On June 30, 2016, exactly one year after the FFIEC’s release of the Cybersecurity Assessment Tool (CAT), the FDIC published a financial institution letter about its updated Information Technology Risk Examination (InTREx) Program.
The letter provides an overall summary of the new InTREx Program’s goals, which are similar to those of the CAT. While it’s encouraging to see the FDIC investing in its IT exam procedures, one potential issue is that the benefits of following a single approach may be lost when regulatory agencies decide to implement their own security frameworks and related test focus areas. Going forward, the exam process will be more risk-based, with initial questionnaires used to guide unique exam approaches instead of a one-size-fits-all approach. This should help address the ongoing frustration experienced by smaller banks that hear the same recommendations large banks hear, but don’t have the same resources the large banks have to implement those changes.
This new IT Profile, which is limited to 26 questions regarding the bank’s core, network, online banking, internal customer development, technology support as a service offering, and other security environment items, replaces the previous IT Officer’s Questionnaire. Examiners intend to deliver these 90 days prior to scheduled exams, allowing the bank time to respond and the FDIC time to customize a request list for the risk-based exam.
Depending on the level of customization applied to these risk-based exams, the FDIC will be focusing the IT review on the areas of audit, management, development and acquisition, and support and delivery. Key tests related to GLBA and the CAT are also included within this exam process, with potential expanded analysis sections added for management and support and delivery testing if certain conditions are met. We expect FDIC exams will be more consistent in the future, with these specific test procedures defined, which should allow banks to prepare for expected questions and requests far in advance.
The details of the Information Technology Profile and exam analysis procedures are attached in the financial institution letter, which allows banks the opportunity to gather documentation even prior to receiving request lists in an effort to maintain a smooth examination process and avoid regulatory recommendations. We also recommend discussing any questions within the exam process with existing IT auditors to ensure management concerns with upcoming exam focuses are addressed within IT audit planning discussions and onsite reviews.
For FDIC regulated banks, this signifies a clear step away from the CAT focus by adding transparency around the specific examination procedures to be followed in the upcoming year. For non-FDIC regulated banks, this also may trigger other agencies to communicate risk-based exam details to address requests for insight into a consistent approach. Other agencies may adopt a similar approach or publish their own focus areas to promote their specific interpretation of cybersecurity priorities.