Posted by: David Schneier
Audit, FDIC, FFIEC, fraud, GLBA, NCUA, phishing, Regulatory Compliance
My practice has been busy lately helping a number of clients catch up on required tasks before their scheduled exams (it’s a case of the old “if it wasn’t for the last minute nothing would ever happen” philosophy). And in authoring some of our reports we’re identifying issues and gaps that are in some cases minor but in others are big enough to drive a car through. This is nothing new.
What is new is the ambivalence we’re experiencing from management. It seems that a little-known byproduct of our currently sad economic state is that keeping the doors open is the only goal that really matters. Management is not particularly concerned with much else, or so it would seem. Not that this by itself is a new phenomenon either, but there’s almost a reckless undertone emerging.
We’ve encountered some glaring issues recently that underscore a fundamental problem that I’ve struggled with for a long time: The FDIC and NCUA examiners just don’t pay enough attention to IT-based risks. In some instances they touch on high-level issues and in rare instances can get a bit more granular, but we’ve collected empirical evidence that an in-depth review hasn’t been conducted for the vast majority of institutions that we’ve worked with.
Forget about industry best practices and forget about the fact that financial institutions are required by law to implement and maintain certain basic safeguards. We live in an age where identity theft and credit card fraud are rampant. Every day we are presented with more stories, more guidance and more information about how the criminal element is finding newer and more insidious ways to get at our money and credit. My senior-citizen mother and my grade-school-aged children are all aware of the term phishing, have all been coached as to which email is safe to open versus which isn’t, and know not to share personal information. If I can convince them of the threats out there in the great digital void, you have to think it’s fairly obvious, right?
So why is it that the examiners aren’t paying more attention to the IT infrastructure? I had a chance to ask someone from the NCUA office that very question a few months back, and while I didn’t like his answer, it made sense, particularly considering the more pressing issues banks and credit unions are currently dealing with. It comes down to resource availability. Only so many hours are allocated to an exam, based on the institution’s size. And so for the smaller institutions, the examiners prioritize the work based on risk. Can anyone argue that scrutinizing the books is less important than auditing the IT infrastructure?
Even so, some of the institutions we’ve worked with and which I’ve personally reviewed have had issues for what has to be several years. How is it possible that in the past five years not one examiner has ever noticed the absence of a business continuity plan? Or any form of security around the firewall (and an unusually permissive firewall at that)? Or the lack of strong (or even reasonable) password controls?
Something has to give. When you combine the lack of proper examiner supervision with a less-than-concerned management mindset, the potential for serious issues becomes much greater (and more likely). Somehow the various entities that are responsible for providing oversight for those places we trust with our money need to figure out a way to provide reasonable assurances that at least the bare minimums are being met when it comes to IT controls. With all the money being spent to keep the banking industry afloat, can’t someone figure out a way to slice off a little bit in order to hire enough IT people to conduct the necessary examinations? Congressman? Senator? Mr. President? Anyone?