Information Technology Video

(Speaker 1) Welcome to this video on information technology, or IT, for bank directors and trustees. In this video, we'll highlight how banking operations and technology are interconnected, along with the challenges this may present. We'll discuss a bank's information security program, or ISP, which is designed to address those challenges and is an important element in support of a bank's management of IT risks. From there, we'll discuss director responsibilities for overseeing the bank's IT environment. Finally, we'll talk about the FDIC's evaluation of these areas during IT examinations.

(Speaker 2) So, let's get started. Today, we know more than ever that technology is essential to successful banking operations. We also know that competition and consumer demand drive technology innovations and product offerings. These innovations create more contact points with customers and third parties. And these additional contacts in a dynamic cyber threat environment can introduce challenges and complexities in managing risk effectively.

(Speaker 1) Cyber-attacks like phishing, ransomware, and distributed denial of service, commonly known as DDoS, can introduce financial, operational, legal, and reputational risks. Third-party failures can inject similar risks through reduced availability or functionality.

(Speaker 2) To protect customer information, banks maintain dynamic information security programs, or ISPs. Appendix B to Part 364 of the FDIC's Rules and Regulations, Interagency Guidelines Establishing Information Security Standards, which we'll refer to in this video as Appendix B, defines an ISP's requirements. Appendix B requires that banks implement a written ISP that includes administrative, technical, and physical safeguards appropriate for a bank's size and complexity as well as the nature and scope of its activities. Safeguards include policies, procedures, controls, and assurance reviews designed to protect a bank's information assets. Information assets are the data, systems, and physical locations that a bank uses to house information. Importantly, information assets also include customer information. The ISP integrates the process of assessing, managing, controlling, and reporting risks to protect the confidentiality, integrity, and availability of information.

(Speaker 1) Let's first talk a little about assessing risks. A bank assesses risk by analyzing threats and vulnerabilities, while considering mitigating controls. A threat is any circumstance or event with the potential to adversely impact operations, assets, or individuals through unauthorized access, destruction, disclosure, modification of information, and/or denial of service. Vulnerabilities are weaknesses in systems, security procedures, internal controls, or implementation that could be exploited by a threat. Inherent risk is the level of risk present, as determined by assessing identified threats and vulnerabilities, before any mitigating actions. Once management determines the level of inherent risk, they assess the sufficiency of existing controls that mitigate the inherent risk in order to measure residual risk, or the risk that remains. Inherent risks can be lessened with the right security controls. Residual risks cannot be prevented entirely, no matter what measures are taken, and will continue to exist regardless of the controls in place. If residual risk exceeds a bank's risk appetite, additional controls or risk transfer activities may be necessary. This could include security measures such as access controls on information systems, or access restrictions for physical locations. It may also include other measures such as dual control procedures, segregation of duties, or cyber insurance.

(Speaker 2) In addition to a control structure, an ISP includes processes for staff training, control testing, threat intelligence, incident response, and third-party oversight. Further, an effective ISP will address changes in technology, customer information sensitivity, threats, business arrangements, and customer information systems. Finally, at least annually, a bank should report to its board or a designated board committee on the status of the bank's ISP and conformance with Appendix B. Now, let's take this introduction to an ISP a step further. A bank's ISP is designed not only to outline how information will be protected, but also to support the bank's management of IT risks, which in turn supports the bank's risk management framework. So now, let's talk more about IT risks and how they are managed.

(Speaker 1) The IT risk management process supports a bank's overall risk management framework through risk identification, measurement, mitigation, and monitoring and reporting. We'll explore each of these steps, beginning with identification. All activities within a bank pose some level of risk. As we mentioned, the level of risk present prior to the bank taking any mitigating actions is called inherent risk. Effective management begins the process of identifying inherent risk by completing an asset inventory, which would include a bank's hardware, software, and information assets. Management then identifies events that could potentially occur, such as a natural disaster, a cyber-attack, or any other reasonably foreseeable threat, and evaluates the potential impact on the bank's assets. Finally, management identifies existing controls that may mitigate risk. Comprehensive risk identification includes cybersecurity risks, as well as those identified in any other information security risk assessments.

