The members of the Federal Financial Institutions Examination Council (“FFIEC”) have released an update to the Management section of the Information Technology Examination Handbook (the “Handbook”).[1] While the Handbook is written for examiners at the U.S. federal banking agencies and for the financial institutions subject to examination, it contains helpful guidance for other entities establishing governance structures and managing information technology (“IT”) risk across their enterprises.
The Management section of the Handbook was last updated in 2004. These revisions reflect the development and incorporation of cybersecurity concepts as part of information security. Because of the significant changes in IT and the increased focus on IT risk management, extensive revisions were necessary.
The Management section addresses three general topics across two parts. The first part (i) outlines principles for sound IT governance and (ii) explains how IT risk management (“ITRM”) relates to enterprise-wide risk management and governance. The second part describes the examination procedures that examiners will follow to determine the quality and effectiveness of the institution’s management of its IT. The FFIEC’s expectations for IT governance structures and processes, and IT risk management, as well as the examination procedures it describes, are each discussed below in more detail.
Governance Structures and Processes
The Management section emphasizes the FFIEC’s view that appropriate IT governance structures and processes are essential to a financial institution. Under this view, governance begins at an institution’s board of directors, which “sets the tone and direction for an institution’s use of IT. The board should approve the IT strategic plan, information security program, and other IT-related policies.” The board should also oversee and monitor the implementation and operation of the institution’s IT activities and hold management accountable for its role in the IT governance process.
The FFIEC also emphasizes its view that a financial institution’s senior management is responsible for the performance of the institution’s IT efforts and for the day-to-day administration of its IT activities. The FFIEC explains that, typically, the chief executive officer and the chief operating officer will work with the chief information officer or chief technology officer to develop and implement the IT strategy that the board has approved. The CEO and COO will also work with the chief information security officer to oversee the management and mitigation of information security risks across the institution.
The revised Management section also extends responsibility for IT management down to IT line managers and business unit managers, who are expected to coordinate the daily IT activities of the institution, comply with the IT procedures and controls developed by senior managers, and communicate with other parts of the organization on IT-related issues.
Under the Handbook’s approach, all participants in an organization’s governance structure are expected to work with, and within, the appropriate sub-structures and processes, including to help implement:
- Effective ITRM processes;
- A comprehensive information security program;
- A formal project management process;
- Enterprise-wide business continuity planning; and
- Accurate and timely processes for information systems reporting.
IT Risk Management
The Handbook states the FFIEC’s view that a financial institution’s management should develop an effective ITRM process that supports the institution’s broader risk management program. It describes an effective ITRM process as supporting the enterprise-wide risk management framework through four activities: (i) risk identification; (ii) risk measurement; (iii) risk mitigation; and (iv) risk monitoring and reporting.
- Risk identification: Financial institutions should inventory their assets, event classes and existing controls to identify IT risks. Comprehensive IT risk identification should include the identification of cybersecurity risks, as well as the completion of the information security risk assessments required under the Gramm-Leach-Bliley Act’s implementing regulations. Financial institutions should participate in an information-sharing forum, such as the FS-ISAC, as a component of their risk identification process.
- Risk measurement: Financial institutions should estimate the likelihood that a particular risk or group of risks will cause an adverse event and assess the potential impact of such an adverse event across the institution. These measurements may be qualitative, quantitative or a hybrid of both. Risk measurement processes should recognize that there are interdependencies among risks that require an integrated approach to risk management. Also, once risks have been initially assessed, they should be prioritized for mitigation efforts and tagged for reassessment when changes occur.
- Risk mitigation: Financial institutions should implement specific controls to reduce, avoid or transfer the risks they have measured. It may not be possible to eliminate all risks entirely; an institution’s risk appetite is the amount of risk it is prepared to accept in pursuing its objectives. Appropriate controls include: written policies, standards, and procedures; personnel screening; written information security programs; business continuity programs; validation tests; insurance; and third-party vendor management programs. Institutions should also address cybersecurity risk through the implementation of cybersecurity controls, threat intelligence and collaboration, cyber risk and incident management processes, and external dependency management.
- Risk monitoring and reporting: Financial institutions should monitor the effectiveness of their risk mitigation activities and should address changing threat conditions. Monitoring may be accomplished through reporting of specific metrics related to IT activities and the performance of periodic review of the institution’s IT functions. When IT activities involve affiliates or third-party providers, service level agreements may be used to establish mutual expectations and set the baseline for measuring IT performance.
The examination procedures in the Management section give examiners the procedures to measure the adequacy of an institution’s ITRM process. While there are dozens of examination procedures listed, institutions should expect examiners to customize the examination program, and may view the list of procedures as a checklist when preparing for a regulatory examination. Examiners must, however, select those procedures most relevant to an institution’s size, complexity, and business.
The examination procedures generally seek to verify whether an institution is meeting the regulators’ expectations described in the first part of the Management section and in other regulatory guidance. Notably, many of the exam procedures include evaluation of (i) the institution’s cybersecurity risk and remediation activities and (ii) the board’s and executive management’s involvement in IT activities and risk management.
Nothing in the Management section will surprise those professionals involved in IT governance and risk management. The revisions, however, highlight the regulators’ expectation that all financial institutions comply with best practices and incorporate meaningful cybersecurity protections into their operations.