Compliance Archives - Page 2 of 2

14 Jul 2020

Banks, Compliance, Credit Unions Tom Hinkel 0 comment

The ISO in a Crisis: Key Responsibilities of the Information Security Officer During a Pandemic

According to the Federal Financial Institution Examination Council’s (FFIEC) Information Technology Examination Handbook, “ISOs are responsible for responding to security events by coordinating actions to protect the institution and its customers from imminent loss of information, managing the negative effects on the confidentiality, integrity, availability, or value of information, and minimizing the disruption or degradation of critical services.”

When faced with an operational crisis such as the current Covid-19 Pandemic, potential disruption of critical services is the primary concern. Since the information security officer (ISO) acts as the “quarterback” over the many different departments and functions within the institution, they must make sure all routine tasks are still being completed, in addition to ensuring that the institution has adapted to the unique circumstances of the crisis.

The FFIEC Management Handbook lists 8 broad categories of responsibilities for ISO’s. We’ve identified a few of those areas that should be of particular focus during a crisis:

Working With The IT Steering Committee

During any crisis, the ISO must work closely with the IT Steering Committee to ensure that the institution minimizes the risks to the security and confidentiality of non-public information and financial transactions. As difficult as this is during normal operations, it may be even more of a challenge during a crisis. Key considerations include:

The IT Steering Committee should still perform their normal duties and maintain a normal schedule. Phone /video conferences can suffice if in-person meetings are not an option.

Attention to on-going and planned IT project road map/initiatives. Timelines and all supporting activities must still be tracked, project plans updated, and all stakeholders informed.

Review the Remote Access Policy and the Remote User / Acceptable Use Acknowledgement with IT and HR as your current situation may include unique risks that have not been previously addressed. For example, some employees may have to use their personal devices to access the FI’s network to do their job. Take particular note of the Remote Access and Use of Remote Devices sections of the FFIEC Information Security Handbook and any other related best practices and/or guidance initiatives. Trusted third parties can also be an important resource for this effort.

Document all actions taken and lessons learned during the crisis so far. Then, incorporate them into your next round of policy updates.

Continue to report the status of all IT and information security activities to the Board.

Managing Incident Response, BCP/IRP, and Cyber Responsibilities during an Adverse Event

The ISO is typically the Incident Response Team Coordinator and may determine whether or not to activate the formal Incident Response Plan (IRP). The declaration of a pandemic or other adverse operational event does not in itself require the IRP to be invoked, however, any disruption of normal business services may create vulnerabilities that a cyber attacker could take advantage of.

The ISO will also likely be involved with general business continuity planning and recovery efforts. The criteria for activating the Business Continuity Plan will vary by institution, but the ISO is typically one of the few key individuals tasked with evaluating whether the event is likely to negatively impact the institution’s ability to provide business products and services to customers beyond recovery time objectives (RTOs).

In adverse situations, cyber awareness should be heightened. For example:

The institution could have key personnel out, and alternate personnel may not be adequately trained or have the same level of cyber awareness as the primary staff members.

The institution may be implementing workarounds for new software or devices when trying to accommodate customers affected by the event. In the interest of expediency for customers, the institution may take shortcuts that it normally wouldn’t or otherwise fail to follow normal procedures.

The institution could run into issues with the critical vendors that perform or support its perimeter security, compromising real-time alerting for the organization. This is known as “cascading impact”, where a product or service provided by a third-party is degraded, which in turn affects you.

The institution could experience secondary disruptions where hackers may attempt a cyber-attack against perceived weakened defenses.

The ISO must anticipate all of these risks and should communicate with critical third parties to ensure they have a plan in place to keep the NPI and financial transactions secure and provide critical operational services at acceptable levels of risk.

