Tag: C-Vault

05 Sep 2019
Disaster Recovery Planning What You Do Not Know Can Hurt You

Disaster Recovery Planning: What You Don’t Know Can Hurt You

Disaster Recovery Planning What You Do Not Know Can Hurt You

Disaster recovery is a crucial business continuity area that all financial institutions must prepare for, no matter the size of the organization or location. Each year, the U.S. gets hit with multiple tornadoes, hurricanes and other storms that produce damaging winds, rain and flooding. As of July 9th, there were already six weather and climate disaster events with losses exceeding $1 billion each across the United States, according to the National Center for Environmental Information (NCEI). The costs of these events varied, including physical damage to commercial buildings; time element losses like business interruption; and disaster restoration expenses. In addition, many areas of the Southeast are currently preparing for Hurricane Dorian as we speak!

The overall impact of adverse weather can be particularly detrimental to community banks and credit unions that may have fewer disaster recovery resources at their disposal. This highlights the need for all financial institutions to be prepared for potential disasters—whether natural or manmade—so they can implement a smooth recovery. Here are some important aspects about disaster recovery planning that community banks and credit unions should consider:

  1. Implement Effective Strategies and Tactics
  2. The disaster recovery plan provides detailed instructions to ensure all mission-critical functions can recover in the event of a business interruption. To facilitate effective disaster recovery, bank and credit union personnel must be able to implement specific activities that can restore an institution’s vital support systems after a disaster strikes. These include ensuring all back-ups are up to date and working; implementing uninterruptable power supplies for short-term outages; making sure the server room is secure and all sensitive documentation is protected; and ensuring all employees, vendors, and customers are aware of the proper communication protocols. Without these steps, the institution will not have the resources required to meet its operational needs, which could have a devastating effect on the entire organization.

  3. Prepare for All Disaster Situations
  4. Get My CopyHow Southern Bank and Trust Recovered from Hurricane Irma Get a Copy

    Disaster recovery often focuses on the prospect of restoring technology and communications after a hurricane, tornado, or other storm. However, disaster preparedness must extend beyond storms, earthquakes, fires, floods, and other natural calamities. Events like electric power outages, hardware failures, security breaches, and human error can also be catastrophic. There are also mundane reasons for needing disaster recovery: A backhoe inadvertently wipes out the internet connection or a water line leak knocks out the server. Not planning broadly enough can cause institutions to miss covering all the bases when the time comes to implement the disaster recovery plan.

  5. Know What’s at Stake
  6. Disaster recovery planning goes well beyond minimizing the loss of hardware, applications or data. It’s a matter of losing time, money, clients and, in some cases, losing business opportunities or reputation. To minimize downtime and ensure critical business functions recover quickly, it is important to determine the specific Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for both the financial institution and all third-party vendors the institution relies on for critical business functions. The RTO is the amount of time an application can afford to be down without causing significant damage to the business, and the RPO is the allowable data loss. The longer a financial institution’s system is down the more it will suffer, so defining the RTOs and RPOs is an important step to ensure the institution can be up and running in a timely manner.

  7. Test the Plan
  8. Having a plan on paper is one thing; having a plan that works is another. Financial institutions must test their disaster recovery plan to determine what could go wrong and adjust accordingly. Not knowing if a plan works—until an actual disaster occurs—can be extremely risky. If the plan proves to be insufficient during a real-life scenario, the institution could experience undue damage and expense. Hence, the need for regular testing. The frequency of testing will depend on the size and type of financial institution. Smaller banks and credit unions should test at least once a year; larger institutions or those with a more fluid environment should test more often.

  9. Update the Plan as Needed
  10. As a part of the overall business continuity planning process, it’s essential for institutions to review and revise their disaster recovery plan to make sure it supports their current technological environment, business needs, and objectives. Updates to the plan should be done whenever an important element (internal or external) in the institution changes. To streamline this process, disaster recovery should be integrated into all business decisions and responsibility should be clearly outlined for each update and area. The importance of the disaster recovery plan should be communicated to the entire organization, which includes the board, senior management, and other stakeholders. The more frequently a disaster recovery plan is updated and the better educated the entire organization is on the plan, the more reliable and useful it will be when a problem arises.

