This document discusses information technology risks in banking, specifically related to internet banking. It outlines two models of internet banking - established banks providing online services and internet-only banks. While regulatory expectations are the same, internet-only banks face unique risks like high marketing costs and low margins. The document also discusses various types of IT risks including financial, operational, and compliance risks. It provides examples of risks from hacking, viruses, and unauthorized access and their potential impacts. Finally, it outlines different supervisory approaches to assessing IT risks.
A holistic approach to risk management 20210210 w acfe france & cyber rea...
Information technology risks
1. Federal Reserve
1
Supervision of IT Risks
Information Technology
Risks
Heidi Richards
Federal Reserve Board
2. Federal Reserve
2
Supervision of IT Risks
Overview
• Internet Banking: What’s Different?
• Information Technology Risks
– Financial
– Operational
– Compliance
• Supervisory Approaches
3. Federal Reserve
3
Supervision of IT Risks
Internet Banking Risks
• Two Distinct Models:
I. Established banks providing
services over the Internet
II. Internet banks
4. Federal Reserve
4
Supervision of IT Risks
Internet Banking
• Established banks
– Vast majority of Internet banking
activity
– Internet typically a small percentage of
total retail customers
– Corporate customers
– “Trade name” banks (Wingspan)
5. Federal Reserve
5
Supervision of IT Risks
Internet Banking Risks
• Internet-Only Banks in the United
States
– E*Trade Bank
– NetBank
– CompuBank
– First Internet Bank
• Less than 20 in United States
6. Federal Reserve
6
Supervision of IT Risks
Internet Banking Risks
• Internet-Only Banks
– Licensing regime is not different
– Reporting regime is not different
– Supervisory expectations are not
different
• Management expertise
• Business plan
• Capital
• Compliance
7. Federal Reserve
7
Supervision of IT Risks
Internet Banking Risks
• Internet-Only Banks
– Unique business model
• High marketing/advertising costs
• Slim interest margins
• Low fees
– Key risks are not operational
• Profitability has been elusive
8. Federal Reserve
8
Supervision of IT Risks
Supervisory Risks
– Credit Risk
– Market Risk
– Liquidity Risk
– Operational Risk
– Legal Risk
– Reputational Risk
9. Federal Reserve
9
Supervision of IT Risks
Technology Risks
• Financial
• Operational
• Compliance
10. Federal Reserve
10
Supervision of IT Risks
Different Classes of IT Risk
l Small banks
– Purchase tested technology or outsource
– Off the shelf from traditional vendors
l Large Banks
l Develop technology
– Partner with vendors
• Often not traditional financial vendors
• Controls over relationships
11. Federal Reserve
11
Supervision of IT Risks
Technology Risks: Financial
• Impact of technology investments on
earnings and capital
– Can investments create a direct drag on
earnings?
– Costs to move processing in-house
– Costs to resolve integration problems
– Investments in failed ventures or
unsuccessful product/services
12. Federal Reserve
12
Supervision of IT Risks
Technology Risks: Financial
• Impact of technology activities on
credit/market/liquidity risk
– Above market rates on Internet
deposits
– Rate-sensitive deposits
– Change in loan demographics
– Lending/investment methodology
– Rapid growth
13. Federal Reserve
13
Supervision of IT Risks Technology Risks:
Operational
• Security
• Availability
• Integrity
14. Rerouted transactions
Theft of Information Denial of Service
Slow Access to Web
Site
Federal Reserve
14
Supervision of IT Risks Internet Banking
Risks
Fraud
Hacking
Web-jacking
Spoofing
Viruses
Unauthorized Access
15. Federal Reserve
15
Supervision of IT Risks
Internet Security
A Secure
Computer
16. Federal Reserve
16
Supervision of IT Risks
Information-Only Site
No connectivity from Internet-site to the
internal network
17. Federal Reserve
17
Supervision of IT Risks Information Exchange Site
IEn-tmeranilet
Requires a path from the Internet-site to the
internal network
18. Federal Reserve
18
Supervision of IT Risks Information Exchange Site
OInn-ltienrenet
Applications
19. Federal Reserve
19
Supervision of IT Risks
Transactional Internet-Banking
site
20. Federal Reserve
20
Supervision of IT Risks
Hacking
Breaches of web sites or internal
systems, either to expose security
weaknesses cause damage, Hacking
in software or hardware,
or theft of information
or assets.