Addressing Auditor and Examiner Expectations

Although a pandemic, as a crisis event, was de-emphasized in the 2019 BCM Handbook, financial institutions should expect regulators to issue additional joint statements in the post-pandemic phase due to the shear impact and duration of this event. ISOs should expect examiners to ask about the specific actions the institution has taken in response to COVID-19, including:

Succession plans – ISOs should be prepared to share the institution’s succession plans, how these plans were implemented during the pandemic, and any key updates to the plan post-pandemic.

Cross-training efforts – the ISO (if also the BCP Coordinator) should explain the institution’s plans for cross-training and how these plans were implemented during the pandemic.

Remote access controls – the ISO should address all of FFIEC requirements for remote access and document any updates or changes that occur.

Third-party/supply chain issues – the ISO should communicate with all critical vendors to ensure there are no interruptions to critical services, and he or she should have contingency plans in place if a third-party provider can no longer provide adequate service.

Information security officers ultimately must be able to show auditors and examiners exactly how the institution withstood the pandemic, maintained compliance, kept all non-public information secure, and kept all stakeholders informed, all of which is no small task during normal operations!

For more information on responding to crisis events, view our pandemic resources.

02 Jul 2020

Banks, Compliance, Credit Unions Tom Hinkel 0 comment

Keys to Develop a Compliant Business Continuity Management Program

Financial institutions (and examiners) are still adjusting to the Federal Financial Institution Examination Council’s (FFIEC) 2019 update to its BCP IT Examination Handbook. The handbook, now renamed Business Continuity Management (BCM), included several updates to the previous 2015 guidance. According to the FFIEC, BCM is the process for management to oversee and implement resilience, continuity, and response capabilities to safeguard employees, customers, and products and services.

To ensure financial institutions do this effectively, the FFIEC expanded the original BCM process.

The previous handbook encouraged institutions to adopt a four-step approach:

Business Impact Analysis

Risk Assessment

Risk Management (essentially, recovery procedures), and

Risk Monitoring and Testing

The new guidance recommends a slightly different approach:

Risk Management (Business Impact Analysis, Risk/Threat Assessment)

Continuity Strategies (Interdependency Resilience, Continuity and Recovery)

Training & Testing (aka Exercises)

Maintenance & Improvement

Board Reporting

Additionally, the business continuity management process outlines 10 key steps financial institutions must complete to achieve a more enterprise-wide approach and meet examiner expectations. This is a bit more complicated than the process has been in the past and may require more time for plan preparation and annual maintenance.

The FFIEC handbook also provides a more detailed break-down of the BCM lifecycle:

Oversee and implement resilience, continuity and response capabilities

Align business continuity management elements with strategic goals and objectives

Develop a business impact analysis to identify critical functions, analyze interdependencies, and assess impacts

Conduct a risk assessment to identify risks and evaluate likelihood and impact of disruptions

Develop effective strategies to meet resilience and recovery objectives

Establish a business continuity plan that includes incident response, disaster recovery, & crisis/emergency management

Implement a business continuity training program for personnel and other stakeholders

Conduct exercises and tests to verify that procedures support established objectives

Review and update the business continuity program to reflect the current environment and

Monitor and report business resilience activities.

As many of these items were part of the previous guidance, here is a checklist consisting of required elements that may be missing from your program:

Have you conducted a formal business process-based Business Impact Analysis (BIA) that identifies all critical interdependencies?

Does the BIA produce sufficient information to establish the following?

Recovery point objectives (RPO)

Recovery time objectives (RTO) for each business process (prioritized)

Maximum tolerable (or allowable) downtime (MTD/MAD)

Does your risk/threat assessment measure both the impact and the probability (likelihood) of potential disruptive threats, including worst case (low probability, high impact) scenarios?

Do you use testing as employee training exercises to verify that personnel are knowledgeable of recovery priorities and procedures?

Do you track and resolve all issues identified during testing exercises, and use lesson-learned to enhance your program? (Must be documented)

Does your Board report include a written presentation providing the BIA, risk assessment, and exercise and test results, including any identified issues?

If you would like to make sure your BCM is up to date with the latest regulatory expectations, a complimentary plan review is the best place to start.

