By Marcia Savage, Site Editor
13 Oct 2009 | SearchFinancialSecurity.com
With the H1N1 virus threatening to hit hard this flu season, pandemic planning has become a priority for many organizations. A recent survey of about 1,500 U.S. organizations by the Pandemic Prevention Council showed that a slight majority reported that senior management has stressed the importance of preparing for a possible H1N1, or swine flu, outbreak.
However, while 75% of those surveyed have business continuity plans, only 55.6% of private companies have plans that address the H1N1 threat.
The banking industry has done a better job than other industries in developing pandemic plans, said Richard De Lotto, principal analyst in Gartner Inc.'s banking and investment industries advisory services. "It doesn't take much research into the 1918 pandemic to realize that you need to take this seriously," he said, referring to the "Spanish flu" pandemic that killed more than 500,000 in the U.S.
The avian flu threat and a 2006 advisory on pandemic planning issued by federal regulators helped to spur pandemic planning in the financial industry. The FFIEC updated the advisory in 2007 with expanded pandemic planning guidance. In April, the emergence of swine flu prompted an uptick in flu preparations, but experts cite several areas where financial institutions could improve their planning for a potentially massive H1N1 outbreak. Here are five mistakes banks make, or areas they overlook, in their pandemic plans:
Not doing enough
Even though financial services, as a heavily regulated industry, may be further ahead in preparing for a pandemic than others, many banks still don't have a comprehensive plan.
"The biggest issue is that the banks haven't really thought through it," said Ruth Razook, CEO of RLR Management Consulting Inc., a La Quinta, Calif.-based firm that provides IT, strategy and other services to community and independent banks. "They haven't taken that time."
Federal banking regulators are very serious about pandemic planning, she said: "The regulators are saying it will occur, that it's not a matter of if, but when. And if banks aren't prepared, it could get pretty ugly."
Specifically, regulators told her some financial institutions don't understand the difference between planning for business continuity and a pandemic. In the first, the building is gone but the people remain, while in the second, the building is there but the people are gone. "They're not grasping the fact that you could be down 50% of your people," Razook said.
David Schneier, a compliance consultant who works with financial institutions, said he's yet to review "a truly viable pandemic plan." Most of the plans he's seen discuss possible pandemic scenarios but don't provide actionable steps in the event of a quarantine.
"What happens when a bank or credit union cannot staff their branches due to a severe outbreak? How will operations be maintained if offices are closed down and staff is forced to work remotely? I suspect that much of what occurs will be ad hoc," he said.
Meanwhile, some large financial institutions that perform extensive pandemic planning at their corporate headquarters fail to extend the effort to their regional or local offices, said Brian Zawada, co-founder and director of consulting services for Cleveland, Ohio-based Avalution Consulting LLC. They mistakenly believe they should focus their efforts on the locations with the most staff.
"You have to be consistent and able to show that preparedness activities are applied across the entity, no matter where or how many people," Zawada said.
Lack of defined policies
Some companies don't have clear contagious illness policies, Zawada said. These policies clarify that if employees are sick, they stay at home and if they show up to work sick, their manager has the right to tell them to go home.
"Those that don't have such policies have managers running around saying, 'I have this person coughing up a storm. What do I do?' By the time they get an answer, it's too late and others are sick," he said.
Another policy issue that needs to be decided before a flu epidemic hits is how a financial institution plans to handle sick leave. "One bank said they had an employee come back from Mexico and came to work with a fever. They sent him home. If he doesn't have any sick time left, does he get paid or not?" Razook said. "Banks should be figuring out what those policies are, and I don't think they are."
David Sarabacha, principal at Deloitte & Touche LLP and leader of the firm's business continuity management team, said companies vary widely in how they plan to handle sick leave.
"It stretches from, 'It's not our problem. We give a certain amount of time for sick or vacation days. If something arises, we won't give any more,' to other organizations saying they'll give seven to 14 more days of time off, especially if they tell you to go home," he said. "A third option is to borrow from future time off."
