Last week the Risk Advisory Services Team attended the Community Banking Technology Forum hosted by the Federal Reserve in Richmond. Nearly all the regulatory agencies in the Fed’s 5th District were represented including the Federal Reserve, FDIC, Office of the Comptroller of the Currency, Virginia Bureau of Financial Institutions, West Virginia Division of Financial Institutions, and North Carolina Office of the Commissioner of Banks.
With so many regulatory powerhouses in one place, I wanted to highlight some of the ideas that stuck with me. Nothing new or groundbreaking here, but it’s good to hear what’s on the mind of those looking over your shoulder. Full Disclosure: I attended day 1 of the event, and Laura attended day 2, so be on the lookout for her update as well in the near future.
- When conducting a Vendor Risk Assessment, consider all areas of bank risk including, but not limited to, Compliance Risk, Strategic Risk, Reputation Risk, Operational Risk, etc.
- Differentiate between Critical and High Risk vendors. Doing so allows the most important business partners to rise to the top and receive the most attention. A critical vendor keeps your bank’s doors open; we’re thinking of vendors like Fiserv, FIS and JHA. A High Risk vendor, by contrast, is important but could be replaced quickly.
- When engaging a new vendor, begin with the end in mind (apologies to Stephen Covey) by designing an exit strategy. That is when the contract truly matters.
- In most organizations, the most logical way to approach vendor management is through a centralized oversight with input from business line owners.
- Cybersecurity: no surprises here. It’s a big deal.
- Governance of Cybersecurity is incredibly important, all the way up to the Board of Directors. It was recommended that even Board members receive training around Cybersecurity.
Incident Response Plan
- Incident Response Plan testing is becoming more important in the current environment.
Management and IT Audit
- Governance of the IT Function overall (in addition to Cybersecurity mentioned above) continues to be an important area for examiners. Examples include training IT personnel based on their job responsibilities and determining where IT fits within the organization. If the IT function does not have a seat at the table for budgeting and strategic direction of the bank, you can expect scrutiny from the examiners.
- Examiners will be looking at the independence and separation of the IT Audit function within the bank. For example, if IT Audit is completing the information security risk assessment and also conducting audit procedures around that risk assessment, a conflict exists. It’s worth clarifying that “independence” here refers specifically to verifying that auditors are not auditing their own work. The IT examiners are not expected to assess independence from the accounting/AICPA independence perspective.
- Patching continues to be a problem. If your bank does not have a robust, measurable and accountable patching program, you can expect some comments in your upcoming exam. If your bank draws technical examiners in the field, this review could extend to network hardware and firmware versions. Running a WAN on outdated or unsupported firmware exposes your bank to additional risks and vulnerabilities.
- The panel of examiners also noted that although it is not incumbent on community banks to resolve the problems caused by the Equifax breach, banks do have a responsibility to point customers to Equifax’s breach resolution web page for information.
- Because of the amount of data lost during the Equifax Breach, the ID Theft Program will likely come under increased scrutiny.
Many thanks to the folks at the Federal Reserve for the invitation to participate, and to all the examiners for their candid and transparent remarks. Protecting customer information and information assets ultimately provides a safe, sound, efficient and secure banking system. That’s something everyone can agree on.
Bryan is a Manager at YHB and serves on the Risk Advisory Services Team. Bryan focuses on assisting organizations in a variety of industries with internal audits and IT-related audit and consulting services.