CMS Case Study
Cloyd Bank and Trust Risk Assessment Summary 2020-2021
Audit Area: Information Systems & Technology

Definition (score range)

High (21-30): Potential violations of high profile regulations with potential fines, legal liability or costly corrective action are possible. Material financial misstatement is possible due to incorrect handling of infrequent, complex transactions or estimates. Critical management decisions may be based on these financial areas. Complex manual or automated systems are new, critical to management decision making, or important to product delivery. Controls are nonexistent or known to be weak. Major changes since last audit are anticipated this year or not recently reviewed. Management lacks experience or places low priority on internal controls.

Moderate (11-20): Significant regulatory requirements are evident; however, regulatory expectations are clear, seasoned, and considered routine. Violations if any will be technical in nature. Material financial effect is possible; however, activity is routine and noncomplex and errors would be readily evident in normal operations. Seasoned and complex manual or automated systems are important to management decision making or product delivery; however, collaborating or alternative back-up systems exist. There is no basis for control assessment, or they are thought to be weak. Minor changes since last audit are anticipated this year. Management has average experience.

Low (0-10): Regulatory requirements are limited to low-profile regulations and law issues that warrant action but have significantly lower levels of risk. Impact on accurate timely financial reporting is minimal. Likelihood of material financial reporting effect is negligible. Noncomplex systems and operations are seasoned, with well-established backup routines. Controls are strong or adequate. No changes since last audit are planned this year. Management is experienced and has high priority on controls.

Risk Factor: Compliance
Score: 13
Rationale: The IT function is subject to the requirements of the FFIEC guidelines, information security program requirements, and the various regulations as information systems help facilitate other banking areas. Additionally, the Gramm-Leach-Bliley Act impacts the information systems and technology of the Bank. The Bank has a designated Cyber Security Officer who is responsible for IT activities. The FDIC Safety and Soundness Exam in January 2019 found no compliance issues related to IT activities.

Risk Factor: Nature of Transactions
Score: 19
Rationale: Information technology serves as the foundation for the majority of the Bank's functions, processes, and transactions. Although the IT environment is dynamic, it is well controlled and the processes are routine in nature.

Risk Factor: Nature of Operations
Score: 20
Rationale: Due to the complexity of the overall IT environment and the importance of the function, the level of risk associated with the nature of IT operations is comparatively higher than that of some other banking functions. Cybersecurity continues to be an important risk.

Risk Factor: Internal Controls
Score: 10
Rationale: Control activities are in place within the IT function. As mentioned above, the Bank has a designated Cyber Security Officer who oversees the IT function. The Bank has formed an IT Steering Committee, and has completed and implemented an IT Strategic Plan and an IT Risk Assessment. Additionally, IT has developed a disaster recovery plan. The most recent IT internal audit resulted in five recommendations. The most recent FDIC Safety and Soundness Examination (January 2019) rated IT as satisfactory with no recommendations.

Risk Factor: Changes to systems, processes, or procedures
Score: 20
Rationale: The IT environment is very dynamic and subject to frequent changes. The Bank has selected a new core platform, FIS D&A; expected implementation is 2Q2022.

Risk Factor: Management
Score: 10
Rationale: Members of management have achieved their positions within the Bank because of their level of knowledge, demonstrated skills, and experience within the IT and banking industry. A strong emphasis will be placed on maintaining a sound control environment.

Risk Score: 92