Pub. 5 2016 Issue 1

The CommunityBanker – FEATURE

FFIEC IT Management Handbook – What You Need to Know
By Jon Waldman, Partner: Security Banking Solutions, LLC; VP of Business Development – SBS Institute

Managing Technology is More Complicated than Ever

In November of 2015, the FFIEC updated its IT Management Handbook to provide financial institutions with more prescriptive guidance regarding the management of technology and cybersecurity. This update closely follows a host of cybersecurity-related discussions and guidance from regulatory bodies, such as the FFIEC Cybersecurity Assessment Tool. Regulators are clearly trying to tell us that management of cybersecurity and technology from the top down is of the utmost importance and will be regulated accordingly over the next few years.

The problem is that everyone is struggling to keep up with the changing technology landscape in the banking industry. Whether you are researching new technology-related products and services, protecting your networks from new cybersecurity threats, mitigating the damage from data breaches, or training your employees to identify attacks, it seems like an uphill battle just to get a handle on managing technology. This is why having a properly structured and repeatable IT management framework is so important. Let’s take a look at a few of the major updates and components of the FFIEC “IT Management Handbook” and how these changes can strengthen your institution’s IT management.

Major Changes to the IT Management Handbook

Right off the bat, the FFIEC is replacing the first two major sections of the 2004 FFIEC IT Management Handbook – “Risk Overview” and “Roles and Responsibilities” – with “Governance” and “Risk Management.” A great deal of focus is paid in the Governance section to how an institution should oversee IT management and ensure there is enough data to make good decisions.

Another big introduction in this updated IT Management Handbook is the term “risk appetite.” Risk appetite refers to the levels of risk the institution is willing to accept as a part of doing business, with an emphasis on technology. It’s important to note that there is NO SUCH THING as ZERO RISK. There will always have to be some risk that is simply accepted (but monitored) at financial institutions. Knowing how much risk is acceptable or needs to be mitigated is the Board’s ultimate responsibility.

IT Risk Management and Governance

As you have undoubtedly read and heard in recent months, the FFIEC is putting heavy focus on the highest level of financial institutions, starting with the Board of Directors. In a well-structured IT management setting, IT management or the IT Steering Committee needs to provide timely information upstream to Senior Management and the Board of Directors. The IT Management Handbook update also describes some changes in IT management roles and responsibilities. The changes in structure are as follows:

• Board of Directors – The Board is ultimately responsible for holding management accountable, and the updated Handbook states specifically that the Board must “provide a credible challenge” to management regarding the oversight of IT activities. Additionally, the Board must be “actively engaged, asking thoughtful questions and exercising independent judgment.” The Board of Directors is responsible for setting the institution’s IT Risk Appetite, as well as approving the IT Strategic Plan.

• Executive Management – Executive management, including the Chief Executive Officer (CEO), the Chief Operating Officer (COO), and often the Chief Information Officer (CIO), plays a significant role in IT management at a financial institution. Executive management develops the IT Strategic Plans and objectives for the institution, as well as sets the budget for resources to achieve these objectives. Executive Management should understand the IT risks faced by the institution at a high level and ensure that those risks are included in the institution’s risk assessments.

• Chief Information Security Officer – The Chief Information Security Officer (CISO) is responsible for overseeing and reporting on the management and mitigation of information security risks across the institution and should be held accountable for the results of this oversight and reporting. Often, the CISO is responsible for implementing an Information Security Program that satisfies the GLBA standards. While in the past the CISO was considered a technology function, the role has become a strategic and integral part of the