25 Jun 2020

Banks, Compliance, Credit Unions Tom Hinkel 0 comment

What is My Bank or Credit Union’s Cybersecurity Posture Compared to My Peers?

It is important to understand your institution’s cybersecurity posture to find out where you stand in regard to cyber threats and what you need to do to create a more secure environment. It’s a delicate balance because being behind on your cybersecurity posture means your institution is less secure than it should be but being ahead likely means that you are investing in resources that you may not need. Unfortunately, it’s almost impossible to do a true peer-to-peer comparison because there are just too many variables between even similarly sized financial institutions to obtain a useful analysis. Here’s why:

Every Institution Has a Unique Model

When we implement information security or business continuity programs for banks and credit unions, we start with a process called “Enterprise Modeling” where we identify the departments, the processes, and the functions that make up each individual financial institution. What this process typically reveals is that if you model out two financial institutions that look identical in terms of geographic area, demographic customer or member base, size and complexity, the results will almost always be significantly different since each institution has a unique operating model based on their specific services, organization, processes, and technologies.

Cyber Risk Appetite Is a Key Variable

Cyber risk appetite is another factor that often differentiates your institution from your peers. Safe Systems’ Compliance Guru defines risk appetite as “The amount of risk that an enterprise is willing to pursue and accept in order to achieve the goals and objectives of their strategic plan.” For example, let’s say we have two financial institutions that seem equivalent in outward appearance. Based on their strategic plan, one institution has decided to take a more aggressive cybersecurity posture to electronic banking products and the other has decided to take a more conservative approach. Because the level of risk varies by the approach, you simply cannot accurately compare the two institutions.

The Best Way to Evaluate Cybersecurity Posture

At Safe Systems, we recommend allowing your bank or credit union’s information to stand on its own. To truly improve your cybersecurity posture, you must examine where you are based on where you need to be — not where a peer may be in the process. Carefully evaluate your risks (including areas of elevated risk), and the controls you have in place that offset those risks. Then, examine the best control groups to apply against those areas of elevated risk and develop an action plan to take your institution from where you are now, to where you need to be. Then, when you conduct this process again next year, you can demonstrate steady progress to both examiners and your Board.

Holding Steady May Cause You to Fall Behind

In addition, just because your inherent risk profile isn’t increasing from one assessment to the next, this doesn’t necessarily mean your control maturity levels shouldn’t increase. The risk environment is constantly evolving, so holding steady on your controls may actually mean your cybersecurity resilience is decreasing. Making incremental increases in your control maturity levels will help keep you ahead of the latest threats.

For more information about improving your cybersecurity posture, watch the full “Banking Bits and Bytes Super Duper CEO Series,” below.

18 Jun 2020

Banks, Compliance, Credit Unions Darren Bridges 0 comment

Addressing Banking Security, Technology and Compliance Concerns

To gain new insight into the needs of banks and credit unions today, Safe Systems conducted a sentiment survey and asked community financial institutions directly about their top concerns. Their responses were primarily concentrated in three main areas: security, compliance, and technology, especially regarding exams and audits, cyber threats, and disaster recovery. Since the pandemic events of this year, many of these concerns have only strengthened in importance. In this blog post, we’ll address these challenges and offer some key best practices to solve them.

Top Security Concern: Cybersecurity

Banking security threats are pervasive worldwide, leaving banks and credit unions with good cause for concern. Consider these alarming cybercrime statistics: Cyber-attacks are 300 times more likely to hit financial services firms than other companies, according to a recent Boston Consulting Group report.

A key tool to combat cyber threats is the Cybersecurity Assessment Tool (CAT) from the Federal Financial Institutions Examination Council (FFIEC) and the Automated Cybersecurity Examination Tool (ACET) from the NCUA. Institutions can utilize this voluntary industry-specific cyber assessment tool to identify their risk level and determine the control maturity of their cybersecurity programs.

