Have There Been Any Official Board Reporting Updates to the FFIEC InfoSec Handbook since 2016?

Vlog: Are Bank Regulators Considered Vendors?

In this special vlog installment of Ask the Guru, Tom Hinkel answers a question asked by an OCC bank examiner, “Are regulators considered vendors for banks?” Watch the video below to hear Tom’s...

UPDATE – New Proposed Cyber Incident Notification Rules Finalized

Currently, financial institutions are required to report a cyber event to their primary federal regulator under very specific circumstances. This requirement dates back to GLBA, Appendix B to Part...

FFIEC Replaces, and Expands, the Operations Handbook

Back in June of this year the FFIEC released an update to the 2004 Operations Handbook called Architecture, Infrastructure, and Operations (AIO). As the lengthier name implies, this was not simply...

New FFIEC Guidance for Access and Authentication

In response to an expanded cybersecurity threat landscape, the FFIEC just issued an update to agency expectations for access and authentication to financial institution products and systems. This...

New Proposed Cyber Incident Notification Rules

A new rule approved by the OCC, Federal Reserve, and FDIC requires financial institutions to report a cyber event to their primary federal regulator and customers under very specific circumstances.

Hot Topic: Ransomware on the Radar (Updated)

Both the State banking regulators and the Treasury Department have issued recent advisories to financial institutions regarding the ransomware threat. Ransomware is defined as a form of malicious...

Compliance Quick Bites – Tests vs. Exercises, and the Resiliency Factor

One of several changes implemented in the 2019 FFIEC BCM Examination Handbook is a subtle but important differentiation between a BCMP “test” and an “exercise”. I discussed some of the more...

Can We Apply Similar Controls to Satisfy Both GLBA and GDPR?

Hey Guru! Are the Gramm–Leach–Bliley Act (GLBA) and the General Data Protection Regulation (GDPR) similar enough to apply the same or equivalent set of layered controls? My understanding is that...

Reading Between the Lines: The Interagency Examiner Guidance for Assessing Safety and Soundness During COVID-19

On June 23, 2020, the FDIC posted “The Interagency Examiner Guidance for Assessing Safety and Soundness Considering the Effect of the COVID-19 Pandemic on Institutions.” FIL-64-2020 This statement...

Reading Between the Lines: Recent Regulatory News

Federal Reserve Statement on Supervisory Activities Where did it come from, and where can I find it? The Federal Reserve Who needs to know about it?

Are You Required to Address Your COVID-19 Readiness with Your Customers?

Hey Guru! Are we required to post any kind of statement to the public or our customers as to our readiness for the COVID-19? If so, can you direct me to the kinds of things we need to say? We are...

FFIEC Issues Statement on Pandemic Planning

Background Similar to the Joint Statement on Destructive Malware issued in January in response to heightened geopolitical cyber risks from foreign actors, the FFIEC just released an Interagency...

FFIEC Rewrites Business Continuity Guidance

The all new IT Examination Handbook is more than an update, it’s a complete re-write, and represents a significant change in how the business continuity process is managed. It also has several new...

Using Risk Scoring to Determine the Frequency of IT Audits

Hey Guru! In my last IT examination, one of the findings was that the scope and cycle of our IT audits should be more closely tied to risk. We have IT audits every 12 months, what else should we...

FFIEC Issues Press Release on Cybersecurity Preparedness Assessments (and Muddies the Waters)

A Standardized Approach On August 28th, the FFIEC issued a press release entitled “FFIEC Encourages Standardized Approach to Assessing Cybersecurity Preparedness”. The release “…emphasized the...

Pandemic Testing and the BCP

Hey Guru! We finished a FDIC exam earlier this year, and in the IT portion they hit us on our pandemic plan saying it “needed improvement.” Here is the actual finding: Management should improve...

Ask the Guru: Is it Legal to Share Exam Findings?

Hey Guru! We contracted with Safe Systems to help remediate exam findings, but we were told by the examiner that we are not allowed to share examination findings “under penalty of law”. How do we...

Ask the Guru: Addressing BCP and Incident Response in Vendor Contracts

Hey Guru! I’m looking at an FIL that came out recently (FIL-19-2019), and trying to figure out how to react to it. In your opinion, how do we “ensure that business continuity and incident response...