The FFIEC’s recent release of its Business Continuity Management handbook sets critical new paradigms for FS examiners, signaling a shift to operational resilience.
Guidance from the Federal Financial Institutions Examination Council (FFIEC) makes it clear that, in the financial services industry, recovering IT systems quickly after an outage is no longer good enough.
Bank regulators are expanding the old business continuity planning and disaster recovery (BCP/DR) model to encompass all aspects of resilience (i.e., operational and cyber), effectively setting a new bar for regulated entities.
The FFIEC addresses these concerns and sets parameters for regulatory examiners of financial institutions and their third-party service providers.
Issued in November 2019, the FFIEC’s Business Continuity Management booklet represents the council’s first significant update in more than four years. It expands its focus to business continuity management, not just business continuity planning. In doing so, it echoes some of the key tenets of the 2018 Bank of England’s (BoE) influential discussion paper, Building the UK financial sector’s operational resilience (PDF, 868 KB).
The update formalizes a definition of resilience found in the National Institute of Standards and Technology (NIST) glossary: “The ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions. Resilience includes the ability to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents.”
It also enjoins examiners to home in on FS enterprises’ and service providers’ ability to keep their most important business functions operating and available to customers and other stakeholders. And it wants to see FS entities working to minimize any ripple effects an outage might have on others in their business ecosystem and on the overall financial system.
While the BoE’s paper introduced bold new concepts, the 2019 FFIEC update appears to aim for a more nuanced pivot from BCP/DR to operational resilience.
Here are the shifts in a nutshell:
The 2015 FFIEC document spoke of systems recovery, whereas the new booklet emphasizes the continuity of operations throughout the overall entity: technology, operations, testing and communication, focusing on the "continued maintenance of systems and controls for the resilience of operations."
The new document provides a clear, repeatable process for identifying critical business functions and analyzing their interdependencies internally and externally (also known as “mapping”). It also says that entities should understand how a disruption of these functions could affect markets and the entity’s larger community.
The FFIEC booklet directs entities to determine how much disruption they can tolerate—including data loss as well as downtime. It also clarifies how entities should establish their targets for post-cyber-event systems recovery and data restoration, advising organizations to be realistic: “Establishing realistic RTOs (recovery time objectives) assists management in determining a critical path and hierarchy for recovery. For example, a process with a shorter RTO that is dependent upon a process with a longer RTO may indicate a gap that should be analyzed further,” the document states. The concept appears similar to the BoE discussion paper’s “impact tolerances.”
Conducting tabletop exercises is no longer enough: the FFIEC guidance instructs examiners to also look for integrated tests of technology and business functions using multiple, complex and threat-intelligence-driven scenarios with event simulations.
While yearly testing of BCP/DR plans has long been the norm, the 2019 FFIEC booklet affords a multi-year testing schedule where appropriate—a change enabled in part by more robust testing. While high-priority business functions might still need annual testing, those deemed less critical could be tested every two or three years, for example. This change recognizes the burden that undifferentiated yearly testing can place on financial institutions, and lets them use periodic tests to build maturity over time.
Again, this change is subtle, but the language of the FFIEC document now encompasses non-financial organizations such as cloud service providers, establishing that, if they provide services to financial institutions, they must follow the same rules.
The new booklet expands the role of the business impact analysis (BIA) from merely identifying risk to also maintaining business continuity through continuous systems monitoring, which helps ensure that changes in business operations are always accounted for. It also calls for continually improving resilience processes by using metrics to analyze the effects of every disruption and to determine whether recovery objectives are reasonable.
The new guidance is clear on the duties and functions of management and the board of directors. “The board and senior management should set the ‘tone at the top’ and consider the entity’s entire operations, including functions performed by affiliates and third-party service providers, when managing business continuity,” the document advises.
Resilience is taking precedence among FS regulators not only in the US but worldwide. One reason is the escalation of cyberattacks on the FS industry, including nation-state sponsored incidents. Financial institutions globally experienced six nation-state attacks in 2018 alone, up from two in each of 2016 and 2017.
On the heels of its influential 2018 discussion paper, the BoE’s decision to stress test UK banks’ operational resilience this fall prefigured the FFIEC changes. (The BoE published the results of those tests in December 2019.)
But regulators have already been issuing resilience-focused Matters Requiring Attention (MRA) letters directly to financial institutions—even before the FFIEC published its update.
The writing is on the proverbial wall, and every financial entity and service provider would do well to pay attention. Those who embark now on the road to resilience will enjoy many advantages over those forced to contend with an MRA.
Remediating an MRA triggers a costly and stressful process of developing plans and implementing them on a tight schedule. Those so penalized must also satisfy regulators that they can maintain their resilience posture over the longer term, beyond remediation.
In the meantime, savvier organizations worldwide (those who scored high on resilience measures, so-called “high-RQ”) have already been revamping their BCP/DR programs with resilience in mind, according to PwC’s Digital Trust Insights study.
Being proactive on resilience means being able to manage the scope, costs and timing involved in building an organization's operational resilience.