21. Federal Reserve
21
Supervision of IT Risks
Hacking --> Impact to Bank
• Examples
• Causes
• Damage to reputation
• Cost
• Down time
• Statistics
22. Federal Reserve
22
Supervision of IT Risks
Hacking --> Impact to Bank
• Examples
• Causes
• Damage to reputation
• Cost
• Down time
– Dependent on contract with vendor
– Dependent on when bank learns of hack
– Statistics
23. Federal Reserve
23
Supervision of IT Risks
Hacking --> Impact to Bank
Web site is defaced
Weak internal controls
Customer confidence
Integrity
Reputational
CAMELS deteriorates?
Event
Causes
Direct Effect
IT/Operational Risk
Business Risk
Regulatory Impact
24. z A program that can “infect” other programs by
modifying them to include a, possibly evolved,
copy of itself.
z Types of Viruses:
Federal Reserve
24
Supervision of IT Risks
Viruses
Viruses
z Worm: a virus that replicates itself from
machine to machine across
networks/Internet connections often
clogging networks and destroying data.
z Others - Rabbits, Trojan horses, & etc.
25. Federal Reserve
25
Supervision of IT Risks
Viruses --> Impact to Bank
• Examples
– LoveBug Virus
– Melissa Virus
• Damage to reputation
• Cost
• Down time
• Statistics
26. Viruses --> Impact to Bank
Federal Reserve
26
Supervision of IT Risks
• Examples
• Damage to reputation
– Bank can be innocent bystander
– Bank’s server can be used as “slave” or
“zombie”
• Cost
• Down time
• Statistics
27. Viruses --> Impact to Bank
Federal Reserve
27
Supervision of IT Risks
• Examples
• Damage to reputation
• Cost
– Clean-up
– Legal expense
• Down time
• Statistics
Melissa cost
between $93 million
and $385 million
LoveBug $5 to $10
billion
28. Viruses --> Impact to Bank
Federal Reserve
28
Supervision of IT Risks
• Examples
• Damage to reputation
• Cost
• Down time
– If not caught in time can require
re-formatting and re-installing all
applications and data
• Statistics
29. Federal Reserve
29
Supervision of IT Risks
Viruses --> Impact to Bank
Bank Site Used as “slave”
Weak internal controls
Legal liability
Security
Liquidity/Legal
CAMELS deteriorates?
Event
Causes
Direct Effect
IT/Operational Risk
Business Risk
Regulatory Impact
30. Unauthorized Access --> Impact to Bank
Federal Reserve
30
Supervision of IT Risks
Fraudulent transaction
Weak internal controls
Transaction loss
Security
Operational/ Reputational
CAMELS deteriorates?