It’s important to stay on top of all disaster recovery processes to make sure the entire financial institution is well-equipped to respond in the event of a disaster. The good news is community banks and credit unions do not have to be knowledgeable about every facet of disaster recovery planning to do this successfully. Instead of worrying about what they don’t know, they can capitalize on third-party recovery services that ensure they have the proper technology and support to recover quickly. Safe Systems, for example, offers a fully managed site recovery solution to support financial institutions of all sizes. Safe Systems’ experts can assist with disaster recovery planning, testing, and execution to safeguard institutions against the impact of a natural disaster and other threats.

06 Jun 2019
The Ultimate Guide To Business Continuity Management for Banks and Credit Unions

The Ultimate Guide To Business Continuity Management for Banks and Credit Unions

The Ultimate Guide To Business Continuity Management for Banks and Credit Unions

The Ultimate Guide To Business Continuity Management for Banks and Credit Unions

By Tom Hinkel

In November 2019, the Federal Financial Institution Examination Council (FFIEC) updated its BCP IT Examination Handbook and expanded its focus from Business Continuity Planning (BCP) to Business Continuity Management (BCM). The change makes sense, because “planning” is only one part of the business continuity process. Business continuity management encompasses the entire process by integrating resilience, incident response, crisis management, third-party integration, disaster recovery, and business process continuity.

In the financial industry, community banks and credit unions are required to develop compliant business continuity plans that identify business processes along with their interdependencies that provide resilience to, and recovery from, all potential threats to the financial institution. BCM is designed to help organizations, regardless of their size, location or activity, minimize the impact of disruptions of any kind, natural or man-made, including cyber.

The new BCM guidance represents the first major update since 2015 and calls for all “entities” to rethink their approach to business continuity and be prepared to make appropriate plan revisions to meet these expectations. Entities are defined as depository financial institutions, nonbank financial institutions, bank holding companies, and third-party service providers. The use of this term is significant, as it essentially pulls all interdependencies into the planning process.

With so much at stake, it is important for financial institutions to understand the BCM process and the key requirements to develop the business continuity plan:

  • Regulatory requirements relevant to a compliant BCM Program
  • How to develop the business continuity management plan (BCMP)
  • Pandemic planning and business continuity strategy
  • The importance of integrating vendor management into the BCMP
  • Steps to effectively update and test the plan
  • The benefits of automating the BCM process

Regulatory Requirements

 
To comply with regulatory expectations, financial institutions are required to focus on an enterprise-wide, process-oriented approach that considers technology, business operations, testing, and communication strategies that are critical to business continuity management for the entire organization, not just the information technology department. Regulations make it clear that institutions need to plan to perform their critical business functions, even if technology may be impaired or unavailable.

Auditors and examiners are also scrutinizing business continuity plans to verify that the institution’s methodology and plan structure closely adhere to the 2019 regulatory guidance. A key change in the guidance is the increased focus on resilience. Resilience is the ability to prepare for—and adapt to—changing conditions and both withstand and recover rapidly from disruptions, whether that includes deliberate attacks, accidents or naturally occurring threats or incidents. Two keys for understanding resiliency are the terms “withstand” and “recover”, with an emphasis on withstanding adverse events. In the past, business continuity planning has been focused more on recovery, but now the FFIEC has placed a heavy focus on resiliency. The ultimate goal is for financial institutions to be more proactive and minimize having to implement traditional recovery measures down the road. When going through the BCM process, resilience must be included from the very beginning of the process to successfully meet regulatory expectations.

How to Develop a BCMP – What to Include in the Plan

 
It’s safe to say that most banks and credit unions have some sort of a BCMP in place, yet many struggle with determining what to include in the plan to ensure it is both recoverable and compliant. With the new changes to the guidance, many community banks and credit unions may also be wondering what specific changes they’ll need to make to meet these new expectations.

While each financial institution has a unique operating model based on its services, demographic profile, organizational processes, and technologies, the first step when drafting or updating the BCMP is to have a thorough understanding of all the functions and processes that make up those operations. This process, which we refer to as Enterprise Modeling, involves identifying all departments or functional units, with all associated processes and functions (including all internal and external interdependencies), and determining the team owners and members responsible for each department. Having representatives from each department take an active role in the planning process ensures the technologies and responsibilities for each area are accurately represented. This also helps the financial institution develop a more accurate assessment of its recovery time objectives and actual recovery capabilities. It is not realistic to have a single individual with all the knowledge and unique skill set required to put together a comprehensive BCMP.

