Since the FDIC released updates to the FFIEC Management Booklet portion of the IT Examination Handbook in late 2015, there have been many changes to requirements and expectations from regulators.
And while some of the changes to FFIEC compliance are subtle, other changes are more significant. Here are some of the key highlights that bankers should be aware of as they review the changes.
Cybersecurity is Officially on the Radar
Bank regulators are focusing on cybersecurity in institutions of all sizes. In fact, the revised handbook contains more than 50 references to cybersecurity, whereas the original handbook contained only one. And with the introduction of the FFIEC’s Cybersecurity Assessment Tool in 2015, identifying risks and weaknesses in cybersecurity preparedness programs is officially on the radar.
With that in mind, the Cybersecurity Assessment Tool is expected to be used by most regulators as part of the IT examination process in 2016, and documentation will likely be requested for review by third-party auditors as part of IT controls audits. Many experts indicate that new cybersecurity expectations will be included in all future FFIEC IT guidance.
New Obligations for the IT Management Team
Your board and IT steering committee are still responsible for overall IT management, but they now have some new obligations:
- IT Management Demands
The board is now required to provide “credible challenges” to management. There is no more rubber stamping of IT management, which means the board needs proper cybersecurity training and access to accurate, timely and relevant information. This may present a challenge to financial institutions with boards whose members are not well versed in IT considerations and cybersecurity risk assessment.
- IT Management Structure Updates
FFIEC guidance is now more granular and recommends the following structure for IT Management teams, which includes broadening the team with two new participants:
  - Board of Directors/Steering Committee
  - Executive Management (NEW)
  - Chief Information Officer/Chief Technology Officer
  - Chief Information Security Officer (NEW)
  - IT Line Management
  - Business Unit Management
Examination Guidance is More Stringent than Ever
New examination guidance has been expanded and almost completely re-written to better outline the principles of risk identification, measurement, mitigation, monitoring and reporting, specifically concerning:
- Examination Procedures (Appendix A)
Several of the new objectives deal with internal governance and oversight, including the enterprise-wide nature of IT management. For example, Objective 12 (IT controls and risk mitigation) consists of 18 separate examination elements with 63 discrete items that examiners must now check.
A Higher Standard for IT Management
Updates to the FFIEC Handbook represent a significant evolution in the breadth and depth of IT management requirements. These updates set a higher standard for IT management best practices for both examiners and financial institutions, and the handbook is recommended reading for board members, CEOs, CIOs, ISOs and network administrators.
Make sure your financial institution properly assesses and manages IT risks. The key to success will be incorporating the new guidance from the FFIEC Management Booklet into your strategic planning processes.
Tyler Leet serves as director of Risk and Compliance Services for CSI’s Regulatory Compliance Group. With more than a decade of experience in the information security, risk and compliance industries, Tyler oversees and participates in the development and maintenance of the risk and compliance-related services conducted for a wide variety of financial institutions and organizations in other vertical markets. He frequently speaks at conferences and seminars and is often cited in industry publications.