What Banks Need to Know About the InTREx Cybersecurity Program

On July 1, 2016, the FDIC updated its Information Technology Risk Management Program (IT-RMP) with the Information Technology Risk Examination (InTREx) Program. Applicable to all FDIC-supervised institutions, regardless of size, InTREx is intended as a more efficient approach to its information technology and operations risk procedures. It enhances cybersecurity preparedness efforts and puts greater focus on identifying, assessing, and validating IT to ensure that management is able to effectively address institutional risk.

InTREx will significantly change how banks plan and perform audits, with respect to timing components, and reporting.

An InTREx Audit Checklist for Banks

• At least 90 days prior to an IT examination, your bank will receive an Information Technology Profile through FDICconnect. While this profile is less than half as long as the IT-RMP Officer's Questionnaire, the questions specifically provide FDIC examiners with the data necessary for your audit.

• At least 45 days before the scheduled exam date, the IT examiner-in-charge will send you an IT Request Letter listing additional items and documents needed. Providing this vital examination information ahead of time will reduce the stress of having to produce documents on demand when the examiners are on site.

• The IT Technology Profile and IT Request Letter responses allow the examiner to take a more risk-based approach to your audit. The information enhances their ability to addresses specific high-risk areas of your bank business and operations. They will use InTREx Core modules and appropriate work papers to assess risk and document procedures, recommendations, and findings.

• For institutions with more complex IT environments, examiners will perform additional procedures, including the use of supplemental work programs and the FFIEC Information Technology Examination Handbook.

• InTREx reports will continue to use the Uniform Rating System for Information Technology (URSIT) to generate an overall composite score for the institution. That report comprises URSIT component ratings, recommendations, findings, management responses, and information on cybersecurity preparedness and the institution’s compliance with standards. 

In our highly digital and rapidly changing environment, banks must be prepared to do more than react to IT issues. World-class institutions are building in measures to anticipate hard and soft trends in cybersecurity, IT systems design, and risk management.  

These new InTREx examination processes and reports are designed to ensure adherence to FDIC guidelines. They also are intended to help banks to be proactive about risk as they design their IT strategy. That said, it bears reminding that while InTREx intends to aid in the process of assessing your risk environment, it should be only one piece of a comprehensive IT plan.

Institutions that limit their risk mitigation efforts to the minimum required by regulation and legislation miss out on the opportunity to transform risk challenges into a competitive advantage. As online banking, mobile deposit, and bill pay become the norm, your institution can only benefit from the ability to communicate that you have a proactive, sweeping approach to securing your systems and data.

The new InTREx audit standards are yet another statement of recognition that innovation brings risk. Progress requires regulators and businesses to enhance their understanding of how to protect the cutting-edge technologies and products driving growth in the banking industry. If you have questions about how these new audit standards will impact your bank, or how to build a richer cybersecurity strategy into your growth plans, contact us anytime. 

Join the conversation and receive updates of new posts: