Major Booklet Restructuring
As you may have already seen, the FFIEC pushed out a press release informing the public of the new Business Continuity Management (BCM) Booklet on November 14, 2019. Major updates to FFIEC booklets usually lead to many questions regarding what was changed, potential new requirements, or even if your current Business Continuity Plan has fallen out of compliance from the new release.
Don’t worry – we’ve got you covered. We’ll dig into all of the important changes to the FFIEC Business Continuity Management Booklet and answer your burning questions.
Digging into the Changes
At first glance, you might notice that the booklet looks very different. From the table of contents to the appendices, the Business Continuity Management (BCM) Booklet has undergone a pretty significant restructuring. While the change can be overwhelming, upon closer inspection, you will notice the original foundation and requirements for creating a Business Continuity Plan are still there. Even better news, most of the changes to the BCM booklet expand upon information that was provided in the original Business Continuity Planning Booklet, making the new BCM booklet much clearer and more concise
Some notable visual changes included a diagram on the business continuity cycle (something you will be very familiar with if you have sat in an SBS webinar covering business continuity planning), as well as the often-misunderstood Business Impact Analysis timeframes: Recovery Point Objective (RPO), Recovery Time Objective (RTO), and Maximum Tolerable Downtime (MTD - previously labeled “Max Allowable Downtime”).
Perhaps a bigger item of note is the reduction in appendices, leaving only Appendix A: Examination Procedures, Appendix B: Glossary, Appendix C: Abbreviations, and Appendix D: References. However, while appendices such as Appendix J’s stand-alone section have been removed, the requirements and expectations of these appendices have not. Appendix J, as well as much of the content included in the other appendices, have been integrated into the core of the booklet.
If you have been dragging your feet on addressing the new expectations set within the most recent BCP addition, Appendix J, consider this a wake-up call. While the new BCM booklet does not have all of the detail from Appendix J, one can note that the expectations of making third-party management a part of your business continuity process are spread throughout the updated handbook, with the bulk of expectations found in Section IV.A.5 Third- Party Service Providers and Section VII.I Third-Party Service Provider Testing.
A similar story could be told about the Cyber Resilience portion of Appendix J, whose content did make it into the new booklet but was broadened and simplified in the transition.
As with any piece of regulatory guidance, the Board of Directors cannot be overlooked. Expectations for Board of Director oversight were included in the previous version of the booklet; however, Board reporting expectations were scattered throughout the old document and far less concise. To simplify these expectations, Section IX of the new BCM booklet has been added, which consolidates Board Reporting requirements (bulleted below) as well as adds additional Board Reporting expectations. It would be wise to consider this section as a checklist when preparing BCM documentation for the Board.
· Risk assessment
· Exercise and test results
· Identified issues
· Strategy updates
· Audit results
· Metrics, including key risk indicators and key performance indicators for BCM and resilience
The BCM Booklet stops just short of requiring an annual, formal BCM Report to the Board (separate from the GLBA Annual Report) but does require a “written presentation providing the BIA, risk assessment, BCP, exercise and test results, and identified issues.” Meaning that you will need to be sure you are reporting on the above BCM components to the Board annually in some written, formal fashion.
Additionally, the guidance requires that “Board minutes should reflect business continuity discussion (including credible challenges) and approvals.”
Business Continuity Testing
It is safe to say that the testing component has also seen a great improvement. BCM testing expectations have become much clearer and easier to understand, thanks to information pulled in from the old document’s appendices. Where in the past many expectations could be found in the BCP booklet’s “Principles of the Business Continuity Testing Program” section, additional expectations would need to be sought out within the document's appendices. Not just one, but many of the appendices added over time contained testing expectations, including Appendix J: Strengthening of Outsourced Technology Services, Appendix H: Testing Program – Governance and Attributes, and Appendix D: Pandemic Planning. The various testing expectations and suggestions are now consolidated into Section VII – Exercises and Tests in the new BCM Booklet.
In addition, FS-ISAC’s CAPS exercise is a notable addition to the mix as a testing option under Section VII.H Industry Exercises and Resilience, potentially leading to this being suggested by examiners in the future, just as signing up for FS-ISAC itself eventually became a formal recommendation shortly after the release of the FFIEC Cybersecurity Assessment Tool.
Overall, the BCM Booklet highlights the following areas of focus around BCM testing:
· VII.A Exercise and Test Program
· VII.B Exercise and Test Policy
· VII.C Exercise and Test Strategies
· VII.D Exercise and Test Objectives
· VII.E Exercise and Test Plans
· VII.F Exercise and Test Scenarios
· VII.G Exercise and Test Methods
· VII.G.1 Full-Scale Exercise
· VII.G.2 Limited-Scale Exercise
· VII.G.3 Tabletop Exercise
· VII.G.4 Tests
· VII.H Industry Exercises and Resilience
· VII.I Third-Party Service Provider Testing
· VII.J Testing for Core and Significant Firms
· VII.K Post-Exercise and Post-Test Actions
BCM testing has been a focus of IT examinations this past year, and with the new BCM Booklet’s release, a robust BCM testing program seems to remain as a major expectation.
