Beruflich Dokumente
Kultur Dokumente
Federal Reserve
Supervision of IT Risks
Overview
Internet Banking: Whats Different? Information Technology Risks
Financial Operational Compliance
Supervisory Approaches
Federal Reserve
Supervision of IT Risks
Supervision of IT Risks
Internet Banking
Established banks
Vast majority of Internet banking activity Internet typically a small percentage of total retail customers Corporate customers Trade name banks (Wingspan)
Federal Reserve
Supervision of IT Risks
Supervision of IT Risks
Federal Reserve
Supervision of IT Risks
Federal Reserve
Supervision of IT Risks
Supervisory Risks
Credit Risk Market Risk Liquidity Risk Operational Risk Legal Risk Reputational Risk
Federal Reserve
Supervision of IT Risks
Technology Risks
Financial Operational Compliance
Federal Reserve
Supervision of IT Risks
Small banks
Purchase tested technology or outsource Off the shelf from traditional vendors
Large Banks
Develop technology Partner with vendors
l
10
Supervision of IT Risks
11
Supervision of IT Risks
12
Supervision of IT Risks
Federal Reserve
13
Supervision of IT Risks
Federal Reserve
14
Supervision of IT Risks
Internet Security
A Secure Computer
Federal Reserve
15
Supervision of IT Risks
Information-Only Site
16
Supervision of IT Risks
17
Supervision of IT Risks
Federal Reserve
18
Supervision of IT Risks
Federal Reserve
19
Hacking
Supervision of IT Risks
Breaches of web sites or internal systems, either to expose security weaknesses in software or hardware, cause damage, or theft of information or assets.
Hacking
Federal Reserve
20
Supervision of IT Risks
21
Supervision of IT Risks
Federal Reserve
22
Supervision of IT Risks
Hacking
Event Causes
23
Viruses
Supervision of IT Risks
z A program that can infect other programs by modifying them to include a, possibly evolved, copy of itself. z Types of Viruses:
Viruses
z Worm: a virus that replicates itself from machine to machine across networks/Internet connections often clogging networks and destroying data. z Others - Rabbits, Trojan horses, & etc.
Federal Reserve
24
Supervision of IT Risks
25
Viruses
Supervision of IT Risks
26
Viruses
Supervision of IT Risks
27
Viruses
Supervision of IT Risks
Statistics
Federal Reserve
28
Supervision of IT Risks
Viruses
Event Causes
29
Supervision of IT Risks
CAMELS deteriorates?
Federal Reserve
30
Supervision of IT Risks
IT Risks
Major risks have been related to systems integration
Integrity of information Availability of systems to customers
Examples:
Wells Fargo/First Interstate merger Fleet/BankBoston merger
Federal Reserve
31
Supervision of IT Risks
Compliance Risks
Consumer protection rules
Unique to each country Often involve disclosure requirements Electronic environment may pose challenges United States: ESign Act
Federal Reserve
32
Supervision of IT Risks
Supervisory Approaches
IT Audit IT Examinations/Ratings Business Line/MIS Approach Operational Risk
Federal Reserve
33
Supervision of IT Risks
IT Audit Approach
IT Auditors
Input ==> Processing ==> Outputs
34
Supervision of IT Risks
IT Examinations
U.S. banking agencies historically conducted separate IT examinations
2-3 year frequency Separate presentation of findings
35
Supervision of IT Risks
Federal Reserve
36
Supervision of IT Risks
IT Rating System
Used by all federal banking regulators in United States for banks with material inhouse processing Based on COBIT IT Audit model 4 components and composite rated on 1 to 5 scale
Federal Reserve
37
IT Rating System
Audit Management Development & Acquisition Support & Delivery
Supervision of IT Risks
Federal Reserve
38
Supervision of IT Risks
IT Rating: Audit
Independence Adequacy of Risk Analysis Scope, Frequency, Accuracy, Timeliness of Reports Audit participation in Application Development, Acquisition and Testing Auditor Qualifications
Federal Reserve
39
Supervision of IT Risks
IT Rating: Management
Director Oversight and Support Management Depth and Succession Adequate Strategic Planning Responsiveness to Changing Business Conditions IT Plans, Policies, Procedures, and Standards Performance Reporting, e.g. Operations, MIS
Federal Reserve
40
Supervision of IT Risks
Systems Development, Acquisition and Change Management Identification and Implementation of IT Solutions Project Management Testing Program change controls
Federal Reserve
41
Supervision of IT Risks
Continuity Planning
Comprehensive DRP and BRP Provisions Current and Tested Pre-defined Recovery Time Frames
Federal Reserve
42
Supervision of IT Risks
Federal Reserve
43
Supervision of IT Risks
Federal Reserve
44
Supervision of IT Risks
Outsourcing Arrangements
Third-party Service Provider Affiliated Service Provider Facilities Management Turnkey Application Service Bureau Independent Data Center
Federal Reserve
45
Supervision of IT Risks
Outsourcing Vendors
Core Bank Processing
FiServ EDS Alltel Jack Henry & Associates Internet Banking S1 Digital Insight Corillian Netzee
Federal Reserve
46
Supervision of IT Risks
Federal Reserve
47
Supervision of IT Risks
Federal Reserve
48
Supervision of IT Risks
Federal Reserve
49
Supervision of IT Risks
Federal Reserve
50
Supervision of IT Risks
Supervisory Approaches
Separate IT examinations
Increased specialist attention to technology risks Risk: divergence of IT view from safety and soundness view
Safety and soundness examiners generally do not understand IT hIT examiners generally do not understand business risks
Federal Reserve
51
Supervision of IT Risks
Supervisory Approaches
Point in time IT examination may be increasingly less relevant
Business strategic risk drives IT actions Need business knowledge to identify risk IT examiner often not equipped to address Separate IT rating may not always be incorporated in overall risk assessment
Federal Reserve
52
Supervision of IT Risks
Supervisory Approaches
New IT models are very different
Centralized standards with local business ownership of IT resources Decentralized business ownership with some centralized support services Business ownership with outsourced infrastructure Internet Banking requires integrated approach
Federal Reserve
53
Supervision of IT Risks
54
Supervision of IT Risks
Federal Reserve
55
Supervision of IT Risks
Early definition Everything other than market and credit risk Direct or indirect losses Loss events may be traced back to weaknesses in processes or people
56
Supervision of IT Risks
Operational Risk
Rapid Change and Consolidation Enterprise-Wide Risk Management Realization that Operational Risk is on par with Traditional Banking Risks Basel Committee Study on Capital Requirements
Federal Reserve
57
Supervision of IT Risks
Federal Reserve
58
Supervision of IT Risks
How do IT risks impact the organizations key business functions? What specific IT issues need special attention at this institution because of the risks they pose?
Federal Reserve
59
Supervision of IT Risks
How has/is the institution handling change in its IT activities and operations?
l l
New activities: Internet banking Which (if any) merit supervisory review?
Has the bank implemented IT audit and controls appropriate for its level of complexity?
Federal Reserve
60
Supervision of IT Risks
Reliability of service provider Reliability of risk management and reporting systems Security of data Integrity of systems through mergers, etc.
Federal Reserve
l l
61
Supervision of IT Risks
Information Resources
US Banking Agencies web sites Consulting firms Industry IT audit associations
ITaudit.org ISACA
Federal Reserve
62
Supervision of IT Risks
Questions?
Federal Reserve
63