Top Compliance Concern: Exams and Audits

While examinations and audits are necessary components of compliance, many institutions are intimidated by the process itself, and while exams and audits may overlap in similar areas, they are distinctly different in terms of nature and scope.

The Federal Deposit Insurance Corporation (FDIC) conducts bank examinations to ensure public confidence in the banking system and to protect the Deposit Insurance Fund. Audits, which typically last several months, are designed to ensure institutions are complying with federal laws, jurisdictional regulations, and industry standards. Auditors conduct tests, present their findings, and recommend corrective actions for the bank to undertake.

Banks and credit unions can use several tactics to prepare for, and meet, the requirements and expectations of regulators:

Review all guidance and issues related to their institution and become familiar with any changes that might impact them

Review previous exam reports for comments or matters that require attention and be prepared to report and discuss these findings, along with any previous nonfinding comments

Use a managed services provider in combination with compliance applications to automate the process of documenting, reporting, and preparing for exams.

While following best practices will not guarantee that an institution won’t have examination findings, it can help significantly lower the likelihood and severity of them.

Top Technology Concern: Disaster Recovery

Financial institutions must have provisions for restoring their IT infrastructure, data, and systems after a disaster happens. Considering the recent outbreak of COVID-19, it is also important for community banks and credit unions to consistently review, update, and test their current disaster recovery plans to be able to address any issues that occur during a pandemic event.

With effective planning, banks and credit unions can launch a calculated response to a disaster, pandemic event, or other emergencies to minimize its effect on their information systems and the overall business operations. Some general best practices for disaster recovery include:

Analyzing potential threats

Assessing the technology required

Managing access controls and security

Conducting regular data recovery test

Returning operations to normal with minimal disruption

While the survey respondents shared a number of serious banking security, technology, and compliance concerns, the good news is that they all can be properly addressed with the right processes, strategies, and resources in place. For more information on the top concerns community banks and credit unions are experiencing today, read our latest white paper, “Top 10 Banking Security, Technology, and Compliance Concerns for Community Banks and Credit Unions.”

12 Jun 2020

Banks, Compliance, Credit Unions Tom Hinkel 0 comment

The “Inherited” Risk – Assessing and Reporting on Vendor Risk

Vendors are the largest source of non-preventable risk for a financial institution, so it is critical that banks and credit unions carefully evaluate, monitor, and manage all vendor relationships to remain compliant and reduce risk. Additionally, institutions must be able to accurately assess risk, implement adequate controls, and provide all stakeholders (including regulators, management, and the Board) with appropriate reporting to convey the overall status of the vendor management program at any point in time.

Assessing Vendor Risk

The first step in vendor risk management is to perform a risk assessment to evaluate your level of inherent risk. This must always be done first so that you can then identify and implement the proper controls. If the controls selected do not completely offset the risks identified, then alternate or compensating controls would need to be identified in order to achieve a level of residual risk that is within your risk appetite.

Depending on the information you get from the risk assessment, you can clearly map out the level of inherent risk based on the vendor’s access to data and systems and the level of criticality for each vendor. These results will provide the information you need to control the risks, and ultimately report the overall results of your vendor management program to your key stakeholders.

When conducting a risk assessment you want to include all vendors but focus particularly on your critical vendors. A critical vendor is defined as one that either provides a product or service that is a key interdependency of one or more of your products or services, or one that stores, processes, or transmits non-public customer or confidential information.

Once you’ve established the initial or inherent risk level, you can identify one or more controls to off-set the risks. Typically, you want the vendor’s third-party audit report or SOC report; audited financials; insurance binders; a copy of their incident response and disaster recovery plans; and any testing the vendor has done on these plans. If you can’t obtain a SOC report, you’ll need compensating controls to determine their network security. Ask if they have an information security program and if they’ve conducted any vulnerability and penetration testing. You should also request a report of examination (ROE) from your primary federal regulator on your core provider.

Reporting to Stakeholders

When reporting to the various stakeholders within your institution, many of the reports are relatively similar, but the level of detail will be slightly different for each stakeholder group.

