Information Technology Video
(Speaker 1) Welcome to this video on information technology, or IT, for bank directors and trustees. In this video, we’ll highlight how banking operations and technology are interconnected, along with the challenges this may present. We’ll discuss a bank’s information security program, or ISP, which is designed to address those challenges and is an important element in support of a bank’s management of IT risks. From there,
we’ll discuss director responsibilities for overseeing the bank’s IT environment. Finally, we’ll talk about the FDIC’s evaluation of these areas during IT examinations. (Speaker 2) So, let’s get started. Today, we know more than ever that technology is essential to successful banking operations. We also know that competition and consumer demand drive technology innovations and
product offerings. These innovations create more contact points with customers and third parties. And these additional contacts in a dynamic cyber threat environment can introduce challenges and complexities in managing risk effectively. (Speaker 1) Cyber-attacks like phishing, ransomware, and distributed denial of service, commonly known as DDoS, can introduce financial, operational, legal, and reputational risks. Third-party failures can inject similar risks through reduced availability or functionality. (Speaker 2) To protect customer information, banks maintain dynamic information security programs or ISPs. Appendix B to Part 364 of
the FDIC’s Rules and Regulations, Interagency Guidelines Establishing Information Security Standards, which we’ll refer to in this video as Appendix B, defines an ISP’s requirements. Appendix B requires that banks implement a written ISP that includes administrative, technical, and physical safeguards appropriate for a bank’s size and complexity as well as the nature and scope of its activities. Safeguards include policies, procedures, controls, and assurance reviews designed to protect a bank’s information assets. Information assets are the data, systems, and physical locations that a bank uses to house information. Importantly, information
assets also include customer information. The ISP integrates the process of assessing, managing, controlling, and reporting risks to protect the confidentiality, integrity, and availability of information. (Speaker 1) Let’s first talk a little about assessing risks. A bank assesses risk by analyzing threats and vulnerabilities, while considering mitigating controls. A threat is any circumstance or event with the potential to adversely impact operations, assets, or individuals through unauthorized access, destruction, disclosure, modification of information, and/or denial of service. Vulnerabilities are weaknesses in systems, security procedures, internal controls, or implementation that could be exploited by a threat. Inherent risk is the level of risk present, as determined by assessing identified
threats and vulnerabilities, before any mitigating actions. Once management determines the level of inherent risk, they assess the sufficiency of existing controls that mitigate the inherent risk in order to measure residual risk or the risk that remains. Inherent risks can be lessened with the right security controls. Residual risks cannot be prevented entirely, no matter what measures are taken, and will continue to exist regardless of the controls in place. If residual risk exceeds a bank’s risk appetite, additional controls or risk transfer activities may be necessary. This could
include security measures such as access controls on information systems, or access restrictions for physical locations. It may also include other measures such as dual control procedures, segregation of duties, or cyber insurance. (Speaker 2) In addition to a control structure, an ISP includes processes for staff training, control testing, threat intelligence, incident response, and third-party oversight. Further, an effective ISP will address changes in technology, customer information sensitivity, threats, business arrangements, and customer information systems. Finally, at least annually, a bank should report to its board or a designated board committee on the status of the bank’s ISP and conformance with Appendix B. Now, let’s take this introduction to an ISP a step further. A bank’s ISP is designed to not only
outline how information will be protected, but also to support the bank’s management of IT risks, which in turn supports the bank’s risk management framework. So now, let’s talk more about IT risks and how they are managed. (Speaker 1) The IT risk management process supports a bank’s overall risk management framework through risk identification, measurement, mitigation, and monitoring and reporting. We’ll explore each of these steps, beginning with identification. All activities within a bank pose some level of risk. As we mentioned, the level of risk present prior to the bank taking any mitigating actions is called inherent risk. Effective management begins the process of identifying inherent risk by completing an asset inventory, which would include a bank’s hardware, software, and information assets. Management then identifies
events that could potentially occur, such as a natural disaster, a cyber-attack, or any other reasonably foreseeable threat, and evaluates the potential impact on the bank’s assets. Finally, management identifies existing controls that may mitigate risk. Comprehensive risk identification includes cybersecurity risks, as well as those identified in any other information security risk assessments. (Speaker 2) Once risks are identified, risk measurement helps a bank estimate the probability of an adverse event and its potential impact across the institution.