However, companies are also concerned about potential abuse of extended sick leave policies, Sarabacha said. At a recent meeting he attended, an executive at a large financial institution said his organization had done a lot of planning of sick leave policies in the event of a pandemic but isn't going to let employees know out of concern the system could be abused.
Lack of adequate staffing planning
Without a doubt, planning for a scenario in which you lose 40% of your staff for extended periods is difficult. However, there are other staffing scenarios that financial institutions also need to consider if the swine flu strikes hard, experts say.
For example, an organization may see a spike in demand for certain services or products and a sharp drop for others in a pandemic, Zawada said. An insurance company, for instance, might see a decline in property claims but an increase in short-term disability or life insurance claims. If more people stay at home, some financial-services firms expect to see increased credit card activity. Consequently, a company needs to develop a staffing model that meets customer needs while accounting for staff absenteeism, he said.
"Understanding demand and building appropriate staffing models [is something] many organizations have done, but some are just beginning," Zawada said.
An area that banks haven't paid enough attention to is succession planning, Gartner's De Lotto said. "People might die or be incapacitated for long periods. How do you arrange for a turnover of command in a department with proper provisioning and passwords when your IT department is sick?"
Permissions could be installed on a thumb drive, but in the end, it's difficult for an organization to imagine large chunks of its managerial staff dead or incapacitated and to plan for successors, he said.
Razook said some banks that have conducted pandemic planning have done a good job at building a skills matrix -- conducting an assessment of their employees' skills. That allows them, for instance, to figure out who could fill in as a teller.
"They identify where their issues are and they're cross-training," she said.
Not accounting for vendors
Considering how much most financial institutions are dependent on third-party vendors, a possible pandemic presents hidden risks, said Schneier, the compliance consultant.
"For the minority of institutions that have actionable pandemic plans in place, how many of them are dependent upon their vendors in order for the plan to work? How many of those vendors have their own pandemic response plans in place and how would you even know if those plans are viable?" he said.
"Imagine a likely scenario where there's a quarantine, your staff is sent home to work remotely and one of your key telecom or hosted solution providers has an outage that can't be properly managed because they're operating at severely reduced staff levels. What's your next move?" he added.
Many organizations have tried to assess their vendors' business continuity preparations via questionnaires, but didn't have much success, Zawada said. They either didn't know what to do with questionnaires that were returned or vendors wouldn't cooperate, claiming their plans were proprietary.
"Those that did it well had one-on-one dialogue with their key suppliers and business partners where they may have jointly planned," he said. "They clearly understand each other's business model and expectations. They're working together in a collaborative manner. There is some of that [collaboration] but probably more could be done."
Deloitte's Sarabacha said successful organizations identify their critical vendors and share as much detail of their pandemic plans as the legal departments will allow in order to gauge how complementary they are. If the plans aren't complementary, then organizations need to consider backup vendors or alternate plans.
The ability to see a vendor's plans -- and results of plan testing -- starts in the procurement and contract process, he said. More and more organizations are including language in their contracts to cover that oversight, he said: "They're getting more precise in those contracts so you have the right to do it if you choose."
Not testing
An area that many financial institutions and other organizations don't focus on enough in their pandemic planning is testing, experts said.
"We can't appraise the effectiveness of our planning until we've triggered the plan -- that is, taken action in response to a real situation or in response to well-strategized scenario-based testing that examines external factors and incorporates consideration of critical interdependencies," said Carol Ward, an independent banking consultant.
"The complexity and difficulty of setting up scenario-based testing shouldn't be underestimated. Ongoing risk monitoring and testing is the weakest link in the effort to be ready. And I think it is causing the most difficulty," she added.
Since many pandemic plans rely on having workers telecommute, capacity planning is essential, experts said.
"Wouldn't it be terrible to have a plan that says everyone will telecommute and then no one can get into the system?" Razook said. "That's where testing comes in. Have 50% [of the workforce] go home and dial into your system and see if it crashes."
Sarabacha said he's seen organizations test whether employees who don't normally work at home can do so, but not test their systems' capacity. "The challenge is from a capacity perspective. Can your internal systems handle the type of load that has never come before?" he asked.
