Recent updates to the FFIEC Management booklet, part of the IT Examination Handbook, contain several significant changes that, while easily overlooked, reflect the evolving nature of IT best practice for financial institutions. Most of the changes will come as no surprise to institutions that, in many cases, implemented them years ago; for those institutions, the revision provides further validation.

Note that this booklet was last updated in 2004. It was a different world: Lehman Brothers was a top investment management firm. TJ Maxx was just a discount clothier, not a cybersecurity cautionary tale.

The latest revision, in November 2015, refocuses IT governance in a few specific and important ways:

IT Governance = Corporate Governance

No longer is it acceptable to have separate plans for IT and the rest of the institution. Just as the Board of Directors is now expected to approve (and understand) the IT strategic plan and information security program, IT is expected to "generate business value for the institution." Management must be engaged with IT, and IT must support the business and business objectives as defined by Management. A siloed approach, if still in place, is no longer acceptable.

CIO (Chief INFORMATION Officer) does not equal CISO (Chief Information SECURITY Officer)

Most of us understand and practice this delineation, but the new booklet makes clear the expectation that the CISO:

  • Not be a member of IT
  • Report to the Board or Senior Management (keeping with an enterprise-level focus)
  • Drive Information Security initiatives, including training and awareness

Interconnectivity and Cybersecurity

The biggest difference between the operational environments of 2004 and today is the degree of interdependence between financial institutions and service providers. These interfaces present points of failure, as well as sources of risk to be identified, evaluated, and managed. Financial institutions must now consider cyber risks and the maturity of their cybersecurity controls. Are service providers incorporated into the business continuity planning and risk assessment? Are procedures in place to effectively manage these service providers, be they cloud services, outsourced call centers, or hosted core systems? What is your cyber-risk appetite?

Overall, expectations on financial institutions have increased: they must both implement strong IT controls and use them effectively. Further, IT governance must engage all levels of institution management, including the board of directors. Investing in top-dollar systems is meaningless without a commitment to use those systems as intended, with a focus on improving both the risk posture and the bottom line of the bank.