Board

The primary stakeholder that financial institutions must report to is the Board. When presenting to the Board, reporting does not generally need to be highly detailed and should provide a brief, high-level summary of the overall program.

Additionally, it is not necessary for the Board to see this report every time they meet. The requirement is to present an annual update, but we recommend reporting more often if the pace of internal change dictates (whether twice a year or quarterly) to show you are adequately managing vendor risk on an on-going basis. Here is an example of what a Board report should look like:

Management

The management committee (i.e. IT Steering) requires a bit more detailed information than the Board does, and unlike Board reporting frequency, IT should report to the management committee every time they meet. If your management committee meets on a monthly basis, you should produce a report each month as well and communicate this information to the committee. Management needs to know what you’re doing; what you’re not doing; what you’re behind on; and have a good understanding of your progress.

Regulators

Regulators typically review the same reports as your board and committee. However, auditors and examiners will tend to take a deeper dive into your vendor management program and want to review everything you have on your critical vendors. They are looking to see if you’ve done a risk assessment and if you have identified the reports from the vendor that will line up with, control, and offset the risks you identified in the risk assessment. The report you present to examiners and auditors may have more of a narrow but deeper focus, taking a more detailed view of your most critical vendors.

21 May 2020

Banks, Compliance, Credit Unions Jamie Davis 0 comment

The Value of Network Reporting for Community Banks and Credit Unions

With increased cyber-attacks, shared data with third-party vendors, and strict regulatory requirements, community banks and credit unions have high standards to meet for information security. Adequate oversight and network reporting on the information security program is needed to ensure the proper controls are in place and that all stakeholders have visibility into the network.

In a recent webinar, Safe Systems shared some key observations on the need for financial institutions to have better communication and reporting between IT staff, the compliance department, and senior management. Here are a few key points to consider:

Gaps Between IT Staff and ISO/Compliance Teams

In many financial institutions, there is a lack of synergy and communication between the IT department and the information security/compliance team. Many ISOs simply do not have the technical background to fully understand how information is being protected. They tend to be more focused on vendor management, business continuity management, and performing risk assessments and less familiar with how systems are getting patched; if machines have antivirus; or if backups are updated consistently. It can be difficult to communicate effectively if ISOs don’t understand the IT world or don’t have visibility into network reports and the necessary information to do their job.

Oversight to Better Manage Controls

Because bank and credit union IT staff are human, sometimes errors will occur. While financial institutions have many technology solutions that automate IT functions and controls, oversight is required to ensure that the controls are adequate, working, and therefore mitigating risks. Without appropriate oversight, any gaps in the network can lead to a successful cyber-attack. Similarly, a finding during an exam that shows certain controls were implemented ineffectively can also leave the institution vulnerable.

Limited Access to Reports

Too often, when ISOs conduct a review of the information security program, the reports they receive are vague or too technical to decipher the key insights most important to the ISO role. Other key stakeholders, like the Board and senior management, also may need more access to high-level reports to better identify threats, assess risk, and make decisions on the appropriate controls to implement.

Without access to adequate reports, the ISO and other stakeholders can become overly reliant on the IT team to explain what is happening on the network without having the ability to verify that information independently.

To learn more about information security reporting and get a demo of our NetInsight ™ cyber risk reporting tool, watch our webinar, “NetInsight: Trust But Verify.”

23 Apr 2020

Banks, Credit Unions, Technology Jamie Davis 0 comment

Managing Banking IT Operations During a Pandemic: Your Top Questions Answered

For many financial institutions, it has been a challenge to keep IT operations moving efficiently during this pandemic. Since community banks and credit unions are considered an essential business, they are required to continue to serve customers and members. This can be difficult when employees are unavailable or are forced to work remotely from their homes for the first time. Many financial institutions have questions about how to efficiently manage their remote workforce, while keeping the institution secure and employees, customers, and members safe.

