Update from FDIC on CA Wildfires, BCP and Pandemic Planning Guidance

Richard Swart: Hi, this is Richard Swart with the Information Security Media Group, publishers of BankInfoSecurity.com and CUInfoSecurity.com. Today we will be speaking with Mr. Michael Jackson, the Associate Director of the Technology Supervision Branch of the Federal Deposit Insurance Corporation (FDIC). I wonder if you can start by estimating the impact of the California wildfires on financial institutions?

Michael Jackson: Richard, we have a little bit of information on that. We know for certain that there were 19 FDIC-insured non-member banks that were closed temporarily, and we have information that approximately 100 bank branch facilities, and potentially 50 credit unions, were in or very near the areas affected by the recent wildfires.

Swart: And out of those 19 that had to close, did they institute an incident response plan, a business continuity plan, disaster recovery? Or do you know the level of response that they had to make?

Jackson: We don't know the exact level of response, but we feel certain that they instituted at least a certain form or certain degree of their business continuity plans, better known as the BCP. For the ones that may not have, I am sure that as the fire neared they took a look at their plan and started making preparations. All financial institutions are required to have a BCP.

Swart: Now the FDIC has prepared a very good booklet on BCP. I was wondering if you could summarize for our listeners some of the recommendations that you provide for the BCP process.

Jackson: Sure. The goal of the BCP is to minimize financial losses to the institution and to be able to continue to serve customers and financial markets with minimal disruption. Within that, the banks also need to gauge the risk to employees. The BCP should consider risk to the entire business process, including business functions, infrastructure, system procedures and people. Actually, when you have a BCP for an institution it should be an enterprise-wide strategy, and it also begins with a business impact assessment. We talk about identifying, assessing, and prioritizing all business functions and so on. And for the business impact analysis, we have some books that are highlighted in our book.
Also, the plan should document the strategies and procedures to recover, resume and maintain all critical business functions and processes. It should also consist of testing and monitoring of your business impact analysis, and also consider it enterprise-wide. In the testing, you can do a form of testing. You can test in cycles. You can test with a different scope. You know, the bank or an institution can set the objectives for the testing and the strategies and what they would expect for results. And they also need to weigh in assumptions in those testing policies and strategies.

Swart: Are there any particular lessons that we can learn from the reactions of financial institutions to these wildfires?

Jackson: Richard, I believe it is a little too soon for that, to draw conclusions on the banks' reactions to that, but I am sure that we will have some lessons that we can learn. If you take the fires, they were widespread and they covered, I think, somewhere around seven counties, and that may have an impact on banks that maybe had a strategy where they would relocate or resume operations in another county. So, I am sure there are going to be some lessons, but it is still too soon for that. However, the scope of this event was geographically limited and temporary, and by that means it actually reduced the overall impact of the event.

Swart: Now if you were to send out an examiner to a bank or another financial institution that you regulate, what would that examiner be looking for specifically in terms of the BCP or disaster recovery plan, to ensure that it is well thought out and will be successful?

Jackson: As I said before, you look at how they actually developed the plan. If they actually started with a business impact analysis, and how they went through to actually identify and assess and prioritize their business functions. How they identified their processes and people in the systems. How they looked at interdependencies to support those business functions, either onsite or at another location or backup location.
And also the examiner wants to look at potential threats, and that the bank well thought out all the potential threats that they could think of, and then also the potential impact of disruptions to the business functions, and if they were a temporary disruption or a long-term disruption. And also determine the allowable downtime and recovery time. What is a good downtime for a bank? You have to consider that and also the business lines that they have. And how long will it really take to recover? Can it recover fully or partially? And at remote locations? And then once they determine that, we like for the bank to actually consider: are they going to continue operations at that remote facility, or are they going to resume operations at their permanent location, or do they have to look for an alternate location? So those are some of the things that we would look at.

Also, when there is an event like the fires, for instance, we would look at the procedures that the banks employ to make decisions. Do they decide to stay where they are? Do they decide to invoke their BCP or portions of the BCP? And how were those decisions supported later? Were they the right decisions? And also, if they had to invoke their BCP, how were they operating? Did they operate as anticipated, or did they have glitches in that? And we expect those things to be documented, and basically once they document that, they have lessons that they have to learn from those events. And also, do they need to revise their plan based on the results of going to the BCP?

Swart: We know the threat landscape has certainly changed in the past few years, post-9/11, and the California wildfires are probably a good example. But the pandemic influenza outbreaks and other disease outbreaks are certainly receiving a lot of attention. Has the FDIC done anything in preparing other institutions, or do you have any guidance that banks can rely upon in preparing for major disasters or pandemics?

Jackson: Yes. The FDIC, as well as the other banking regulatory agencies, will actually be implementing some guidance, and we will issue that, I would say, in the near future. But some of the things that we have talked about with that: we would expect institutions to actually have a preventive program where they would actually monitor potential outbreaks and also begin educating their employees.

We expect institutions to have a documented strategy that provides for scaling their pandemic efforts so they are consistent with the efforts of a particular stage of the outbreak. Also, we expect institutions to have a comprehensive framework of facilities, systems, and procedures. Procedures such as social distancing, telecommuting, redirecting customers, and also operating from alternative sites. They need a test program to ensure the institution's planning, practices, and capabilities are effective and will allow critical operations to continue. They need an oversight program to ensure the ongoing review of and updates to the pandemic plan.

Those are some of the things that we will send out as guidance to the industry and we would expect institutions to employ.

Swart: Aside from IT, what are the essential elements for a successful BCP?

Jackson: We believe that a lot of organizations, I think, have gotten it now that it is an enterprise-wide solution, and that they have to look at the whole enterprise and what business units or elements are critical, and how they can actually support those in different scenarios.

Swart: Mr. Jackson, thank you for your time today. It has been excellent information. I am sure our banks and financial institutions will be happy to know that the FDIC is planning on releasing some guidance. So thank you for listening to another podcast with the Information Security Media Group. To listen to a selection of other podcasts, or to find other educational content regarding information security for the banking and finance community, you can visit www.BankInfoSecurity.com or www.CUInfoSecurity.com.