Tag: regulatory IT

25 Feb 2021
Key Areas of Focus for Your Regulatory IT Exam

Five Key Areas of Focus for Your Regulatory IT Exam

Key Areas of Focus for Your Regulatory IT Exam

We’re back with part two of our IT Exam Prep blog series.

Picking up where we left off, there are five key areas where we expect you’ll likely be scrutinized closely at your next exam cycle:

  • Cybersecurity
  • Business continuity management
  • Outsourcing and third-party vendors
  • Governance and management engagement
  • Strategic planning

Of these, the most challenging, and most important, for smaller institutions might be governance and management engagement; the CAMELS “M”. This is true because often smaller institutions may have a more informal reporting structure.

For example, relevant issues may be discussed in committees and may even be reported upstream—but they may not be sufficiently documented. The issue is not just a matter of how you engage and report to senior management and the board, but rather, how you document that the necessary practices are in place. This is important when discussing day-to-day operational matters, but even more important when addressing issues of long-term strategic significance.

Although documenting management engagement can be particularly challenging, institutions must focus on all areas when prepping for an exam. You may not have time to rigorously prepare for every aspect, but you cannot afford to be lax in any one area, as examiners expect all areas of information security to be addressed. However, even if you are not where you need (or want) to be in any particular area, knowing where you are will often buy you additional time.

Our experience is that examiners will often give you additional time to address an issue if they know A) you are aware of it, and B) you have a plan in place (including a timeline) to address it. In short, if you haven’t had the opportunity to conduct a BCM exercise in the past 12 months, at least acknowledge it and have one on the calendar for the near future.

Ransomware on The Rise

As we discussed here and here, both the pandemic and cybersecurity will continue to dominate the infosec landscape for the foreseeable future, and because of that, are sure to receive special consideration during your next exam cycle. In particular, ransomware is a hot-button issue for examiners as attacks have been accelerating and cybercriminals capitalize on the security vulnerabilities and disruption caused by more employees working from home.

These malicious destructive malware attacks are becoming more targeted, more sophisticated and more costly, according to the FBI. Even more disconcerting is the fact that modern ransomware variants can not only lock data in place so that it’s no longer available to the institution but also exfiltrate data, making a secondary data disclosure attack much more likely. Another recent variant locks your data and initiates a distributed denial of service (DDoS) attack against your website if you don’t respond.

Resiliency

One common denominator between all five areas of focus is the concept of “resiliency”, which is the ability to withstand and recover from unplanned and unanticipated events. Examiners increasingly want to see a proactive approach to resilience, and when institutions implement the proper measures ahead of time, this can reduce their risk of operational downtime during a cyberattack, pandemic, natural disaster or another event.

Simply put, once ingrained into your practices and procedures, the reactive measures taken today become the proactive measures of tomorrow. Also, don’t forget to build resiliency into all future initiatives. If the initiative is important enough to implement and maintain, it’s important enough to protect from downtime.

Today, banks and credit unions are taking advantage of a host of resources to mitigate ransomware and other IT security issues, including the Cybersecurity Assessment Tool (CAT), the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), and the Ransomware Self-Assessment Tool (R-SAT). In addition, consulting with a third-party IT expert can help institutions better prepare for assessments and respond to difficult questions from examiners.

The bottom line is that regardless of the format regulators require for an examination, you can expect them to address a wide variety of areas. So, focus on the areas outlined here and in part one of this series, but be prepared to discuss all the relevant actions your institution is undertaking.

23 Feb 2021
Part 1 - Financial Institutions, Know What to Expect at Your Next Regulatory IT Exam

Financial Institutions, Know What to Expect at Your Next Regulatory IT Exam

Part 1 - Financial Institutions, Know What to Expect at Your Next Regulatory IT Exam

While sometimes the IT examination is separate, most of the time it’s incorporated into the Safety & Soundness exam. Regulatory examinations like Safety & Soundness are designed to assess the financial health and risk management practices of a financial institution, and the results are expressed as a number “grade” from 1 (highest) to 5 (lowest). An information technology (IT) exam is narrower in scope and utilizes four components to assess information management maturity: Audit, Management, Development and Acquisition, and Support and Delivery (AMDS).

With the twin challenges of the Pandemic and cybersecurity continuing into 2021, on top of an already full plate of regulatory expectations, it’s critical for institutions to be prepared to address all IT issues to meet regulator expectations and ensure their safety and soundness.

So exactly what should financial institutions expect at their next IT regulatory exam? We’ll break it down in a two-part IT Exam Prep blog series.

The Pre-examination Questionnaire

On one hand, anticipating the exam elements is relatively straightforward, as the examiner will provide a pre-exam questionnaire. This is somewhat akin to an open-book test where the questions are provided ahead of time.

However, there is no single standardized questionnaire that all regulators adopt—and there likely won’t be in the foreseeable future. (The InTREx was an attempt by the FDIC a couple of years ago to standardize the process, but it is not yet caught on universally.) So, when the examiner sends his or her pre-exam questionnaire, that essentially provides the framework you should follow to prepare for your examination.

Nevertheless, bankers should expect a certain amount of the unexpected. While you should expect examiners to closely adhere to the pre-examination questionnaire, there will most likely be “curveball(s)” included. Curveballs are deviations from the questionnaire that could trip you up if you’ve followed it too strictly.

But if you’ve done your job correctly and addressed all infosec matters adequately since your last exam, you are better positioned to pivot when you need to during the exam. In other words, treat the pre-exam questionnaire more as a starting point than a checklist. And if you find yourself presented with a difficult question, do not respond with anything you are not 100 percent sure of, and that you know you can document. It is perfectly acceptable – and advisable — to wait and answer the question later when you have the appropriate information available.

One final point about examiner interaction: we strongly advise that your ISO be the primary point-person for the exam.

In most institutions, the ISO has the broadest and deepest knowledge of your information security procedures and practices. The ISO can bring in others as needed (network admin, internal audit, external providers, etc.), but they should still stay very close to the conversation. We’ve seen many situations where someone other than the ISO is interviewed by the examiner, and because of the person’s comparative lack of knowledge, it has resulted in exam findings that otherwise could have been avoided.

To ensure your financial institution’s next regulatory IT exam is a success, stay tuned for part two of our IT Exam Prep blog series, where we will dive into the key areas of focus you can expect to be evaluated on.