IT risk measurement is an important component of risk management since an event can impact multiple areas or functions of a bank. Risk measurement may be qualitative, relying on experience, judgment, and intuition; quantitative, based on numerical data; or a combination of qualitative and quantitative measurements. Typically, a combined approach to measuring risk provides a more comprehensive analysis. Regardless of the approach used, a bank should estimate the likelihood of an event occurring and the severity of its impact. After measuring risk, management determines how
to mitigate it. Risk mitigation reduces risks through specific controls or risk transfers such as: IT policies, standards, and procedures; internal controls; business continuity plans; third-party management programs; and insurance for IT operations. To monitor risk, management will review the effectiveness of risk mitigation activity and changing threat conditions. This monitoring of risk includes ensuring that controls are effective and quality assurance and control practices function as intended. Risk monitoring supports the bank’s IT risk reporting process, which we’ll talk a little more about in a few minutes. (Speaker 1) Bank management typically handles the IT risk management process that we just discussed. Let’s talk a little more about
bank management responsibilities. Typically, bank management is responsible for administering the day-to-day IT operations of the bank, implementing IT governance and effective processes for IT risk management, reviewing and annually approving processes for IT risk management, assessing the bank’s inherent IT risks across all departments, providing regular reports to the board on IT risks, IT strategies, and IT changes, coordinating priorities between the IT department and lines of business, establishing a formal process to obtain, analyze, and respond to information on threats and vulnerabilities, and ensuring that hiring and training practices are governed by appropriate policies to maintain competent and trained staff. (Speaker 2) For directors, their responsibilities include overseeing IT risk management development, implementation, and maintenance that is performed by bank management. Let’s talk more about the oversight role of directors. First, the board approves a bank’s IT strategic plan. An IT strategic plan should align with a bank’s overall business strategy, and consider both human and financial resources. IT strategic plans vary based on the size and structure of an organization. However, in all cases, new initiatives pertaining to IT should be considered in light of a bank’s overall strategy. If this consideration doesn’t occur, it could result in poor performance or unplanned
costs. For example, consider the consequences that could result from deploying a mobile banking product without evaluating whether the bank has the proper infrastructure to administer the product or provide good customer service. (Speaker 1) Directors also oversee outsourced relationships with third-party providers. A third-party risk management program generally involves several key elements: planning, due diligence and third-party selection, contract negotiation, ongoing monitoring, and termination. The depth of the work performed under each element depends on how critical the third-party arrangements are to the bank. The board would be responsible for ensuring
that management’s efforts are commensurate with the criticality of each third-party provider. For example, expectations for a network security-monitoring firm would likely be higher than for an office cleaning service. (Speaker 2) Directors are also responsible for ensuring the bank has effective business continuity plans that describe the preparation for and resiliency to risks. Continuity plans would define the steps that bank personnel and third parties will take to maintain or recover the bank’s staffing, core business processes, and data. Further, plans would outline procedures for incident resolution, escalation, and reporting to the board and applicable government agencies. To fulfill their responsibility, a board should
expect to receive reports that consider factors such as financial impact, operational downtime, system breach, or loss of infrastructure. (Speaker 1) Directors also approve policies that guide a bank’s IT functions. Policies need periodic reviews to ensure that they remain compatible with a bank’s strategic plans and with applicable rules and regulations. Effective policies clearly
communicate objectives for system requirements as well as risk tolerances. To be most effective, policies should be appropriate for the size and complexity of operations, products, and risks. Directors will want to ensure that they have qualified personnel managing the IT function. Of note, Appendix B requires the board to assign specific responsibility for implementing the ISP. Depending on the size and complexity of the bank, the board may decide to assign other key roles and responsibilities to positions such as a chief information officer or chief information security officer. Many banks have a need to supplement staffing with third-party expertise. When third parties perform critical operations, the board should ensure that management defines expectations within the contract and service-level agreements. (Speaker 2) Along with retaining qualified staff, directors will want to ensure there is comprehensive IT training. To be effective,
all staff, including board members, need security and cyber awareness training tailored to their position. Improving staff expertise through training can enhance their ability to perform and support objectives set forth in a bank’s strategic plan. Additionally, comprehensive IT training supports succession planning for IT functions, which helps to provide continuity in operations and security in the absence of key staff. (Speaker 1) Another board responsibility