To address these questions, Safe Systems’ Information Security Officer, Chuck Copland, VP of Compliance Services, Tom Hinkel, and Chief Technology Officer, Brendan McGowan held a live panel discussion last week covering ways financial institutions can manage banking IT operations during a pandemic. In this blog, we’ll cover a few of the top questions from the panel:

1. How would you suggest making sure that remote access vendors are vetted quickly but thoroughly?

For many financial institutions, remote access was limited before the pandemic because this technology either didn’t support critical functions or wasn’t a priority at the time. Now, remote access is very important to continue business operations efficiently, and many community banks and credit unions are evaluating options for larger scale use. To do this effectively, you first need to consider all of the risks associated with remote access and the potential impact on your organization. This helps you get a quick baseline of the controls you’re going to require, which will then inform your vendor review.

While some institutions may be in a rush to get remote access tools up and running, it is important to stick to your normal vendor review process and take the time to thoroughly evaluate third-party risk. If you do have to sacrifice the integrity of your normal due diligence process and cut some corners to choose a vendor quickly, understand that there will be a resulting change in your institution’s risk appetite, or your acceptable risk. Make sure this is updated and that the executive management team including the Board sign off on the your new risk appetite.

2. What are some lessons learned about remote access for financial institutions during this pandemic?

It can be difficult to determine which remote access tool fits best with your institution’s unique security and regulatory needs. First, you should identify the best way for your staff to access the network whether it’s through a virtual private network (VPN) or an application for remote access, like a telecommute remote control tool. A VPN is a piece of software that lives on a computer that your user has at home — preferably a bank or a credit union asset and not their personal home PC.

When a user connects through a VPN tunnel, typically the computer gives access to the local network at the institution. With telecommute remote control tools, like LogMeIn and Splashtop, the user is working from a local computer at the office. These tools limit the abilities of the computer from interacting with the institution’s local network, often, making it a secure option for organizations that don’t want employees to have direct access to the network. Because each tool achieves a different goal, you will want to determine exactly what your team needs to conduct remote work efficiently, effectively, and securely.

There are also several collaboration tools and meeting tools to consider which can help different teams within your institution communicate and collaborate on projects internally and meet with each other or speak with external users outside of your organization.

What are you hearing from examiners? How are exams continuing during the pandemic?

We’re seeing that all examinations have either been pushed back to a later date or changed to a remote visit. In the climate that we are in, examiners are expecting institutions to make accommodations to customers that may be negatively affected by this pandemic and ensure they have access to other critical products and services.

But what happens when the dust settles, and we go back to a more normal set of circumstances? What will examiners expect then?

Most likely, we expect them to be looking for a mature “lessons learned” document that financial institutions create to show what they have learned over the course of this particular pandemic event. We can certainly see guidance changes coming out of this, with regulators having a new set of expectations for financial institutions going forward. Right now, we are all concerned with just getting through this challenging time but all financial institutions need to document what they are doing and the lessons they have learned along the way. They also need to create a report for the Board and the executive management team recommending any necessary changes to mitigate the impact of a pandemic, should one happen again in the future.

If you’d like to find out what other questions were answered during the live panel, watch our recorded webinar, “Ask Our Experts: Managing Banking IT Operations During a Pandemic.”

16 Apr 2020

Banks, Compliance, Credit Unions Tom Hinkel 0 comment

Building a Pandemic Response Plan: What Are the Requirements for Community Banks and Credit Unions?

As COVID-19 continues to spread around the world, financial institutions have been forced to respond to this pandemic in new and innovative ways to stop the spread of the virus; protect their employees and the public; and keep their doors open and operations running smoothly to serve their customers and members. Community banks and credit unions are referencing the Pandemic sections of their business continuity management plans to determine the best way forward for their institutions during this challenging time. With the Federal Financial Institution Examination Council’s (FFIEC) recent business continuity management (BCM) guidance, many financial institutions are first of all wondering what has changed in the guidance, and second what specific additional changes this particular event might require.

