Why end-of-life management is crucial and how to approach it
In 2015, information technology (IT) research firm Gartner predicted that, “6.4 billion connected things will be in use worldwide in 2016, up 30 percent from 2015, and will reach 20.8 billion by 2020.” Consider the amount of software and applications housed on each of those 6.4 billion pieces of hardware (not to mention 2020’s predicted 20.8 billion devices), and the technology in use exponentially multiplies.
Now, look at your particular world. How much hard and soft technology is in use at your institution? This isn’t a rhetorical question; it’s a regulatory one that too many institutions cannot answer adequately. Nor do they have a satisfactory handle on the amount of their hardware and software reaching obsolescence—the process of becoming obsolete or outdated—which is an escalating condition due to the increasingly rapid pace of technology innovation.
Seven months ago, the Federal Financial Institutions Examination Council (FFIEC) revised its Information Security (IS) Booklet, which among other things provided more granular guidance regarding the inventory, classification and lifecycle management of technology assets. Institutions that haven’t addressed this guidance are risking more than they may realize.
Technology obsolescence has reached a tipping point where those not paying attention to approaching end-of-life hardware and software are going to find themselves in serious trouble. Eureka Magazine, which reports on technology innovation, calls today’s atmosphere a “fourth industrial revolution, a time where smart factories will be run with minimal human intervention and more reliance on intelligent, connected devices to run industrial systems. The consequence of this is that hardware and software is now going obsolete faster and faster, far before it has outlived its usefulness.”
4 Significant Reasons Why End-Of-Life Management Is Crucial
Our industry is no different; bank technology is reaching obsolescence at a record pace. Despite that trend, IT departments struggle to convince senior management of the need for end-of-life strategies and new technology investments when existing systems still appear useful to bank leadership. Unfortunately, and too often unbeknown to leadership, that assumed remaining usefulness of obsolescent technology carries with it a very high degree of risk.
Here are four compelling reasons to start looking into more concrete and robust end-of-life management:
Your customers expect it: Today’s consumers have grown accustomed to at-their-fingertips technology that handles nearly any task for them. And the more technology they acquire, the more they desire. This insatiable consumer demand is one of the key drivers of technology innovation, and consequently of technology obsolescence. The app or device du jour is passé tomorrow.
Given this appetite, consumers have little patience or interest in financial institutions that do not keep pace. After one institution experienced multiple, well-publicized online banking outages and other serious IT glitches caused by outdated technology, ComputerWeekly called it “a shadow of its former self,” explaining that, “the digitization of customer services at banks is not only putting huge pressure on legacy systems but exposing every failure in near real time. Even news of a small failure that lasts only minutes can be spread to millions via social media.” Few institutions can afford that kind of viral hit job on their reputation.
Your cybersecurity demands it: In addition to consumer demand for evolving technology, the increasing speed of hardware and software development also is being driven by cybercrime. As each new device or application is introduced to the marketplace, cyber criminals immediately seek out its possible vulnerabilities. Technology companies answer with patches and updates to maintain a secure environment, but new technology eventually becomes the more (or only) effective solution, thus pushing existing technology into obsolescence.
Financial institutions that don’t pay attention to deployed technology that is reaching obsolescence face a much greater risk of cyberattack than those who do. Tech firm Rackspace explains why: “Security risks are the number one danger of older technology. The older your operating system or application, the longer the bad guy hackers have to find and exploit vulnerabilities. This is especially true when the manufacturer is no longer actively maintaining support.” Institutions that continue to use hardware or software that is obsolete or no longer supported are only making it easier for cybercriminals to gain access to their systems and data.
Your regulatory examiners require it: Verizon’s 2016 Data Breach Investigations Report noted that, “no locale, industry or organization is bulletproof when it comes to the compromise of data,” and PwC’s Global Economic Crime Survey 2016 reported that cybercrime was the second-most-reported economic crime last year. So, given the growing threat of cybercrime, regulatory interest in the cybersecurity measures of financial institutions has become a significant focus.
