Tag: Risk Assessment

29 Jul 2021
2021 Hot Topics in Compliance

2021 Hot Topics in Compliance: Mid-Year Update

2021 Hot Topics in Compliance

While the COVID-19 pandemic certainly isn’t over, financial institutions have learned valuable lessons so far. In retrospect, the pandemic’s impact on community banks and credit unions hasn’t been as catastrophic as examiners had initially feared—at least not financially. Key impacts have been mostly operational, involving risk related to temporary measures taken to weather the crisis. For instance, examiners will want to know what modifications institutions have made to their operational processes to accommodate an increasingly mobile customer and member base and remote employees, and whether they accounted for additional fraud, cyber threats, or other risks as a consequence. If institutions implemented new products or services, they would need to also account for the operational risk associated with these changes—especially if additional third-party providers were involved. That said, throughout the pandemic, the overall industry demonstrated a very high level of resilience.

In addition to the post-Pandemic lessons, there are other important compliance trends and new regulatory guidance that institutions should anticipate as we approach the rest of the year:

Emphasis on Ransomware Cybersecurity

Recently, ransomware cybersecurity has been a key area of focus for regulators, and given the recent high-profile cyber events affecting the industry, their scrutiny will likely ramp up going forward. This will be reflected, in part, by the number of (and types of) assessments that they may expect financial institutions to perform on an annual basis, including the familiar Cybersecurity Assessment Tool (CAT) and newer, non-compulsory Ransomware Self-Assessment Tool (R-SAT) developed partly by the State regulatory bodies.

In addition, at the federal level, the Cybersecurity and Infrastructure Security Agency (CISA) has recently developed its Cyber Security Evaluation Tool. This tool is not specific to the financial industry but rather designed to apply to multiple industries. And the National Credit Union Association (NCUA) decided earlier this year to move away from using its version of the CAT, known as the Automated Cybersecurity Evaluation Toolbox (ACET). It’s now prioritizing a modified InTREx for Credit Unions (InTREx-CU), which is designed to enable credit unions to identify and remediate potential high-risk areas, including within the cybersecurity controls domain.

Changes with Cyber Insurance

Major shifts are also happening with cyber insurance. Because of excessive losses by the insurance industry, there will very likely be increased deductibles, increased exclusions, and decreased limits for covering cyber losses. Cyber insurance coverage—which is not an absolute requirement by regulatory agencies—is going to be more difficult and expensive to obtain. So, the lesson is: As insurance policies come due, don’t automatically renew before you assess what has changed in terms of the coverages, exclusions, and limitations, and make sure you’ve documented your cost-benefit decision.

New Guidance on Architecture, Infrastructure, and Operations

In June, the FFIEC released a new Architecture, Infrastructure, and Operations booklet in its Information Technology Examination Handbook series. The updated guidance, which replaces the “Operations” booklet issued in July 2004, acknowledges the inextricable link between an institution’s operations, architecture, and infrastructure. Or as a recent FFIEC press release states:

“The booklet discusses the interconnectedness among an entity’s assets, processes, and third-party service providers, along with the principles, processes, potential threats, and examination procedures to help examiners assess whether a financial entity’s management adequately addresses risks and complies with applicable laws and regulations.”

The booklet provides a fresh take on several concepts: It recognizes different treatments for smaller or less complex institutions and adopts a different approach to data classification by factoring in value with criticality and sensitivity. All entities—not just credit unions and banks but also non-financial, third-party service providers—are expected to adhere to the guidance.

In addition, there are also pending new rules for incident notifications for banks, service providers, and core providers, which isn’t surprising with all the recent cybersecurity attacks. Finally, examiners are also expecting more detailed board reporting, such as showing how an institution’s business continuity management plan, business strategy, and risk appetite are all aligned.

For more information about the latest expectations, compliance trends, and regulatory guidance, listen to our “2021 Hot Topics in Compliance: Mid-Year Update” webinar.

02 Jul 2020
Keys to Develop a Compliant Business Continuity Management Program

Keys to Develop a Compliant Business Continuity Management Program

Keys to Develop a Compliant Business Continuity Management Program

Financial institutions (and examiners) are still adjusting to the Federal Financial Institution Examination Council’s (FFIEC) 2019 update to its BCP IT Examination Handbook. The handbook, now renamed Business Continuity Management (BCM), included several updates to the previous 2015 guidance. According to the FFIEC, BCM is the process for management to oversee and implement resilience, continuity, and response capabilities to safeguard employees, customers, and products and services.

To ensure financial institutions do this effectively, the FFIEC expanded the original BCM process.

The previous handbook encouraged institutions to adopt a four-step approach:

  1. Business Impact Analysis
  2. Risk Assessment
  3. Risk Management (essentially, recovery procedures), and
  4. Risk Monitoring and Testing

The new guidance recommends a slightly different approach:

  1. Risk Management (Business Impact Analysis, Risk/Threat Assessment)
  2. Continuity Strategies (Interdependency Resilience, Continuity and Recovery)
  3. Training & Testing (aka Exercises)
  4. Maintenance & Improvement
  5. Board Reporting

Additionally, the business continuity management process outlines 10 key steps financial institutions must complete to achieve a more enterprise-wide approach and meet examiner expectations. This is a bit more complicated than the process has been in the past and may require more time for plan preparation and annual maintenance.

The FFIEC handbook also provides a more detailed break-down of the BCM lifecycle:

  1. Oversee and implement resilience, continuity and response capabilities
  2. Align business continuity management elements with strategic goals and objectives
  3. Develop a business impact analysis to identify critical functions, analyze interdependencies, and assess impacts
  4. Conduct a risk assessment to identify risks and evaluate likelihood and impact of disruptions
  5. Develop effective strategies to meet resilience and recovery objectives
  6. Establish a business continuity plan that includes incident response, disaster recovery, & crisis/emergency management
  7. Implement a business continuity training program for personnel and other stakeholders
  8. Conduct exercises and tests to verify that procedures support established objectives
  9. Review and update the business continuity program to reflect the current environment and
  10. Monitor and report business resilience activities.

As many of these items were part of the previous guidance, here is a checklist consisting of required elements that may be missing from your program:

  1. Have you conducted a formal business process-based Business Impact Analysis (BIA) that identifies all critical interdependencies?
  2. Does the BIA produce sufficient information to establish the following?
    • Recovery point objectives (RPO)
    • Recovery time objectives (RTO) for each business process (prioritized)
    • Maximum tolerable (or allowable) downtime (MTD/MAD)
  3. Does your risk/threat assessment measure both the impact and the probability (likelihood) of potential disruptive threats, including worst case (low probability, high impact) scenarios?
  4. Do you use testing as employee training exercises to verify that personnel are knowledgeable of recovery priorities and procedures?
  5. Do you track and resolve all issues identified during testing exercises, and use lesson-learned to enhance your program? (Must be documented)
  6. Does your Board report include a written presentation providing the BIA, risk assessment, and exercise and test results, including any identified issues?

If you would like to make sure your BCM is up to date with the latest regulatory expectations, a complimentary plan review is the best place to start.