Aligning Bank Technology Policy and Practice

Protecting the assets and reputation of your financial institution.  What does that mean and where do you start?

Aligning Policy and Practice is key to surviving IT, Cyber and Info Security Audits and Exams by the various regulatory bodies in the banking industry.  It starts with having the right policies given your bank’s use of technology and associated service providers, the bank’s risk profile, risk tolerance and alignment with FFIEC guidance that drives regulatory expectation and the exam process.

Do you have the right policies in place?

The first major question your bank should be asking is “Do you have the right policies in place?” Are they current and relevant to your business and its risk appetite? Do they align with current FFIEC guidance? Each policy should be supported by the procedures needed to carry it out. Are those procedures accurate, effective and consistently followed? Do they include the documentation needed to readily support audit and exam readiness?

Given current technology and service provider trends, policy focus should include Cybersecurity, Cloud Computing and Technology Vendor Management. This is especially true if you are using outsourced technology service providers for your Core banking platform or Software as a Service (SaaS) application providers.

What Do Regulators Want?

Regulators are heavily focused on knowing where your data is housed, how it is accessed, how it is protected, and how it can be recovered should circumstances require it. This includes the latest major update to what was previously known as Business Continuity Planning (BCP), which evolved into Business Continuity Management (BCM) with the November 2019 guidance update issued just prior to the start of the pandemic.

BCM now places a much heavier emphasis on technology systems and data recoverability vis-à-vis your outsourced vendor relationships and the ability to manage and exercise those recovery capabilities on a regular basis for preparedness.  The new BCM guidance will require banks to revisit and revamp policy accordingly.

The regulatory agencies typically have themes and priorities for their exams based on current hot topics of concern by the regulators in addition to the bank’s prior exam results, findings, and documentation.  Preparation and readiness for upcoming exams should take all of these factors into consideration.

So, What’s Going on with Cybersecurity?

From a safety and soundness perspective, Cybersecurity is consistently one of the top priorities of Bank Regulators and IT Auditors, especially given the increased risks of the last several years, including a larger remote workforce (unprepared, at a minimum, for the new security challenges) and, most recently, the heightened cybersecurity risk spawned by the Russian aggression in Ukraine. Accordingly, cyber attacks and activity are now publicized more widely to both businesses and consumers.

Banks are consistently among the top targets of cyberattacks and compromises. This shouldn’t be a big surprise considering banks house sensitive information about their clients and assets. That is a big responsibility in an ever-changing technology world, and one that is heavily influenced by geopolitical events.

Accordingly, does the bank have a “reset button” if its technology systems and data are compromised by a ransomware attack? Ransomware has become one of the most likely recovery scenarios modern financial institutions must plan for. When considering your cyber risks and capabilities, it makes sense to start with the worst-case scenario in mind and ensure that the bank has a safe, effective, and documented recovery approach should it find itself compromised.

There are many factors to consider when aligning your policies and practices to ensure you are effectively protecting client data and privacy in an ever-changing technology world. It is always best to start with an understanding of the bank’s current environment and associated risks, and then develop a sustainable plan and supporting roadmap to address the gaps and risks identified. Regulators look for these as evidence of a healthy and sufficient technology risk management process that guides the bank’s efforts and demonstrates management’s commitment to governance and oversight.

For more information on how you can protect the assets and reputation of your financial institution, reach out to Finovative Solutions for industry leading guidance from our experienced team by visiting www.finovative-solutions.com or giving us a call at (216)-770-7909.
