FFEIC IT Handbook Updates

On November 14, 2019, the Federal Financial Institutions Examination Council (FFIEC) has made changes to their IT Handbook. This resource is what regulators use to audit banks like yours, and so, it’s important that you understand any changes made to it.

The updates made specifically concern Business Continuity Management. This is a revision of the update to the Business Continuity Management handbook, released back in February 2015.

What Changes Have Been Made To The FFEIC IT Handbook?

The updates made to the Business Continuity portion of the FFEIC IT Handbook fall into two distinct categories:

Clarity And Language

The first category of updates is just a matter of the FFEIC updating the language they use in the booklet. This is done to reflect the changing nature of both IT and the financial industry and to improve the way this booklet acts as a resource for bank regulators.

In many cases, this simply means clarifying the language used, eliminating redundancies, and updating any inaccurate or dated terminology. Updates include:

  • Changed name to Business Continuity Management to reflect an increased focus on ongoing, enterprise-wide business continuity and resilience.
  • Replaced the term “financial institutions” with the term “entities.”
  • Made clearer references back to NIST, FEMA, and other authoritative sources.
  • Clarified the linkage between enterprise risk management and Business Continuity Management.
  • Clarified the distinction between exercises and tests.
  • Aligned definitions and terminology with authoritative standards organizations (e.g., NIST and ISO), where appropriate.
  • Eliminated the redundant pandemic planning section.

Re-Evaluation Of Priorities In Business Continuity

The following are clear examples of the principle-based approach underlying these updates. The FFEIC wanted to develop a resource that would remain applicable for many years. That’s why they’re avoiding being too specific about different technologies which will likely change over time. Instead, they describe the principles of Business Continuity Management, in regard to business processes.

  • Supply-chain risk with respect to single points of failure.
    It’s important for entities subject to the FFEIC standards to understand that any single vulnerability present in their supply chain poses a risk to their business continuity. That’s why those managing your business continuity need to do their due diligence in identifying where you are connected to third-parties and make sure your business continuity risk is mitigated as much as possible.
  • Elevated maintenance and improvement as an important component of the BCM lifecycle.
    Business continuity isn’t just about what happens in the event of a disaster. While response is certainly a key priority in business continuity, these updates reflect the fact that ongoing maintenance and improvement is just as vital. You need to be maintaining your business continuity, testing its effectivity, and making improvements to processes where applicable.
  • Integrated “Outsourced Technology Services” content from original Appendix J into the body of the booklet.
    What used to be an appendix is now a core part of the handbook. This change underscores how important outsourced IT services are to an entity’s business continuity. Just as any connected third party constitutes a part of your supply chain, your outsourced IT services are a key part of it.

As you should with any changes that affect your business, you need to stay up to date. Business continuity is an extremely important part of your business processes, and so, any changes made to FFEIC guidelines need to be understand by you and other management personnel at your institution.

Are you working with an Outsourced Technology Services company that understands the ins and outs of banking technology and the FFIEC controls that need to be in place? KTG has Certified Community Bank Technology Officer resources on staff and our services are audited annually under the MSP Verify Program. We are here to help your institution, give us a call today.

Like this article? Check out the following blogs to learn more:

The Need for Cybersecurity Expertise at the Board Level for Banking

The new Health Industry Cybersecurity Practices (HICP)

NIST’s Small Business Cybersecurity Corner