Checklist to Evaluate IT Compliance Programs For Today's Security Threats & Regulatory Climate

May 27, 2014

One of the most challenging aspects of maintaining an effective IT compliance program is the degree to which today’s regulations, security threats and technology are rapidly changing. For example, in the past month, we have seen more than a half dozen new financial institution letters issued by the FDIC on the topic of IT compliance and emerging security threats. This brisk pace of change will continue. Call it the “Target effect” resulting from the increased sensitivity and acute awareness of how much fear and cost an unforeseen breach can cause – or attribute it to the increased regulatory environment of Dodd-Frank – either way, financial institutions should hunker down for additional IT-related regulatory requirements, increased focus on enforcement of existing guidance, and a dizzying array of threat vectors aimed at financial institutions both large and small.

One key change we saw in the last year was the shift from threats that seemed to single out the largest financial institutions to new ones that were equal-opportunity threats. Following a year that began with Distributed Denial of Service (DDoS) attacks designed to disrupt the nation’s largest financial institutions, we then saw malware such as CryptoLocker wreak havoc on smaller financial institutions that had never previously been affected by a virus outbreak. In fact, in a recent issuance the OCC warned that security threats to ATM networks and the like can no longer be viewed as “big bank” only threats – smaller community institutions should take notice and perform their risk assessments accordingly. Community financial institutions can no longer hide their heads in the proverbial sand and claim “it will never happen to us.”

So the question becomes: how? How do community financial institutions that lack the resources of larger institutions, yet still face increased IT regulatory scrutiny and are the targets of increasingly challenging and continually morphing IT security threats, meet this growing challenge – and do so without literally and figuratively breaking the bank? One answer lies in the strategies that community institutions have used effectively for years to level the playing field: outsource and automate.

A growing number of IT compliance solutions aimed specifically at community banks address both the emerging IT regulatory landscape and the IT security threat landscape. Some solutions address a specific component of IT compliance – like vendor management or business continuity – handling one particularly challenging element of the IT compliance stack. Others offer a more integrated approach, addressing not only vendor management and business continuity but also risk management, policies, and audit findings tracking and remediation in a coherent, comprehensive manner. Regardless of which approach financial institutions might favor, a key trait of these solutions is the promise that as IT regulations change and as new security threats appear in the cyber landscape, the systems will be updated and the changes will be proactively communicated. Some go one step further by fully outsourcing the IT compliance function to an expert third party whose resources are dedicated to this very specialized function. Such programs and services allow smaller community institutions to address the need in a cost-effective manner, while freeing them to focus on their core competency: delivering high-value financial services to businesses and consumers.

Regardless of which path a financial institution elects to take, here are several key questions that should be addressed in order to properly evaluate whether the institution’s IT compliance programs are prepared to address today’s threats and meet emerging regulatory requirements.

Who has the responsibility of staying current with IT regulatory changes?

How do emerging threats and changing regulatory requirements get incorporated into your institution’s risk assessments?

How do measures to mitigate emerging threats and to conform to regulatory changes get incorporated into your institution’s IT policies?

What additional control strengthening decisions need to be made, and how do they get appropriately evaluated? And by whom?

What new risk acceptance decisions need to be made, and how do they get appropriately evaluated? And by whom?

How do resultant changes in the IT compliance program(s) get properly communicated to the Board in a way that is not overly technical, but nonetheless effectively captures the risk to the business?

How are other institutions addressing the IT compliance challenge or security threat?

If you don’t have answers to the above questions, take heart. There are solutions and service providers with the expertise, reputation and competence to offer excellent solutions that will address your IT and compliance needs. D+H’s risk and compliance experts can evaluate your situation and recommend the most appropriate risk mitigation strategies for your institution, with advice on how to select and deploy the best solutions, services, policies and procedures. Additionally, D+H offers Compushare Risk Director®, an all-in-one risk management tool that allows financial institutions to develop, maintain, and report on business continuity, information security, vendor management, audit, and other risk management activities while meeting increasingly stringent regulatory requirements.

Regardless of which solutions you choose, and which service providers you call on for help, the key is to ask and answer the right questions.


Michael Barrack
Director, IT Security & Compliance

As a director of IT Security and Compliance for D+H, Michael Barrack provides IT security, risk and compliance consulting services for community financial institutions nationwide. With more than 20 years of serving community banks and credit unions, Michael brings a keen understanding of how our clients use technology to support the business and of what regulators expect with respect to IT-related compliance.