The FDIC InTREx Security Procedures: The Impact on Banks’ Digital Strategy

  • Preventing Cybercrime
  • 11/3/2023

Key insights

  • Banks are required to notify the FDIC within 36 hours of any computer security incident and the rule also applies to third-party organizations serving banks.
  • Once a bank understands its data, it’s important to make sure the data is segregated with good controls around access.
  • Even if you rely more heavily on vendors, the risk responsibility does not fall entirely on them. Banks bear the responsibility to make sure they fully understand the risks of each relationship.

The use of technology in banking continues to change, and with it the cybersecurity risks. To address these changes, the FDIC updated its Information Technology Risk Examination (InTREx) procedures.

Updates include the requirement for banks to notify the FDIC within 36 hours of any computer security incident. InTREx also evaluates whether banks notify law enforcement and customers in these cases. It also applies to third-party organizations serving banks.

These rules are bound to impact banks’ digital strategy. Let’s uncover how.

How should banks consider the InTREx rules when advancing digital strategy?

In most cases, community banks adding digital tools will do so through vendors, so it’s important to understand these rules. Digital growth is generally achieved by expanding the tech stack, including software platforms that meet strategic goals and enhance customer experience.

With the recent digital disruption and transformation within financial services, banks have relied more on external partners to stay relevant and enhance offerings. The InTREx exam procedures can help protect banks and their customers by gaining a deeper understanding of their vendors. As important and private data is shared among a variety of platforms, knowing where the data is, what controls protect it, who has access to it, and when a failure occurs is paramount in keeping customers’ trust.

How do the InTREx rules affect vendor relationships?

Review existing vendors with this updated guidance as part of your vendor review process, especially for critical or high-risk vendors. Make sure you update contact information, get current due diligence packets, and understand any new technology partners they’ve engaged with since the last review, as sometimes these would be considered fourth-party vendors.

Even if you rely more heavily on vendors, the risk responsibility does not fall entirely on them. Banks bear the responsibility to make sure they fully understand the risks of each relationship. Contractually, there may be language to help the bank financially in case of a vendor breach.

It’s critical to understand the information each vendor has and make sure you get status reports, remain in touch, and conduct timely reviews. Don’t focus on responsibility from a financial perspective alone — make sure you account for reputational risk to the institution, as well.

How should banks better secure their data?

As chief information security officers would advise, all data should be secured consistently, at the highest level appropriate to its defined classification, under the bank’s approved program. Since the breadth and depth of data available today has grown exponentially, banks need to step back and assess what that really means to them and their vendors. Banks should make sure they have clear definitions of all their data and understand its importance, where it resides, who has access to it, and how it is used across the institution.

Once a bank understands its data, it’s important to make sure the data is segregated with good controls around access. Most banks have this reviewed in their annual information technology/cybersecurity examination, but since the data may not entirely reside within the bank’s walls, the same diligence needs to be applied to vendors hosting this information. If you are consistent with your controls — regardless of where your data is hosted — you should be in a good position.

Should banks consider controls beyond a data warehouse or analytics system?

Governance around a data warehouse or data analytics system is a hot topic. Banks shouldn’t need to stress much when looking at the purpose of a data warehouse or analytics system. Those systems are designed to help you with existing data — they are not necessarily generating new data from the bank or from customers.

This doesn’t mean that you can simply connect all your data sources to your new warehouse or analytics system and be set. When looking at these options, you’ll need to extend your annual security review to these platforms. You should learn:

  • Where the data is housed in the new tool (on-premises or hosted)
  • How it gets uploaded (including all the stops along the way)
  • How it’s segmented on the new host
  • What permissions are retained or replaced
  • How the data is accessed in the new system, and
  • How the source data is now accessed

Since you are aggregating the data, you may no longer need the same level of access to the source systems, as the data should now be used in the new platform. Restricting that access might make sense for data integrity.

Another key element is verifying the data in the new platform before going into production. Since you are combining, mapping, cleansing, and normalizing data when standing up your warehouse/analytics platform, you should spend time verifying the output (dashboards, reports, etc.) is valid.

Since banks hold such valuable data — not to mention money — data security and following all the InTREx procedures are essential. And with more data than ever to help understand performance, customer experience, and drive overall strategy, taking the time in the plan and build stages can provide scalable and long-term benefits.

How we can help

CLA provides many services tailored for banks including exam readiness assessments, digital strategy, cybersecurity consulting and advisory, and cybersecurity auditing. Contact us to see how we can help you better protect your data.

This article was originally published on BankDirector.com.