Financial institutions should be able to demonstrate the ability to recover critical IT systems and resume normal business operations regardless of whether the process is supported in-house or at a technology service provider, says a new appendix to the FFIEC Information Technology Examination Handbook.
This applies to all types of adverse events, including natural disasters, infrastructure failures, technology failures, availability of staff, or cyber attacks.
“Specifically, a financial institution should ensure that its third-party service providers do not negatively affect its ability to appropriately recover IT systems and return critical functions to normal operations in a timely manner,” according to the Federal Financial Institutions Examination Council’s release.
Bouncing back more important than ever
The new appendix comes just as Beth Dugan, deputy comptroller for market risk, said separately, in a speech to The Clearing House’s First Operational Risk Colloquium:
“Financial institutions’ exposure to cyber threats and vulnerabilities has increased as a result of every third party and customer link into their systems. Risk grows with the competitive pressure to make those systems even more open and responsive in response to the demand for connectivity and integration, and the complexity and interconnections of the infrastructure on which these linkages depend. It’s for this reason that resiliency is taking on a new importance.”
Appendix J, now available online at the Federal Financial Institutions Examination Council’s website, repeatedly emphasizes that it is the financial institution’s board and senior leadership that are responsible for ensuring adequate preparedness for all adverse events.
Dugan, in her speech, noted that shifts in resiliency often require changes to the board and senior management’s approach to strategic planning and organizational culture.
“In this new environment, with its different and rapidly evolving risks, strategic planning cannot just be an exercise in projecting loan growth and profitability,” said Dugan. “New products and distribution channels, new technology platforms and applications, and changing use and connectivity with third parties all have an impact on the risk-reward equation.”
Dugan added that both the board and management should have strong processes in place.
The goal, according to Dugan, is “to ensure that the risks of business model change, new products or services, and new utilization of third-party relationships—individually and collectively—are assessed and clearly understood; that internal control and mitigation strategies are identified, implemented, and sustainable; and that the resulting risk level is consistent with the organization’s risk appetite.”
More about Exam Council’s expectation
Appendix J discusses four key elements of business continuity planning: third-party management, third-party capacity, testing with third-party technology service providers, and cyber resilience.
The appendix outlines the strategic considerations of each of these points, excerpts of which follow:
• Third-party management—Financial institution management should ensure business resilience considerations are embedded within their third-party risk management life cycle. This includes addressing business continuity elements within the due diligence process, contract negotiations, ongoing monitoring processes, and processes for the termination of the contract.
The financial institution should ensure that each technology service provider has a robust third-party management program that includes a review of each subcontractor’s business continuity plan.
• Third-party capacity—A financial institution should ensure that its technology service providers have adequate planning and testing strategies that address severe events in order to identify single points of failure that would cause wide-scale disruption.
There are certain steps a financial institution can take with its technology service providers to plan for the possible failure of critical services. First, the parties can discuss scenarios of significant disruptions that may necessitate transitioning critical services to alternate technology service providers. Second, the parties can assess their immediate or short-term space, systems, and personnel capacity to absorb, assume, or transfer failed operations. Last, the parties can identify the most plausible range of recovery options and develop business continuity plans that address restoration of key services.
• Testing with third-party technology service providers—A financial institution needs assurance that its third-party service providers have the necessary capacity to restore critical services in the event of a widespread disruption or outage. This assurance includes adequate infrastructure and personnel to restore services to financial institution clients and support typical business volumes. Clients gain assurance through an effective business continuity plan testing program.
Service providers should share test results and reports, remediation action plans and status reports on their completion, and related analysis/modeling.
Following testing, the financial institution should evaluate the results and understand any gaps that may exist between the service provider and the institution. A plan should be developed to ensure these gaps are addressed as appropriate.
• Cyber resilience—The financial institution should consider the following mitigating controls:
1. Data backup architectures and technology that minimize the potential for data destruction and corruption.
2. Data integrity controls, such as checksums.
3. Independent, redundant alternative communications providers.
4. Layered anti-malware strategy.
5. Enhanced disaster recovery planning to include the possibility of simultaneous attacks.
6. Increased awareness of potential insider threats.
7. Enhanced incident response plans reflecting the current threat landscape.
8. Prearranged third-party forensic and incident management services.
Financial institutions and technology service providers should remain aware of emerging cyber threats and scenarios and consider their potential impact on operational resilience. Because the impact of each type of cyber event will vary, preparedness is the key to preventing or mitigating the effects of such an event.