Technology Risk Management

We perform, evaluate, and update Information Technology (IT), Information Security (IS), Privacy, Vendor Management and Cybersecurity Risk Assessments. RGS deploys seasoned professionals with the expertise to evaluate the current state of the IT, IS and Cyber security internal control frameworks and determine the risks based on systems and technologies being used including all Third-Party vendors. Our approach is designed to identify vulnerabilities and control weaknesses before a security breach occurs. We also identify opportunities for process and control enhancement. Other key considerations include:

• Known and emerging risks
• Regulatory changes and priorities
• Strategic initiatives
• Prior audit and/or regulatory issues
• Resource planning and skill requirements

We develop and update IT/IS/Cybersecurity/Third-Party Risk Management policies and procedures and facilitate implementing a program to ensure that policies and procedures are kept up to date timely and systematically. RGS team customizes programs that suit and support an institution’s needs, based on the systems and technologies used, Third-party vendor and IS/Cybersecurity and related processes implemented at the institution. We also focus on enhancing policies and procedures to ensure the appropriate alignment with regulatory requirements.

We perform, evaluate, and update BCP programs, and review DRT testing protocols and related issue escalation protocols. Our approach evaluates the design of the plan for completeness and compliance with regulatory requirements. RGS team reviews the plan for best practices related to risk assessments, communications, business impact analysis, incident responses and reporting, 3rd party vendor issues and response team designations, as well as business unit involvement process. We also observe and report on DR testing in collaboration with management and assist in development of comprehensive BCP/DR test plans, structured according to your needs and the backup systems involved.

RGS provides outsourced Information Security Officer services, which are a very cost-effective process for smaller banks and other institutions to ensure that highly qualified resources manage and perform the crucial Information Security and Cybersecurity function. This process can be modified to support needs of institutions having inhouse function but needing supplemental resources or technical guidance for effectively managing the function inhouse to manage and mitigate related risks. RGS services ensure that the institution maintains updated IS/Cybersecurity risk assessments; IS/Cybersecurity policies and procedures; incident identification, response and reporting; security monitoring reviews; assistance with remediation of issues; and ongoing ISO responsibilities.

RGS team is experienced in reviewing/assessing/auditing payment systems and having completed various assessments of FedLine Solutions and SWIFT implementations. In terms of the Security and Resiliency Assurance Program of the Federal Reserve Bank, we perform assurance assessments of the FedLine security requirements related to the FedLine systems used or subscribed to by an institution. We also perform comprehensive independent assessment required by SWIFT to assess the level of compliance against their Customer Security Controls Framework, covering both mandatory and advisory controls.

We implement SOX and FDICIA internal control frameworks for regulatory compliance purposes and to help entities gain efficiencies within the overall internal control environment. RGS services also include SOX or FDICIA flowchart and Narrative/Key-controls documentation, as well as a SOX or FDICIA health check for institutions with existing programs as it may be time to increase efficiencies, eliminate redundant controls and ensure that any process changes due to digitalization have appropriate controls. In addition, our team of professionals provide cost-effective quality testing of SOX and FDICIA controls based on our client’s control and testing frameworks.

RGS helps institutions prepare for upcoming regulatory examinations, highlighting likely IT/ IS/ Cybersecurity issues that need immediate attention of the Board and Senior Management before the onset of the regulatory examination. RGS leaders bring years of experience working with institutions and the Technology/Security related regulatory examination process. Whether reviewing information requests or validating prior regulatory issues we understand regulatory expectations and the nuances associated with IT/IS/Cybersecurity compliance. Our mock examinations are designed to identify potential issues ahead of time and help reduce the number of potential examination findings. Our mock examinations have been of great help to various institutions from De Novo (facing their first examination) to ones with significant or complex regulatory issues, or the ones that have changed their systems, processes or services, etc.

We can help with or execute project management programs to support any type of technology related project including system upgrades, system conversions, new product launches and new delivery channels/applications. Our team are hands-on, experienced and are assigned according to the technical expertise required and are led by senior RGS IT professional with hands-on experience in project management and related reviews.

RGS offers customized training programs that are designed not only to address core Board training requirements but also includes industry developments, regulatory updates, and best practices. We create staff training programs tailored to specified needs. Our training programs focuses specifically on evolving technology risks, digitalization, vendor management and data security.

RGS specializes in helping institutions ensure that corrective actions implemented to address IT/IS/Cybersecurity/Vendor-Management and other audit or regulatory examination issues are appropriate and fully addresses the issues and their root-cause. The RGS validation process is thorough, well documented, and clear in demonstrating whether an issue has been properly remediated. Our team is experienced in working with the institution’s management and board, as well as regulatory authorities. Our work ensures a comprehensive evaluation and clear conclusion whether regulatory matters requiring attention, or consent order actions are fully remediated, with a clear understanding of the root cause, and the remediations set the stage for regulatory acceptance of the comprehensiveness and adequacy of corrective actions, setting the stage for removal of the supervisory action and lifting of restrictions on business, if any.

RGS provides staffing to support IT, IS and Cybersecurity operational and audit functions to resolve short term resource needs. Our IT, IS and Cybersecurity resources augment needs from core skills to specialized support required by the institution. RGS can perform required tasks, including updating policies and procedures for new regulations, updating risk assessments, catching up monitoring programs, assisting with remediation of issues, or assisting with daily IT/IS/Cybersecurity function or related internal audits.

RGS can assist you in the evaluation of system options taking to account your risk profile as well as the future business and growth plans. Our experience in dealing with many different systems allows us to provide valuable insights as to functionality and systems that may be the best fit for your needs and risk profile, thereby ensuring suitability of technological solutions being procured.

Timely identification of issues in the pre-implementation phase can save on costly remediations after the implementation. RGS can collaborate with users performing tests, or perform the testing for you, regarding validating system functionalities, integrity, outcomes, expectations, and performance in accordance with proposed design and specifications, which we can comprehensively develop as well.

While user acceptance tests of IT systems are expected to be designed to identify issues allowing for their timely remediation, the pre-implementation reviews provide independent validation of accuracy and appropriateness of the implementation process, and identification of any issues that need to be addressed for optimal results. While following FFIEC guidelines, RGS’s subject matter experts partner with management and users in ensuring appropriateness of project management and implementation, as well as testing for identifying any system, data or control issues. Our pre-implementation testing can save on costly remediations after the implementation.

The post-implementation reviews of the IT systems performed by RGS in accordance with FFIEC guidelines ensure that the implementation was done appropriately in line with the project plan. Our work, performed by subject matter experts, ensure that the entire life cycle of implementation was handled appropriately and the implementation does not result in data integrity, control or MIS issues that may expose the institution to risks. Throughout our testing and review, we assist in resolving issues that may have occurred while ensuring that supporting information and documentation of the post implementation review is thorough and detailed.

Third-party risks are increasing with increased reliance on these vendors as also the evolving technological and cybersecurity risks concerned. The comprehensive work done by RGS in the area of Vendor Management ensures that institutions have a comprehensive vendor risk assessment and risk management process. RGS can also assist the management in performing vendor due diligence reviews, documenting these comprehensively. RGS process not only mitigates related risks, it is also helpful during related audits and regulatory examinations.

RGS has expertise to address your needs regarding other support required for IT/IS/Cybersecurity and provides various consultancy services to support client needs. Some of these, e.g., User Acceptance Testing and pre- and post-implementation reviews are described in detail below. Please contact us for your specific needs.