John Moeller
Principal
The New FDIC InTREx Security Procedures: The Impact on Banks’ Digital Strategy
Here’s how banks can update their due diligence in compliance with the new exam.
Brought to you by CliftonLarsonAllen LLP
Tim Dively
Digital Growth Director – Financial Services Group
Close
About the authors
Written by
John Moeller
Principal
John Moeller is a principal for CliftonLarsonAllen LLP. His areas of specialization includes cyber security threats, risk and mitigating controls, and development of strategic technology plans for financial institutions.
Close
About the authors
Written by
Tim Dively
Digital Growth Director – Financial Services Group
Tim Dively is the national digital growth director at CliftonLarsonAllen LLP. He couples his traditional banking experience from the C-Suite with his passion for leveraging data and digital to help his clients and the industry evolve and develop best strategies in the transformed financial services environment and ecosystem.
Prior to joining CliftonLarsonAllen LLP, Mr. Dively was the senior vice president, chief technology and operating officer for a mid-sized community bank in Wisconsin.
Mr. Dively works directly with his clients in performing current state assessments for operations, IT, data, change management, cybersecurity, strategy and digital planning. These assessments help each of his clients recognize their strengths and opportunities while identifying where they might be able to leverage new digital tools such as AI, automation, fintech integration, third party vendors, CX and operational process improvements/efficiencies to meet bank performance goals and improve CX across all channels.
The use of technology continues to change in banking, and with it changes in cybersecurity risks. To address these changes, the FDIC updated the Information Technology Risk Examination (InTREx) procedures.
Updates include the requirement for banks to notify the FDIC within 36 hours of any computer security incident. InTREx also evaluates whether banks notify law enforcement and customers in these cases. It also applies to third-party organizations serving banks.
These rules are bound to impact banks’ digital strategy. Here are some questions to ask bank security staff to make sure they’re in compliance with the updates.
In most cases, community banks adding digital tools will use vendors, so it’s important to understand these rules. The InTREx exam procedures can help protect banks and their customers by gaining a deeper understanding of their vendors. It’s paramount in keeping customer trust to know where their data is, what controls protect it, who has access to it, and what happens when a failure occurs.
With this updated guidance, is your bank reviewing existing vendors as part of your vendor review process, especially for critical or high-risk vendors? Make sure they’re updating contact information, getting current due diligence packets, and understanding any new technology partners they’ve engaged with since the last review, as sometimes these would be considered fourth-party vendors.
Even if your bank relies more heavily on vendors, the risk responsibility does not fall entirely on them. Banks bear the responsibility to make sure they fully understand the risks of each relationship. Contractually, there may be language to help the bank financially in case of a vendor breach.
It’s critical to understand the information each vendor has and make sure your bank gets status reports, remains in touch and conducts timely reviews. Don’t focus on responsibility from a financial perspective alone — make sure your bank accounts for reputational risk to the institution, as well.
How Should Banks Better Secure Their Data?
As chief information security officers would advise, all data should be secured consistently and at the highest level based on its defined classification and from your approved program. Since the breadth and depth of data available today has grown exponentially, banks need to step back and assess what that really means to them and their vendors. Banks should make sure they have clear definitions of all their data, understand its importance, the places it resides, who has access, and how it is used across the institution.
Once a bank understands its data, it’s important to make sure the data is segregated with good controls around access. Most banks have this reviewed in their annual information technology/cybersecurity examination, but since the data may not entirely reside within the bank’s walls, the same diligence needs to be applied to vendors hosting this information. If you are consistent with your controls — regardless of where your data is hosted — you should be in a good position.
Should Banks Consider Controls Beyond a Data Warehouse or Analytics System?
Governance around a data warehouse or data analytics system is a hot topic. When looking at these options, you’ll need to extend your annual security review to these platforms. Security staff should learn:
- Where the data is housed in the new tool (on-premises or hosted)
- How it gets uploaded (including all the stops along the way)
- How it’s segmented on the new host
- What permissions are retained or replaced
- How the data is accessed in the new system
- How the source data is now accessed
Since you are aggregating the data, your bank may not need the same access as before from the source systems, as it should be used in the new platform. Restricting access might make sense for data integrity.
Another key element is verifying the data in the new platform before going into production. Since your bank is combining, mapping, cleansing and normalizing data when standing up its warehouse/analytics platform, your bank staff should spend time verifying the output (dashboards, reports, etc.) is valid.
Since banks hold such valuable data — not to mention money — data security and the InTREx procedures are essential. And with more data than ever to help understand performance, customer experience, and drive overall strategy, taking the time in the plan and build stages can provide scalable and long-term benefits.
The information contained herein is general in nature and is not intended, and should not be construed, as legal, accounting, investment, or tax advice or opinion provided by CliftonLarsonAllen LLP (CLA) to the reader.
CLA exists to create opportunities for our clients, our people, and our communities through our industry-focused wealth advisory, digital, audit, tax, consulting, and outsourcing services. CLA (CliftonLarsonAllen LLP) is an independent network member of CLA Global. See CLAglobal.com/disclaimer. Investment advisory services are offered through CliftonLarsonAllen Wealth Advisors, LLC, an SEC-registered investment advisor.