A plan should consist of all the steps required to ensure key products and services remain available to customers or members. The BCMP consists of five phases including risk management (Business Impact Analysis, Risk/Threat Assessment); continuity strategies (Interdependency Resilience, Continuity and Recovery); training and testing (aka Exercises); maintenance and improvement; and board reporting.

Furthermore, the BCMP should be a “live” document that keeps pace with any changes in infrastructure, strategy, technology, and human resources. As soon as a plan is board approved, it should be tested, and a new draft plan should be initiated. At any point in time you should have both an approved plan, as well as a live draft to accommodate changes.

Pandemic Planning and Business Continuity Strategy

 
In the past, financial institutions were required to have a separate pandemic plan, but the new FFIEC guidance instead expects community banks and credit unions to assess and manage pandemic risk alongside all other possible disasters. This means the BCM plan is the pandemic plan, and financial institutions must analyze the impact a pandemic can have on the organization; determine recovery time objectives (RTOs); and build out a recovery plan.

As we’ve all learned, pandemic planning is very different from natural disasters, technical disasters, malicious acts, or terrorist events because the impact of a pandemic is much more difficult to determine due to the differences in scale and duration. Pandemics also directly impact financial institution and third-party employees rather than targeting infrastructure or technology-based interdependencies. Cross training and succession planning should be a key part of the pandemic planning process to ensure operations can continue even if key individuals are unavailable.

FFIEC guidance states that the financial institution’s BCMP should include five key elements to address the unique challenges posed by a pandemic event:

  1. A preventive program including monitoring of potential outbreaks; educating employees; communicating and coordinating with critical service providers and suppliers; and providing appropriate hygiene training and tools to employees
  2. A documented strategy that provides for scaling the institution’s pandemic efforts to align with the current six-stage CDC framework
  3. A comprehensive framework of facilities, systems, or procedures that provide the organization the capability to continue its critical operations in the event that large numbers of the institution’s staff are unavailable for prolonged periods
  4. A testing program to ensure that the institution’s pandemic planning practices and capabilities are effective and will allow critical operations to continue
  5. An oversight program to ensure ongoing review and updates to the pandemic plan

The Importance of Integrating Vendor Management into the BCMP

 

The vast majority of banks and credit unions today rely on third-party service providers, or vendors, to conduct business on a day-to-day basis. When financial institutions outsource key functions to a service provider, it creates a reliance on that third-party and exposes the institution to the risk of not being able to resume operations within pre-defined recovery time objectives in the event of a disruption. The FFIEC now expects critical third-party providers to be active participants in the BCM program, and it’s likely that regulators will require financial institutions to have a detailed understanding of the resilience capabilities of their core/technology service providers, cloud providers and others moving forward. When creating a BCMP, financial institutions have to account for all interdependent third-party relationships and identify the potential consequences a third-party disruption might have on its operations.

The criticality of the product or service the vendor provides is directly related to the criticality of the dependent process it supports, as identified by the business impact analysis. Some questions financial institutions should consider include:

  • How important is this vendor to what we do?
  • If they fail, how many of our dependent services would be negatively impacted?
  • How challenging would it be to replace this vendor?

Vendor criticality is expressed in terms of Recovery Time Objectives (RTOs), and each bank or credit union determines and assigns the same RTOs to the third-party vendor as they have to the underlying process they support. In other words, if you’ve identified a two-day recovery time objective for a particular process, any underlying vendors will also inherit that same two-day RTO. In the event that the vendor cannot match your RTO (validated by testing), you must have a contingency plan in place such as alternative procedures or providers to compensate for the gap.

Successfully integrating vendor management and business continuity planning is essential for financial institutions to truly understand their actual recovery capabilities by validating whether or not their third-party providers “have sufficient recovery capabilities” to meet your recovery objectives.

Importance of Exercises and Tests When Updating the BCMP

 
Exercises and tests are important parts of the process, and in fact, the BCMP is not complete until the plan has been thoroughly tested. The new handbook makes an important distinction between exercises and tests in the BCMP process, defining an exercise as “a task or activity involving people and processes that is designed to validate one or more aspects of the BCMP or related procedures.” On the other hand, a test is often performed “to verify the quality, performance, or reliability of system resilience in an operational environment.” The handbook emphasizes the importance of both exercises and tests to demonstrate resilience and recovery capabilities.

