In the rapidly evolving landscape of banking, technology plays a pivotal role in shaping operations, customer experiences, and regulatory compliance. As we move through 2024, bank regulators are intensifying their scrutiny of various aspects of Information Technology within financial institutions. This scrutiny is occurring across the industry for banks and credit unions of all sizes, although larger banks likely already have many of these areas in place. Even where these areas are formalized and operational, it is important to continue to mature them and increase their effectiveness. Here are a few key areas in which I have seen increased scrutiny over the past few years.
IT Policy Housekeeping
If you have not reviewed and approved your policies recently, now is the time. Even if they have not changed, you should be reviewing them at some interval and you should have a policy in place that defines the interval. It’s important to maintain a list of groups or committees that approve the policies and schedule them for review proactively.
Information Security & Risk Management
In the ever-evolving landscape of cybersecurity threats, you should show evidence that your Information Security Program (ISP) is evolving with the threat landscape.
Risk Assessments
The IT Risk Assessment is no longer a “check the box” exercise to show that you have one. You should continually review and assess your organization’s Risk profile. Your Risk Register should be methodical and encompassing. A great CISO once described the Risk Assessment to me as “as much art as it is science.”
Some key components of the Risk Assessment include:
- Governance describing the purpose of the Risk Assessment, how it is used, who reviews it, and how often it is reviewed, to name a few.
- A scoring methodology with instructions and clarity on how it is used.
- A risk profile of “customer information systems” that are used to “access, collect, store, use, transmit, protect, or dispose of customer information.” (FFIEC IT Examination Handbook – 2016)
- Periodic Executive review so that your Executive Leadership Team is informed of the risks and how they are being mitigated.
Separation of Duties between Security Governance and Security Operations
If you have not yet separated your Security Governance from your Security Operations, I suggest doing so as soon as possible. Governance and strategy should remain independent of the day-to-day security operations of the bank to mitigate any conflicts of interest. This may be a challenge for smaller banks, so an outsourced or fractional resource model may be a reasonable option. To keep security at the highest standards, Security Governance and Operations should have an aligned partnership and work with one another – not against one another.
Vulnerability and Patch Management
The Vulnerability and Patch Management program should show continued maturity over time. Incremental improvements are fine if there are measurements in place to show how the program is improving and how risks are prioritized and mitigated.
A few key components of the program include:
- Governance (Policy) that defines:
  - Severities.
  - Scan frequency.
  - Patch testing and rollback requirements.
  - Scheduled patch windows.
- Performance measurements and current baselines showing improvements over time.
- Periodic Executive review so that your Executive Leadership Team is informed of the vulnerability risks and how they are being mitigated.
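The "performance measurements and current baselines" item above is easier to satisfy when the numbers come out of the vulnerability register itself. The following is an added example, not code from the original article: it takes a constructed set of findings, a hypothetical per-severity remediation target (each bank defines its own in policy), and computes percent-within-SLA, median exposure age and open-overdue counts for a baseline period and a current period so the trend can be reported to executive leadership.

```python
from datetime import date
from statistics import median

# Assumed policy targets (days to remediate) per severity; set these from your own policy.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed findings: (finding id, severity, first seen, remediated date or None if open).
FINDINGS = [
    ("F-001", "critical", date(2023, 9, 1), date(2023, 9, 15)),   # missed 7-day target
    ("F-002", "high", date(2023, 9, 3), date(2023, 10, 20)),      # missed 30-day target
    ("F-003", "medium", date(2023, 9, 10), date(2023, 11, 1)),    # within 90 days
    ("F-004", "critical", date(2024, 2, 2), date(2024, 2, 6)),    # within 7 days
    ("F-005", "high", date(2024, 2, 5), date(2024, 2, 28)),       # within 30 days
    ("F-006", "high", date(2024, 2, 10), None),                   # still open and overdue
    ("F-007", "low", date(2024, 2, 12), None),                    # open, not yet due
]

AS_OF = date(2024, 3, 15)                      # report date
BASELINE = (date(2023, 9, 1), date(2023, 12, 31))
CURRENT = (date(2024, 1, 1), AS_OF)

def age_days(first_seen, remediated, as_of):
    """Days a finding was (or has been) exposed, measured at the report date if still open."""
    return ((remediated or as_of) - first_seen).days

def sla_metrics(findings, period_start, period_end, as_of):
    """Per-severity metrics for findings first seen within [period_start, period_end]."""
    by_sev = {}
    for _, sev, first_seen, remediated in findings:
        if period_start <= first_seen <= period_end:
            by_sev.setdefault(sev, []).append((first_seen, remediated))
    out = {}
    for sev, rows in by_sev.items():
        ages = [age_days(f, r, as_of) for f, r in rows]
        # An open finding that is not yet past its target still counts as within SLA.
        within = sum(1 for a in ages if a <= SLA_DAYS[sev])
        overdue_open = sum(1 for (_, r), a in zip(rows, ages) if r is None and a > SLA_DAYS[sev])
        out[sev] = {"count": len(rows),
                    "pct_within_sla": round(100 * within / len(rows)),
                    "median_age_days": median(ages),
                    "open_overdue": overdue_open}
    return out

def improvement(baseline, current):
    """Change in percent-within-SLA per severity; positive means the program improved."""
    return {s: current[s]["pct_within_sla"] - baseline[s]["pct_within_sla"]
            for s in current if s in baseline}
```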
Identity and Access Management
Identity and Access Management (IAM) plays a pivotal role in regulatory compliance by enabling banks to enforce segregation of duties, audit user activities, and maintain comprehensive access logs to demonstrate compliance with regulatory requirements such as the Gramm-Leach-Bliley Act (GLBA), the Payment Card Industry Data Security Standard (PCI DSS), and the General Data Protection Regulation (GDPR). To ensure compliance, you should continue to mature your IAM program.
Some key components of the program include:
- Access request workflows.
- Access approval workflows.
- Periodic Access and Permissions reviews.
- Access removal workflows and procedures.
- Privileged Access management and review.
- Evidence that reviews are taking place and signed off on.
Security Training
Security Training is a critical component of your ISP. You should have governance in place to ensure regular training intervals, including unannounced Security Awareness Training throughout the year. The threat landscape has never been as complex as it is now, and threat actors are becoming increasingly difficult to detect. Training should be embedded in every employee as if their job depends on it – which it should. To ensure an effective training program, it is important to develop measurements and rewards/penalties. Reward employees who follow safe security practices, and provide additional training to or discipline those who fail to comply. Reporting on the program is important to show effectiveness and to identify opportunities for improvement.
Executive Review of the ISP
As noted in some of the areas above, it is important to present the current state and strategy of the ISP to the Executive Leadership Team and the Board of Directors on a periodic basis. They should be informed of current IT risks and mitigation efforts as well as the strategy of the ISP and the roadmap for continued maturity.
Vendor Management
As banks increasingly leverage vendor-hosted services to drive innovation and scalability, regulators are closely monitoring the adoption of cloud technologies and third-party relationships. You should implement a robust third-party risk management framework to assess, monitor, and mitigate the risks associated with outsourcing critical functions to cloud service providers. Regulators are scrutinizing banks’ due diligence processes, contractual arrangements, and security controls to ensure the integrity and resilience of cloud-based infrastructures. Developing policies and procedures is critical to ensuring that vendor due diligence is consistent and effective. It is not enough to have policies and procedures; you should ensure that you are following them. For example, it is easy to forget about your non-critical vendors, but if your policy states that non-critical vendors will be reviewed every other year, you should ensure that they are in fact reviewed at that frequency and be able to provide evidence of it.
End of Life / End of Support
Closely aligned with the Information Security Program, End-of-Life (EoL) and End-of-Support (EoS) governance is becoming an increasing focus as these assets can present risk to your IT environment. A formal policy should be established for both Hardware and Software to ensure a proactive and consistent approach for deploying and deprecating assets.
A few key components include:
- Asset Lifecycle.
- Replacement timeline.
- Exception handling.
- Disposal requirements.
Additionally, an asset inventory should be established and validated to ensure that all assets are captured. You should have thorough processes in place to ensure that all assets are accounted for, and none are falling through the cracks.
The inventory should include attributes such as:
- Date placed into service.
- EoL/EoS Date.
- Targeted Replacement Date.
- Version.
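An inventory with the attributes above can be checked mechanically against the EoL/EoS policy. The following is an added example, not code from the original article: it runs over constructed inventory rows, flags assets past their EoL/EoS date (distinguishing those covered by an approved exception), assets whose targeted replacement date leaves less than an assumed 90-day lead time before support ends, and rows with missing attributes that the validation step should catch. The "exception_until" field and the lead-time value are assumptions.

```python
from datetime import date, timedelta

# Constructed inventory rows carrying the attributes listed above plus an assumed
# "exception_until" field recording when an approved exception expires.
INVENTORY = [
    {"asset": "core-sw-01", "version": "16.9", "in_service": date(2016, 5, 1),
     "eol_eos": date(2023, 10, 31), "target_replacement": date(2023, 9, 30),
     "exception_until": None},                                   # past EoS, never replaced
    {"asset": "fw-edge-02", "version": "7.2", "in_service": date(2020, 3, 15),
     "eol_eos": date(2024, 6, 30), "target_replacement": date(2024, 9, 30),
     "exception_until": None},                                   # replacement after EoS
    {"asset": "app-srv-09", "version": "2019", "in_service": date(2019, 11, 1),
     "eol_eos": date(2024, 1, 9), "target_replacement": date(2024, 12, 31),
     "exception_until": date(2024, 12, 31)},                     # past EoS, exception approved
    {"asset": "tlr-pc-114", "version": None, "in_service": date(2021, 8, 20),
     "eol_eos": None, "target_replacement": None,
     "exception_until": None},                                   # incomplete record
    {"asset": "db-srv-03", "version": "15", "in_service": date(2022, 1, 10),
     "eol_eos": date(2027, 11, 11), "target_replacement": date(2027, 6, 30),
     "exception_until": None},                                   # healthy
]

# Assumed policy: replacement must be scheduled at least 90 days before EoL/EoS.
LEAD_TIME = timedelta(days=90)

def classify(row, as_of):
    """Return the policy status of one inventory row as of the given date."""
    if row["eol_eos"] is None or row["target_replacement"] is None or row["version"] is None:
        return "incomplete"                 # inventory gap: cannot be assessed
    if row["eol_eos"] < as_of:
        if row["exception_until"] and row["exception_until"] >= as_of:
            return "unsupported-exception"  # past EoS but covered by a valid exception
        return "unsupported"                # past EoS with no valid exception
    if row["target_replacement"] > row["eol_eos"] - LEAD_TIME:
        return "at-risk"                    # scheduled replacement does not meet lead time
    return "compliant"

def inventory_report(rows, as_of):
    """Map each asset to its status so exceptions and gaps can be evidenced in review."""
    return {r["asset"]: classify(r, as_of) for r in rows}

def status_counts(report):
    """Summary counts suitable for an executive-level slide."""
    counts = {}
    for status in report.values():
        counts[status] = counts.get(status, 0) + 1
    return counts
```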
Business Continuity and Disaster Recovery
In light of recent disruptions such as the COVID-19 pandemic and cyber incidents, regulators are emphasizing the importance of operational resilience and business continuity planning. Banks are required to develop comprehensive contingency plans, conduct regular stress tests, and establish resilient IT infrastructures to ensure uninterrupted service delivery and mitigate operational risks. The time is now to review and update your plans as well as execute tests, rehearsals, or tabletop exercises to ensure that all business units throughout the organization understand how to respond in the event of a disruption. These exercises should increase in complexity over time to build repetition and understanding.
Project Management
As banks navigate complex regulatory environments, technological advancements, and evolving customer expectations, effective project management has become instrumental in driving strategic initiatives, managing risks, and ensuring regulatory compliance. If you have not formalized your Project Management Office (PMO), it is important that you do so as soon as possible to ensure that key components are included throughout the project life cycle, as well as to maintain a consistent approach to project execution.
Key components of a PMO are:
- Project Intake and prioritization.
- A Project Portfolio in alignment with the strategic plan.
- Governance and procedures.
- Budget and Resource planning.
- Risk management and evaluation.
Conclusion
The evolving landscape of IT in the banking sector presents both opportunities and challenges for banks. As technology continues to reshape the way banks operate and interact with customers, regulators are doubling down on efforts to ensure the integrity, resilience, and security of IT systems.
* Always consult or refer to your regulatory laws and handbooks for specific guidance.