Failure to Upgrade Software Systems as a Potential Regulatory Risk - thoughts from Jeff Jinnett

In the current highly regulated but intensely competitive banking environment, many banks are upgrading to the latest versions of third-party operational software in order to take advantage of new features, such as multi-touch capability. Conversely, other banks may seek to reduce costs by continuing to run older software versions for as long as possible. A reasonable balance needs to be struck between these two approaches in order to achieve the greatest operational efficiency and competitive market advantage while maintaining a cost-effective but secure IT infrastructure. One caution for banking institutions that err too far on the side of running significantly older software versions is that a regulator may later determine that the institution incurred too much risk and impose regulatory penalties on the bank. For example, the FDIC’s Financial Institution Letter 43-2003 provides that regulated banks must conduct an IT security risk assessment which includes an inventory of the hardware and software maintained:

“Consumer privacy regulations require that periodic risk assessments be provided to the Board of Directors. In these assessments, management details measures taken to mitigate risks. The effectiveness of the institution's patch management program should be discussed in these periodic reports. An inadequate patch management program may adversely affect certain components of an institution's overall Information Technology (IT) examination rating… In developing an effective patch management program, it is important to have a comprehensive understanding of the institution's IT environment. An up-to-date inventory of hardware and software should be maintained, including the specific applications and their location. At a minimum, it is suggested that the inventory include a description of the system's hardware, main frame and mid-range computers, operating systems (versions and all patches installed), application software (versions and all patches installed), and storage devices. This inventory should reflect production servers, firewalls, network appliances, routers, and other network infrastructure. [emphasis added]”
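The inventory the FDIC letter describes is only useful to a risk assessment if something actually compares it against a support baseline. The script below is an added illustration of that comparison, not code from the FDIC, the FFIEC or the author of this post: it takes an inventory of assets (class, operating system version and installed patches, application versions, and when the record was last verified), checks it against a minimum-version and required-patch baseline, and produces the findings a periodic report to the Board would carry. The asset names, product names ("ExampleOS", "CoreBanking", "WebPortal"), patch identifiers ("KB-EX-…"), dates and the baseline itself are all constructed for the example.

```python
"""Patch-currency check over a hardware/software inventory.

Added example for this post; the asset records, product names, patch
identifiers and baseline below are constructed and hypothetical.
"""
from dataclasses import dataclass, field
from datetime import date

# Asset classes the FDIC letter says the inventory should reflect.
REQUIRED_ASSET_CLASSES = {"production server", "firewall", "network appliance", "router"}

# Hypothetical support baseline: minimum version and, for an OS, the patches
# that must be present. A real program would derive this from vendor notices.
BASELINE = {
    "ExampleOS":   {"min_version": "7.2", "required_patches": {"KB-EX-1001", "KB-EX-1002"}},
    "CoreBanking": {"min_version": "3.5.0"},
    "WebPortal":   {"min_version": "2.0"},
}

REPORT_DATE = date(2024, 5, 15)   # constructed "as of" date for the sample report


@dataclass
class Asset:
    name: str
    asset_class: str
    os_name: str
    os_version: str
    last_verified: date                        # when the record was last confirmed
    os_patches: set = field(default_factory=set)
    apps: dict = field(default_factory=dict)   # application name -> version


def parse_version(text):
    """Dotted numeric versions only ("7.2.1" -> (7, 2, 1)); assumed for the example."""
    return tuple(int(part) for part in text.split("."))


def is_outdated(version, min_version):
    return parse_version(version) < parse_version(min_version)


def assess(inventory, baseline=BASELINE, required_classes=REQUIRED_ASSET_CLASSES,
           as_of=None, max_record_age_days=90):
    """Return (finding_type, subject, detail) tuples for the periodic risk report."""
    as_of = as_of or date.today()
    findings = []

    # 1. Coverage: every required asset class must appear in the inventory.
    present = {a.asset_class for a in inventory}
    for cls in sorted(required_classes - present):
        findings.append(("INVENTORY-GAP", cls, "no asset of this class recorded"))

    for a in inventory:
        # 2. Freshness: a record nobody has verified recently is not "up-to-date".
        age = (as_of - a.last_verified).days
        if age > max_record_age_days:
            findings.append(("STALE-RECORD", a.name, f"last verified {age} days ago"))

        # 3. Operating system version and patch level against the baseline.
        rule = baseline.get(a.os_name)
        if rule is None:
            findings.append(("NO-BASELINE", a.name, f"no support baseline for {a.os_name}"))
        else:
            if is_outdated(a.os_version, rule["min_version"]):
                findings.append(("OS-VERSION", a.name,
                                 f"{a.os_name} {a.os_version} below minimum {rule['min_version']}"))
            missing = rule.get("required_patches", set()) - a.os_patches
            if missing:
                findings.append(("OS-PATCH", a.name, "missing " + ", ".join(sorted(missing))))

        # 4. Application versions against the baseline.
        for app, version in a.apps.items():
            rule = baseline.get(app)
            if rule and is_outdated(version, rule["min_version"]):
                findings.append(("APP-VERSION", a.name,
                                 f"{app} {version} below minimum {rule['min_version']}"))
    return findings


# Constructed sample inventory; note that no "network appliance" is recorded.
SAMPLE_INVENTORY = [
    Asset("srv-core-01", "production server", "ExampleOS", "7.4", date(2024, 5, 1),
          {"KB-EX-1001", "KB-EX-1002"}, {"CoreBanking": "3.5.2"}),
    Asset("srv-web-02", "production server", "ExampleOS", "7.1", date(2024, 1, 10),
          {"KB-EX-1001"}, {"WebPortal": "1.9"}),
    Asset("fw-edge-01", "firewall", "EdgeFW", "9.0", date(2024, 4, 20)),
    Asset("rtr-core-01", "router", "CoreRouterOS", "12.1", date(2024, 3, 1)),
]


def sample_findings():
    return assess(SAMPLE_INVENTORY, as_of=REPORT_DATE)


if __name__ == "__main__":
    for kind, subject, detail in sample_findings():
        print(f"{kind:14} {subject:20} {detail}")
```

Run against the sample inventory, the check reports the missing network-appliance entry, the stale and out-of-date web server, and the two devices whose operating systems have no baseline at all; that last category matters because an asset that nobody has a support baseline for is exactly the kind of item a "static" program loses track of. Products without a baseline are reported rather than silently skipped for that reason.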

Further, the FFIEC IT Handbook InfoBase guidance warns against having a static security program:

“A static security program provides a false sense of security and will become increasingly ineffective over time. Monitoring and updating the security program is an important part of the ongoing cyclical security process. Financial institutions should treat security as dynamic with active monitoring; prompt, ongoing risk assessment; and appropriate updates to controls. [emphasis added]”

Finally, the Federal Reserve’s “Interagency Guidelines Establishing Standards For Safeguarding Customer Information” includes sample examination questions that probe the bank’s efforts to update IT security systems, such as the following:

“Does the bank periodically update its information security program to reflect changes in the bank’s operations and systems, as well as changes in the threats or risks to the bank’s customer information?”

Therefore, in striking the balance between upgrading to the latest versions of operational software in order to retain a competitive marketplace edge versus continuing to run older software versions in order to reduce costs, banks need to avoid being seen by regulators as having incurred unacceptable security risks by relying on out-of-date operational software as part of a static IT security approach.