Each year at about this time, I’m asked to forecast the upcoming hot topics regarding bank IT auditors and examiners. While I can make an educated guess, in reality it’s a mystery until the auditor or examiner is onsite. However, we can prepare for those areas we know are a concern, and for 2015 there are three on which most financial institutions should direct their energies: vendor management, business continuity and cybersecurity.
The higher level of scrutiny on vendor management in recent audits and exams is overwhelming to many institutions. However, good vendor management is good business. According to OCC Bulletin 2013-29: “A bank’s use of third parties does not diminish the responsibility of its board of directors and senior management to ensure that the activity is performed in a safe and sound manner and in compliance with applicable laws.” So, to protect your institution and its customers, scrutinize vendors as you would your own activities.
For a solid vendor management program, start with your Accounts Payable and assess all vendors over the last 12 to 24 months to determine if you should further evaluate their controls. It’s not an easy task, but you’ll cover your bases.
I’m often amazed by how little attention is paid to business continuity. Many institutions believe they can handle whatever business disruption comes their way, without anticipating communication challenges, the absence of key personnel or vendor disruptions. But the key to good business continuity is not necessarily found in the FFIEC’s Business Continuity Handbook, but rather in ensuring your financial institution is ready to address any situation, including natural disasters as well as understaffing, cybersecurity incidents, voice or data communication outages and vendor outages.
To implement a strong business continuity plan, start with a business impact analysis. This is often more effective when it addresses general conditions such as understaffing, rather than specific scenarios like a pandemic—for which you need a separate plan.
Finally, as expected, cybersecurity is an area of increased focus this year due to the recent frequency and severity of breaches. Depending on your federal regulator, you might see this addressed in a safety and soundness exam rather than an IT exam.
The FFIEC has released an introduction to its cybersecurity assessment, which denotes the key focus areas:
- risk management and oversight
- cybersecurity controls
- external dependency management
- cyber incident management and resilience
- threat intelligence and collaboration
While all are of equal importance, the first four should have long been addressed in a good Information Security Program. The last—threat intelligence and collaboration—is causing a stir in the industry, since it involves utilizing information from the attacks on institutions’ networks and servers to strengthen those of peers. Regulators will expect institutions to join an information-sharing network like the Financial Services Information Sharing and Analysis Center, or FS-ISAC, which is geared toward the financial services industry.
Your institution’s senior management and board of directors should be vigilant in their involvement in the above areas. Remember, evidence is key, so ensure that information such as minutes, emails and agendas is retained to prove that involvement.
So while predicting where auditors and examiners are going to focus is a hit-or-miss exercise, turn your attention to these top areas in 2015 and view each for what it is: a smart business practice that will help ensure your institution’s success.

Steve Sanders is CSI’s vice president of Internal Audit.