(Speaker 2) Once risks are identified, risk measurement helps a bank estimate the probability of an adverse event and its potential impact across the institution. IT risk measurement is an important component of risk management since an event can impact multiple areas or functions of a bank. Risk measurement may be qualitative, relying on experience, judgment, and intuition; quantitative, based on numerical data; or a combination of qualitative and quantitative measurements. Typically, a combined approach to measuring risk provides a more comprehensive analysis. Regardless of the approach used, a bank should estimate the likelihood of an event occurring and the severity of its impact. After measuring risk, management determines how to mitigate it. Risk mitigation reduces risks through specific controls or risk transfers such as: IT policies, standards, and procedures; internal controls; business continuity plans; third-party management programs; and insurance for IT operations. To monitor risk, management will review the effectiveness of risk mitigation activity and changing threat conditions. This monitoring of risk includes ensuring that controls are effective and that quality assurance and control practices function as intended. Risk monitoring supports the bank's IT risk reporting process, which we'll talk a little more about in a few minutes.

(Speaker 1) Bank management typically handles the IT risk management process that we just discussed. Let's talk a little more about bank management responsibilities. Typically, bank management is responsible for administering the day-to-day IT operations of the bank, implementing IT governance and effective processes for IT risk management, reviewing and annually approving processes for IT risk management, assessing the bank's inherent IT risks across all departments, providing regular reports to the board on IT risks, IT strategies, and IT changes, coordinating priorities between the IT department and lines of business, establishing a formal process to obtain, analyze, and respond to information on threats and vulnerabilities, and ensuring that hiring and training practices are governed by appropriate policies to maintain competent and trained staff.

(Speaker 2) For directors, their responsibilities include overseeing IT risk management development, implementation, and maintenance that is performed by bank management. Let's talk more about the oversight role of directors. First, the board approves a bank's IT strategic plan. An IT strategic plan should align with a bank's overall business strategy, and consider both human and financial resources. IT strategic plans vary based on the size and structure of an organization. However, in all cases, new initiatives pertaining to IT should be considered in light of a bank's overall strategy. If this consideration doesn't occur, it could result in poor performance or unplanned costs. For example, consider the consequences that could result from deploying a mobile banking product without evaluating whether the bank has the proper infrastructure to administer the product or provide good customer service.

(Speaker 1) Directors also oversee outsourced relationships with third-party providers. A third-party risk management program generally involves several key elements: planning, due diligence and third-party selection, contract negotiation, ongoing monitoring, and termination. The depth of the work performed under each element depends on how critical the third-party arrangements are to the bank. The board would be responsible for ensuring that management's efforts are commensurate with the criticality of each third-party provider. For example, expectations for a network security-monitoring firm would likely be higher than for an office cleaning service.

(Speaker 2) Directors are also responsible for ensuring the bank has effective business continuity plans that describe the preparation for and resiliency to risks. Continuity plans would define the steps that bank personnel and third parties will take to maintain or recover the bank's staffing, core business processes, and data. Further, plans would outline procedures for incident resolution, escalation, and reporting to the board and applicable government agencies. To fulfill their responsibility, a board should expect to receive reports that consider factors such as financial impact, operational downtime, system breach, or loss of infrastructure.

(Speaker 1) Directors also approve policies that guide a bank's IT functions. Policies need periodic reviews to ensure that they remain compatible with a bank's strategic plans and with applicable rules and regulations. Effective policies clearly communicate objectives for system requirements as well as risk tolerances. To be most effective, policies should be appropriate for the size and complexity of operations, products, and risks. Directors will want to ensure that they have qualified personnel managing the IT function. Of note, Appendix B requires the board to assign specific responsibility for implementing the ISP. Depending on the size and complexity of the bank, the board may decide to assign other key roles and responsibilities to positions such as a chief information officer or chief information security officer. Many banks have a need to supplement staffing with third-party expertise. When third parties perform critical operations, the board should ensure that management defines expectations within the contract and service-level agreements.

(Speaker 2) Along with retaining qualified staff, directors will want to ensure there is comprehensive IT training. To be effective, all staff, including board members, need security and cyber awareness training tailored to their position. Improving staff expertise through training can enhance their ability to perform and support objectives set forth in a bank's strategic plan. Additionally, comprehensive IT training supports succession planning for IT functions, which helps to provide continuity in operations and security in the absence of key staff.

