Banking & Finance IT —
FFIEC · SOX · GLBA Safeguards Rule

The FTC’s updated GLBA Safeguards Rule (effective June 9, 2023) requires every covered financial institution to: designate a qualified individual to oversee the information security program; conduct and document a risk assessment; implement specific technical safeguards including encryption at rest and in transit, multi-factor authentication, and access controls; oversee service providers with written contracts; maintain a written and tested incident response plan; and deliver an annual information security report to the board. Institutions with 500 or more customers must also notify the FTC within 30 days of discovering a qualifying security breach. IT Center manages all of these requirements as part of your flat-rate managed service agreement.

SOX IT General Controls apply to publicly reporting companies — including bank holding companies with publicly traded securities and banks subject to SEC reporting. Private community banks not subject to SEC reporting are not directly covered by SOX. However, even private institutions are increasingly asked by investors, counterparties, and auditors to maintain ITGC-equivalent documentation. Institutions planning a public offering or acquisition should establish ITGC documentation well in advance. IT Center can assess your specific situation and implement the appropriate level of controls documentation regardless of your current reporting obligations.

The FFIEC Cybersecurity Assessment Tool is a voluntary but widely expected self-assessment that helps institutions identify their inherent cybersecurity risk profile and evaluate cybersecurity maturity across five domains: Cyber Risk Management, Threat Intelligence, Cybersecurity Controls, External Dependency Management, and Cyber Incident Management. While technically voluntary, federal and state examiners routinely ask whether institutions have completed the CAT and expect them to demonstrate awareness of their risk profile and maturity gaps. Completing the CAT and maintaining a remediation roadmap is considered baseline practice for any examined institution. IT Center completes and maintains the CAT as part of your managed service.

When a core banking system outage occurs, IT Center immediately differentiates between infrastructure failures (within our scope) and core application failures (within your core provider’s scope). Our team isolates the failure domain, coordinates with your core provider’s support team, restores connectivity and infrastructure components within our managed scope, and activates your business continuity plan if manual processing fallback procedures are required. We maintain a dedicated escalation path with all major core providers including FIS, Jack Henry, and Fiserv. Post-incident, we deliver a written root cause analysis and any documentation required for regulatory notification or board reporting.

OCC-supervised institutions are examined against the FFIEC IT Examination Handbook, which covers information security, business continuity, and operations. OCC examiners expect documented risk management processes, board-level oversight of IT and cybersecurity risks, evidence of vendor due diligence, and demonstrable testing of business continuity and incident response plans. At the community bank level, the OCC primarily expects evidence-based answers: you know your risks, you have controls in place, and you can demonstrate they work. IT Center prepares and maintains this evidence continuously so that when your exam team arrives, every document is current and every control is operating as intended.

Yes — unambiguously and regardless of institution size. The GLBA Safeguards Rule requires every covered financial institution to maintain a written information security program administered by a qualified individual. The FFIEC Information Security Booklet expects documented security policies and procedures as a baseline. FDIC Part 364 expects information security policies. Your examiners will ask for this document. If you cannot produce it, or if it is outdated and does not reflect actual practices, that is an examination finding. IT Center develops, maintains, and keeps current your written information security program as part of your managed service, ensuring it matches your actual security posture and satisfies examiner expectations at every review cycle.