Of course, some possible pandemic scenarios are tricky to test. For example, if schools shut down, banks will have employees who need to stay home with their kids -- a scenario that's difficult to develop into a tabletop exercise, De Lotto said.
"You can do some remote access tests and tabletop exercises, but it's kind of hard to simulate this [a pandemic]," Zawada said.
By Marcia Savage, Site Editor
05 Oct 2009 | SearchFinancialSecurity.com
When it comes to their vendor management programs, financial institutions often overlook non-IT vendors -- the cleaning crews and other service providers that can pose a real risk to sensitive information, industry experts said.
Banking regulators require financial institutions to have vendor management programs that ensure customer data is protected. However, many banks focus only on IT vendors, said Ruth Razook, CEO of RLR Management Consulting Inc., a La Quinta, Calif.-based firm that provides IT, strategy and other services to community and independent banks. That leaves out suppliers like janitors and plant maintenance providers whose after-hours and unsupervised access to office facilities makes them a high risk for stealing confidential information left on desks or in trash cans, she said.
Regulators are looking for an enterprise-wide vendor management program that takes into account all types of vendors, Razook said. They stressed the point during a conference panel she recently moderated with representatives from the FDIC and the Office of the Comptroller of the Currency (OCC). "Most banks still concentrate on their IT vendors and it's got to change," she said.
David Schneier, a compliance consultant who works with financial institutions, said an example of unchecked risks with non-IT vendors occurred while he did some late-night risk assessment work for a credit union last year. Sitting in the executive office suite, he heard a sound and peered out the door. To his surprise, a preschooler, followed by his father, was ambling to the restroom.
The next morning, he asked the credit union's CEO about it, who in turn asked the facilities manager. It turned out that the man was the husband of a woman working for the cleaning vendor, and that he and his son regularly brought her dinner to the office. "Think about the scenario: A completely unknown entity, the husband, within a secured area and no one from the credit union had any idea about it," Schneier said.
On further questioning, he learned that the credit union didn't have any assurances that the cleaning crew was properly vetted or any contractual clauses to govern such a situation.
"Now ask yourself how you'd feel if you had money deposited with them and knew there was the potential that your account number or Social Security number was on a form or printed report left out in the open and where any number of unknown entities potentially had access to it," Schneier said.
By overlooking non-IT vendors and not implementing proper security controls, financial institutions run the risk of violating GLBA if a vendor gains unauthorized access to sensitive information, said Susan Orr, a financial-services consultant who spent 14 years as a banking examiner. They are also putting customers at risk of identity theft. Other third parties to consider include accounts payable and HR vendors, so that corporate and employee information is kept secure, she added.
While physical theft is the main risk with vendors like cleaning services and security guards, there is the chance that criminals could plant a person with technical skills on a cleaning crew to break into computers and steal data, said Paul Rohmeyer, a consultant and assistant professor at Stevens Institute of Technology in Hoboken, N.J.
The proliferation of small and cheap storage devices also provides criminals with a way to siphon off data if they can access machines, he added.
Financial institutions need to educate users about shutting down and locking systems during off hours and not writing down passwords, but they also need to deploy technical measures such as controls that prevent someone from plugging a flash drive into a PC, he said.
Razook said a good place for banks to start an enterprise-wide vendor management process is with a vendor list from accounts payable. "Do a risk assessment on those vendors and decide who should be incorporated into a vendor management program and who you can exclude, but it should be noted that you went through that process," she said.
An exception might be a food service that doesn't have access to the building unsupervised, Razook said. For higher risk vendors, a company may want to verify they're insured or that a confidentiality agreement is in place.
"Banks should go through that process," she said. "The regulators are going to be looking for that."
Orr said a written vendor management program is a regulatory requirement and regulators will be reviewing banks' programs. "Granted, this year there have been credit situations that are occupying examiners' attention, but institutions should not get complacent or lax in thinking that because this year no one looked at it or commented on it that they will get by next year," she said.