What Do You Need to Review?
So, what about all of these new sections? If it's been a while since you went through the entire booklet, it may appear that there are several new sections and additions to the BCP Booklet. However, after a review of the old BCP Booklet and mapping some of the information covered in these “new” sections back to the old, many of them are found to be taken from information already included in the previous version of the booklet. To help clarify some of the standout sections, see below for where the information could be found in the previous FFIEC Business Continuity Planning Booklet, as well as what information stands out as new.
· III.A.2 Interdependency Analysis – Built from information originally located in Appendix E: Interdependencies.
· IV.A.1 Physical - Built from information originally located in Appendix E: Interdependencies.
· IV.A.2 Cyber Resilience - Built from information originally located in Appendix J: Strengthening the Resilience of Outsourced Technology Services.
· IV.A.4 Personnel – Built from information originally located in Appendix G: Business Continuity Plan Components.
· IV.A.5 Third-Party Service Providers – Built from information originally located in Appendix J: Strengthening the Resilience of Outsourced Technology Services.
· IV.A.6 Telecommunications - Built from information originally located in Appendix E: Interdependencies.
· IV.A.7 Power – This section was mostly referenced in the Risk Management section of the old document; considerations, while brief in the update BCM booklet, were given further detail in the previous version.
· IV.A.8 Change Management – Built from information originally located in the Other Policies, Standards and Processes section. V.D Payment Systems – Built from information originally located in Appendix G: Business Continuity Plan Components.
· V.E. Liquidity Considerations - Built from information originally located in Appendix G: Business Continuity Plan Components.
· V.F.2 Disaster Recovery – The topic of Disaster Recovery is not new, but the section does address disaster recovery in a more definitive way than it had in the previous booklet, consolidating expectations of IT and associated resource restoration more clearly in the updated BCM booklet.
· VII.H Industry Exercises and Resilience – This section is reasonably new; while the idea of expanding the scope of testing was covered in Appendix J of the old document, involvement in industry exercises were not covered specifically as they are in the updated BCM booklet.
· VII.I Third Party Service Provider Testing - Built from information originally located in Appendix J: Strengthening the Resilience of Outsourced Technology Services.
· VII.J Testing for Core and Significant Firms - Built from information originally located in Appendix H: Testing Program – Governance and Attributes.
· VII.K Post-Exercise and Post-Test Actions – Originally found in the Risk Monitoring and Testing section.
· VIII Maintenance and Improvement – This section is new to the document; while the maintenance of your plan was covered in the previous version, it was nothing near the detail covered in the new document.
· IX Board Reporting – As noted above, this is a new section added in the update. While board oversite was an expectation before, additional expectations are clearly defined and listed in the new section.
Lack of Pandemic Preparedness
Perhaps one of the most interesting adjustments from the old BCP Booklet to the new BCM guidance is the near-disappearance of all references to pandemic planning. The old BCP Booklet references “pandemic” a whopping 152 times; however, in the new BCM Booklet, the word “pandemic” appears a total of 18 times, but really only 3 times in the actual guidance (outside of Exam procedures and references).
Pandemic is referenced a few times as a part of the BCM Risk Assessment, specifically called out as a “low likelihood and high impact event.”
So what does this mean for Pandemic Planning? Can we shred our Pandemic Preparedness Plan?
Not quite. The goal of the BCM Risk Assessment is to drive decisions when building out your BCM Recovery Procedures, and as long as Pandemic is listed as a BCM Risk Assessment threat, you can continue to use your short-term and long-term pandemic recovery procedures.
However, the lack of Pandemic discussion in the BCM booklet is a pretty strong indicator that regulatory focus is much more on cyber and vendor-related issues than pandemic issues, which makes sense given today’s environment.
Overall: Short and Sweet
Overall, the new Business Continuity Management Booklet appears to be a significant improvement over the old BCP booklet. The BCM booklet update has not only grouped much of the information into an organized fashion, but it has also managed to reduce some of the unnecessary fluff and redundancy found in the previous version, resulting in a shorter, yet more understandable booklet.
If your organization has been making its best effort to keep up with the requirements set within the old booklet and the additions that have been added over time, you are probably not going to be derailed by the most recent update, as the core of creating your Business Continuity Plan has been held intact.
Even so, you will almost certainly find it beneficial to give the new booklet a full review, especially some of the standout sections noted above, such as IX Board Reporting, VIII Maintenance and Improvement, and VII.H Industry Exercises and Resilience.
Written by: Cole Ponto
Information Security Consultant - SBS CyberSecurity, LLC