Financial Institution Pandemic Plans in Action

Those of us in the business of community banking know all too well the impact a pandemic can have on our companies’ reputation, our customers, our employees and the nation as a whole.  At least, we thought we knew!

For close to 15 years, financial institutions, including banks and credit unions, were required to perform pandemic planning as part of their overall disaster recovery and business continuity planning.  Many of us produced a pandemic plan document that followed regulatory guidance issued in 2007. Some of us finally got our plans into place several years later pursuant to an audit or exam finding. Many of us at this point have only performed tabletop testing of our plans.

But did we really take those tests and scenarios seriously?  How could we? The magnitude of this most recent worldwide pandemic hasn’t happened since the 1960s. How could we imagine that more than a few people would need remote access, or that there would be a worldwide shortage of hand sanitizer and surgical masks?

As a career banker and now a consultant working with banks and credit unions, I wanted to share with you a few early lessons learned. These are based on real-time situations we are working through with our bank and credit union clients, as well as real-time communications by regulators and auditors.

Remote Work Considerations

By far the biggest challenge our clients are facing is addressing the work-from-home needs of a much larger percentage of their employee base than previously planned. Whether it’s due to kids being home from school, sickness or social distancing measures, it is clear that going forward our Pandemic Plans should build in considerations for a much greater impact. Consider the following:

• Laptops – Increased demand caused the supply of laptops to dry up quickly. Revisit your Pandemic Plans to ensure enough hardware will be available for remote workers. Also, remember that laptops that have never been connected to the network – or have not for some time – will need to be updated, as well as have current patching and anti-virus solutions installed. As a last resort, some of our clients are allowing limited use of personal home devices. In these cases, it is imperative that appropriate measures are taken to secure the environment, such as the use of a mobile device management solution.
• Remote Connectivity / VPN – Banks and credit unions have historically limited remote access to network and core to a small pre-approved list of essential personnel, usually at the senior level. Now, they are adding layers of personnel found to be essential at all levels. Consider revisiting your Pandemic Plan to include tranches of remote access in line with expected government actions amidst the progression of the pandemic.
• Meetings / Workgroups – In keeping with the traditional culture at many community banks and credit unions, department meetings, executive meetings and board meetings are still primarily in-person events. Some of our clients had limited phone conferencing and even then did not use it often. The current pandemic has swiftly changed that with board meetings being held as remote events. Companies around the world, including financial institutions, are looking to solutions like All Covered’s Managed Voice, Zoom Meetings and Microsoft Teams to facilitate everything from board meetings to employee collaboration activities. Your Pandemic Plan should incorporate the use of such technology.
• Telecommunications – The sudden increase in remote workers can cause traffic and bandwidth issues. If your bank or credit union has not invested recently in upgrading your network infrastructure, you may encounter issues with slowness and connectivity. Additionally, clients are realizing that personal cell phones, often covered by BYOD policies, are not suitable for longer term work from home options. Work with All Covered to address these issues, from telephony to network infrastructure. Consider options to optimize performance and include them in your Pandemic and Business Continuity Plans.

Information Security

Now more than ever, financial institutions are being bombarded by malicious threat actors trying to take advantage of the heightened employee anxiety and rapidly changing technology implementations caused by a remote workforce.  While our bank and credit union clients are swiftly implementing remote access for employees, keep in mind these important security considerations:

• Employee Cyber-awareness – Keep employees on their guard by regularly sharing information on current threats, such as:
• FBI Fraud Alert I-032020-PSA: https://www.ic3.gov/media/2020/200320.aspx
• U.S. Attorney Advisory: https://www.justice.gov/usao-or/pr/us-attorney-shares-tips-avoiding-covid-19-scams-targeting-vulnerable-populations
• Security Controls and Monitoring:

1. Remote Access Security: Remote access to your bank or credit union network should be secured via a secure, encrypted virtual private network (VPN) tunnel with multi-factor authentication.  Other options are solutions like GotoMyPC and VNC, as long as you can document that adequate security and encryption are in place.  Unique to the All Covered Finance Vertical is our ability to leverage Solarwind’s N-Central Remote Control technology, which provides secure remote access, with the controls mentioned earlier, as well as reporting.

2. Remote Access Reporting: No matter what remote access method you choose to use, be sure that reports are available to monitor remote user activity, and that these reports are regularly reviewed (recommended weekly) by your Information Security Officer.
Servicing Customers

Community banks and credit unions have a long history of partnering with the community in a time of crisis; weather related or otherwise. Here are some actions being taken by our clients to make sure customers are supported while keeping their employees safe. Consider building these into your Pandemic Plan:

• Online and Mobile Banking – Remind customers they can use these methods to conduct their routine banking, including remote deposit. Hold your website provider accountable for accommodating increased traffic to your website and online banking.
• Strategic Branch Closures – Our clients who have branches quite close to each other (within 5 miles) are closing locations and directing branch traffic to alternate locations.
• Lobby Closure – Several clients have closed lobbies to protect their customers and employees. Drive-throughs remain open and in some cases offer extended hours. Tellers who typically work the window are now manning additional drive-through lanes.
• Automated Teller Machines (ATMs) – Consider increasing the total amount and denominations where appropriate to accommodate potential increase in customer cash needs.
• Lending Considerations – The FFIEC has released guidance requesting that banks and credit unions work with their customers who may be temporarily unemployed due to the crisis. Consider this scenario in your company’s Pandemic Plan.

Employee Well-being

Perhaps the most important item to consider in dealing with a pandemic is the health and well-being of your employees. While most of the workforce remains healthy, the burden of home schooling children and the constant bombardment by the media can lead to anxiety and depression. Your Human Resources department should play an important role in calming and reassuring the employee base, leading to enhanced productivity.  Some of our clients are extending PTO in advance of the spread of the infection to give their employees peace of mind that should they fall ill, they will still receive a paycheck.

We hope you find this information helpful both in dealing with the coronavirus pandemic and also in strengthening your existing Pandemic Plan. All Covered is here to assist you with your Business Continuity and Pandemic Planning needs. From remote access and cybersecurity solutions, to policies, procedures and testing, our talented information security and compliance professionals are here to help.

reach out to us