Hot on the heels of the June 2015 Cybersecurity Assessment Tool, the Federal Financial Institutions Examination Council (FFIEC) has issued a revised Examination Handbook Management Booklet with updated Information Technology (IT) examination procedures. ((FFIEC Information Technology Examination Handbook. Federal Financial Institutions Examination Council (FFIEC). Management Section. November 2015. https://www.ffiec.gov/press/PDF/FFIEC_IT_Examination_Handbook_Management_Booklet_2015Final.pdf)), ((FFIEC Cybersecurity Assessment Tool. Federal Financial Institutions Examination Council (FFIEC). June 2015. http://www.ffiec.gov/cyberassessmenttool.htm)) As might be expected, the new IT examination procedures incorporate substantial input from the last major handbook revision, which was focused on business continuity planning and testing (Appendix J). ((FFIEC Information Technology Examination Handbook. Appendix J: Strengthening the Resilience of Outsourced Technology Services. FFIEC. February 2015. http://ithandbook.ffiec.gov/it-booklets/business-continuity-planning/appendix-j-strengthening-the-resilience-of-outsourced-technology-services.aspx))
This new handbook should be required reading, not just for bankers, but for any other professional interested in emerging baseline IT risk management expectations. The Cybersecurity Tool and the Examination Handbook together have been viewed by some as two parts of the same effort by bank regulators to set very specific expectations about how a good risk management program should function. How the examination procedures will be used in the field, however, has been less than clear.
Examiners began using the revised FFIEC Information Technology Examination Handbook, which closely tracks the FFIEC Cybersecurity Assessment Tool, shortly after the revised IT Handbook’s November 2015 publication. ((FFIEC Information Technology Examination Handbook. FFIEC. November 2015. http://ithandbook.ffiec.gov/it-booklets/management.aspx)) By – in effect – using the Assessment Tool as substantial input to the FFIEC’s new examination guide, some financial service organizations have suggested that supervisory authorities took a device originally intended as a voluntary assessment aid and turned it into de facto regulation. ((See, for example: Kitten, T. Will FFIEC Revamp Cyber Assessment Tool? Bank Info Security News. January 13, 2016. http://www.bankinfosecurity.com/will-ffiec-revamp-cyber-assessment-tool-a-8800)) Others have noted that the Cybersecurity Assessment Tool and the closely related examination guidelines do not allow for compensating controls, do not precisely track the NIST Cybersecurity Framework, and make many declarative statements that are subjective in nature. Partly as a result of industry feedback, the FFIEC opened a month-long comment period that ended in mid-January 2016. The organization committed itself to issuing Cybersecurity Assessment Tool FAQs and has agreed to develop a process to update the Tool on a periodic basis. ((Agency Information Collection Activities: Information Collection Renewal; Submission for Review; FFIEC Cybersecurity Assessment Tool. A Notice by the Office of the Comptroller of the Currency. December 16, 2015.))
Recent OCC comments suggest that IT examination results based on the new Handbook will be used primarily to help inform the agency’s supervisory strategies and any future supervisory guidance on cybersecurity. ((Kitten, T. Will FFIEC Revamp Cyber Assessment Tool? Bank Info Security News. January 13, 2016. Beth Dugan, OCC Deputy Comptroller for Operational Risk, as quoted in: http://www.bankinfosecurity.com/will-ffiec-revamp-cyber-assessment-tool-a-8800)) Regardless of how the examination results are utilized, the Examination Handbook seeks to scrutinize financial institution risk mitigation processes at a level of detail that’s well beyond what we’ve seen before. The Handbook is comprehensive in scope.
Examinations based on the new FFIEC handbook seek to determine whether:
- There is satisfactory board and executive management oversight of an effective risk management structure.
- There are well defined IT risk management responsibilities and functions.
- There is adequate IT risk management planning and oversight, including planning for adequate resources and budget.
- The HR function is adequate to attract and retain a competent workforce.
- Management effectively reviews and oversees IT controls, including IT audit and compliance.
- The risk management program facilitates effective risk identification and measurement.
- The board effectively oversees and proactively mitigates operational risk.
- Management implements an IT risk management process that supports the enterprise-wide risk management process.
- The institution maintains a coordinated and consistent risk identification process across the enterprise.
- There are satisfactory risk mitigation practices.
- There are satisfactory measures for defining, monitoring and reporting metrics, performance benchmarks, service level agreements, policy compliance, control effectiveness and quality assurance.
Third Party Risk Management at the Board and Executive Management Levels
The Examination Handbook has a focus on third party risk management that starts at the top of the house. Examiners are specifically charged with reviewing a financial institution’s third party risk management program to ascertain the extent and effectiveness of the oversight by the board of directors and executive management. The FFIEC handbook defines tests to see if the board oversees and management considers third party relationships, including the third party’s current and future plans and any service or security issues that may affect the institution, when formulating a financial institution’s overall business strategy. The Handbook directs appraisers to make sure the board oversees a management process for third party providers that includes an assessment of the third party’s financial condition and IT security posture, including its cybersecurity program.
Exams based on the new Handbook test for appropriate board oversight and senior management implementation of enterprise-wide policies that govern the third-party management program. Regulatory appraisers look to see whether the board assures that evaluations of prospective third party providers are based on the scope and criticality of the third party’s services, and that the financial institution’s monitoring of third parties reflects the institution’s initial and ongoing risk assessment and the services provided by its vendors.
Third Party Risk Management Process Detail
The new Handbook mandates that examiners evaluate the effectiveness of the institution’s third party monitoring process to ascertain: whether the institution’s risk identification process includes the collection of information on the IT environment, including the third party management program; whether the institution’s risk measurement process is comprehensive and includes third party provider issues; whether IT management has developed adequate policies, standards and procedures to manage risk from technology (including third party risk management), and whether those are current, documented and appropriately communicated; and whether the financial institution has formal service level agreements in place with all of its third party providers.
And examiners will engage directly (and it seems, routinely) with third parties as part of the financial institution evaluation process. As part of the examiner’s review of a financial institution’s third party providers, the assessor will analyze third party financial conditions, determine whether third party providers enable adequate financial institution client access, determine the adequacy of third party audit reports in terms of scope, independence, expertise, frequency and corrective action taken on identified issues and determine the quality of the financial institution’s management follow-up and resolution of consumer concerns and any other problems with its third party providers.
The Examination Handbook’s focus on finding evidence for proper process is just one indication of the seriousness with which regulators are viewing our current cybersecurity challenges (e.g., the procedure “Review the minutes of boards of directors and relevant committee meetings for evidence of board support and supervision of IT activities…” is used to determine whether the board provides a credible challenge to management decisions). ((FFIEC Information Technology Examination Handbook. FFIEC. Appendix A: Examination Procedures. Page 43. November 2015. https://www.ffiec.gov/press/PDF/FFIEC_IT_Examination_Handbook_Management_Booklet_2015Final.pdf)) An hour or two spent reviewing the Handbook will provide a good sense of how your organization’s current program measures up, no matter how examination results are ultimately used.
For more than 35 years, Gary Roboff, Senior Advisor, The Santa Fe Group, contributed his outstanding talents to the financial services industry, and in particular to financial services payments systems. Gary has focused on such issues as privacy and information utilization, business frameworks, changes in the payments and settlement systems, and standards for emerging e-commerce applications. He has chaired the Electronic Funds Transfer Association (EFTA) board of directors and was a founder of the International Security Trust and Privacy Alliance (ISTPA), serving as Vice Chair of its board.