While the FFIEC has released three major guidance updates since July 2019, the FDIC has not updated its examination program to include the newer guidance. This is one of the findings of the January 2023 audit of the FDIC Information Technology Risk Examination (a.k.a. “InTREX”) program performed by the Office of the Inspector General (OIG). Also noted was the fact that the program does not reflect updates to NIST standards, including those for supply chain threats, issued since 2014.
We have been noticing for some time that many of the regulatory agencies seem to be behind in enforcing updated guidance and standards. They have been experiencing the same pandemic and staffing turnover pressures that we all have, and the cracks are beginning to show. We do expect that this recent audit report will cause a flurry of activity to reverse this trend across all regulatory agencies, so institutions should start preparing now to ensure that they have updated their controls to meet the newer requirements before their next exam. This includes reviewing the following guidance published since 2019:
- The FFIEC “Business Continuity Management” booklet was updated in November 2019 to focus more on business resilience, to include content on supply chain risk, and to require a 10-step evolving management program to be in place instead of the previous 4-step program.
- The FFIEC “Architecture, Infrastructure, and Operations” booklet was published in June 2021 as a replacement for the 2004 “Operations” booklet. The new guidance includes topics such as Artificial Intelligence and Internet of Things (IoT) that were not on the radar in 2004, as well as new sections on governing the architecture and infrastructure of the institution.
- The FFIEC “Authentication and Access to Financial Services and Systems” booklet was published in August 2021 as a replacement for the previous “Authentication in an Internet Banking Environment (2005)” and “Supplement to Authentication in an Internet Banking Environment (2011)” publications. While the old guidance focused only on access by customers, the new guidance provides a framework for assessing the authentication practices used by employees, third parties, and customers when accessing critical systems.
- While the interagency guidance on Third Party Relationships, first proposed in July 2021, has not yet been officially published, we recommend that institutions still study it, as it includes a lot of material on assessing supply chain risk, a focus of the OIG audit. Most notably, the proposed guidance expands the definition of a third party to include organizations (such as aggregators) with which the institution may not have a formal relationship.
We enjoy working with institutions proactively to keep them ahead of the exam curve. If you believe that your institution needs help in sifting through the large volume of guidance, we can help! Reach out to us anytime at support@bedelsecurity.com.