GLBA Compliance – How an IT General Controls (ITGCs) Audit Protects Your Financial Institution

For many bank CIOs and security officers, questions about Bank IT General Controls (ITGCs) surface when examiners request documentation, vendors require assurance, or leadership wants confidence that controls are keeping pace with evolving threats.

Risk assessments provide financial institutions with forward-thinking insights that satisfy requirements to protect confidential customer data. When performed thoroughly, they also strengthen exam readiness by clarifying controls and remediation efforts.   

A Gramm-Leach-Bliley Act (GLBA) compliant risk assessment performed by an independent third party supports strong governance practices by providing documented information security controls.  A qualified banking assessment consultant who reviews your internal controls, ACH processes and other IT systems can give your institution stronger insights into your cybersecurity framework, enabling you to meet state and federal regulations while satisfying your bank examiner’s needs.

In practice, a GLBA risk assessment consultant typically:

  • Assesses internal controls for effective compliance
  • Identifies weaknesses in current internal controls
  • Recommends additional controls or improvements to address gaps
  • Prepares detailed risk assessment reports
  • Provides executive summaries for board members and senior management

GLBA Information Security Risk Assessment

During a GLBA Safeguards Rule risk assessment, financial institutions are tasked with identifying, evaluating and mitigating information security risks to protect consumer financial information.

This protected information also includes details about:

  • Customers
  • Loan applicants
  • Transactions
  • Loan guarantees
  • Employees and prospective employees

The Federal Reserve or other regulatory agencies may act in response to deficient performance under the Interagency Guidelines Establishing Information Security Standards, for example, by requiring a compliance plan.

Your institution is expected to produce a risk assessment report that identifies any internal or external risks that could result in “the unauthorized disclosure, misuse, alteration, destruction or other compromise” of the security, confidentiality and integrity of customer information.  

The assessment shouldn’t concentrate on just a subset of your risks, such as risks to a computer system. Areas like your core processing systems, local-area and wide-area networking, wire transfers and electronic banking have large attack surfaces. Cybersecurity threats can take advantage of these vulnerabilities unless you identify and monitor all possible attack vectors.

Risk assessments should be treated as an ongoing process, with findings documented in a formal report covering your institution’s policies and procedures, including how customer information is properly discarded. The report should be included in your written information security program.

Noncompliance with GLBA could result in severe consequences and large financial losses. Legal consequences, in the form of criminal charges or class action lawsuits, are a possibility.

Third-Party Service Provider for Risk Assessment

A third-party risk assessment partner can bring a wealth of experience in both the financial institution and IT security industries. Their familiarity in both fields, and their set of fresh eyes, helps them identify the unique cybersecurity threats facing the financial and banking industry. An external audit of your controls by a partner with ample experience with technology can help speed up your institution’s reaction times in the event of a breach, enabling a more comprehensive disaster recovery process.

Utilizing a service provider to manage and monitor GLBA compliance can also provide relief to internal teams overwhelmed by GLBA compliance requirements. Overburdened or overstretched teams can miss signs of risk. The consequences for noncompliance are deliberately severe, because they exist to ensure customer data is protected. Outsourcing can help teams meet requirements and avoid legal, financial and reputational damage.

Impact on Bank Examinations

Bank examiners use your risk assessment to help them understand your systems and what actions you’ve taken to protect them. A third-party risk assessment brings another set of eyes that streamlines the bank examination process.

Guidance from your bank assessment consultant also provides detailed insights beyond compliance matters. Recommendations could include pointers to improve risk controls and mitigation policies, creating a more secure environment. Overall, it puts you in a better light with examiners, as long as your risk assessor’s report is thorough.

Uncovering Noncompliance-Related Risks

In some cases, a risk assessment can also uncover control gaps that increase exposure to fraud or unauthorized activity.

For example, a bank may have a long-standing business as a client, whose credit is no longer reviewed annually because of the length of the relationship. Over time that reduced oversight could let financial conditions or transaction behavior change without detection. Without consistent monitoring controls in place, unauthorized or unsupported transactions may go unnoticed until losses occur.

A risk assessment helps identify these types of gaps by evaluating whether controls, monitoring, and review processes are operating as intended – regardless of how long a customer relationship has been in place.

Anders Audit and Assurance advisors are familiar with the internal controls and processes that protect sensitive information belonging to financial institutions, with the knowledge and experience to guide you to tighter protective procedures. To learn more about our services, and the associated costs, request a meeting below.