is to monitor the bank’s IT function, which is typically done through management reporting. Reports will usually provide periodic status updates or include summaries pertaining to IT management activities. Directors should determine the frequency of reporting, and clearly communicate the key performance indicators or key metrics they want management to include in reports. As a reminder, Appendix B requires annual board reports that cover the overall status of the ISP. These annual reports may include information about risk assessments;
results of disaster recovery and business continuity planning and testing; and updates on major projects, priorities, third-party reviews, and cybersecurity incidents. Annual reports to the board may also include any management recommendations for changes to the ISP. Typically, boards also receive summary reports on various IT management activities, such as system patching or third-party monitoring. The information garnered from these types of summary reports will aid the board in its IT risk management governance responsibilities. For example, a monitoring
report may show that a server is operating close to maximum capacity. From a strategic standpoint, the board will want to know what options management has considered to address this issue, which might include replacing the server or outsourcing the server function. (Speaker 2) In addition to day-to-day monitoring activities, audits enable boards to confirm that controls are effective. The board would ensure that independent audits of the IT risk management process are conducted. Audits typically test compliance with laws and regulations, board-established policies,
risk limits, and control practices. Internal audit programs at community banks can take different forms. Some banks have an internal audit department while many outsource all or parts of the audits, such as vulnerability assessments. Regardless, a key point is to ensure that auditors are independent and qualified. And, as with all audits, attentive directors will evaluate the findings and ensure that senior management corrects the deficiencies. Effective boards will also ensure that the audit program is reviewed periodically and that it covers new product lines, higher-risk activities, and emerging areas of concern. (Speaker 1) The board of directors sets
the tone and direction for a bank and effective boards understand IT activities and risks. Now, let’s discuss how the FDIC conducts an IT examination. The FDIC evaluates IT risk management during IT examinations and assesses a bank’s program under the Uniform Rating System for Information Technology, or URSIT. The rating system has four components: Audit, Management, Development and Acquisition, and Support and Delivery. Cybersecurity and information security risk management are inherent in all of these components. (Speaker 2) When evaluating
the Audit component, examiners consider the scope and frequency of the audit program. Additionally, examiners assess the audit program’s independence and the auditor’s qualifications. Examiners also ensure that management addresses audit findings in a timely manner. Examiners assess the Management component by evaluating the bank’s IT risk management program, which includes the board’s oversight. Additionally, examiners review the bank’s ISP to understand management’s risk assessments, control decisions, and third-party management. Examiners also review the bank’s various internal reports to evaluate how well the board and management comply with laws and regulations. To evaluate the Development and Acquisition component, examiners assess the bank’s
ability to develop or acquire and maintain IT solutions that meet the bank’s business and security needs. Examiners also evaluate practices for project management, system changes, and development activities. The final component, Support and Delivery, considers how secure the operating environment is. Examiners assess logical and physical access controls, system monitoring, and incident response procedures. This component also includes the evaluation of the bank’s resiliency, disaster recovery, and business continuity plans and testing. In addition, examiners review operational controls and processes. (Speaker 1) Examiners assign
ratings for all components and the composite based on their findings, including the review of cybersecurity and information security. Generally speaking, a 1 rating indicates strong performance with no supervisory concern, a 2 rating indicates satisfactory performance, with modest weaknesses correctable in the normal course of business, a 3 rating indicates less than satisfactory performance, with some degree of supervisory concern, a 4 rating indicates deficient performance, meaning that operations may impair future viability of the bank and close supervisory attention is necessary, and a 5 rating indicates critically deficient performance in need of immediate remedial action and ongoing supervisory attention. (Speaker 2) In summary, technology is foundational to banking operations. It impacts how the bank connects with customers and facilitates transaction processing. A bank’s ISP, or information security program, is designed to address the challenges associated with this environment and support a bank’s IT risk management process. Directors are responsible for overseeing their bank’s IT function. With
the rapid pace of technological change, it is important that directors devote adequate time to learn about the bank’s use of technology and its inherent risks. Maintaining an awareness of changes in technology and the risk environment will help the board effectively perform its oversight responsibilities. (Speaker 1) As we conclude, we’d like to remind you that the FDIC has additional videos and resources that can be found on the Banker Resource Center at www.fdic.gov. If you need additional information or have questions or comments,
please contact your bank’s Case Manager or email the FDIC at supervision@fdic.gov. Thank you for viewing this video. We hope you found it both useful and informative.
2023-12-06 09:43