Pandemic Planning

Since 2007, financial institutions were required to have a separate pandemic plan, and regulators only looked for documentation that institutions were testing their plans periodically. Unfortunately, the pandemic section of the business continuity plan (BCP) has tended to be treated as more of an afterthought since these situations have historically occurred much less often than natural disasters or other business interruptions. If they were assessed at all, they fell into the category of a high impact, low probability event.

Notwithstanding COVID-19, pandemics are still low probability events, but the impact of these events may be far more significant than past risk assessments have indicated. In what may now be perceived as an untimely move, the FFIEC made the decision in the 2019 BCM update to deemphasize Pandemic by categorizing it the same as any other disruptive event. The FFIEC no longer requires financial institutions to have a separate pandemic plan, but instead expects community banks and credit unions to assess and manage pandemic risk alongside all other possible disasters.

In other words, your BCM plan is your pandemic plan, and you must analyze the impact a pandemic can have on your organization; determine recovery time objectives (RTOs); and build out a recovery plan. You must also include a methodology to determine the key triggers your organization will use to activate your recovery plan when faced with a pandemic. But when should you activate your recovery plan and who is in charge of this process?

Pandemic Response

Before a recovery plan is activated, it is important to have an initial response team (typically comprised of C-Level executives) evaluate the situation and assess the potential impact of the current event on the institution. The team must determine if the situation is likely to negatively impact the institution’s ability to provide products and services to their customers or members beyond the established recovery time objectives outlined in the BCM plan.

The same rules apply in a pandemic. Community financial institutions should use the six pandemic phases outlined by the World Health Organization (WHO) or the Center for Disease Control (CDC) to evaluate the severity of the situation.

In most cases, the pandemic portion of the plan is not triggered for activation until phases 4-5 (or if between 20-40% of your workforce is not available to work).

What Regulators Expect

During a pandemic, regulators expect financial institutions to continue offering products and services to customers/members and conduct operations as normally as possible. This underscores the importance of including succession planning and cross training in the BCM plan. In the past, assumptions used to simulate a pandemic were that phases 4-5 wouldn’t last more than a week or two, so most financial institutions may only have planned for one person to be identified and pre-trained to step into a critical role until the event was over. However, the COVID-19 pandemic is a global crisis currently impacting at least 183 countries and territories and is predicted to impact many more people, and take much more time to contain.

To ensure critical functions continue, financial institutions should have at least two or three alternate staff members trained for every primary resource within the institution and assess whether some roles can be performed remotely. This can be difficult for smaller institutions with limited staff and resources. For specialized functions dominated by key personnel, such as funds management, wire services, human resources, etc., these institutions may not have multiple alternatives to step in if key employees are unavailable. In these circumstances, you may need to have other cross-trained staff members identified who can step into these roles quickly.

Next Steps: Lessons Learned

There will be many more lessons learned after the COVID-19 pandemic has passed, and regulators will expect those lessons to be reflected in your plan. When all is said and done, regulators are likely to ask “what have you learned from this event, and what have you done to enhance your pandemic plan based on those lessons learned?” Prior to this event, had you analyzed your business processes and their interdependencies, and prioritized them by recovery time? Since interdependencies include employees, and pandemic events almost exclusively impact personnel, have you identified employees with job duties capable of being performed remotely? If so, did they have secure, reliable, remote access? If those job duties are highly specialized, or highly critical, did you have alternate personnel identified and pre-trained to step in when needed?

The answers to these questions, and many more, will be used to enhance the pandemic section of your BCM plans, but until we reach that post-event, lessons-learned point, it’s important for financial institutions to continue to reference their business continuity plans; document the entire process; keep stakeholders informed; and put measures in place to continue serving their customers and members and protecting their employees and the public.

For more information on pandemic response, view our pandemic resource center. Or, if you would like to make sure your BCM is up to date, please request a complimentary plan review to ensure that your business continuity management plan is keeping up with changing regulations.

View Our Pandemic Resources

← Previous 12