Event
Causes
Direct Effect
IT/Operational Risk
Business Risk
Regulatory Impact
31. Federal Reserve
31
Supervision of IT Risks
IT Risks
• Major risks have been related to
systems integration
– Integrity of information
– Availability of systems to customers
• Examples:
– Wells Fargo/First Interstate merger
– Fleet/BankBoston merger
32. Federal Reserve
32
Supervision of IT Risks
Compliance Risks
• Consumer protection rules
– Unique to each country
– Often involve disclosure requirements
– Electronic environment may pose
challenges
– United States: ESign Act
33. Federal Reserve
33
Supervision of IT Risks
Supervisory Approaches
• IT Audit
• IT Examinations/Ratings
• Business Line/MIS Approach
• Operational Risk
34. Federal Reserve
34
Supervision of IT Risks
IT Audit Approach
• IT Auditors
– Input ==> Processing ==> Outputs
• IT auditors test transactions to
ensure input properly translated into
outputs
– System Development Life Cycle
35. Federal Reserve
35
Supervision of IT Risks
IT Examinations
• U.S. banking agencies historically
conducted separate IT examinations
– 2-3 year frequency
– Separate presentation of findings
• Federal Reserve recently eliminated
separate exams
– All examinations now to include risk-focused IT
component
– Integrated report
36. Federal Reserve
36
Supervision of IT Risks
Supervisory Approaches:
Traditional IT Review Methodology
• Audit Coverage
• Management
• Systems & Programming
• Quality Assurance
• Operations
• Information Security
• Contingency
• Telecommunications
• Outsourcing
37. Federal Reserve
37
Supervision of IT Risks
IT Rating System
• Used by all federal banking regulators in
United States for banks with material in-house
processing
• Based on COBIT IT Audit model
• 4 components and composite rated on 1 to
5 scale
38. Federal Reserve
38
Supervision of IT Risks
IT Rating System
• Audit
• Management
• Development & Acquisition
• Support & Delivery
39. Federal Reserve
39
Supervision of IT Risks
IT Rating: Audit
• Independence
• Adequacy of Risk Analysis
• Scope, Frequency, Accuracy, Timeliness of
Reports
• Audit participation in Application
Development, Acquisition and Testing
• Auditor Qualifications
40. Federal Reserve
40
Supervision of IT Risks
IT Rating: Management
• Director Oversight and Support
• Management Depth and Succession
• Adequate Strategic Planning
• Responsiveness to Changing Business
Conditions
• IT Plans, Policies, Procedures, and
Standards
• Performance Reporting, e.g. Operations,
MIS
41. Federal Reserve
41
Supervision of IT Risks
IT Rating: Development and
Acquisition
• Systems Development, Acquisition and
Change Management
• Identification and Implementation of IT
Solutions
• Project Management
• Testing
• Program change controls
42. Federal Reserve
42
Supervision of IT Risks
IT Rating: Support and Delivery
• Security Administration
• Formal Policy and Awareness Program
Communicated and Enforced Enterprise-wide
• Logical and Physical Security Closely
Monitored, With Incidents Communicated
and Resolved
• Continuity Planning
• Comprehensive DRP and BRP
• Provisions Current and Tested
• Pre-defined Recovery Time Frames
43. Federal Reserve
43
Supervision of IT Risks
IT Rating: Support and Delivery
• Operations Management
– Service Level Performance
– Adherence to Defined SLA’s
• Monitoring of Third Party Relationships
44. Federal Reserve
44
Supervision of IT Risks
Support and Delivery: Outsourcing
• Transfer of Direct Managerial
Responsibility
• Include Use of Affiliates
• Activities Include Information Technology,
Audit, Loan Review, EFT
• Reduced Costs
• Access to Expertise
45. Federal Reserve
45
Supervision of IT Risks
Outsourcing Arrangements
• Third-party Service Provider
• Affiliated Service Provider
• Facilities Management
• Turnkey Application
• Service Bureau
• Independent Data Center
46. Federal Reserve
46
Supervision of IT Risks
Outsourcing Vendors
• Core Bank Processing
– FiServ
– EDS
– Alltel
– Jack Henry & Associates
• Internet Banking
– S1
– Digital Insight
– Corillian
– Netzee
47. Federal Reserve
47
Supervision of IT Risks
Outsourcing Risk Management
• Risk Assessment
• Selection of Service Provider
• Contracts
• Controls
• Ongoing Monitoring
• Information Access
• Audit
48. Federal Reserve
48
Supervision of IT Risks
Outsourcing Risk Management
• Reliability of Service