The updated FFIEC IS Booklet is clear: It requires appropriate end-of-life management for hardware and software assets, calling on management to “plan for a system’s life cycle, eventual end of life, and any corresponding security and business impacts. Security risks related to reaching a system’s end-of-life include a) the increased potential for vulnerabilities because the third party no longer provides patches or supports, b) incompatibility with other systems in the institution’s environment, and c) limitations in security features in older and obsolete systems.”
Your bottom line depends on it: Institutions invest in new technology to increase efficiency, a smart way to strengthen the bottom line. Failing to seek new solutions or alternatives for outdated technology results in limited efficiency gains along with the customer attrition, cybersecurity vulnerability, and regulatory trouble discussed above, all of which negatively affect the bottom line.
4 Important Tasks for Improving End-Of-Life Management
Institutions should undertake these tasks before their next IT examination in order to show they are addressing technology obsolescence.
Review and revise the end-of-life management section of IT policy: Regulatory examiners want to see that institutions are aware of and addressing technology obsolescence. In addition to identifying which department or individual owns end-of-life management, show your institution’s commitment to it by addressing these end-of-life directives, deemed necessary by the FFIEC, in your IT policy:
- Develop and maintain an inventory of all technology assets
- Create and adhere to a board-approved “sunset” policy for older technology
- Track technology changes, availability of updates and vendors’ end-of-life plans
- Conduct risk assessments on technology to determine approximate life expectancy
- Devise a plan for replacing technology approaching obsolescence
- Develop procedures for securely erasing data from hardware being returned to vendors
Update your technology inventory: After calling for it in your IT policy, your institution needs to ensure that its existing technology inventory is up to date and contains all the necessary information about its various technology assets. The updated IS Booklet indicates the inventory should be comprehensive, capturing all technology assets, and must classify “the sensitivity and criticality of those assets, including hardware, software, information, and connections.” Make sure your inventory includes every hardware device, including servers, computers and printers, along with every software application in use, even those that are cloud based.
Start this update by requesting a list of all technology-related vendors and purchases from the accounting department since the date of your most recent inventory. From those records, update your inventory to include the vendor, manufacturer or developer name; the age; and the serial or license number of all assets not included on your existing inventory. Then conduct a physical or digital inspection of all assets on the inventory to determine what is still in use and the criticality to your operations.
Keep in mind, enterprise-wide software solutions will be easy to detect and verify; however, one-off software programs used by individual departments can be more difficult to identify. As a cross-check, request a list from every department of all the software being used in their areas.
Create an end-of-life schedule for all existing inventory: Once your institution has a comprehensive inventory of its technology assets, assess the lifecycle status of each and note it on an end-of-life schedule. Start this assessment with the oldest assets deemed most critical during your inventory and go down the list from there.
For each asset, consult the contract or purchase agreement, as well as the vendor’s website to determine its lifecycle status. Most hardware manufacturers and software developers provide ample notice when phasing out a product. During this investigation, make sure the owner of end-of-life management is set up to receive those notices rather than individual departments. And finally, initiate a plan for replacement for soon-to-be obsolete assets.
Incorporate a standard process for identifying and assessing all new technology purchases: Accounts payable should generate a notice to the owner of the technology inventory and end-of-life schedule for any new purchases made, so that these assets can be appropriately assessed, classified and monitored for future end-of-life management.
Take Control of Technology Obsolescence
For good reason, financial institutions have steadily built up their technology assets over the last several decades with hardware and software solutions that can help solve issues, streamline processes or simplify compliance. It’s time to realize, also for good reason, that institutions must pay more attention to the lifecycle of these assets. This includes replacing assets beyond their usefulness in functionality and/or security, as well as developing a plan to replace assets nearing end-of-life.
Technology obsolescence runs rampant in today’s environment, but it doesn’t have to run your institution. Awareness among the board of directors and senior leadership that translates into the end-of-life actions described above will put your institution back in full control of its technology assets–a posture federal regulators expect and require.
Keith Monson serves as CSI’s chief risk officer. In this role, Monson maintains an enterprisewide compliance framework for risk assessment and reporting, as well as other key components of CSI’s corporate compliance program. With nearly 25 years of banking experience, he has a wide range of expertise in the compliance arena, having served as chief compliance officer for both large and small financial institutions.