Pub. 4 2015 Issue 9

Leading advocate for the banking industry in Kansas | 22

Continued from page 20

Sidebar: 2016 Winter IRA Workshops
Presented by Patrice M. Konarik, Founder and President, Sunwest Training Corp.
Educational Resources: 785-232-3444, www.ksbankers.com
February 16: Dodge City, Advanced
February 17: McPherson, Basic
February 18: Topeka, Advanced

How to Prepare: Go through your bank's BCP documentation and ensure cybersecurity is adequately addressed and specifically written into the program.

Step 4: Evaluate Your Vendors' Cybersecurity Risk Profiles

What to Expect: Appendix J reminds banks that they are ultimately responsible for the safety and soundness of activities outsourced to TSPs, so conduct a thorough examination of all vendors, particularly those involved in the most critical operations.

How to Prepare: Starting with your most critical vendors, assess the following areas based on Appendix J:
• Third-Party Management: Is the vendor's risk fully identified and adequately controlled?
• Third-Party Capacity: Is the vendor capable of restoring service to all clients?
• Third-Party Testing: Has the vendor's BCP been validated through adequate testing?

Step 5: Educate and Involve Senior Management and the Board

What to Expect: Bank examiners expect to see active involvement by senior management and the board of directors in all matters, including cybersecurity.

How to Prepare: Senior leadership needs to do more than rubber-stamp IT, Information Security and BCP programs each year. Their involvement needs to be felt throughout the enterprise. To begin, take these steps:
• Routinely present cybersecurity updates at board meetings.
• Encourage senior leadership to routinely express the importance of cybersecurity resilience to employees.
• Ensure board meeting minutes reflect all cybersecurity discussions and actions, and keep a record to share at exams.
Expect a Better Outcome at Exam Time by Preparing for It

Examiner expectations regarding cybersecurity are growing, but completing the above steps will prepare your bank and ensure it is speaking the same cybersecurity language as examiners, which is half the battle. If your institution needs help completing these steps or has additional security needs, providers like CSI offer solutions such as cybersecurity risk assessments to help identify inherent risks and recommend additional controls, as well as cloud and managed security services to improve cybersecurity maturity levels. For more information, download our white paper, What to Expect at Your Next Regulatory IT Exam.

Steve Sanders, CSI's vice president of Internal Audit, oversees the evaluation and mitigation of risks associated with IT, financial and operational systems. He is a CISA, CRISC, CRMA and CTGA, and speaks regularly on information security, cybersecurity and IT audit topics.
