
The most recent edition was updated in to provide additional guidance and details on preparing business continuity plans and programs for auditing by financial examiners. Testing is a critical step in the cyclical BCP process and should be sufficient in scope and rigor to demonstrate the ability to meet recovery objectives, regardless of whether a service is performed in-house or is outsourced.

Cyber Resilience

The increasing sophistication and volume of cyber threats and their ability to disrupt operations or corrupt data can affect the business resilience of financial institutions and TSPs. The financial institution should ensure that the results of such reviews are documented and reported by the TSP to the appropriate management oversight committee or the board of directors and used to determine any necessary changes to the financial institution’s BCP and, if warranted, the service provider contract. Effective ongoing monitoring assists the financial institution in ensuring the resilience of outsourced technology services. A financial institution should consider the maturity of new technologies and gain an understanding of the benefits and risks of engaging TSPs using such technologies during the due diligence process. The four steps in this process include:

Users can scroll down past the introduction of the Infobase to opt in to receive e-mail or RSS feed updates when changes are made to the Infobase. The booklet provides guidance to examiners on the principles of BCM and approaches to business continuity planning and resilience, and examination procedures to help determine the effectiveness of business continuity and resilience. Finally, the IT booklets are laid out on the screen with a description of each, and the user can select the view they want: the Table of Contents, the Online View of the booklet, a Download of the booklet, or a Download of the workprogram. Without advance notice or awareness of deterioration in a TSP’s financial condition, the TSP’s financial institution clients might not have appropriate time to make alternate processing arrangements. A financial institution should recognize these possible scenarios and plan for alternate communications infrastructure, if available.

FFIEC IT Examination Handbook InfoBase – Business Continuity Planning

Financial institutions’ business resilience strategies depend on functioning communication links between various entities, including TSPs.

Financial market participants that perform clearing and settlement activities for critical financial markets (core firms) and organizations that process a significant share of transactions in critical financial markets (significant firms) are required to follow interagency guidelines. Refer to the “Interagency Paper on Sound Practices to Strengthen the Resilience of the U.


Second, the parties can assess their immediate or short-term space, systems, and personnel capacity to absorb, assume, or transfer failed operations. That, in conjunction with industry consolidation, has resulted in fewer, more specialized TSPs providing services to larger numbers of financial institutions.

Conclusion

When using third-party service providers, management should ensure adequate business resiliency through: The following possible scenarios could jeopardize ongoing operations: Clients gain assurance through an effective BCP testing program.

Updated FFIEC Business Continuity Planning booklet tips

Prompt delivery of introductory, reference, and educational training material on topics of interest to field examiners from the FFIEC member agencies. A financial institution should review available audit reports addressing TSPs’ resiliency capabilities and interdependencies, e.g. Anti-malware vendors are continually challenged to keep pace with rapidly proliferating malware threats.

In some cases of data corruption, data may appear usable but produce unexpected and undesirable results. Data replication, however, may also be susceptible to simultaneous cyber attacks, and using this replication strategy may inadvertently result in backup or replicated data being destroyed or corrupted along with the production data.

Appropriate testing for the most likely significant disruptive events provides assurance that financial institutions and service providers will be better prepared to recover from these events. To strengthen resilience against malware threats, financial institutions and TSPs should use a layered anti-malware strategy, including integrity checks, anomaly detection, system behavior monitoring, and employee security awareness training, in addition to traditional signature-based anti-malware systems.

Finally, the oversight and controls on outsourced activities should be commensurate with the level of risk presented by these arrangements. When a financial institution relies upon third parties to provide operational services, it also relies on those service providers to have sufficient recovery capabilities for the specific services they perform on behalf of the financial institution.

Wholesale Payment Systems

Scenarios to consider include: A financial institution should evaluate and perform thorough due diligence before engaging a TSP.

Incident Response

Financial institutions and their service providers should anticipate potential cyber incidents and develop a framework to respond to these incidents.


The testing strategies should encompass internal and external dependencies, including activities outsourced to domestic and foreign-based TSPs.

At the bottom of the screen, the user can link to a page containing all of the booklets and workprograms available for single or bulk download.

The business continuity planning process should include regular updates to the BCP. The testing program should be based on a financial institution’s established risk prioritization and evaluation of the criticality of the functions involved. Similarly, smaller, less complex institutions are expected to fulfill their responsibilities by developing an appropriate business continuity planning process that incorporates comprehensive recovery guidelines based on the institution’s size and risk profile.

This assurance includes adequate infrastructure and personnel to restore services to financial institution clients and support typical business volumes. This means that the alternate TSP would not be affected by the situation that prevented the original TSP from fulfilling its servicing responsibilities and that the alternate TSP would have the necessary expertise to provide the service.

Third-party management
Third-party capacity
Testing with third-party technology service providers
Cyber resilience

Financial institutions should partner with their technology service provider(s) as needed to strengthen the resilience of outsourced technology as recommended through this guidance.

Business Continuity Planning

Data replication can be an effective strategy for rapid recovery in the event of data destruction or data corruption. The increased reliance on technology for all daily processes means it is no longer feasible for a financial institution to operate manually for an extended length of time.

Financial institution management should ensure that any issues identified with either their recovery capabilities or those of their TSPs are documented with action plans and target dates for resolution.

Management at the financial institution and the TSP should ensure appropriate redundancy controls and segregation of replicated backup data files to provide sufficient recovery capabilities against these threats.

As a result, the financial institution and TSP should consider identifying and making advance arrangements for third-party forensic and incident management services. Increasing test complexity helps identify weaknesses in the financial institution’s business continuity plan.