• Third Party Vendor’s Access to
Confidential Information
• Adequacy of Vendor’s Audit Program
• Extent Vendor Uses Sub-contractors or
Other Third-parties to Perform Services
49. Federal Reserve
49
Supervision of IT Risks
Most Common IT Examination
Findings
• Inadequate/No IT Audit Program
• Poor Systems Integration Management
• No Testing of Disaster Recovery Plan
• Monitoring of Outsourced Vendor
• Inadequate Security (e.g. password
control)
50. Federal Reserve
50
Supervision of IT Risks
Most Common Internet Banking
Examination Findings
• Policies and Procedures not Updated
• No Board Approval, Strategic Plan, or
Impact Assessment of Internet Banking
• Internet Banking not included in
Contingency Plan
• No Monitoring of Outsourced Vendor
• No Audit Coverage of Internet Banking
51. Federal Reserve
51
Supervision of IT Risks
Supervisory Approaches
Separate IT examinations
– Increased specialist attention to
technology risks
– Risk: divergence of IT view from safety and
soundness view
– Safety and soundness examiners generally
do not understand IT
hIT examiners generally do not understand
business risks
52. Federal Reserve
52
Supervision of IT Risks
Supervisory Approaches
Point in time IT examination may be
increasingly less relevant
– Business strategic risk drives IT actions
– Need business knowledge to identify risk
– IT examiner often not equipped to
address
– Separate IT rating may not always be
incorporated in overall risk assessment
53. Federal Reserve
53
Supervision of IT Risks
Supervisory Approaches
New IT models are very different
– Centralized “standards” with local
business ownership of IT resources
– Decentralized business ownership with
some centralized support services
– Business ownership with outsourced
infrastructure
– Internet Banking requires integrated
approach
54. Federal Reserve
54
Supervision of IT Risks
Supervisory Approaches:
Business Line Approach
IT business model has changed
– IT rarely centralized in large
organizations
– Business owns IT
– Who does the IT examiner talk to?
– How does supervisor judge IT risks in
businesses without assessing the
business?
55. Federal Reserve
55
Supervision of IT Risks
Business Line Approach
• Identify key business lines that rely
heavily on automated systems
• Review integrity of MIS, including risk
management, in conjunction with business
line review
• Availability of systems that support real-time
functions
56. Federal Reserve
56
Supervision of IT Risks
Supervisory Approaches:
Operational Risk
• What is Operational Risk?
– Early definition – “Everything other than
market and credit risk”
– Direct or indirect losses
– Loss events may be traced back to weaknesses
in processes or people
• Information Technology is one component
• Industry sound practices beginning to
emerge
57. Federal Reserve
57
Supervision of IT Risks
Operational Risk
• Rapid Change and Consolidation
• Enterprise-Wide Risk Management
• Realization that Operational Risk is on par
with Traditional Banking Risks
• Basel Committee Study on Capital
Requirements
58. Federal Reserve
58
Supervision of IT Risks
Operational Risk: Examples
• Settlement snafus
• Back-office mistakes
• Audit oversights
• Risk control lapses
• Other failures associated with the daily
running of different business lines
59. Federal Reserve
59
Supervision of IT Risks
Questions for Supervisors
l How do IT risks impact the
organization’s key business functions?
l What specific IT issues need special
attention at this institution because of
the risks they pose?
60. Federal Reserve
60
Supervision of IT Risks
Questions for Supervisors
l How has/is the institution handling
change in its IT activities and
operations?
l New activities: Internet banking
l Which (if any) merit supervisory review?
l Has the bank implemented IT audit and
controls appropriate for its level of
complexity?
61. Federal Reserve
61
Supervision of IT Risks
Questions for Supervisors
l Are you comfortable with core aspects
of the institution’s operations:
l Reliability of service provider
l Reliability of risk management and reporting
systems
l Security of data
l Integrity of systems through mergers, etc.
62. Federal Reserve
62
Supervision of IT Risks
Information Resources
• US Banking Agencies web sites
• Consulting firms
• Industry IT audit associations
– ITaudit.org
– ISACA