After years of assessment, planning, and testing business resiliency and IT security plans, financial institutions across the country now face a real-world test of their IT program’s maturity. With social distancing and even sheltering in place the new normal in many places, COVID-19 is changing how millions work and, in some cases, bank.
As fewer staff and employees populate FI lobbies and buildings, more and more of people’s daily lives are moving online—increasing network traffic and operational risk, or the risk of financial loss when processes, people, or systems fail.
In this sixth and final blog in Ncontracts’ series breaking down key operational risk considerations department-by-department, we’re talking about IT.
Compared to other departments, IT should be particularly well prepared when it comes to pandemic planning due to its long-time focus on business continuity and operational resiliency.
Regulatory agencies have been emphasizing business continuity and cybersecurity for years through Federal Financial Institutions Examination Council (FFIEC) guidance including:
- IT Exam Handbook—Business Continuity Management
- Cybersecurity Assessment Tool (CAT)
- Interagency Statement on Pandemic Planning
There is also the National Credit Union Administration’s (NCUA) Automated Cybersecurity Examination Tool (ACE) for credit unions.
The goal of each of these is to assess operational and cyber risk and to ensure there are procedures to identify, assess, and mitigate reasonably foreseeable internal and external risks. They analyze shortfalls, proactively identify and close gaps between recovery time objectives (RTO) and actual recovery times (RTA), and safeguard against security breaches.
However, in light of the impact of COVID-19, it’s important for the IT department to have risk discussions to consider emerging issues.
Remote Access Capabilities
HR may be setting up work-from-home policies and dealing with employee concerns, but the IT department has to make sure the technology works.
- Do employees have remote access authority?
- Do they have the technology they need to work at home (laptops, internet access, MiFi cards, etc.)?
- Can local/neighborhood networks handle extra capacity?
There are also the security considerations of a remote workforce. Data encryption, anti-malware, up-to-date endpoint security, and two-factor or multi-factor authentication for remote access to work devices and applications should all be considered.
Issues to address include:
- Are unsecured devices accessing the network?
- Can employees use their own devices?
- Is it possible to install systems on those devices to protect the FI?
Increased network traffic
Between a remote workforce and increased online banking demands, it’s important to evaluate whether your FI’s network is built to handle the strain of extra use. In particular, consider your FI’s network:
- How much traffic can your network handle?
- How do you ensure you are only letting good actors access your network?
IT needs to consider capacity on all technological channels it oversees, including telephone banking, call center services, ATMs, chatbots, etc. You don’t want to push customers and members to alternate channels if they can’t handle the demand.
Recall what happened to the trading platform Robinhood when market volatility began. On the first day of rebounds, its systems couldn’t keep up with the demand for trading.
Back-Up Site Accessibility
Italy’s third-largest bank found a weakness in its business continuity plan after it turned out one of its “disaster recovery rooms” (which contain IT systems for running the bank) ended up close to the epicenter of the outbreak.
When evaluating back-up sites, consider unexpected challenges, such as an outbreak in the site’s own region, that could make the back-up site itself unavailable.
Third-Party Vendor Reliability
Vendors are experiencing the same increase in network demand that many FIs are. They’re also dealing with teleworking, absenteeism, and myriad other challenges. In many cases, these vendors supply your FI with critical products and services, making a weakness in their pandemic planning a weakness in your FI’s pandemic planning.
Third-party risk has been a hot-button issue for regulators, and FIs with good vendor management programs should have the planning, due diligence, contracts, and monitoring to be assured that critical vendors have strong business resiliency and cybersecurity controls.
It’s still worthwhile for IT to check in on these vendors. Here are 10 Questions to Ask Your Vendors About Pandemic Preparedness.
If you’re unclear about a vendor’s preparation, take a look at its SSAE 18. This comprehensive external audit document provides assurances that the right controls are in place to protect data, maintain availability, protect privacy, and accurately process payments.
Emergencies bring out the best in some people and the worst in others. That includes cybercriminals. Earlier this month the Cybersecurity and Infrastructure Security Agency (CISA) released an alert reminding individuals to remain vigilant for scams related to COVID-19. Scammers are using the opportunity to send malware-infected attachments and steal data. Others are taking the opportunity to launch denial-of-service (DoS) attacks.
With more devices leaving company property and staff working away from the office, think about what can be done to increase security awareness and ensure protocols are followed.
It’s worthwhile to update cybersecurity assessments.
Taking an Enterprise-Wide Approach to COVID-19 Operational Risk
While IT oversees technology, make sure it’s not working alone when it comes to managing the operational risks of COVID-19. It should be coordinating its efforts with other departments, including human resources, operations/back office, frontline/branch management, compliance, risk, vendor management, and credit/lending, among others.
Risk management can’t work in a vacuum. We may be self-quarantining or sheltering in place, but when it comes to risk management, we all need to come together.
While every IT team will have its unique risks and controls, Ncontracts has created a Work-From-Home (WFH) Risk Assessment to serve as a great starting point for addressing known risks in the WFH environment.