The FDIC InTREx Security Procedures: The Impact on Banks’ Digital Strategy – CLA (CliftonLarsonAllen)
Technology use in banking continues to change, and cybersecurity risks change with it. To address these changes, the FDIC updated the Information Technology Risk Examination (InTREx) procedures.
Updates include the requirement for banks to notify the FDIC within 36 hours of any computer security incident. InTREx also evaluates whether banks notify law enforcement and customers in these cases. It also applies to third-party organizations serving banks.
These rules are bound to impact banks’ digital strategy. Let’s uncover how.
In most cases, community banks adding digital tools will use vendors, so it’s important to understand these rules. Digital growth is generally achieved by adding to the tech stack, including software platforms, to meet strategic goals and enhance customer experience.
With the recent digital disruption and transformation within financial services, banks have relied more on external partners to stay relevant and enhance offerings. The InTREx exam procedures can help protect banks and their customers by helping banks gain a deeper understanding of their vendors. As important and private data is shared among a variety of platforms, knowing where the data is, what controls protect it, who has access to it, and when a failure occurs is paramount in keeping customers’ trust.
Review existing vendors with this updated guidance as part of your vendor review process, especially for critical or high-risk vendors. Make sure you update contact information, get current due diligence packets, and understand any new technology partners they’ve engaged with since the last review, as sometimes these would be considered fourth-party vendors.
Even if you rely more heavily on vendors, the risk responsibility does not fall entirely on them. Banks bear the responsibility to make sure they fully understand the risks of each relationship. Contractually, there may be language to help the bank financially in case of a vendor breach.
It’s critical to understand the information each vendor has and make sure you get status reports, remain in touch, and conduct timely reviews. Don’t focus on responsibility from a financial perspective alone — make sure you account for reputational risk to the institution, as well.
As chief information security officers would advise, all data should be secured consistently and at the highest level based on its defined classification and from your approved program. Since the breadth and depth of data available today has grown exponentially, banks need to step back and assess what that really means to them and their vendors. Banks should make sure they have clear definitions of all their data, understand its importance, the places it resides, who has access, and how it is used across the institution.
Once a bank understands its data, it’s important to make sure the data is segregated with good controls around access. Most banks have this reviewed in their annual information technology/cybersecurity examination, but since the data may not entirely reside within the bank’s walls, the same diligence needs to be applied to vendors hosting this information. If you are consistent with your controls — regardless of where your data is hosted — you should be in a good position.
Governance around a data warehouse or data analytics system is a hot topic. Banks shouldn’t need to stress much when looking at the purpose of a data warehouse or analytics system. Those systems are designed to help you with existing data — they are not necessarily generating new data from the bank or from customers.
This doesn’t mean that you can simply connect all your data sources to your new warehouse or analytics system and be set. When looking at these options, you’ll need to extend your annual security review to these platforms. You should learn:
Since you are aggregating the data, you may not need the same access as before from the source systems, as it should be used in the new platform. Restricting access might make sense for data integrity.
Another key element is verifying the data in the new platform before going into production. Since you are combining, mapping, cleansing, and normalizing data when standing up your warehouse/analytics platform, you should spend time verifying the output (dashboards, reports, etc.) is valid.
Since banks hold such valuable data — not to mention money — data security and following all the InTREx procedures are essential. And with more data than ever to help understand performance, customer experience, and drive overall strategy, taking the time in the plan and build stages can provide scalable and long-term benefits.
CLA provides many services tailored for banks including exam readiness assessments, digital strategy, cybersecurity consulting and advisory, and cybersecurity auditing. Contact us to see how we can help you better protect your data.
This article was originally published on BankDirector.com.
This article was autogenerated from a news feed from CDO TIMES selected high quality news and research sources. There was no editorial review conducted beyond that by CDO TIMES staff.