(Speaker 1) Another board responsibility is to monitor the bank's IT function, which is typically done through management reporting. Reports will usually provide periodic status updates or include summaries pertaining to IT management activities. Directors should determine the frequency of reporting, and clearly communicate the key performance indicators or key metrics they want management to include in reports. As a reminder, Appendix B requires annual board reports that cover the overall status of the ISP. These annual reports may include information about risk assessments; results of disaster recovery and business continuity planning and testing; and updates on major projects, priorities, third-party reviews, and cybersecurity incidents. Annual reports to the board may also include any management recommendations for changes to the ISP. Typically, boards also receive summary reports on various IT management activities, such as system patching or third-party monitoring. The information garnered from these types of summary reports will aid the board in its IT risk management governance responsibilities. For example, a monitoring report may show that a server is operating close to maximum capacity. From a strategic standpoint, the board will want to know what options management has considered to address this issue, which might include replacing the server or outsourcing the server function.

(Speaker 2) In addition to day-to-day monitoring activities, audits enable boards to confirm that controls are effective. The board would ensure that independent audits of the IT risk management process are conducted. Audits typically test compliance with laws and regulations, board-established policies, risk limits, and control practices. Internal audit programs at community banks can take different forms. Some banks have an internal audit department, while many outsource all or parts of the audits, such as vulnerability assessments. Regardless, a key point is to ensure that auditors are independent and qualified. And, as with all audits, attentive directors will evaluate the findings and ensure that senior management corrects the deficiencies. Effective boards will also ensure that the audit program is reviewed periodically and that it covers new product lines, higher-risk activities, and emerging areas of concern.

(Speaker 1) The board of directors sets the tone and direction for a bank, and effective boards understand IT activities and risks. Now, let's discuss how the FDIC conducts an IT examination. The FDIC evaluates IT risk management during IT examinations and assesses a bank's program under the Uniform Rating System for Information Technology, or URSIT. The rating system has four components: Audit, Management, Development and Acquisition, and Support and Delivery. Cybersecurity and information security risk management are inherent in all of these components.

(Speaker 2) When evaluating the Audit component, examiners consider the scope and frequency of the audit program. Additionally, examiners assess the audit program's independence and the auditor's qualifications. Examiners also ensure that management addresses audit findings in a timely manner. Examiners assess the Management component by evaluating the bank's IT risk management program, which includes the board's oversight. Additionally, examiners review the bank's ISP to understand management's risk assessments, control decisions, and third-party management. Examiners also review the bank's various internal reports to evaluate how well the board and management comply with laws and regulations. To evaluate the Development and Acquisition component, examiners assess the bank's ability to develop or acquire and maintain IT solutions that meet the bank's business and security needs. Examiners also evaluate practices for project management, system changes, and development activities. The final component, Support and Delivery, considers how secure the operating environment is. Examiners assess logical and physical access controls, system monitoring, and incident response procedures. This component also includes the evaluation of the bank's resiliency, disaster recovery, and business continuity plans and testing. In addition, examiners review operational controls and processes.

(Speaker 1) Examiners assign ratings for all components and the composite based on their findings, including the review of cybersecurity and information security. Generally speaking, a 1 rating indicates strong performance with no supervisory concern; a 2 rating indicates satisfactory performance, with modest weaknesses correctable in the normal course of business; a 3 rating indicates less than satisfactory performance, with some degree of supervisory concern; a 4 rating indicates deficient performance, meaning that operations may impair future viability of the bank and close supervisory attention is necessary; and a 5 rating indicates critically deficient performance in need of immediate remedial action and ongoing supervisory attention.

(Speaker 2) In summary, technology is foundational to banking operations. It impacts how the bank connects with customers and facilitates transaction processing. A bank's ISP, or information security program, is designed to address the challenges associated with this environment and support a bank's IT risk management process. Directors are responsible for overseeing their bank's IT function. With the rapid pace of technological change, it is important that directors devote adequate time to learn about the bank's use of technology and its inherent risks. Maintaining an awareness of changes in technology and the risk environment will help the board effectively perform its oversight responsibilities.

(Speaker 1) As we conclude, we'd like to remind you that the FDIC has additional videos and resources that can be found on the Banker Resource Center at If you need additional information or have questions or comments, please contact your bank's Case Manager or email the FDIC at Thank you for viewing this video. We hope you found it both useful and informative.

2023-12-06 09:43
