Checklist to Prepare for your Next IT Exam

January 01, 2013

In 2012, we witnessed the energized return of the IT regulatory examiner. Lower-key since the financial meltdown of 2008, or rather eclipsed by the need to devote every available resource to safety and soundness, credit quality, and capital requirements, the IT examiner was a much less prominent regulatory force during the recession than in this emerging recovery. This is our experience in serving hundreds of financial institutions across the country, with little variance between regions or regulatory agencies. One of the little-known details and unexpected results of the economic downturn was that many IT examiners were reassigned to (and ultimately promoted into) the safety and soundness side of things, resulting in a temporary “brain drain” of the regulatory agencies’ IT examining talent and a lessening of focus on the technology portion of examinations.

Since 2012, all that appears to have changed. Not only are the IT examiners regaining their footing, you might say that some are loaded for bear: disheartened that financial institutions have let their core IT risk management programs go neglected and stale, and committed to sending the message on the ongoing importance of GLBA, Business Continuity and the all-important IT risk assessment. In a conversation last year, one examiner remarked that while the restoration of financial health to the industry was necessary, the neglect of IT risk management is a concerning and regrettable outcome, and many institutions are receiving significant findings or actually “failing” their IT exams as a result.

So how should banks and credit unions respond to this changing tide? 

  1. What steps should be taken?
  2. What questions should be asked and answered to determine whether your institution is prepared for a revitalized IT examiner?
  3. How do you avoid an embarrassing IT exam, a URSIT score of 3 (or worse), and an uncomfortable visit to your next Board meeting?
  4. How do you make sure you do not become another regulatory casualty?

The first question you should ask yourself:

Are your IT risk management programs regularly reviewed and updated as a normal part of your institution’s ongoing practices?

The degree to which these programs are “internalized” makes a big difference. By contrast, when your policies, risk assessments, vendor reviews and Business Continuity Plans are updated just before the IT examination, do not think that the examiners do not notice. Make no mistake – they do. The difference, called out in the IT examination handbooks, is the difference between an institution being proactive and being reactive – a critical distinction in the individual component or composite URSIT rating given. If your institution does not have IT Risk Management internalized, with an ongoing IT compliance calendar you are following, then you probably are not ready for your next IT examiner’s visit. A financial institution client of ours said that his last FFIEC exam was the first in 11 years where significant criticisms were rendered.

A second critical question to ask is:

Do you have a clearly defined owner responsible for the coverage, maintenance, and development of the institution's IT risk programs?

One of the key elements the IT examiners are looking for is an effective system of IT governance consistent with the FFIEC IT handbook covering Management. As part of the overall accountability of the IT function, it is critically important that responsibility for the Information Security program be assigned to a designated, Board-approved Information Security Officer. Furthermore, a Business Continuity Coordinator, a Vendor Management Program owner, and an IT Risk Management Program owner should be designated to demonstrate command and control over programs that are specialized, ongoing, and require qualified oversight and management. One of the concerns we see all too often is that ownership of the programs is a “shared” function of the Operations and IT Managers, neither of whom has the specialized knowledge that is needed. We’ve encountered numerous occasions where neither party is truly accountable for the ongoing program’s care and feeding. The result is a scramble just before the exam to bring policies and reports current; yet even when brought current, the examiners can plainly see that the organization’s commitment is weak and reactive and that program ownership is muddled.

The final question to test your institution's readiness for your next IT exam:

Does your institution's designate have the time, training, experience, and exposure to changing regulations and emerging trends to succeed in the role he or she has been assigned?

For many of our client institutions, the role of IT Risk Management is handled by the IT Manager, who has no background in risk management, or by a compliance officer who is not at all technical. The distaste that the IT Manager often feels for the necessary discipline is palpable, while the discomfort of the non-technical compliance professional with the technical components is equally evident. Beyond what is often a poor match between the responsibility and the person assigned it, there is the key challenge of keeping current with the new requirements of IT regulation (e.g., the requirement of multifactor authentication for Internet banking) and with the new threat and vulnerability landscape represented by zero-day viruses and advanced persistent threats.

The result can be a highly static risk assessment whose annual update reflects an hour or two of work and which, when reviewed by the examiner, is seen as stale and ineffective. With the FFIEC IT examiners looking more and more closely at the coverage, depth, methodology and the feeders from and to the IT Risk Assessment, this is often the “Achilles’ heel” of the institution’s IT Risk Management program. Ask yourself how confident you are in the effectiveness of your IT Risk Assessment, and you will get an idea of how prepared you are for your next IT exam. It is for these reasons that financial institutions choose to reach out to IT audit and consulting firms to help answer these questions in the affirmative.

So what should you do if you have answered "no" to any or all of the above questions?  

There are several roads available to you, depending upon your needs and the gaps in your current programs. First, if you have an IT audit firm well-versed in FFIEC IT guidance, consider reaching out to them for suggestions on how their other clients are handling the IT compliance challenge and what appears to be working best. If they are working with a variety of institutions, they should be offering recommendations and sharing their experience on what works well; if they are not already giving you such counsel, ask them to provide it.

If you don’t have an IT audit firm knowledgeable on FFIEC guidance, consider getting one. They can be an invaluable resource in ensuring that your institution has guidance on all the IT Risk Management program areas that should be integrated into your organization (based on the size and complexity of your institution) well before an IT examination from the FDIC, NCUA, OCC or State. Alternatively, you can reach out to organizations that specialize in financial institution IT risk management programs and have them conduct an independent third-party assessment. Some will even help you remediate programs that are in disrepair or at a very early stage of IT maturity. Over the last 12 months, D+H has had dozens of institutions reach out, knowing that they needed a specialist to help and that they were simply tasked with too many jobs, wearing too many hats to take it on themselves.

Finally, your organization should seriously consider how automation can help integrate IT Risk Management into a function that both prepares you to meet the regulators confidently and enables your institution to competently manage the very real threats and vulnerabilities associated with technology. New products on the market integrate the information security, business continuity, vendor management, IT risk management and audit functions seamlessly, making the job simpler to internalize and the process both content-rich and routine. Using a shared relational database, these automated solutions tie policy to risk-mitigating control to audit objective end-to-end, ensuring that you are not missing anything and that your programs are consistent, coherent and regulator-ready. Automated IT Risk Management tools enable banks and credit unions to focus on control strengthening and risk management strategy, leaving the program mechanics to the system itself, and enabling financial institutions to keep their IT Risk Management programs current at minimized cost and maximized value. While it may never make the function or task at hand an institution’s favorite, it will give you the confidence to face IT regulations and IT risks knowing that you’ve got your act together.

Author

Michael Barrack
Director, IT Security & Compliance

As a director of IT Security and Compliance for D+H, Michael Barrack provides IT security, and risk and compliance consulting services for community financial institutions nationwide. With more than 20 years of serving community banks and credit unions, Michael brings a keen understanding of how our clients use technology to support the business and what the regulators expect as it relates to IT-related compliance.