Exercises and testing verify the effectiveness of the plan by validating all recovery time objectives; helps train the team on what to do in a real-life scenario; and identifies areas where the plan needs to be strengthened. In addition, examiners are also verifying that a BCMP has been tested, and the financial institution is able to execute the plan if and when the need arises. Because the financial industry is considered part of the nation’s critical infrastructure, testing, exercises, and training will continue to be a focus going forward.

Every test should start with a realistic scenario drawn from the top threats as identified by the risk management phase of the planning process. Top threats are those determined to have both high impact and high probability ratings. While initial testing of a plan can be relatively straightforward, a bank or credit union should strive to extend the scope and severity of the exercise with each consecutive test by making the tests consecutively more complex and including different individuals. Conducting the very same test with the same participants every year will not satisfy examiners nor will it give your management the assurance they need.

In addition to the senior management and information security roles defined in a plan, the testing team should include key department heads with detailed knowledge of the processes and functions impacted by the scenario. Tests should cover the steps departmental managers must take to complete functions manually or in an alternate way. In addition, all departmental specialists should be included in the exercise and testing program. There are two reasons for that, the first is so they are familiar with alternate procedures in emergency scenarios, the second is to make sure you have backups, or successors, to your primary recovery resources. Succession planning is another hot button item with examiners now because of the pandemic.

While regulators require proof of exercises and testing annually, more frequent testing is indicated whenever a previous test uncovered significant gaps in the plan, or if there are significant internal changes to processes or infrastructure or personnel.

Automating the Planning Process

 

To help streamline this time-consuming process, banks and credit unions can automate repetitive portions of business continuity planning. Automating these activities eliminates the need to update cumbersome spreadsheets and manually copy/paste information from various reports and previous assessments. The 2019 guidance requires a number of changes to your existing plan, some subtle and some significant.

An automated BCP solution will also help guide banks and credit unions through the entire BCMP process, assuring that all required elements are included as they are necessitated by regulatory guidance changes. Automating the planning process makes it easier and much less time-consuming to perform annual plan updates by allowing static portions of the plan to carry forward, while incorporating changes wherever necessary. Any automated solution should also allow you to identify all material plan changes from year-to-year, so management and board approval is easier.

Conclusion

 
Business Continuity Management is a critical process for banks and credit unions regardless of size and location, and the plan is central to that effort. To streamline the planning process, financial institutions should integrate business continuity into all business decisions; conduct periodic reviews of the plan; and perform regular testing. Everyone in the organization — from the tellers to the Board — should understand the importance of business continuity planning and how his or her unique role fits into the financial institution’s overall business continuity strategy.

24 Jan 2019
What Community Financial Institutions Should Look for in a Managed Services Provider

What Community Financial Institutions Should Look for in a Managed Services Provider

What Community Financial Institutions Should Look for in a Managed Services Provider

The majority of banks and credit unions rely on managed services providers to help them improve efficiencies in their organization, meet mounting regulatory compliance requirements, and provide the competitive products and services their customers and members expect.

However, selecting the right managed services provider can be challenging. We have highlighted some key qualities that community banks and credit unions should look for when choosing trusted partners.

A managed services provider should have a true understanding of the following areas:

The community banking and credit union industries

Complimentary White PaperAutomating Your Compliance Processes with Technology Get a Copy

A managed services provider must truly understand the “ins and outs” of operating a community bank or credit union. This includes recognizing the industry trends, realizing the importance of priorities, such as customer- and/or member-service related touch points, and understanding regulatory and compliance issues. Not knowing how a community financial institution operates is a hindrance that can prohibit the provider from effectively meeting the demands of the institution and makes it unlikely that it will be in a position to offer informed recommendations on improvements and solutions to existing issues.

Financial services technology

Technology is ever-changing and it is nearly impossible for any one person to successfully keep up with all of the advancements. To provide the technological solutions and services that a community bank or credit union requires, a managed services provider should understand the technical requirements of all banking technology solutions, starting with the core platform. Since many applications have to work with — and integrate into — the core platform, it is impossible to design an efficient and comprehensive network without first an understanding of core platforms and banking technology.

Regulatory compliance requirements

The evolving world of financial regulatory compliance governs every aspect of your IT network and that includes what hardware and software you choose to deploy. In today’s banking environment, vendors must be able to make recommendations on how to manage hardware and software to meet regulatory expectations, meet regulatory expectations such as, verifying all patches, ensuring security measures are up to date, and maintaining access to critical services during a disaster.

