The members of the Federal Financial Institutions Examination Council (“FFIEC”) have released an update to the Management section of the Information Technology Examination Handbook (the “Handbook”).1 While the Handbook is written for examiners at the U.S. federal banking agencies and for the financial institutions subject to examination, it contains helpful guidance for other entities establishing governance structures and managing information technology (“IT”) risk across their enterprises.
The Management section of the Handbook was last updated in 2004. These revisions reflect the development and incorporation of cybersecurity concepts as part of information security. Because of the significant changes in IT and the increased focus on IT risk management, extensive revisions were necessary.
The Management section addresses three general topics across two parts. The first part (i) outlines principles for sound IT governance and (ii) explains how IT risk management (“ITRM”) relates to enterprise-wide risk management and governance. The second part describes the examination procedures that examiners will follow to determine the quality and effectiveness of the institution’s management of its IT. The FFIEC’s expectations for IT governance structures and processes, and IT risk management, as well as the examination procedures it describes, are each discussed below in more detail.
Governance Structures and Processes
The Management section emphasizes the FFIEC’s view that appropriate IT governance structures and processes are essential to a financial institution. Under this view, governance begins at an institution’s board of directors, which “sets the tone and direction for an institution’s use of IT. The board should approve the IT strategic plan, information security program, and other IT-related policies.” The board should also oversee and monitor the implementation and operation of the institution’s IT activities and hold management accountable for its role in the IT governance process.
The FFIEC also emphasizes that senior management is responsible for the performance of the institution’s IT efforts and for administering the day-to-day operation of the institution’s IT activities. The FFIEC explains that, typically, the chief executive officer and the chief operating officer will work with the chief information officer or chief technology officer to develop and implement the IT strategy that the board has approved. These executives will also work with the chief information security officer to oversee the management and mitigation of information security risks across the institution.
The revised Management section also extends responsibility for IT management down to IT line managers and business unit managers, who are expected to coordinate the daily IT activities of the institution, comply with the IT procedures and controls developed by senior managers, and communicate with other parts of the organization on IT-related issues.
Under the Handbook’s approach, all participants in an organization’s governance structure are expected to work with, and within, the appropriate sub-structures and processes, including to help implement:
IT Risk Management
The Handbook states the FFIEC’s view that a financial institution’s management should develop an effective ITRM process that supports the institution’s broader risk management program. It describes an effective ITRM process as supporting the enterprise-wide risk management framework through four activities: (i) risk identification; (ii) risk measurement; (iii) risk mitigation; and (iv) risk monitoring and reporting.
The examination procedures in the Management section give examiners the means to measure the adequacy of an institution’s ITRM process. While the section lists dozens of examination procedures, institutions should view the list as a checklist of what a regulatory examination may cover, and should expect examiners to customize the examination program: examiners must select those procedures most relevant to an institution’s size, complexity, and business.
The examination procedures generally seek to verify whether an institution is meeting the regulators’ expectations described in the first part of the Management section and in other regulatory guidance. Notably, many of the exam procedures include evaluation of (i) the institution’s cybersecurity risk and remediation activities and (ii) the board’s and executive management’s involvement in IT activities and risk management.
Nothing in the Management section will surprise those professionals involved in IT governance and risk management. The revisions, however, highlight the regulators’ expectation that all financial institutions comply with best practices and incorporate meaningful cybersecurity protections into their operations.
1 FFIEC, Financial Regulators Release Revised Management Booklet (Nov. 10, 2015), available at http://www.ffiec.gov/press/pr111015.htm. The FFIEC is the interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the federal banking agencies and to make recommendations to promote uniformity in the supervision of financial institutions.