. “Institutions”

In the new BCM guidance, the FFIEC took every instance of the word “institution” and replaced it with the word “entity”. The significance of this change is to now include bank holding companies and third-party service providers along with traditional financial institutions in the new expectations. The FFIEC now expects critical third-party providers to be active participants in the BCM program, and it’s likely that regulators will require you to have a detailed understanding of the resilience capabilities of your core/TSP providers, cloud providers and others moving forward.

“MAD” vs. “MTD”

Another update that stands out is the change from “Maximum Allowable Downtime (MAD)” to “Maximum Tolerable Downtime (MTD).” MTD represents “the total amount of time the system owner or authorizing official is willing to accept for business process disruption and includes all impact considerations.” To put it simply, MAD/MTD is the point at which recovery becomes impractical or impossible, or losses become unacceptable.

So, while the definitions have essentially stayed the same, and the handbook makes it clear that either term is acceptable, it is important to show examiners that the institution is familiar with the new guidance and any new terminology it includes. The examiner may want to test your knowledge and make sure the institution understands the nuances of the updated handbook.

“Exercises and Tests”

The new handbook makes an important distinction between these two concepts, defining an exercise as “…a task or activity involving people and processes that is designed to validate one or more aspects of the BCP or related procedures.” For many institutions, the scenario-driven table-top tests, in which participants simulate a disaster event and walk through performing their duties in a simulated environment, are best described as training exercises.

On the other hand, a test is often performed “…to verify the quality, performance, or reliability of system resilience in an operational environment.” Typically, this involves the recovery of a critical asset or infrastructure component, such as backup and recovery options, supplementary power, or circuit fail-over. The handbook makes it clear that both exercises and tests are necessary to demonstrate resilience and recovery capabilities.

“Guidance” vs. “Requirements”

Finally, it is also interesting to note that the handbook states that “This booklet does not impose requirements on entities. Instead, this booklet describes practices that examiners may use to assess an entity’s BCM function.” Our belief is that semantics aside, any “guidance” that examiners use to assess an entity’s BCM program is indeed a “requirement”, meaning that if a financial institution deviates from the guidance, the examiner could find fault. However, according to FIL-49-2018, examiners cannot take enforcement action based on supervisory guidance.

To be clear, it is important for financial institutions to follow the guidance as outlined by the FFIEC if at all possible, but if you choose to deviate from guidance, you must have a very good reason to do so. If your institution has not strictly followed the guidelines but still believes it is following the best practices for its situation, you may be able to push back on an examiner or auditor whose interpretation of the guidance may not be realistic in the context of your organization’s particular situation as a whole. However, the burden is on you to make your case convincingly.

The 2019 BCM guidance gives financial institutions a host of new items to evaluate and consider for inclusion in your business continuity program for this year. If you’d like to find out what other changes were made that will impact your financial institution, download our recorded webinar, “Does the New Business Continuity Guidance Require a Whole New Plan?”

Or, if you’re not sure whether your institution is BCM ready, request a complimentary plan review to ensure that your business continuity plan is keeping up with changing regulations.

12 Mar 2020
Pandemic Planning for Covid-19: What Community Banks and Credit Unions Need to Know

With the COVID-19 coronavirus in the news, community banks and credit unions are evaluating how best to respond. In any business where face-to-face contact with the general population is expected, easy answers are not always available. According to the Federal Financial Institution Examination Council (FFIEC), pandemic planning, in advance of imminent risk to particular institutions, helps minimize the disruptions to services to consumers, businesses, and communities when such contingencies occur. To unpack how a community financial institution can prepare for a pandemic, let’s break the key issues into smaller pieces.

Ensuring Distance and Limiting Contact

How can a financial institution protect its employees? Working remotely is a great option for employees who do not need face-to-face interactions with customers or members. If you plan to have employees work remotely, how will they be able to securely connect to the network? There are many questions you’ll need to answer to ensure your institution can support employees and keep the institution safe:

  • Do you have a dedicated VPN device?
  • Do you have a firewall to allow this connection?
  • Can the firewall/device handle the number of devices actively connecting remotely at one time?
  • Do you have enough licenses (if needed) for each user to connect remotely?
  • Do your employees have enough bandwidth at home?

Take these points into consideration when building out your plans to have employees working outside of the physical branch or office location. These tools can help support a strong connection and protect the institution from outside security threats.

While working remotely is an option for some, it is not the case for all. So how can everyone limit the chance of person-to-person transmission of the disease? The Centers for Disease Control (CDC) recommends maintaining a 6-foot distance between individuals. To manage this in an institution, moving customer-facing employees to the drive-through only for interactions with your teller line is an option. To limit the virus being transferred from paper, pens, etc., have the employees wear disposable gloves. In theory, an employee is much less likely to touch their face if they are wearing gloves, so it is important to stock your drive-through with boxes of disposable gloves and hand sanitizer. To show your customers or members that you care for their safety, buying individually packaged wet wipes and sending those with each transaction is a nice touch and shows your commitment to protecting everyone.

In addition, make sure the institution is keeping up with the CDC recommendations for Covid-19 and pass these along to your employees. Put posters up in your bathrooms reminding people to wash their hands regularly with soap and warm water for at least 20 seconds. Several studies available online show that soap and 20 seconds of scrubbing make a significant difference in lowering your risk of transferring germs. And while it may seem draconian, institutions may need to impose a “no handshake and hugging” policy to set the expectation that you are keeping everyone’s health in mind.

Be sure that high traffic areas are cleaned regularly with chemicals that are proven to kill viruses. If the cleaning crew comes once a day, be sure they are wiping down all surfaces with the appropriate chemicals. If the cleaning crew comes less often, consider increasing their visits or assigning someone the job to wipe down all surfaces where employees work on at least a daily basis to decrease the likelihood of spreading the virus.

Developing New Methods to Serve Customers Effectively

Keep in mind that the teller line isn’t the only place where customers and members interact with staff, as Customer Service Representatives and lending officers can attest. Break down the steps required for each process and define when face-to-face contact is truly required. Maybe it is to obtain a driver’s license, create a signature card, or sign off on a loan.

  • How much of this can be done from a distance without creating awkward moments?
  • What does the law require?
  • What options does your institution have?
  • Which of these can you gather through the drive-through?
  • Which could be obtained via fax, email, digital uploads, eSignature-type software, etc.?

Your institution will need to review all critical processes to identify each step required to provide services while limiting contact as much as possible. Implement as many of these options as you can and follow up by testing each option and determining what works best for your institution’s unique needs.

An institution we spoke with recently said it was having each department work from home on different days to test its capabilities in case it has to implement its pandemic plan. This approach has many great advantages. One, it prepares employees and technology so that everything is known to work. Two, it is a pandemic test, so as long as the results are documented, the institution can provide its auditors and examiners proof of its preparedness at the next audit or exam.

Many community financial institutions pride themselves on the personal touch of face-to-face meetings and building business through face-to-face relationships. It is important to remember that having technology options available as backups for times of need doesn’t mean your institution is abandoning its roots long-term. It means you are taking the necessary precautions to minimize disruptions to service and protect both your employees and the public at large.

13 Feb 2020
Reevaluating Business Continuity: New FFIEC Guidance Equals Major Plan Overhaul for Banks and Credit Unions

The FFIEC updated its BCP IT Examination Handbook in November 2019. In fact, the handbook is no longer called BCP (Business Continuity Planning) but is now called BCM (Business Continuity Management). This represents the first major update since 2015 and many community banks and credit unions may now be wondering what this means for their institution today, and what changes they’ll need to make to maintain compliance in the future.

Safe Systems compliance experts, Tom Hinkel and Jackie Marshall, held a webinar last month covering the new BCM guidelines and how auditors and examiners will assess plans going forward. The new guidance calls for community banks and credit unions to rethink their approach to business continuity and be prepared to make appropriate plan revisions, up to and including a complete overhaul. In this blog, we’ll cover a few of the key points from the webinar.

Strong Focus on Resilience

With the title change from business continuity planning to business continuity management, the business continuity plan is now just a subset of the overall BCM process, one in which a financial institution must proactively plan for resiliency to adverse events and recovery from those events. The new handbook places a heavy focus on “resilience.”

Resilience is the ability to prepare for—and adapt to—changing conditions and both withstand and recover rapidly from disruptions, whether that includes deliberate attacks, accidents or naturally occurring threats or incidents. The terms “withstand” and “recover” are the two keys for understanding resiliency, with an emphasis on withstanding adverse events. While traditional BCP has been focused more on recovery, the FFIEC has shifted its attention toward resiliency.

The FFIEC wants community banks and credit unions to take an enterprise-wide, process-oriented approach to business continuity, meaning institutions should go beyond planning to recover and focus on the overall resilience of operations. The ultimate goal is for financial institutions to be more proactive and in doing so, avoid or minimize having to implement traditional recovery measures down the road.

Business Continuity vs. Disaster Recovery

With this new emphasis on resilience, it is critical to understand the difference between business continuity and disaster recovery. The business continuity plan focuses on keeping critical business functions available; the DR plan focuses specifically on recovering technology. In the previous guidance the two were closely tied together; the new guidance draws a much clearer line between them, treating disaster recovery as one component of the broader BCM process rather than its center.

The guidance now states that “The business strategy, not technology solutions, should drive resilience.” Financial institutions cannot rely on technology alone to ensure resilience. Often, alternative procedures have nothing to do with technology. In fact, although technology can help provide resilience, in many cases technology could be what failed in the first place. Financial institutions must be able to offer products and services to their customers or members regardless of technology, and often that could mean using manual processes and procedures to accomplish this.

Ensuring critical functions are available and operating normally is essential to assure there isn’t a negative impact on the institution’s reputation after the event, and that’s a key part of the business strategy.

Key Process Changes for Developing the Plan

When thinking about the development of the plan, it’s important to note some key changes the FFIEC put in place. In the 2015 guidance, the FFIEC advocated a cyclical, process-oriented approach to business continuity planning. The four steps in this process included:

  1. Business Impact Analysis – What you do
  2. Risk Assessment – Negative things that can happen to what you do
  3. Risk Management – How you recover if the negative things identified in Step 2 happen
  4. Risk Monitoring and Testing – Reviewing, testing, and repeating the process

[Figure: The Previous 4 Steps of Business Continuity Planning]

While this approach is reflected in four steps, the business continuity planning process actually represents a continuous cycle.

The FFIEC has made significant changes to better reflect this in the 2019 guidance. Now, instead of four steps, there are 10 steps financial institutions need to complete to develop the plan. This is a bit more complicated than the process has been in the past and will require more time for plan preparation and maintenance.

[Figure: The Current 10 Steps of Business Continuity Management]

The new 2019 BCM guidance gives financial institutions a host of new items to evaluate and prepare for this year. If you’d like to find out what other changes were made that will impact your financial institution, download our recorded webinar, “Does the New Business Continuity Guidance Require a Whole New Plan?”

Or, if you’re not sure if your institution is BCM ready, then request a complimentary plan review to ensure that your business continuity plan is keeping up with changing regulations.

12 Sep 2019
Is Your Financial Institution Ready to Weather a Storm? How to Be Prepared for the Upcoming Fall Storm Season

While natural disasters can strike at any time, September and October have historically produced some of the worst storms on record. Just last week Hurricane Dorian wreaked havoc on the Bahamas and the Eastern Seaboard of the U.S., disrupting thousands of businesses and organizations and affecting millions of lives. While hurricane season is top of mind today, tornadoes, earthquakes, severe thunderstorms, wildfires, and other events can all have a negative impact on area businesses and communities.

As a result, September has been declared National Preparedness Month, designed to encourage and remind everyone to be prepared for disasters or emergencies in their homes, businesses, and communities.

In the spirit of National Preparedness Month, we thought it was important to review the critical steps all banks and credit unions should have in place to ensure they are prepared for a disaster – no matter what time of year it is.

Preparing for Disasters

The potential damage that storms can inflict underscores the importance of Business Continuity Planning (BCP) and Disaster Recovery (DR) plans. Regulators also require financial institutions to prepare for disasters and to have plans in place that keep key products and services available to customers and members after a crisis. Beyond maintaining an updated and tested BCP and DR plan, there are several additional steps your institution can take to prepare for storms, natural disasters, and other business outages. These steps include:

  • Monitor the success of backups and/or replication to the DR site;
  • Use Uninterruptible Power Supplies (UPS) to ride through short-term outages;
  • Preemptively and cleanly shut down servers and other IT equipment in anticipation of an extended outage, so nothing loses power mid-write;
  • Confirm that the server room is locked and secure;
  • Verify that all equipment and sensitive documentation is secure;
  • Ensure all ATMs are stocked, as customers may need access to cash;
  • Validate the institution’s Business Continuity Plan through appropriate annual testing;
  • Confirm that the technology infrastructure will work in a disaster through an annual DR test;
  • Make sure that employees and vendors are aware of the communication protocols and action items outlined in your BCP so that recovery from an event succeeds; and
  • Keep the safety and security of employees top of mind. Confirm that key employees have someone to step in should they be unavailable during or after the disaster.

While storms and natural disasters cannot be prevented, proactively knowing what critical functions must be restored first provides confidence to bank executives and staff when responding to a disaster. Developing, implementing, and regularly testing your BCP and DR plans is crucial in today’s banking environment and can make the difference between satisfied customers in the event of a disaster and loss of customer trust when they may need their bank most.

06 Jun 2019
The Ultimate Guide To Business Continuity Management for Banks and Credit Unions

By Tom Hinkel

In November 2019, the Federal Financial Institutions Examination Council (FFIEC) updated its BCP IT Examination Handbook and expanded its focus from Business Continuity Planning (BCP) to Business Continuity Management (BCM). The change makes sense, because “planning” is only one part of the business continuity process. Business continuity management encompasses the entire process by integrating resilience, incident response, crisis management, third-party integration, disaster recovery, and business process continuity.

In the financial industry, community banks and credit unions are required to develop compliant business continuity plans that identify business processes along with their interdependencies that provide resilience to, and recovery from, all potential threats to the financial institution. BCM is designed to help organizations, regardless of their size, location or activity, minimize the impact of disruptions of any kind, natural or man-made, including cyber.

The new BCM guidance represents the first major update since 2015 and calls for all “entities” to rethink their approach to business continuity and be prepared to make appropriate plan revisions to meet these expectations. Entities are defined as depository financial institutions, nonbank financial institutions, bank holding companies, and third-party service providers. The use of this term is significant, as it essentially pulls all interdependencies into the planning process.

With so much at stake, it is important for financial institutions to understand the BCM process and the key requirements to develop the business continuity plan:

  • Regulatory requirements relevant to a compliant BCM Program
  • How to develop the business continuity management plan (BCMP)
  • Pandemic planning and business continuity strategy
  • The importance of integrating vendor management into the BCMP
  • Steps to effectively update and test the plan
  • The benefits of automating the BCM process

Regulatory Requirements

To comply with regulatory expectations, financial institutions are required to focus on an enterprise-wide, process-oriented approach that considers technology, business operations, testing, and communication strategies that are critical to business continuity management for the entire organization, not just the information technology department. Regulations make it clear that institutions need to plan to perform their critical business functions, even if technology may be impaired or unavailable.

Auditors and examiners are also scrutinizing business continuity plans to verify that the institution’s methodology and plan structure closely adhere to the 2019 regulatory guidance. A key change in the guidance is the increased focus on resilience. Resilience is the ability to prepare for—and adapt to—changing conditions and both withstand and recover rapidly from disruptions, whether that includes deliberate attacks, accidents or naturally occurring threats or incidents. Two keys for understanding resiliency are the terms “withstand” and “recover”, with an emphasis on withstanding adverse events. In the past, business continuity planning has been focused more on recovery, but now the FFIEC has placed a heavy focus on resiliency. The ultimate goal is for financial institutions to be more proactive and minimize having to implement traditional recovery measures down the road. When going through the BCM process, resilience must be included from the very beginning of the process to successfully meet regulatory expectations.

How to Develop a BCMP – What to Include in the Plan

It’s safe to say that most banks and credit unions have some sort of a BCMP in place, yet many struggle with determining what to include in the plan to ensure it is both recoverable and compliant. With the new changes to the guidance, many community banks and credit unions may also be wondering what specific changes they’ll need to make to meet these new expectations.

While each financial institution has a unique operating model based on its services, demographic profile, organizational processes, and technologies, the first step when drafting or updating the BCMP is to have a thorough understanding of all the functions and processes that make up those operations. This process, which we refer to as Enterprise Modeling, involves identifying all departments or functional units, with all associated processes and functions (including all internal and external interdependencies), and determining the team owners and members responsible for each department. Having representatives from each department take an active role in the planning process ensures the technologies and responsibilities for each area are accurately represented. This also helps the financial institution develop a more accurate assessment of its recovery time objectives and actual recovery capabilities. It is not realistic to have a single individual with all the knowledge and unique skill set required to put together a comprehensive BCMP.

A plan should consist of all the steps required to ensure key products and services remain available to customers or members. The BCMP consists of five phases: risk management (business impact analysis and risk/threat assessment); continuity strategies (interdependency resilience, continuity and recovery); training and testing (also called exercises); maintenance and improvement; and board reporting.

Furthermore, the BCMP should be a “live” document that keeps pace with any changes in infrastructure, strategy, technology, and human resources. As soon as a plan is board approved, it should be tested, and a new draft plan should be initiated. At any point in time you should have both an approved plan, as well as a live draft to accommodate changes.

Pandemic Planning and Business Continuity Strategy

In the past, financial institutions were required to have a separate pandemic plan, but the new FFIEC guidance instead expects community banks and credit unions to assess and manage pandemic risk alongside all other possible disasters. This means the BCM plan is the pandemic plan, and financial institutions must analyze the impact a pandemic can have on the organization; determine recovery time objectives (RTOs); and build out a recovery plan.

As we’ve all learned, pandemic planning is very different from natural disasters, technical disasters, malicious acts, or terrorist events because the impact of a pandemic is much more difficult to determine due to the differences in scale and duration. Pandemics also directly impact financial institution and third-party employees rather than targeting infrastructure or technology-based interdependencies. Cross training and succession planning should be a key part of the pandemic planning process to ensure operations can continue even if key individuals are unavailable.

FFIEC guidance states that the financial institution’s BCMP should include five key elements to address the unique challenges posed by a pandemic event:

  1. A preventive program including monitoring of potential outbreaks; educating employees; communicating and coordinating with critical service providers and suppliers; and providing appropriate hygiene training and tools to employees
  2. A documented strategy that provides for scaling the institution’s pandemic efforts to align with the current six-stage CDC framework
  3. A comprehensive framework of facilities, systems, or procedures that provide the organization the capability to continue its critical operations in the event that large numbers of the institution’s staff are unavailable for prolonged periods
  4. A testing program to ensure that the institution’s pandemic planning practices and capabilities are effective and will allow critical operations to continue
  5. An oversight program to ensure ongoing review and updates to the pandemic plan

The Importance of Integrating Vendor Management into the BCMP

The vast majority of banks and credit unions today rely on third-party service providers, or vendors, to conduct business on a day-to-day basis. When financial institutions outsource key functions to a service provider, it creates a reliance on that third-party and exposes the institution to the risk of not being able to resume operations within pre-defined recovery time objectives in the event of a disruption. The FFIEC now expects critical third-party providers to be active participants in the BCM program, and it’s likely that regulators will require financial institutions to have a detailed understanding of the resilience capabilities of their core/technology service providers, cloud providers and others moving forward. When creating a BCMP, financial institutions have to account for all interdependent third-party relationships and identify the potential consequences a third-party disruption might have on its operations.

The criticality of the product or service the vendor provides is directly related to the criticality of the dependent process it supports, as identified by the business impact analysis. Some questions financial institutions should consider include:

  • How important is this vendor to what we do?
  • If they fail, how many of our dependent services would be negatively impacted?
  • How challenging would it be to replace this vendor?

Vendor criticality is expressed in terms of Recovery Time Objectives (RTOs): each bank or credit union assigns a third-party vendor the same RTO as the underlying process it supports. In other words, if you’ve identified a two-day recovery time objective for a particular process, any underlying vendors inherit that same two-day RTO. A vendor that supports several processes inherits the tightest of those RTOs, since it must be back in time for the most time-sensitive process that depends on it. If the vendor cannot meet your RTO (as validated by testing), you must have a contingency plan in place, such as alternative procedures or alternative providers, to cover the gap.

Successfully integrating vendor management and business continuity planning is essential for financial institutions to truly understand their actual recovery capabilities by validating whether or not their third-party providers “have sufficient recovery capabilities” to meet your recovery objectives.
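As an added example (this is not Safe Systems’ code, and the institution, vendors and numbers are constructed), the RTO inheritance rule and the gap check described above can be computed directly from the business impact analysis. The script assumes the BIA is a list of processes, each with an RTO in hours and the vendors it depends on, and that tested vendor recovery times are tracked in a separate table; a vendor supporting several processes inherits the tightest of their RTOs, and any vendor that tested slower than its inherited RTO, or was never tested, is flagged along with the processes a contingency plan would have to cover:

```python
"""Vendor RTO inheritance and gap check.

Added example, not Safe Systems' own tooling. It assumes (nothing on the page
specifies this) that the business impact analysis is expressed as a list of
processes, each with an RTO in hours and the vendors it depends on, and that
the results of vendor recovery testing are a separate map of vendor -> hours
(None when the vendor has never been tested). A vendor that supports several
processes inherits the tightest RTO among them.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Process:
    name: str
    rto_hours: int
    vendors: List[str] = field(default_factory=list)


def inherited_vendor_rtos(processes: List[Process]) -> Dict[str, int]:
    """Each vendor inherits the smallest RTO of any process depending on it."""
    rtos: Dict[str, int] = {}
    for proc in processes:
        for vendor in proc.vendors:
            rtos[vendor] = min(rtos.get(vendor, proc.rto_hours), proc.rto_hours)
    return rtos


def rto_gaps(processes: List[Process],
             tested_hours: Dict[str, Optional[int]]) -> Dict[str, dict]:
    """Vendors whose tested recovery time exceeds the inherited RTO, or who were
    never tested, together with the processes each gap would affect."""
    gaps: Dict[str, dict] = {}
    for vendor, rto in inherited_vendor_rtos(processes).items():
        tested = tested_hours.get(vendor)
        if tested is None or tested > rto:
            gaps[vendor] = {
                "rto_hours": rto,
                "tested_hours": tested,
                "affected_processes": sorted(
                    p.name for p in processes if vendor in p.vendors),
            }
    return gaps


# Constructed sample data (hypothetical institution, hypothetical vendors).
PROCESSES = [
    Process("Teller transactions", 4, ["CoreProvider", "NetworkCarrier"]),
    Process("Online banking", 8, ["CoreProvider", "OnlineBankingHost"]),
    Process("Loan origination", 48, ["CoreProvider", "LoanDocPlatform"]),
    Process("Statement printing", 120, ["PrintVendor"]),
]
TESTED_HOURS: Dict[str, Optional[int]] = {
    "CoreProvider": 6,       # restored in 6h during the exercise; teller RTO is 4h
    "NetworkCarrier": 2,
    "OnlineBankingHost": 8,
    "LoanDocPlatform": 72,   # 72h against an inherited 48h RTO
    # "PrintVendor" has never been tested
}

if __name__ == "__main__":
    for vendor, gap in rto_gaps(PROCESSES, TESTED_HOURS).items():
        tested = ("never tested" if gap["tested_hours"] is None
                  else f"{gap['tested_hours']}h tested")
        print(f"{vendor}: RTO {gap['rto_hours']}h, {tested}; "
              f"contingency needed for {', '.join(gap['affected_processes'])}")
```

Run as a script it lists the three vendors needing a contingency plan; the inherited-RTO table is what you would compare against each vendor’s contractual recovery commitment and test results during annual plan review.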

Importance of Exercises and Tests When Updating the BCMP

Exercises and tests are important parts of the process, and in fact, the BCMP is not complete until the plan has been thoroughly tested. The new handbook makes an important distinction between exercises and tests in the BCMP process, defining an exercise as “a task or activity involving people and processes that is designed to validate one or more aspects of the BCMP or related procedures.” On the other hand, a test is often performed “to verify the quality, performance, or reliability of system resilience in an operational environment.” The handbook emphasizes the importance of both exercises and tests to demonstrate resilience and recovery capabilities.

Exercises and tests verify the effectiveness of the plan by validating every recovery time objective, train the team on what to do in a real-life scenario, and identify areas where the plan needs to be strengthened. Examiners are also verifying that the BCMP has been tested and that the financial institution can execute it if and when the need arises. Because the financial industry is part of the nation’s critical infrastructure, testing, exercises, and training will continue to be a focus going forward.

Every test should start with a realistic scenario drawn from the top threats identified in the risk management phase of the planning process; top threats are those rated both high impact and high probability. While initial testing of a plan can be relatively straightforward, a bank or credit union should extend the scope and severity of the exercise with each successive test, making the scenarios progressively more complex and involving different individuals. Conducting the very same test with the same participants every year will not satisfy examiners, nor will it give management the assurance it needs.

In addition to the senior management and information security roles defined in the plan, the testing team should include key department heads with detailed knowledge of the processes and functions affected by the scenario. Tests should cover the steps departmental managers must take to complete functions manually or in an alternate way. All departmental specialists should also be included in the exercise and testing program, for two reasons: first, so they are familiar with the alternate procedures used in emergency scenarios; second, to make sure you have backups, or successors, for your primary recovery resources. Succession planning is another hot-button item with examiners now because of the pandemic.

While regulators require proof of exercises and testing annually, more frequent testing is indicated whenever a previous test uncovered significant gaps in the plan, or if there are significant internal changes to processes or infrastructure or personnel.

Automating the Planning Process

The 2019 guidance requires a number of changes to your existing plan, some subtle and some significant, and maintaining a plan is time-consuming. To streamline the process, banks and credit unions can automate the repetitive portions of business continuity planning, eliminating the need to update cumbersome spreadsheets and manually copy and paste information from various reports and previous assessments.

An automated BCP solution will also guide banks and credit unions through the entire BCMP process, ensuring that all required elements are included as regulatory guidance changes. Automating the planning process makes annual plan updates easier and much less time-consuming by allowing static portions of the plan to carry forward while incorporating changes wherever necessary. Any automated solution should also let you identify all material plan changes from year to year, so management and board approval is easier.

Conclusion

Business Continuity Management is a critical process for banks and credit unions regardless of size and location, and the plan is central to that effort. To streamline the planning process, financial institutions should integrate business continuity into all business decisions; conduct periodic reviews of the plan; and perform regular testing. Everyone in the organization — from the tellers to the Board — should understand the importance of business continuity planning and how his or her unique role fits into the financial institution’s overall business continuity strategy.

24 Jan 2019
What Community Financial Institutions Should Look for in a Managed Services Provider

The majority of banks and credit unions rely on managed services providers to help them improve efficiencies in their organization, meet mounting regulatory compliance requirements, and provide the competitive products and services their customers and members expect.

However, selecting the right managed services provider can be challenging. We have highlighted some key qualities that community banks and credit unions should look for when choosing trusted partners.

A managed services provider should have a true understanding of the following areas:

The community banking and credit union industries

A managed services provider must truly understand the “ins and outs” of operating a community bank or credit union. This includes recognizing the industry trends, realizing the importance of priorities, such as customer- and/or member-service related touch points, and understanding regulatory and compliance issues. Not knowing how a community financial institution operates is a hindrance that can prohibit the provider from effectively meeting the demands of the institution and makes it unlikely that it will be in a position to offer informed recommendations on improvements and solutions to existing issues.

Financial services technology

Technology is ever-changing and it is nearly impossible for any one person to successfully keep up with all of the advancements. To provide the technological solutions and services that a community bank or credit union requires, a managed services provider should understand the technical requirements of all banking technology solutions, starting with the core platform. Since many applications have to work with — and integrate into — the core platform, it is impossible to design an efficient and comprehensive network without first an understanding of core platforms and banking technology.

Regulatory compliance requirements

The evolving world of financial regulatory compliance governs every aspect of your IT network, including what hardware and software you choose to deploy. In today’s banking environment, vendors must be able to recommend how to manage hardware and software to meet regulatory expectations, such as verifying that all patches are applied, keeping security measures up to date, and maintaining access to critical services during a disaster.

Working with the wrong managed services provider can be time-consuming, cumbersome, and even stressful. However, working with a provider who offers the desired services and who truly understands your industry can help guide the institution in today’s challenging financial environment. A good partnership is key to ensuring your organization remains competitive and profitable for years to come.

28 Nov 2018
What Community Banks and Credit Unions Should Budget for in 2019

As 2018 winds down, banks and credit unions are thinking ahead to 2019. They are determining the new solutions, products, and enhancements needed to meet their strategic plans in 2019 and beyond. In addition, they are evaluating what needs to be updated or upgraded and the processes that can be improved upon.

There are three key areas banks and credit unions should focus on during budgeting season – technology, security and compliance. While lines that separate technology, security, and compliance are blurry at best, 2019 budgeting items for operations fall largely into these three buckets.

Compliance

While the focus of many examiners has shifted back to financial aspects of institutions, the top three findings our customers report relate to:

  1. Vendor Management – Typically the current vendor management solution (if it exists at all) is deemed inadequate or insufficient. Often the solution doesn’t cover all vendors or provide a way to adequately assess these vendors.
  2. Business Continuity Planning (BCP) – In the mid to late 2000’s many banks and credit unions updated their Business Continuity Plan. However, for many institutions, these plans have remained relatively unchanged for a decade now. Technology and business processes on the other hand, have changed rapidly over the last decade. The Federal Financial Institutions Examination Council (FFIEC) has also updated their guidance to address the current challenges of BCP. If the institution’s plan has not been thoroughly updated in a while, the institution may be at risk of a finding on a future exam.
  3. With both of these findings there may be an additional finding of inadequate management or board oversight. Often these findings happen on the same exam and are followed with a concern with oversight. Many of the calls Safe Systems gets after an exam relate to these issues.

Avoid finding yourself under a Memorandum of Understanding or a Matters Requiring Attention (MRA) finding by budgeting to keep your compliance processes up to date.

Vendor Management solutions can run from $2,500 to more than $6,000 per year. Business Continuity Plans can range more significantly from a couple of thousand to more than seven thousand dollars per year. Do some research and find some solutions that would meet your institution’s needs and identify their year one cost and annual cost thereafter.

Security

With attacks on the rise and businesses continually falling victim to cybercrime, security needs to be an institution’s priority. There are innovative solutions coming to market every day to help address security risks. These solutions can help mitigate the risks that your institution faces, but they can also cause confusion on where you should focus your attention. For the next several years, it is in the institution’s best interest to continually focus on the impending security landscape and verify that your budget reflects your strategy.

One place to start is to review your current solutions. Verify that your current investments are still applicable for your ever-changing environment. Upon investigation, you might find features that are available as an add-on to your current solution to help mitigate risk. You may also find holes in your current strategy that may need to be rectified.

As of October 2018, 90% of web traffic accessed through Chrome, the most popular web browser, was encrypted, and that share has been rising rapidly for several years. Many firewalls can only inspect unencrypted web traffic. That was a small risk when encrypted websites were uncommon; with most traffic now encrypted, a firewall that cannot inspect it is effectively blind to most of what passes through it. Inspecting encrypted web traffic is possible, but it means the firewall must terminate and re-encrypt TLS sessions, which in turn requires deploying the firewall’s inspection certificate to every endpoint’s trust store and defining exceptions for sites and applications that cannot be intercepted (for example, those that pin certificates or use client certificates). For many institutions this will require configuration changes and additional investment. Not inspecting encrypted web traffic significantly increases the chance of your institution suffering a malware outbreak or a data breach. Examiners in some regions have started to pick up on this gap and are encouraging institutions to address it.

Another area of concern for institutions is new and emerging threats. Attackers continually refine their methods, and basic security solutions may not be enough to detect and prevent advanced attacks. Newer solutions built specifically to analyze these techniques, using sandboxing (detonating suspicious files in an isolated environment) and machine learning, make it harder for attackers to succeed. In many cases these capabilities can be embedded within your perimeter firewall. These types of defenses can vastly increase the effectiveness of your security posture.

Even though your firewall is viewed as a technical security device, it is also the device that grants users access to the internet. The internet has quickly become a business-critical service. When strategizing about upcoming budget aspects, the institution should consider the business risks involved when an internet device causes downtime. There are ways to mitigate internet downtime using high availability solutions. High availability involves having two firewall devices configured in a cluster. If one device fails, the second device seamlessly takes over responsibility so that downtime is avoided.

Additional devices and licensing will also affect the budget. These changes can be small or very large depending on the scope and goals of your strategy. Going forward, have a plan and strategy to deal with the ever-changing security landscape.

Technology

The biggest move in technology over the last half decade has been the move to the cloud, and that will continue to be the case in 2019. The cloud offers benefits such as low maintenance, high availability and rapid disaster recovery that cannot be easily or affordably achieved with in-house solutions. The future likely means more servers and business functions moving to the cloud, and this is likely where technology spend will move over the next five years. Renting servers, storage and networking from a provider in this way is called Infrastructure as a Service (IaaS). Three situations typically lead to the move and determine how your institution makes the transition.

  1. Your institution desperately needs high availability and/or disaster recovery and is willing to incur the cost of moving from a hardware-based solution to a cloud-based solution.
  2. Your institution’s hardware infrastructure is reaching the end of its life and it is time to purchase all new hardware or move in a new direction. This can be a good time to evaluate your current setup and what is best for the future.
  3. Your institution has some regular hardware turnover scheduled for next year and wants to evaluate slowly moving to the cloud. Instead of buying a new server, it may be time to evaluate what the future of your infrastructure will look like and if the cloud is a long-term solution.


Some vendors pitch the move to IaaS as a cost savings move. There are cost savings involved. No more hardware to buy and maintain; no more electricity to run the devices; no more cooling to keep hardware cool; and the ability to achieve high availability is easier and more efficient. However, the move to IaaS is typically not a cost savings, but a feature advantage. Most institutions will be lucky if they break even with moving to an IaaS model, but they will gain great redundancy, uptime, reliability, and disaster recovery capabilities.

Generic cost estimates are impossible due to the fact that everyone has different infrastructure, needs, wants, etc. But if flexibility and added freedom is something your institution wants or needs, start investigating what IaaS might cost for your institution. This technology has matured greatly over the last few years and continues to evolve, making it viable now and likely the wave of the future.

Moving into 2019, focus on two questions. First, are my current processes and products adequate? Not whether they passed exams this year, but whether they are mitigating the current risks to the institution. Measuring by exam results alone leaves the institution open to a false sense of security and to exam issues in the future. For compliance, ensure the institution's processes are thorough, up to date, and adequate to meet the needs of the institution. Second, for technology, consider the long-term goals of the institution and start working on a plan to implement them. Security is going to need new investment each year for the foreseeable future. The historical solutions to security problems worked well enough that criminals have found ways around them. It is time to recognize that the threats have changed and to address the new threat landscape.

13 Jun 2018
BCP vs. DR: Key Differences Every Financial Institution Needs to Know

In the wake of a very active hurricane season last year and considering the current volcanic eruptions in Hawaii, financial institutions are well aware of the importance of disaster preparation and the need to be ready for the unexpected. If your financial institution were affected by a natural disaster and your systems went down, how long would it take to get your institution up and running again? Would your organization have the resources in place to restore critical systems quickly and efficiently?

Community banks and credit unions rely on their institution’s business continuity plans (BCP) to guide them through the strategies and protocols needed to minimize downtime and keep operations running smoothly. However, in times of crisis, it is equally important to have a comprehensive disaster recovery (DR) plan in place as well.

You might think, “I have a good Business Continuity Plan in place already, so why do I need a DR plan too?” Business continuity planning refers to strategies and protocols that enable a financial institution to operate during and immediately after a disaster. A bank’s business continuity plan has evolved to become the crucial blueprint for guiding a financial institution through the process of recovering from a business interruption. This plan outlines what needs to happen to ensure that key products and services continue to be delivered in case of a disaster.

On the other hand, disaster recovery refers to having the ability to restore critical data and applications that enable the financial institution to operate normally. The DR is designed to outline what needs to be done immediately after a disaster to begin to recover from the event.


So practically speaking, a BCP informs your business with the steps to be taken to ensure key products and services remain available to customers and members, while a DR outlines the specific steps to be taken to recover the institution’s required technology needs after a disaster. Both are vital to have for any financial institution and are designed to work in tandem. Essentially, the DR plan is a part of the bigger BCP.

There are some differences in how each are structured as well. The BCP consists of a business impact analysis, risk assessment and an overall business continuity strategy; while the DR plan includes evaluating all backups and ensuring any redundant equipment critical to recovery is up-to-date and working. While the plans work together, they can be seen as two separate concepts.

  1. BCP: A plan to continue business operations
  2. DR: A plan for accessing required technology and infrastructure after a disaster.

Once the plans are complete, organizations must test them to verify their effectiveness, train staff on what to do in a real-life scenario, and identify areas where the plans need to be improved. The plans are different enough that they are often tested separately. A BCP test is often a "tabletop test," in which a potential disaster and its outcome are walked through to ensure all employees know where to go and what to do. A DR test is usually more hands-on: all servers and communications are made unavailable and the backup technologies are brought up to confirm that the institution can function as needed within the Recovery Time Objective (RTO). The plans should be tested at least once a year; the results should be thoroughly evaluated; and the plans should be revised based on those results. These are not static documents. Both the disaster recovery plan and the BCP should be updated as regulatory expectations change, to ensure continued compliance.

We understand that disaster recovery and business continuity planning are challenging for smaller community banks and credit unions that often lack the staff and resources of larger institutions. At Safe Systems, we have been working with banks and credit unions for more than 25 years to provide the services and assistance necessary to help our customers weather the storm. Our hope is that it isn’t needed, but should it be, our proven experience enables us to provide the services and assistance necessary to ensure our customers are prepared for a disaster and able to quickly recover from one.

16 May 2018
Common Roadblocks Financial Institutions Face When Developing a Business Continuity Plan

A bank's Business Continuity Plan (BCP) is the crucial blueprint for guiding it through recovery from a business outage and is instrumental in ensuring that people, process, and technology elements are all properly coordinated and restored. These plans have evolved from early one- or two-page outlines for banks to follow in times of disaster into large, step-by-step instruction manuals for everyone in the financial institution to follow should a disaster strike. For the past several years, examiners have been looking closely at these plans, not only to verify that banks have a compliant plan in place but also to ensure that they are able to execute it.

While most institutions have some sort of BCP in place, many community banks and credit unions find it challenging to produce a current and comprehensive BCP that meets examiner expectations. Some of the challenges institutions face when producing a current and compliant BCP include:

Understanding Plan Deficiencies

Today, most financial institutions have some sort of BCP in place and are not drafting a plan from scratch. Yet many struggle to understand the gap between where their plan is now and where it needs to be to be compliant and comprehensive. Identifying the plan's deficiencies is hard if it has not been routinely updated and if the financial institution does not truly understand the FFIEC guidance on BCP. The BCP should be a living, functional document that keeps pace with changes in infrastructure, strategy, technology and human resources. Financial institutions that do not regularly update their plans or keep up with FFIEC guidance risk exam findings in the future.

Determining What to Include in the BCP

Each organization has a unique operating model based on its specific services, organization, processes, and technologies. The first step to creating a comprehensive BCP is to have a thorough understanding of all the functions and processes that make up those operations, which involves breaking the institution into departments and determining the team members responsible for each of these areas. Having representatives from each department contribute to the BCP ensures the technologies and responsibilities for each area are accurately represented. It is difficult for a single individual to have all of the knowledge required to put together the BCP.

Properly Testing the BCP

The BCP process is not complete until the plan is thoroughly tested. Testing verifies the effectiveness of the plan, helps train the team on what to do in a real-life scenario, and identifies areas where the plan needs to be strengthened. Testing exercises help identify errant assumptions and gaps in the plan to make sure what is on paper matches the most likely threat scenarios. While regulators require proof of testing annually, more frequent testing may be necessary if a previous test uncovered significant gaps in the plan or if there are significant internal changes to processes or infrastructure.

Revising the BCP Based on Test Results

Simulated testing scenarios are helpful in determining what adjustments and changes need to be made to the plan to enhance recoverability of the bank’s processes and functions. However, many financial institutions do not take the time to make necessary revisions. It is important to review and update the full plan on a regular basis, especially when new services and technologies are implemented and as regulatory guidance and best practices change.

Overcoming Challenges

To streamline this process, community banks should integrate business continuity into all business decisions, assign responsibility for periodic reviews of the plan, and perform regular testing. The importance of the BCP should be communicated to the entire organization and everyone should understand his or her unique role and responsibility. The board, senior management and other stakeholders should also be kept up-to-date on the status of the BCP, review test results, and approve plan updates.

In today’s regulatory environment, it is critical to ensure you are adhering to the examiner’s expectations. It is no longer enough to simply have some variant of a BCP plan in place. All financial institutions must have a solid understanding of the FFIEC guidance to ensure their plan is comprehensive and that it adequately addresses all areas. It must be updated, accurate and tested routinely. A comprehensive BCP limits the impact that a disaster will have on your financial institution and ensures that you can continue to provide services to your customers, no matter what type of disaster may strike.

At Safe Systems, we have been working with community financial institutions to manage their business continuity planning process for more than 25 years. With our knowledge of banking applications, technology, and compliance we can help you ensure your plan will meet your objectives while also satisfying all regulatory requirements. Our hope is that it isn’t needed, but should a disaster strike, we want our customers to be prepared and recover quickly.


06 Dec 2017
What Community Banks and Credit Unions Should Budget for in 2018

Many financial institutions are entering (or are already within) their 2018 budget season. While creating a budget is essential in helping you execute your strategy and plan for the future, any shortcomings, such as the ability to respond to changes in regulation or things you didn’t adequately plan for, can quickly derail your plans and force you to make critical trade-offs. As community banks and credit unions dive into this process, it is important to evaluate all areas and think outside the box on key IT, security and compliance budget items that are often overlooked. Since we work with more than 600 financial institutions just like yours, we are constantly researching what’s coming next, both from technology and compliance viewpoints and offer some points for consideration in your budgeting for 2018.

2017 started with several ransomware incidents and culminated mid-year with one of the largest breaches ever – directly impacting more than half of the adults in the United States– with the Equifax breach. Expect “Cybersecurity” and “Information Security” to be buzz words going forward for the next few years. No business wants to have a breach and no regulatory agency wants to sign off on a business’ processes only to have them be breached. Look for the regulatory agencies to start looking out for number one by putting pressure on you, the financial institution, to step up your cybersecurity efforts.

Some studies report that up to 90% of cybersecurity spending goes to securing the network, while roughly 72% of breaches originate at the application level. If those figures are even directionally right, the money spent may be effective at stopping perimeter exposure but has left an unexpected weakness in overall protection.

Expect cybersecurity and added layers to be a focus over the next few years. The layers are often moving from the perimeter to the device level. Considering most breaches go unnoticed for 100-200 days, expect an emphasis on forensics and monitoring in the coming year(s) as well.

As you are setting budgets for 2018, here are some key line items for consideration:

  1. Malware/Ransomware Layers: $1,500 – $5,000

     Remember that 2016 and early 2017 were very heavy in malware, especially ransomware. While this seemed to cool off toward the end of 2017, experts expect it to be a major issue for the foreseeable future. The price depends on the layers you select and how many you add. Consider taking a more aggressive step in your fight against malware this year. If 2016 and 2017 taught us anything, it is that malware, and specifically ransomware, is back with a vengeance. More legitimate websites are unknowingly serving malware and more emails carrying malware are getting through than in years past.

     Malware has also evolved into a more aggressive threat. It is no longer characterized by aggravating popups and sluggish computers; it now encrypts all of the data on a machine, rendering it unusable, harvests user credentials, and sometimes exfiltrates documents and information from the machines themselves. Safe Systems has had more calls from both customers and non-customers about aggressive malware in 2016 than in years past, and that trend looks set to continue.

     Financial institutions should evaluate their current layers, their effectiveness, and what they can do to enhance their cybersecurity posture. This may mean more or different end-user training, DNS filtering, or implementation of anti-ransomware toolsets. Whatever course you choose, know that the battle to protect your data is real, and it is as important as ever.

  2. Cybersecurity Policy and Incident Response Testing: $4,000 – $7,500

     Cybersecurity preparedness does not start or end with the FFIEC Cybersecurity Assessment Tool (CAT), but the CAT does play a role. Examiners will look at it for at least an acknowledgement that you understand cybersecurity is a real issue and are working on addressing it. We still speak with institutions that have done little to nothing with the CAT. With the risk environment constantly escalating, regulators are unlikely to keep letting this slide. Budget for exercising the incident response plan, not only for writing the policy.

  3. Honey Pots: $2,500+

     A security professional at a major security conference earlier this year described baiting and monitoring for criminal activity as one of the most effective ways to learn that you have been compromised. "Honey pots" are decoys set up to look interesting to anyone snooping around the network. Because no legitimate process should ever touch them, any contact is a high-fidelity alert. With a solid solution in place, your institution could know of an intruder within minutes instead of the estimated 100-200 days noted above. Honey pots detect rather than prevent; had Target or Equifax deployed similar decoys, the intrusions would likely have been spotted far sooner and the damage limited.

  4. Robust Vendor Management Solution: $2,500 – $5,000

     With financial institutions delivering more products via third-party vendors than ever before, regulators are looking for a thorough vendor management program that ensures all vendors are reviewed regularly. For the average community bank, properly performing vendor due diligence and vendor management has become too cumbersome to do by hand. An automated solution provides a more efficient, cost-effective way to address this. It also ties into cybersecurity preparedness: as data has moved outside the institution, it is more important than ever to make sure your vendors are keeping your data safe.

  5. New and Replacement Technology: $500 – $10,000

     Be sure that all products your vendors are "sunsetting" are budgeted to be updated or replaced. Also ensure that key applications and settings are updated to the latest best practices, including:

     • Expired in 2017 and should be replaced or upgraded
       • Windows Vista
       • Symantec Endpoint 10.x
       • Microsoft Office and Exchange 2007
       • Backup Exec 2015
       • Adobe Acrobat XI
     • Expires in 2018 and should be replaced or upgraded
       • ESXi/vCenter 5.5 (end of general support 9/19/2018)

  6. Training: $500 – $1,500

     Information security is an issue that not only affects your institution, its employees and Board of Directors, but also extends to your customers. In fact, FFIEC guidelines now expect you to enhance the training programs you may already have in place. This is an area where many institutions could make a lot of improvement for the fewest dollars. Employees, whether by intent or by mistake, are often the starting point for the breaches institutions face; a single employee was publicly blamed for much of what happened in the Equifax breach. Make sure your employees and customers have access to training commensurate with their needs. Information security knowledge affects all employees at some level, so ensure that your budget includes appropriate training for each type of employee.

  7. Vendor and User Conferences: $1,000 – $1,800

     It is important to stay up to date with the latest features and industry changes. An effective way to do this is to attend a vendor conference or user group event. Budget for key vendor conferences as both an educational and a vendor management function.
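As an added illustration of the honey pot item above (this is example code, not a product or code from Safe Systems), the following decoy TCP listener shows why such a control produces a fast, high-confidence signal: nothing legitimate should ever connect to it, so the first connection is the alert. The FTP-style banner, the decoy host name and the JSON alert layout are constructed for this example; in practice the alert line would be shipped to a log collector or SIEM rather than printed.

```python
import json
import socket
import threading
import time
from datetime import datetime, timezone

# Added example (not from the original post): a decoy TCP service that nothing
# legitimate should connect to, so every connection is worth an alert. The FTP
# banner, the decoy name and the JSON alert format are constructed for this example.


class DecoyListener:
    """Accept connections on a decoy port and record who touched it and what they sent."""

    def __init__(self, host="127.0.0.1", port=0, banner=b"220 fs01 FTP server ready\r\n"):
        self.banner = banner
        self.events = []
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))          # port 0 = let the OS pick (handy for tests)
        self._sock.listen(5)
        self._sock.settimeout(0.2)             # so the accept loop can notice stop()
        self.port = self._sock.getsockname()[1]
        self._running = False
        self._thread = None

    def start(self):
        self._running = True
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def stop(self):
        self._running = False
        if self._thread is not None:
            self._thread.join(timeout=2)
        self._sock.close()

    def _serve(self):
        while self._running:
            try:
                conn, peer = self._sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            with conn:
                conn.settimeout(0.5)
                try:
                    conn.sendall(self.banner)  # look like a real service so the scanner keeps talking
                    data = conn.recv(1024)     # capture the first command it sends
                except (socket.timeout, OSError):
                    data = b""
            self.events.append({
                "ts": datetime.now(timezone.utc).isoformat(),
                "peer_ip": peer[0],
                "peer_port": peer[1],
                "decoy_port": self.port,
                "first_bytes": data[:64].decode("ascii", errors="replace"),
            })


def alert_line(event: dict) -> str:
    """One JSON line per contact, ready to ship to a log collector or SIEM."""
    return json.dumps({"alert": "decoy_contact", "severity": "high", **event}, sort_keys=True)


def wait_for_events(listener: DecoyListener, count: int, timeout: float = 2.0) -> bool:
    """Poll until the listener has recorded `count` events or the timeout passes."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        if len(listener.events) >= count:
            return True
        time.sleep(0.02)
    return len(listener.events) >= count


def probe(host: str, port: int, payload: bytes = b"USER anonymous\r\n") -> bytes:
    """Constructed stand-in for an attacker's scanner: connect, read the banner, send a command."""
    with socket.create_connection((host, port), timeout=1) as c:
        banner = c.recv(1024)
        c.sendall(payload)
        time.sleep(0.1)                        # give the decoy time to read before hanging up
    return banner


if __name__ == "__main__":
    decoy = DecoyListener()
    decoy.start()
    probe("127.0.0.1", decoy.port)
    wait_for_events(decoy, 1)
    decoy.stop()
    for ev in decoy.events:
        print(alert_line(ev))
```

Two design points matter in a real deployment: the decoy must be unreachable by anything legitimate (no monitoring, inventory or backup job should ever poll it, or the alert becomes noise), and the alert must go somewhere a person or a SOC will see it within minutes, since a decoy that is merely logged to local disk does nothing to shorten the 100-200 days quoted above.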

Some careful forethought in the budgeting process today can prevent you from having to make difficult decisions and trade-offs next year. With more than 20 years of service in the financial industry, working with more than 600 institutions, and actively managing 20,000+ devices, Safe Systems has gained a unique perspective on what is important to financial institutions and to the regulators that oversee them. We encourage you to leverage our expertise as you develop your strategic plans and budgets for the coming year.


29 Mar 2017
Cyber Resilience

Roadmap to Recovery: Cyber Resilience is More Than Just a Business Continuity Plan

With the increasing frequency of cyber-attacks in the financial industry, community banks need an effective strategy to measure and control these risks, and a program of cyber resilience may fit the bill. The concept of cyber resilience provides a different way of thinking about an institution's information security processes. Rather than focusing only on preventive controls, cyber resilience also emphasizes corrective controls, such as having solutions in place to continue business operations should an attack occur. Cyber resiliency ultimately refers to the preparations an organization makes to prevent threats and vulnerabilities (the defenses that have been developed and deployed), the responsive controls available for mitigating a security failure once it occurs, and its post-attack recovery capabilities (the corrective controls).

More than a BCP


While the Business Continuity Plan (BCP) has become the de facto framework for guiding an institution through recovery from any unplanned event, including a cyber-attack (the word "cyber" is mentioned 49 times in the FFIEC BCP Handbook), cyber resiliency is far more than developing and executing your bank's BCP. Business recovery plans are often ill-prepared for non-traditional disasters. For example, continuity plans often rely on the geographic separation of production and backup facilities to survive a natural disaster. Cyber attacks, however, are not geographically bound and can (and will) affect facilities and operations located anywhere in the world. An attack can hit the financial institution and its backup facility at once, or the institution and its third-party service providers (TSPs) simultaneously, and a backup site that replicates production data in real time will faithfully replicate the corruption or encryption as well. All of these situations require special consideration and preparation that go well beyond traditional BCP planning.

Common Cyber Risks

The cyber risk and threat landscape is broad and continually changing. Some of the most common cyber risks financial institutions should be prepared for include:

  • Malware
  • Insider Threats
  • Data or Systems Destruction and Corruption
  • Communication Infrastructure Disruption, and
  • Simultaneous Attack on Financial Institution and Third-Party Service Provider

Recommended Controls

Being truly cyber resilient is essential for community banks and their vendors. According to Appendix J of the FFIEC’s BCP Handbook, financial institutions should implement the following controls to successfully achieve cyber resiliency:

  • Data backup architectures and technology that minimize the potential for data
    destruction and corruption
  • Data integrity controls
  • Independent, redundant alternative communications providers
  • Layered anti-malware strategy
  • Enhanced disaster recovery planning to include the possibility of simultaneous attacks
  • Increased awareness of potential insider threats
  • Enhanced incident response plans reflecting the current threat landscape, and
  • Prearranged third-party forensic and incident management services
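The first two controls in the Appendix J list, backup architecture that limits destruction and corruption and data integrity controls, are the ones most often left at the level of a policy sentence. The following is an added example (not code from the original post or from the FFIEC) of a minimal integrity control over a backup set: a keyed manifest of SHA-256 hashes, built when the backup is taken and verified before it is relied on. The file names, contents and key are constructed; the point of keying the manifest with an HMAC is that an attacker who can alter the backups cannot simply rewrite the manifest to match, provided the key is stored apart from the backup media.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Added example (not from the original post): a keyed integrity manifest for a
# backup set. File names, contents and the key below are constructed for this example.


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backup files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, key: bytes) -> dict:
    """Record a hash for every file under root and seal the list with an HMAC."""
    files = {p.relative_to(root).as_posix(): sha256_file(p)
             for p in sorted(root.rglob("*")) if p.is_file()}
    body = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "mac": hmac.new(key, body, "sha256").hexdigest()}


def verify_manifest(root: Path, manifest: dict, key: bytes) -> list:
    """Return a list of problems; an empty list means the backup set is intact."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, "sha256").hexdigest()
    if not hmac.compare_digest(expected, manifest["mac"]):
        # Stop here: a manifest that fails its MAC cannot be trusted for anything below.
        return ["manifest: MAC mismatch (manifest altered or wrong key)"]
    problems, seen = [], set()
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        seen.add(rel)
        if rel not in manifest["files"]:
            problems.append(f"unexpected: {rel}")
        elif sha256_file(p) != manifest["files"][rel]:
            problems.append(f"modified: {rel}")
    for rel in manifest["files"]:
        if rel not in seen:
            problems.append(f"missing: {rel}")
    return problems


def run_demo() -> dict:
    """Build a constructed backup set, then show clean, damaged and tampered-manifest outcomes."""
    key = b"constructed-manifest-key"      # in practice: kept off the backup media, e.g. in a vault
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "core").mkdir()
        (root / "core" / "accounts.db").write_bytes(b"ACCT|1001|balance=250.00\n" * 100)
        (root / "core" / "loans.db").write_bytes(b"LOAN|2001|principal=15000\n" * 50)
        (root / "readme.txt").write_text("nightly backup set (constructed sample)\n")
        manifest = build_manifest(root, key)
        clean = verify_manifest(root, manifest, key)

        # Simulate corruption or ransomware on the backup store: one file overwritten, one removed.
        (root / "core" / "accounts.db").write_bytes(b"\x00" * 64)
        (root / "readme.txt").unlink()
        damaged = verify_manifest(root, manifest, key)

        # Simulate an attacker editing the manifest to hide the change; without the key the MAC fails.
        forged = {"files": dict(manifest["files"]), "mac": manifest["mac"]}
        forged["files"]["core/accounts.db"] = sha256_file(root / "core" / "accounts.db")
        tampered = verify_manifest(root, forged, key)
    return {"clean": clean, "damaged": damaged, "tampered": tampered}


if __name__ == "__main__":
    for label, result in run_demo().items():
        print(label, result or "OK")
```

Verification should run on the copy you intend to restore from, before the restore, and the key should never sit on the same system or media as the backups; otherwise the MAC adds nothing over a plain hash list. The same check, run after a restore at the alternate site, also covers the Appendix J concern about a simultaneous attack on the institution and its backup facility, since replicated corruption shows up as "modified" files rather than as a silent clean restore.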


The Keys to Cyber Resilience

Prevention and recovery are the keys to being truly cyber resilient! Cyber threats will continue to challenge financial institutions, but having the proper preventive and corrective controls in place can greatly minimize the impact. Cyber resilience requires banks to bring together all the areas of information security, business continuity, vendor management and incident response in a coordinated effort.

01 Mar 2017
Cyber Resilience

What is Cyber Resilience Anyway?

As the role technology plays in today’s financial services environment has grown, this has also introduced a range of new risks and vulnerabilities that must be recognized and acknowledged, placing cybersecurity high on the agenda for financial services executives and IT staff. The new 2016 FFIEC Information Security Handbook states:

“…because of the frequency and severity of cyber attacks, the institution should place an increasing focus on cybersecurity controls, a key component of information security.”

With financial institutions relying more and more on third-party service providers to support important bank functions such as loan servicing, collections, item processing, payments, and IT network management, to name just a few, regulators have expressed increased concern that these third parties could be a weak link that cyber attackers can exploit. The more third parties an institution uses, the greater the risk. All institutions, but especially community banks, ultimately bear this responsibility and must be aware of, and successfully manage, their service providers' cyber risks.

Cybersecurity vs. Cyber Resilience

Regulations define cybersecurity as:

“…the process of protecting consumer and bank information by preventing, detecting, and responding to attacks.”

Cyber resilience then, is:

“The ability of a system or domain to withstand cyber attacks or failures and, in such events, to reestablish itself quickly.”

While cybersecurity (or protecting from an attack) is vitally important, it is not the only thing that matters. In order to minimize the risks and vulnerabilities in the evolving digital landscape, cyber resilience (or bouncing back from an attack) must be taken into consideration as well. Cyber resilience is an evolving perspective that essentially brings the areas of information security, business continuity and organizational resilience together. Ultimately it refers to the preparations that an organization makes in regard to threats and vulnerabilities, the defenses that have been developed and deployed, the resources available for mitigating a security failure once it occurs, and their post-attack recovery capabilities.


One of the primary differences between the two is that although both cybersecurity and cyber resilience require effective third-party management, resilience requires an even greater focus on outsourced technology providers. This is particularly challenging because you must be prepared to recover from an event you couldn’t foresee, could not prevent, and cannot control. The initial stages of a cyber incident require a rapid assessment of the impact of the incident as soon as possible after detection. When the incident occurs at a third-party, you are relying on the vendor to notify you, which means your reaction time (and recovery capability) is entirely dependent on when (or if) you are notified. A recent report by the FDIC Office of the Inspector General found that most institutions have not fully considered and assessed the potential impact that third-parties may have on the bank’s ability to manage its own business continuity planning and incident response.

Compliance Expectations

Regulators expect financial institutions to be not just cyber-secure, but cyber resilient, and that requires close cooperation with all their critical third-parties. Assessing and managing risks, and developing capabilities for response and recovery in the event of disruptions regardless of where they may occur, requires financial institutions to have proven plans in place to meet regulatory expectations. The FFIEC has issued specific guidance on how it expects organizations to manage this process. The FFIEC IT Examination Handbook’s “Outsourcing Technology Services Booklet“, as well as the Information Security and the Business Continuity Booklets address expectations for managing due diligence, incident response, business continuity and the ongoing monitoring of outsourced third-party relationships.

Community banks should remain vigilant in the monitoring of emerging cyber threats or scenarios and consider their potential impact to operational resilience. The good news is that financial institutions can and should simulate and test their response to a cyber event just as they do for natural disasters. They should also make a point to include any significant third-parties in their testing. The financial industry is investing significant amounts of time and resources to defend against cyber-attacks and strengthen resiliency, and there are many resources available today that can help streamline and automate the entire process of cybersecurity and resilience planning, testing and execution.

25 Jan 2017

Is Your Business Continuity Plan Really Recoverable?

Is Your BCP Recoverable?

For many community banks, developing a business continuity plan is a time-consuming process that requires careful evaluation of the institution's critical processes and functions and of the interdependencies that support them. Even after you determine the strategic direction of your recovery plan, establish Recovery Time Objectives, define recovery priorities, detail key recovery procedures, and obtain Board approval of the document, your BCP process is not complete until you thoroughly test the plan. Testing verifies the effectiveness of the plan, trains your team on what to do in a real-life scenario, and identifies areas where the plan needs to be strengthened. Examiners are reviewing business continuity plans more closely to verify that banks not only have a well-crafted, compliant plan in place but are also able to execute it. Without proper testing, how will you know whether your team can follow these recovery strategies?

Test Your Business Continuity Plan

Every test should start with a realistic scenario designed to simulate your institution’s top threats. From there, the FFIEC suggests 4 different test methods of increasing intensity from a Tabletop Exercise/Structured Walk-Through Test through a Full-Interruption/Full-Scale Test. While initial testing of a plan can be relatively small-scale and straightforward, the institution should strive to extend the scope/severity of the exercise with each subsequent test. Running the very same test every year will not satisfy examiners.


Business Continuity is much bigger than simply the IT department. The FFIEC guidance states that:

“The business continuity planning process involves the recovery, resumption, and maintenance of the entire business, not just the technology component. While the restoration of IT systems and electronic data is important, recovery of these systems and data will not always be enough to restore business operations.”

It is important to make sure that all functional areas of the institution are involved in testing. This means that in addition to the Senior Management and Information Security roles defined in your plan, the team should also consist of key department heads with detailed operating knowledge of the processes and functions impacted by your scenario. These individuals must be aware of how to quickly recover and adequately support customer needs, regardless of whether normal operating procedures are available. Therefore, tests should cover the steps departmental managers must take to complete functions manually or in an alternate way. Although technology is important, the disaster response must not hinge on waiting for technology glitches to be resolved. Your departmental specialists know how to do their job under normal circumstances, but including them in testing allows them to gain familiarity with their alternate procedures in a specific emergency scenario.

One of the primary objectives of testing is to validate that the recovery time objectives for each process are achievable. Testing exercises help identify errant assumptions and gaps in the plan to make sure what you have on paper matches your most likely threat scenarios. According to the 2017 Community Bank Information Technology Outlook Study, a survey conducted by Safe Systems in Q4 2016, 78% of respondents reported formally testing their BCP plan every 12 months. While regulators require proof of testing annually, more frequent testing may be indicated if a previous test uncovered significant gaps in your plan or if there are significant internal changes to your processes or infrastructure.

Finally, don’t forget to include significant third-parties in your testing. The guidance states:

“Third parties provide important services to many financial institutions and as such should be included within the financial institution’s enterprise-wide business continuity testing program.”

Stay Current: Review and Update the Plan

While simulated testing scenarios are helpful in adjusting your plan to enhance recoverability of your bank’s processes and functions, it is also important to review and update the full plan on a regular basis. The BCP must be regularly updated as new services and technologies are implemented internally and as regulatory guidance and best practices change. According to the Safe Systems study, 75% of survey respondents indicated they are already in the habit of reviewing and updating their Business Continuity Plan every 12 months, but only 12% are taking the extra step to update their Business Continuity Plan whenever a new vendor, application or process is added.

To streamline this process, community banks should integrate business continuity into all business decisions, assign responsibility for periodic reviews of the plan, and perform regular testing and third-party reviews. The importance of the BCP should be communicated to the entire organization. The board, senior management and other stakeholders should also be kept up-to-date on the status of the BCP, review test results, and approve plan updates.

Meet Examiner Expectations and Ensure Recoverability

In the current regulatory climate, it is critical to ensure you are adhering to the examiner’s expectations. It is no longer enough to simply test restoring the same key systems annually; instead, you must test that the entire BCP plan is actionable and realistic. A comprehensive Business Continuity Plan limits the impact a disaster will have on your financial institution and ensures that you can continue to provide services to your customers, no matter what disaster may strike.

Your BCP should provide specific instructions for employees to follow, and testing makes sure those instructions can actually be followed. At Safe Systems, we have been working with community banks to manage their business continuity planning process for more than 20 years. With our knowledge of banking applications, technology, and compliance we can help you ensure your plan will meet your objectives while also satisfying all regulatory requirements.

18 Jan 2017
What is a Business Impact Analysis (BIA)?

A bank’s business continuity plan has evolved to become the crucial blueprint for guiding a financial institution through the process of recovering from a business interruption. Examiners are reviewing these plans more closely looking for proof that banks not only have a well-crafted plan in place, but are also able to successfully execute it. Banks must thoroughly understand and evaluate their critical processes, functions, and the interdependencies that support them in order to develop a solid plan the institution can implement effectively in the event that a disruption occurs.

One of the first steps in the BCP process is completing a Business Impact Analysis (BIA). The BIA is designed to help banks determine and evaluate the potential effects of any interruption to critical business operations as a result of a disaster, accident, or emergency. However, there has been some confusion among financial institutions regarding exactly what a BIA is and why it is important to the overall plan. Some financial institutions may confuse conducting a BIA with completing a Risk Assessment (RA). While the two go hand-in-hand and are both important steps in the continuity planning process, it is important to note that they are two completely different exercises.

The Difference Between Risk Assessment and Business Impact Analysis

Simply put, conducting a risk assessment will outline different threat scenarios the bank could face that would negatively impact normal operations. This includes both natural and man-made disasters listed in Appendix C of the FFIEC’s Business Continuity Planning booklet – think flooding, fire, pandemic illness, looting, vandalism, loss of communications, hardware failure, etc. As part of the RA, risks are assessed on their probability and impact to the institution. The Risk Assessment should result in a list of top threats to the institution, its customers, and the financial market it serves. This list can then be used to inform testing priorities.

On the other hand, a BIA focuses on the different processes within the bank rather than the threats to them. How badly will the inability to complete a process harm your institution, regardless of why that process was interrupted? Completing a BIA includes performing a workflow analysis of all business functions and processes that must be recovered. The BIA will help rank the criticality of your different processes, determine how quickly you need to recover the different areas of your bank, and ultimately result in a ranked list of recovery priorities. This analysis should be a dynamic process that identifies the interdependencies between critical operations, departments, personnel, and services.


How to Complete a Business Impact Analysis for Your Bank

To conduct the BIA, financial institutions should review each individual business process and function that goes into completing that process. Participants evaluate the risks associated with the loss of each process due to a non-specific outage event.

There are four main categories of enterprise risk that should be evaluated for each process to determine an accurate assessment of the total business impact:

  • Regulatory/legal risk
  • Reputation risk
  • Strategic risk
  • Operational risk

Evaluating these categories allows the BCP team to prioritize and sequence time-sensitive or critical business processes, functions, and the interdependencies that support them. These interdependencies include technology components, personnel, and outsourced relationships. The BIA helps the bank make sense of all these moving parts, and which are more crucial than others. The end result of the BIA is a consensus list of processes, the Maximum Allowable Downtime (MAD) and Recovery Time Objectives (RTO) for each, the amount of data that must be restored (Recovery Point Objective, or RPO), and an order in which those functions should be recovered (recovery priority). This information provides the strategic direction of the recovery plan, and should be referenced when defining recovery procedures.


Why the Business Impact Analysis is a Crucial Part of Your Bank’s BCP

Completing the BIA enables the financial institution to really define and understand what it is they do and how important those processes are to their operation. While the findings are different for each bank, there are some similarities. For example, most retail banks have a teller system that must be operational, as well as an ATM system and core processing network. However, the MADs and RTOs assigned to each function are often different for each financial institution. It is not uncommon today for regulators to demand that all RTOs be based on a methodical analysis of the tolerance for downtime for each process, and NOT simply a subjective value. Financial institutions need to be able to show how and why they have assigned rankings to each function. It is crucial to have representatives from all areas of the financial institution involved in the BIA process. Not doing so, or not completing the BIA at all, could lead to a misallocation of resources at minimum, or possibly violation of regulatory requirements (and a lower exam score), and potential reputational damage in worst case scenarios.

At Safe Systems, we understand that conducting a BIA has become a very time-consuming yet necessary part of operating a compliant, resilient, and recoverable financial institution. Therefore, we have developed a Business Continuity Plan application, BCP Blueprint, to facilitate and automate steps that have previously been done manually, eliminating the need for cumbersome spreadsheets and time-consuming data gathering and reporting activities. The careful evaluation of individual business processes and support functions enables the bank to better understand its objectives regarding continuity of operations.

For more information download our complimentary white paper, Taking Business Continuity Planning to the Next Level: A Better Way for Banks.

26 Oct 2016

The Importance of Integrating Vendor Management and Business Continuity Planning for Community Banks


In today’s banking environment, most financial institutions rely on third-party service providers (or vendors) to conduct business on a day-to-day basis. In fact, without the help of third-party service providers, a bank’s ability to provide products and services to customers would be severely impacted. When banks choose to outsource key bank functions to a service provider, however, it creates a reliance on that third party and exposes the institution to the risk of not being able to resume operations in the desired timeframe in the event of a disruption.

When creating a business continuity plan, financial institutions have to be able to account for all interdependencies within the institution and evaluate the risks. Interdependencies can be classified into assets, or things you own, and vendors, or things you outsource. The FFIEC recently issued new BCP Guidance in the form of an addendum to the IT Handbook on Business Continuity Planning. It is titled “Appendix J: Strengthening the Resilience of Outsourced Technology Services”, and it has significant implications for both financial institutions and service providers. The guidance requires institutions to have certain controls in place to mitigate these risks and discusses a few key points regarding the management of third party providers:

  • “Third-party management addresses a financial institution management’s responsibility to control the business continuity risks associated with its TSPs and their subcontractors.”
  • “Third-party capacity addresses the potential impact of a significant disruption on a third-party servicer’s ability to restore services to multiple clients.”
  • “Testing with third-party TSPs addresses the importance of validating business continuity plans with TSPs and considerations for a robust third-party testing program.”

Why Does VM Come into Play When Talking About BCP?

As banks evaluate vendors, they are assessing several key elements, but mainly, the criticality of the product or service the vendor provides. In doing so, bankers should be asking: How important is this vendor to what we do? If they fail, how many of our services fail? Criticality is expressed in terms of Recovery Time Objectives (RTOs). Each bank must determine their own unique RTOs for their institution, and must also assign the same RTO to the third-party vendor. Banks then assign the criticality rating to the vendor based on the criticality of the service that the provider supports. This helps ensure the vendor is equipped to adequately perform their agreed upon task so the bank can conduct business as usual. If the provider is not up and running, then the bank can’t be up and operating either, at least not without work-arounds in place.

When doing BCP planning, the financial institution must look at all areas of the bank and the services and products provided (teller services, lending services, ATMs, accounting, etc.) and identify all of the interdependencies or third parties necessary to make these services happen. BCP also looks at RTOs for the entire process. So, if the bank assigns an RTO of one day to the teller process on the BCP side, then everything that process requires, including a third-party provider, also now inherits that same RTO on the vendor side. There must be a tight cohesion between the vendor management process and the BCP.
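The following is an added example, not code from Safe Systems or from the FFIEC guidance, that models the BIA output described in the earlier post (a consensus list of processes with MAD, RTO, RPO and recovery priority) together with the RTO-inheritance rule described above: each vendor inherits the most demanding RTO among the processes that depend on it, and that inherited value is then compared against what vendor management has on file. All process names, vendor names, hour values and the 24h/72h criticality thresholds are constructed assumptions, not figures from any institution or regulator.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Process:
    """One business process as captured in the BIA."""
    name: str
    mad_hours: int                 # Maximum Allowable Downtime
    rto_hours: int                 # Recovery Time Objective (should not exceed MAD)
    rpo_hours: int                 # Recovery Point Objective (tolerable data loss)
    assets: List[str] = field(default_factory=list)   # interdependencies you own
    vendors: List[str] = field(default_factory=list)  # interdependencies you outsource


# Constructed sample BIA data for a hypothetical community bank.
SAMPLE_PROCESSES = [
    Process("Teller services", 24, 8, 4, ["Teller workstations"], ["Core processor"]),
    Process("ATM network", 48, 24, 4, ["ATM fleet"], ["Core processor", "ATM switch"]),
    Process("Wire transfers", 8, 24, 1, [], ["Wire service"]),  # deliberately inconsistent
    Process("Lending", 120, 72, 24, ["Loan origination system"],
            ["Core processor", "Loan documentation service"]),
    Process("Accounting", 240, 120, 24, ["General ledger"], ["Payroll provider"]),
]

# Constructed vendor-management data: the recovery time each provider has committed to.
SAMPLE_VENDOR_CONTRACT_RTOS = {
    "Core processor": 4,
    "ATM switch": 24,
    "Wire service": 48,
    "Loan documentation service": 96,
    "Payroll provider": 72,
}


def inconsistent_objectives(processes: List[Process]) -> List[str]:
    """Processes whose RTO is longer than their MAD: the plan promises a recovery
    slower than the institution says it can tolerate."""
    return [p.name for p in processes if p.rto_hours > p.mad_hours]


def recovery_priority(processes: List[Process]) -> List[str]:
    """Ranked recovery order: shortest RTO first, ties broken by MAD, then RPO."""
    ordered = sorted(processes, key=lambda p: (p.rto_hours, p.mad_hours, p.rpo_hours))
    return [p.name for p in ordered]


def inherited_vendor_rtos(processes: List[Process]) -> Dict[str, int]:
    """A vendor inherits the RTO of every process that needs it; the binding value
    is the smallest one, because the most time-sensitive dependent process sets the bar."""
    rtos: Dict[str, int] = {}
    for p in processes:
        for vendor in p.vendors:
            rtos[vendor] = min(rtos.get(vendor, p.rto_hours), p.rto_hours)
    return rtos


def vendor_criticality(rto_hours: int) -> str:
    """Map an inherited RTO to a criticality rating. The 24h/72h thresholds are
    an assumption for this example, not values from the guidance."""
    if rto_hours <= 24:
        return "critical"
    if rto_hours <= 72:
        return "high"
    return "moderate"


def vendor_rto_gaps(processes: List[Process],
                    contract_rtos: Dict[str, int]) -> List[Tuple[str, int, Optional[int]]]:
    """Cohesion check between BCP and vendor management: vendors whose contracted
    RTO is slower than the RTO the BCP requires of them, plus vendors the BCP
    depends on that vendor management has no RTO for at all (contracted=None)."""
    gaps: List[Tuple[str, int, Optional[int]]] = []
    for vendor, required in sorted(inherited_vendor_rtos(processes).items()):
        contracted = contract_rtos.get(vendor)
        if contracted is None or contracted > required:
            gaps.append((vendor, required, contracted))
    return gaps


if __name__ == "__main__":
    print("RTO exceeds MAD:", inconsistent_objectives(SAMPLE_PROCESSES))
    print("Recovery priority:", recovery_priority(SAMPLE_PROCESSES))
    for vendor, rto in inherited_vendor_rtos(SAMPLE_PROCESSES).items():
        print(f"{vendor}: inherited RTO {rto}h ({vendor_criticality(rto)})")
    for vendor, required, contracted in vendor_rto_gaps(SAMPLE_PROCESSES,
                                                        SAMPLE_VENDOR_CONTRACT_RTOS):
        print(f"GAP {vendor}: BCP requires {required}h, vendor commits to {contracted}h")
```

With the constructed data, the wire process fails the RTO-versus-MAD check, and the wire and loan-documentation vendors show as gaps because their contracted recovery times are slower than the RTO they inherit from the processes that depend on them.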

Successfully integrating vendor management and business continuity planning is critical for financial institutions, especially when adhering to the FFIEC regulations and guidance. While this can be a tough assignment for bankers, it is a necessary process that has a direct impact on the health of the institution.


14 Oct 2016

When Disaster Strikes – BCP and Disaster Recovery Lessons in The Wake of Hurricane Matthew


Last week, we all watched as Hurricane Matthew unleashed its fury on the Eastern Seaboard of the US, disrupting thousands of businesses and organizations, and impacting millions of people’s lives. The damage that the storm inflicted underscores the importance of disaster planning and preparation – time and again, we see a stark difference in the reaction from businesses who have a disaster plan in place and those that don’t. The same applies to financial institutions, especially community banks and credit unions. The lack of proper planning and preparation could be particularly devastating for a bank in terms of disaster recovery, and is even more challenging for smaller community financial institutions who often lack the staff and resources of larger institutions.

When disasters like Hurricane Matthew strike, it is imperative that financial institutions implement their Business Continuity Plans and Disaster Recovery plans, as required by FFIEC guidelines. These plans are instrumental in outlining the specific steps and processes the institution must take to be prepared and efficiently recover from disasters or business interruptions.

Preparing for Natural Disasters and Similar Events

First and foremost, community banks and credit unions should have an existing plan in place and execute that plan when conditions dictate it. Beyond this, there are several additional steps we at Safe Systems recommend each financial institution take to adequately prepare for natural disasters and similar events, including:

  • Double check all backups and ensure offsite copies are up to date and working. If using an on-premises backup solution, make sure all hardware and backup media are moved offsite to a safe location.
  • Uninterruptible Power Supplies (UPS) are designed for short-term power outages. If a longer power loss is expected, preemptively shut down servers and all IT equipment. Equipment that is not properly shut down can suffer failures and malfunctions.
  • Ensure the security of the server room. Make sure the server room is locked with separate key access and all equipment is secure.
  • Ensure everyone is following the procedures in the BCP and DR plans and is aware of the proper communication protocols and contacts.

Common Issues

Many banks today try to manage their own technology solutions, including backups, email systems and server management. Some outsource these responsibilities to local providers who may not be experts in the financial services industry. Some issues financial institutions may run into when working with a local provider include:

  • Email Outages

    Working with a local provider who hosts the email server locally means the server might be down due to possible power outages. This is also true if the bank hosts email internally.

  • Backups

    If backups are stored with a local provider, that provider is likely also affected by the storm, meaning they might also be suffering from damage and loss that they need to recover from before being able to help their customers. Furthermore, if using an on-premises backup solution, it is uncertain whether the backup media will be accessible or whether it has been damaged in the storm.

  • Evacuation

    As we saw last week, some communities may be forced to fully evacuate, which includes bank IT staff, and the staff of the local service provider. The true damage and loss won’t be known until they are allowed to return and start attempting to power back up.

Options for Outsourcing

These issues can be avoided when working with an IT service provider. Safe Systems is the leader in providing compliance-centric IT and security solutions exclusively to community banks and credit unions, and as such, we understand the unique needs each financial institution has when preparing for — and recovering from — a natural disaster. Financial institutions working with Safe Systems benefit from:

  • Remote and Secure Back-ups and Data Recovery Practices

    Our backups are in two redundant remote facilities making sure your data is always protected. In addition, our NetComply One solution provides proactive alerting when a backup has failed or has issues, allowing time to rectify the situation and ensure all information is stored appropriately. Also, we annually test our customers’ disaster recovery plans and the integrity of backups to ensure customers can recover files and networks as documented in their BCP.

  • Available Staff and Engineers

    No evacuated IT personnel! All IT personnel are able to handle situations remotely and our team is available to help 24 hours a day/7 days a week. In addition, during Hurricane Matthew, for any customers that may have been impacted, Safe Systems ensured additional engineers were available to help immediately.

  • Guidance

    With our unique CRM software, we were able to target our customers who might be affected by the storm. We contacted them to guide them through the preparation process and are on standby to help when and if issues arise. Also, this included verifying our customers had current backups by performing a thorough review of all protected systems.

  • Offsite Hosted Email

    SafeSysMail, powered by Microsoft Office 365™ email, eliminates the burden of running Microsoft Exchange™ internally; meaning email is not disrupted in the case of a natural disaster. As a vital part of your institution, your email solution needs to function smoothly and consistently in order to support your business functions, even during a disaster. Working with Safe Systems gives you access to an email solution that, while powered by Microsoft’s cloud email solution, is designed exclusively for financial institutions and includes extra layers of protection.

  • Continuum

    With our disaster recovery solution, Continuum, we can restore a bank’s technical environment remotely, giving the bank the ability to access its network from anywhere. Our colocation facility becomes the production environment for clients, enabling them to run all of their solutions from that remote location.


You simply cannot prevent or anticipate every disaster, but proactively knowing where to go, who to contact and what critical functions need to be backed up and restored can provide confidence to you and your employees when responding to a disaster. Developing, implementing, and regularly testing disaster recovery and business continuity plans is crucial in today’s banking environment. At Safe Systems we have been working with banks and credit unions to manage their disaster recovery process for more than 20 years. Our hope is that it isn’t needed, but should it be, our proven experience enables us to provide the services and assistance necessary to ensure our customers are prepared for a disaster and able to quickly recover from one.

12 Oct 2016

Simplify Business Continuity Planning for Your Bank with a Structured and Repeatable Approach


A bank’s Business Continuity Plan (BCP) has evolved to become the crucial blueprint for guiding an institution through the process of recovering from a business outage. Examiners are looking at these plans closely to verify that banks not only have the right plan in place, but are also able to successfully execute it. Many banks choose to keep continuity planning in-house and manually develop their plans. With increased levels of regulatory scrutiny, innovative bankers are embracing technology to make BCP a more efficient and streamlined process.

Many institutions take a qualitative approach to continuity planning, and this requires coordinating meetings between various stakeholders to come to consensus decisions. To create a more efficient BCP process, bankers should be looking to implement an application that will help their financial institution follow the FFIEC-prescribed process and facilitate the collaborative elements of BCP. The end result should include a complete and comprehensive plan that meets regulators’ expectations and equips the financial institution to handle and recover from possible disasters in a timely and efficient manner. 



Enterprise Modeling – The First Step to a Successful Business Continuity Plan

Each bank has a unique operating model based on its specific services, organization, processes, and technologies. Before an institution can figure out how to sustain or recover operations, it must first have a thorough understanding of all the functions and processes that make up those operations. At Safe Systems, we refer to this information gathering step as Enterprise Modeling. This involves breaking the institution into departments (aka Functional Units) and determining the team members responsible for each of these areas. Each department is responsible for one or more business processes, and each of those processes is comprised of multiple functions.

Enterprise modeling can streamline the BCP process and give bankers the ability to assign those most knowledgeable with their department’s operations the task of developing the recovery plan. It is difficult (if not impossible) for a single individual to have all of the knowledge required to recover operations for every department and process. Involving additional people, if not managed properly, can create an even more complex process. By starting with an Enterprise Modeling step, the institution will directly map required functions to those individuals responsible for accomplishing those functions. Organizing the process in this manner will simplify the gathering of business recovery information from each department head, ensure that all processes are addressed, and help institutions develop a more accurate assessment of their risks.

Automating Your Bank’s Manual BCP Processes

Business Continuity Planning is cyclical, and assessments should be revisited regularly. Automating repetitive portions of the BCP process eliminates the need to update cumbersome spreadsheets, and can carry over information from time-consuming data gathering and reporting activities completed in previous assessments. An automated BCP solution will help guide financial institutions through the entire BCP process: assigning department heads, documenting key activities, services, and applications, assessing critical recovery times, testing procedures, and staying on top of key updates to the plan.


It is crucial to ensure the BCP will meet regulatory scrutiny while providing an efficient and simplified process for the institution. Community banks, in particular, should have a business continuity plan that is easy to understand, easy to use, and developed specifically for their institution. An automated application should provide the necessary structure to keep banks on track, but should also allow for customization as each institution sees fit.





At Safe Systems, we understand that BCP can be a very time-consuming and stressful process for banks. To help streamline this process, we have developed a Business Continuity Plan application, BCP Blueprint, to help facilitate and automate the BCP process. This application helps financial institutions move from a pieced-together set of recovery procedures to a cohesive enterprise-wide approach to continuity planning. The end result will include a complete and comprehensive plan that meets regulators’ expectations and equips financial institutions to better respond when disaster strikes. For more information please download our complimentary white paper, Taking Business Continuity Planning to the Next Level: A Better Way for Banks.

28 Sep 2016

New IT Examination Procedures Impact Banks – Business Continuity Planning Becoming More Important Than Ever!


Over the coming months, FDIC-examined institutions will phase in new IT examination procedures, the first major overhaul since December 2007. The new format is called the InTREx program (Information Technology Risk Examination), and is designed to provide a more uniform and less subjective examination experience. The new format has cut the pre-examination questions nearly in half. Don’t be fooled though, this will not make for an easier exam, as these questions are more open-ended than a simple “Yes” or “No.” What the InTREx doesn’t cover in the pre-exam phase, it more than makes up for in the on-site examination.

The new process is much more granular, requiring a deeper analysis by the examiner, which in turn puts a greater burden on the bank. Proper documentation will often make the difference between a satisfactory and a less than satisfactory assessment. This means institutions must be adequately prepared for a more thorough and time-consuming examination. One area the new IT examination procedures heavily reference is business continuity planning (BCP).

Business continuity planning has become a very important aspect of a bank and credit union’s successful IT exam and compliance rating. Business Continuity Planning is the process of creating systems and processes that provide resilience to, and recovery from, potential non-specific threats to a financial institution. Such events that could negatively impact normal operations include all man-made and natural disasters, such as failure of equipment, loss of or damage to critical infrastructure, and malicious cyber activity. Auditors and examiners are scrutinizing BCP processes more closely, specifically looking to verify that the institution’s methodology and plan structure closely adhere to the regulatory guidance.



In addition to the new FDIC procedures, the FFIEC has also made some significant guidance changes, specifically updating the Business Continuity Planning Handbook. The FFIEC has increased its focus on cybersecurity resilience and recovery as well as important interdependencies such as third-party providers.

There is also significant overlap between the elements in the InTREx program and the FFIEC’s Cybersecurity Assessment Tool (CAT), which means that actions taken to strengthen cybersecurity control maturity will also strengthen overall IT controls. The CAT dedicates an entire section to cyber resilience, a concept which encompasses elements from both BCP and incident response. These new examination requirements prove that business continuity planning has become a crucial element of a financial institution’s cyber resilience strategy and overall information security program.

Events of the past 10 years have significantly increased the need for attention to emergency preparedness within financial institutions. In the last decade, we have seen an increased dependence on technology and third party vendors, business disasters such as power outages and connectivity issues, as well as severe natural disasters like hurricanes, tornadoes, and floods. Community banks must have a comprehensive business continuity plan in place to successfully face these unique and unexpected challenges and ensure the institution can recover business operations quickly and efficiently.

At Safe Systems, we understand that BCP can be a very time-consuming and stressful process for banks. To help streamline this process, we have developed a Business Continuity Plan application, BCP Blueprint, to help facilitate and automate the BCP process. This application helps financial institutions move from a pieced-together set of recovery procedures to a cohesive enterprise-wide approach to continuity planning. The end result will include a complete and comprehensive plan that meets regulators’ expectations and equips financial institutions to better respond when disaster strikes.


For more information please download our complimentary white paper, Taking Business Continuity Planning to the Next Level: A Better Way for Banks.