Working with the wrong managed services provider can be time-consuming, cumbersome, and even stressful. However, working with a provider who offers the desired services and who truly understands your industry can help guide the institution in today’s challenging financial environment. A good partnership is key to ensuring your organization remains competitive and profitable for years to come.

17 Aug 2016

4 Steps for Moving Your Community Bank’s Server Workloads to the Cloud

More and more organizations are moving line of business and ancillary systems to the cloud including community banks and credit unions. Moving applications to the cloud is a way for financial institutions to control spending, ensure compliance with regulations, and enable employees to focus on revenue generating activities. Cloud outsourcing may start with specific IT functions or processes such as disaster recovery, backup and network servers.

Today, core banking services are almost exclusively hosted from the cloud. The in-house servers, or the servers running ancillary systems, consist of lending applications, Microsoft applications, internal accounting applications, and voice response systems, among others. There is a lot of infrastructure involved in managing all the applications needed to run an efficient and successful financial institution.
While the cloud has proven to be beneficial for banks by enabling the limited in-house personnel to focus on core strategic initiatives instead of worrying about IT infrastructure, there are steps all financial institutions must follow. Here are four things to consider before moving your bank’s critical data to the cloud.

Support Your Bank’s Corporate Strategy

Each bank has a unique corporate strategy that is driven by its market situation, such as the desire to expand services offered, open new branches, merge with another institution or even to be acquired. This strategy will guide how and what should be moved to the cloud.

Catalog the Application Opportunities

Before moving to the cloud, your IT team must understand the requirements of the applications that are being used. Evaluate the IT infrastructure that must exist to provide each application and determine how to minimize the amount of IT assets that are needed internally. Then, the applications that can be moved to the cloud can be identified.

Determine the Best Cloud Service for your Bank

The idea behind moving to the cloud is to eliminate servers, internal infrastructure, and applications that must be hosted inside your bank, as well as the associated work to manage each one. This enables your IT team to work on higher value, strategically critical projects.

There are three options to do this:

  • Simply move your servers to a co-location facility or data center. This can be an attractive option since it does not require extensive configuration changes to applications and servers, but moves these critical assets out of the bank building to a highly available datacenter.
  • Move to an Infrastructure as a Service (IaaS) model, which means that instead of physically moving servers that you own, you pay a service provider to lease out the server capacity you need. You access the servers remotely to install, run, and maintain your applications. This can be a challenging option. It can be rather expensive, and the financial institution and IT personnel are still required to manage the process and technical specifications. IT personnel must reinstall all applications in a new environment and change all networking at the same time, which is a cumbersome and time consuming process to manage.
  • Rather than setting up additional infrastructure, banks are turning to the Software as a Service (SaaS) model, which is a software licensing fee and delivery model in which software is licensed on a subscription basis and is centrally hosted by the application software provider. This often enables financial institutions to run their applications from a browser, is supported by the developer and has no additional infrastructure to maintain.

Develop a Phased Approach

Long term, banks should consider moving all of their applications to the cloud, and most of the applications are ready to do so today. The migration should be completed in multiple phases, enabling a smoother transition. However, the applications that are not technically ready should not be forced to move as this can cause unnecessary complications and technical issues. Today, financial systems and even Microsoft solutions are cloud-based.

While the benefits of cloud computing — improved efficiency, scalability, cost, reliability, improved access, consistent security and compliance and compensation??? for limited in-house resources — are clear, making the leap to these services can be challenging and a daunting task for some community banks. Working with an outsourced service provider, such as Safe Systems, can help with the process, design and installation while ensuring the systems are compliant and meet all regulator expectations. Our cloud services are built specifically for community banks. With focus on regulatory guidance and compliance, we do extensive and rigorous vendor management vetting of all cloud providers before we offer or recommend a provider or service. We have more than 20 years’ experience offering products and services exclusively to community banks and credit unions. Safe Systems helps financial institutions to significantly decrease costs, increase performance, and improve their FFIEC compliance posture. Working with Safe Systems lets bankers go back to being bankers!




Free White Paper



Dispelling 5 IT Outsourcing Myths within Financial Institutions

Learn why five of the most commonly believed “facts” about IT outsourcing within community financial institutions are actually myths.



7 Reasons Why Small Community Banks Should Outsource IT Network Management