New Pandemic Guidance Issued

Interagency Memo Details Actions to be Included in Business Continuity Plans
New Pandemic Guidance Issued
The Federal Financial Institutions Examination Council (FFIEC) has just issued an interagency statement on pandemic planning for financial institutions. This guidance lays out the actions and framework that institutions should address in their business continuity plans to minimize the potential impact of a pandemic disaster.

According to Michael Jackson, Associate Director, Division of Supervision and Consumer Protection Technology Supervision Branch of the FDIC, each institution should have as part of its plan a documented pandemic strategy that provides for:

Preventive program;
Events and stages of a pandemic outbreak;
Comprehensive framework to continue critical operations;
Testing and oversight program to ensure regular reviews and updates.

The FFIEC statement on Pandemic Planning supplements the previous guidance from agencies released in March 2006 and late 2007.

Coincidentally, this actions comes on the heels of the release of Information Security Media Group's State of Information Security 2008 survey, which reveals that, of all potential disasters, financial institutions by their own assessment are least prepared for pandemics.

Accounting for Scale

One of the issues the agencies wanted to address in this ongoing supervision is that pandemic plans need to fit the needs and size of an institution.

"For a small bank we're not expecting to see a 100-page plan with a rigorous testing plan in place -- we want it to fit the institution, depending on the footprint of the bank and the needs of the institution and its customers," says Mark O'Dell, Deputy Comptroller of Operational Risk at the Office of the Comptroller of the Currency.

At this time, the FDIC's Jackson sees that institutions' progress on pandemic plans range widely - and this is a disparity that needs to be addressed. "Some are waiting and just making slight changes to their BCP, and some think they have more time to work on their plan."

This statement gives institutions the push to expand their business continuity plans to include more pandemic planning, Jackson notes. "The pandemic plans should be sufficiently flexible to address a wide range of possible effects and outcomes from a pandemic. This statement gives institutions a good start on a framework to either start a pandemic planning program or expand on their existing one."

Starting Points

Jackson suggests that institutions begin by comparing what they have in their existing plan to what is in this FFIEC statement. He also notes that the list of referenced websites in the statement should be checked for new information to update plans.

The boards of directors at institutions should review the statement and pandemic planning guidance, too, as they ultimately will be held responsible for their institution's pandemic plan, Jackson notes. "This has been articulated in the previous guidance and this statement. The board of directors being held accountable is not necessarily a negative, we think. With the proper planning and preparation, each institution will be successful in meeting the guidance's' requirements in having a viable, tested plan in place."

The need to ensure that third-party service providers are able to meet the needs of the institution should also be considered in pandemic plans.

Institutions may also want to consider getting amendments to their existing agreements with vendors that will ensure the vendor will be able to provide at least a minimum level of service or goods to the institution during a pandemic.

Having other vendors in place as back-up to the primary vendors may be a consideration for institutions to pursue. One of the unique differences between a pandemic and other catastrophic events is the staffing challenge presented by potentially high levels of absenteeism due to illness or family members falling ill during the pandemic.

Be Prepared

Although this new guidance does not come accompanied by a hard deadline by which institutions must demonstrate compliance, the interagency message is clear: Be prepared for your next examination.

"Have your plan ready, and tested, have multiple back-up sites and vendors prepared to deliver to those sites," Jackson says.

Because of the multiple "unknowns" that may occur during a pandemic, along with considering that a pandemic would spread across wide geographic areas, institutions may need to have multiple sites for back-up operations.

"The most important part of the pandemic plan is the human element. It has to be considered more in planning for a pandemic," Jackson notes. Institutions may also want to look at possibly using remote deposit capture to help with the social distancing issues that they and their customers may face during a pandemic. "You will be able to have less interaction with the customers and still be able to provide a high level of service."


About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.




Around the Network