Why Banks Fail Their FFIEC Audit: The Mismatch between Your Cybersecurity Policy and Procedure

by

March 5, 2024

Eric Durbin headshotFor most community banks and credit unions, one time of year is the most anxiety-producing: their annual FFIEC Audit of their cybersecurity and IT systems. Most spend weeks preparing for their review by the Federal Financial Institutions Examination Council…conducting PEN tests, reviewing their cybersecurity tools, and even upping their cyber risk insurance in advance. Yet, when the findings come back after the review, it can feel like death by a thousand cuts. After all that investment, regulators still call out the “little things.”

Sound familiar?

When it comes to cybersecurity, it’s often the “little things” cyber thieves exploit to gain access to your system. It’s no mystery, then, why regulators often sweat the small stuff. When it comes to the “small stuff,” most of the smaller findings stem from failing to manage the intersection of cybersecurity policies and procedures. Turns out, a mismatch between these two things can cause cascading, unintentional impacts on your cybersecurity.

But before we get into the most common problems banks have when aligning their policies and procedures, let’s first discuss the difference between cybersecurity policies and procedures.

Cybersecurity Policies and Procedures for Banks: What’s the Difference, and Why It’s Important to your FFIEC Audit

 

 

In IT, everything you do must be written down. This is for your own protection, creating a chain of proof around remediation and patching. But it’s also important for the roadmaps your department follows.

When everything is in writing, it makes it easy for regulators to see what you’re doing and for your staff and MSPs to understand your organization’s work order. You must have both cybersecurity policies and procedures written for all your cybersecurity, data handling, recovery, and monitoring processes. In a fast-moving organization, it’s easy for this paper trail to get outdated. When your policies and procedures don’t align, the opportunities for bad findings go up exponentially.

What Does a Written Cybersecurity Policy Do for a Bank?

 

 

Put simply, a cybersecurity policy is the strategic compass for an organization’s cybersecurity efforts. It articulates your organization’s overarching IT goals, operating principles, and high-level expectations. It covers broad areas such as data protection, access control, incident response, and risk management. Ideally, a policy should be written that covers all your IT functions and tools.

Cybersecurity policies for banks are most often crafted by senior IT management, legal experts, and compliance officers. They ensure that IT goals are aligned with compliance efforts.

Some examples of a cybersecurity policy might include:

      • Password Protection Policy—defining rules for creating and managing strong passwords
      • Acceptable Use Policy—outlining acceptable behavior regarding technology resources
      • Data Classification Policy—describing how sensitive data should be categorized and handled

And so on. Most financial institutions have dozens of these.

What Do Cybersecurity Procedures Do for a Bank?

 

 

Cybersecurity procedures are your organization’s tactical playbook. They provide step-by-step instructions for all your processes, diving into the details of essential tasks,e like incident handling, vulnerability patching, and access request approvals. Some good examples of a cybersecurity procedure would include:

  • Incident Response Procedure—detailing the sequence of actions when a security incident occurs
  • Patch Management Procedure—specifying how software updates and security patches are applied
  • Access Control Procedure—explaining how user access requests are evaluated and granted

Developed by your staff and subject matter experts, these documents are critical for training and disaster recovery. They are constantly evolving,g too, as your technology changes.

Where community banks tend to trip up is in the interplay between their policies and procedures. They write a policy, for instance, and neglect to write the corresponding procedure that covers the execution of it. Or they update one without updating the other.

Let’s examine some of the common mistakes banks make regarding their written cybersecurity policies and procedures and how that affects their FFIEC Audit.

 

FFIEC Audits: Top Mistakes Made Around Bank Cybersecurity Policies and Procedures

 

What are the top ways cybersecurity policies and procedures clash in banks, and how can that be fixed? Here’s what we see most often.

#1—Change Control Policies Not Followed Procedurally

It’s common for financial institutions to have well-articulated change control policies that cover situations such as onboarding and offboarding and how to handle permissions during system tests.

In practice, however, their procedures don’t match up. Outside vendors will run system tests using temporary access privileges, for instance. Then, when the test is over, those admin credentials are not deleted, creating a vulnerability. There is no standard process for handling exceptions, cleaning up old credentials, or running tests properly. Each time, there is a different process. And that’s a sure-fire recipe for getting flagged by regulators.

#2—Creating New Control Procedures without Creating Corresponding Policies

This is the opposite of the problem we discussed above, and it happens when you add new tools or capabilities to your system. In this case, you’ve just added a new SaaS tool for your organization and have written a slew of procedures around administering that tool. But where is the policy that governs that tool? If you neglect to tie these new procedures back to policies, you can create a strategic misalignment in your organization. You can also make it challenging to locate those written procedures for people who may need to use them. This sort of oversight is easily made and easily observed by regulators.

#3—Updating Policies Too Infrequently

When you’re in the thick of your daily IT tasks, it’s easy to focus on your procedures and not worry about the rest. But the longer you wait to update your policies, the more likely you are to forget those updates need to be made. Many financial institutions will do a cursory check of their policies once a year. This isn’t nearly enough. To keep your documentation up to regulatory standards, we recommend you do a policy review at least every quarter. Policy updates should be a standard part of the onboarding procedures for any new tool or operation for your institution. It’s simply the best way to keep up.

#4—Over-reliance on Your MSP to Set and Maintain Documentation

Here at Integris, we help our financial sector clients with their daily cybersecurity documentation and FFIEC Audit preparation. We’re always happy to help. However, if you don’t have a solid grasp of what your cyber security policies and procedures cover, that’s a problem. Your internal IT department should know what gets created and when and understand where policies lie in your libraries.

 

If you rely on your MSP to answer all your questions and provide all your documentation, you may miss a great deal of required documentation.

Don’t let regulators enter the gaping holes you’ve left behind. Drive the discussion on what needs to be written, when it will be updated, and where it is stored.

Are You Ready for Your Next FFIEC Audit?

 

 

If you’re facing your next FFIEC audit, you don’t have to face it alone. Integris has numerous services to help you prepare, including third-party vendor audits and preparatory reviews. We can even coordinate a referral for PEN testing. Our national staff of virtual chief information security officers (vCISOs) can be hired to help whether you are a current client, or not.

 

We’d love to help. For more information, contact us.

Eric Durbin works at Integris as a vCIO and Strategic Account Executive in our Integris Financial Institution Division (FID). He's helped dozens of banks with all aspects of their IT infrastructure management, from maximizing productivity, to setting up cybersecurity safeguards, to preparing for regulatory reviews, and more.

Keep reading

AI for Banks: What to Expect and How to Prepare

AI for Banks: What to Expect and How to Prepare

Financial Institutions, Take Note. AI Will Soon Transform Your Cybersecurity, Compliance, and Customer Service Recent statistics leave little doubt that AI has significant upside potential for community banks. Recent numbers from Accenture Consulting show that 68...