10 Things to Know about the Fed’s Guidance on Operational Resilience


On October 30, 2020, the Federal Reserve released a paper outlining suggested practices for banks to maintain operational resilience and security. With the shift to online operations brought on by the COVID-19 pandemic, cyber risk management matters more than ever, and firms must have detailed, robust plans for responding to security breaches. The demand for cyber security has also led to a growing reliance on third-party security and service providers, which introduce risks of their own for banks.

Firms must understand these risks and have procedures in place to detect and respond to security breaches of any kind. The paper does not revise any existing rules or guidance; its suggestions are drawn from existing guidance and standards.

Here are 10 important takeaways from the Fed’s guidance on resilience:

  1. Effective governance is the foundation of a safe and resilient firm. The board of directors and senior management are responsible for overseeing operational resilience, including security operations.

  2. The board of directors and senior management should work closely together so that appropriate budgets and resources are approved and an effective risk management framework is applied throughout the firm.

  3. Senior management should maintain an organizational and legal structure suited to the firm's operations, identify the firm's core business objectives, and develop and manage resilient information systems and controls.

  4. Internal controls should be tested and reviewed regularly to confirm that critical operations function as intended, including operations performed by third parties.

  5. Business continuity plans should be thorough and reviewed often, so that they remain consistent with current operations, recovery priorities, and the current risk and threat environment.

  6. Firms should keep trained personnel on staff who know the critical operations and the risk management responsibilities they will take on if a disruption occurs. Regular training and awareness programs help sustain business continuity over the long term.

  7. Recovery and resolution planning should be integrated into every level of governance and management and linked to operations across the firm, and should prepare the firm for a wide range of internal and external disruption scenarios.

  8. All third-party relationships should be governed by formal agreements. Periodic reviews of, and reporting on, third parties' systems and controls are essential to protecting privacy and lowering the risk of disruption.

  9. Scenario analysis helps a firm determine its tolerance for disruption and how it would resolve one. Scenarios should be tested frequently, keeping in mind the connections and dependencies among the firm's critical operations.

  10. Ongoing surveillance of, and reporting on, operations are necessary for a resilient firm. Firms must be able to detect suspicious activity in a timely manner and have strong plans for responding to it, in order to limit negative impacts on the firm.
