FFIEC Warns Institutions, Providers and Third Parties of Potential Operational Risks

Time is running out for financial institutions that are still using Microsoft’s 12-year-old XP operating system (OS). Microsoft will stop supporting XP as of April 8, 2014, meaning users will no longer receive security patches or technical support. The Federal Financial Institutions Examination Council (FFIEC) is warning federally insured depository institutions to act quickly or face potential security breaches, software incompatibility and noncompliance with the Payment Card Industry Data Security Standard (PCI DSS). Bottom line, failing to upgrade could lead to disruption of critical applications and impact customers.

Remarkably, nearly one in three PC users still runs XP.¹ Given this large percentage of systems still on XP, time and resources to manage the transition are likely to be limited. Immediate action is required.


As Microsoft warns on its website, “If your organization has not started the migration to a modern desktop, you are late.”

For financial institutions, this boils down to security, compliance and functionality. With no vendor patches or stress tests in the offing, XP’s retirement means desktops utilizing this moribund operating system will be widely susceptible to hacking and malware. Designing and installing patches internally is an option, but this would require both vendor-level access to source code and considerable time and effort to push updates to affected workstations.

Enterprises with PCI DSS compliance requirements for point-of-sale and other payment systems have an additional concern. Failure to migrate is a breach of PCI DSS Requirement 6.1, which mandates that merchants “ensure that all system components and software are protected from known vulnerabilities by having the latest vendor-supplied security patches installed.”

Aside from the risk of intrusion, financial institutions that ignore the deadline may experience outright system failure or incompatibilities with mission-critical applications, the FFIEC warns.

According to the FFIEC, financial institutions should follow their risk management processes to address the risks from the continued use of XP, consistent with the risk management guidance contained in the FFIEC Information Technology (IT) Examination Handbook. Important considerations include:

  1. Performing assessments to determine the risk of continuing to use XP
  2. Selecting appropriate mitigations in light of costs and potential risks
  3. Conducting planning to ensure appropriate changes related to third-party migration
  4. Monitoring and reporting the risk mitigation to ensure incurred risks are acceptable

Challenges and Opportunities

Potential pitfalls

Companies will find many of their tertiary applications – less complex applications created to facilitate specific and/or critical business tasks – to be incompatible with Windows 7 or Windows 8. This is particularly a problem with legacy Microsoft functions or programs that were not written for the latest operating systems. The same goes for certain intranet programs written for XP’s Internet Explorer 6 – these may not work on later versions of Internet Explorer.

In addition, some native applications on XP are unavailable on Windows 7, such as Windows Mail, Messenger, Address Book, Photo Gallery and MovieMaker. Institutions that depend on any of these to perform key business activities will have to find an alternative. There is also a significant chance that the broader workforce at these institutions will be unfamiliar with the new OS, because both Windows 7 and Windows 8 differ markedly from XP in look and feel.

And finally, because XP is so advanced in age, many institutions’ existing terminals may not be able to support an upgrade to Windows 7 or Windows 8. Something as simple as a missing driver, for example, could leave key peripherals such as printers and monitors unusable.


Opportunities

Upgrading to Windows 7 or Windows 8 not only will enable user desktops to achieve better and faster performance, but also will deliver stronger security. This upgrade is an opportunity for administrators to implement controls that will further protect the institution’s IT environment.

The upgrade also provides an opportunity to review or establish an accurate IT systems inventory and to evaluate program licenses. Enterprise users may be overpaying for licenses – or, even worse, underpaying, with the potential for significant fines from software vendors. Migrating will enable IT staff to inventory software by user, rationalize uses, and either purchase or discontinue licenses.

Our Point of View

Financial institutions still using XP should take the following steps to make the transition to a new OS:

  • Perform a detailed inventory to determine what applications exist within the current environment and which are business-critical in nature. Administrators must then decide not only how to migrate to a new OS, but also which new platform to choose and how the migration will be executed.
  • Conduct a thorough review of your hardware – not only to determine upgrade capabilities, but also to assess business needs. Are there opportunities for retirement or consolidation of functionality? Is this the time to add tablets to your operation? If so, Windows 8 may be a better OS choice. Do your users require a number of aging tertiary programs to complete essential functions? If so, Windows 7 may be required, because it offers XP virtualization that would continue to support those applications. Before you make a decision, conduct compatibility testing on your new OS and, if the PCI Security Standards Council’s (PCI SSC) requirements apply to your organization, check your essential payment programs against the Payment Application Data Security Standard (PA-DSS) list of validated payment applications.
  • Conduct a cost-benefit analysis before making your choice. Your hardware inventory may reveal the opportunity to refresh old machines inexpensively for little more than the cost of a Windows 7 license.
  • Consider user segmentation in imaging your workstations. Organizations often take installation shortcuts by creating a single, all-encompassing image. Save time and computing resources by offering various images custom-crafted for different tiers of users.
  • Based on the assessments and resulting decisions, develop and execute a comprehensive remediation and testing plan to ensure that all critical functionality will perform appropriately in the new environment.
  • Consider the user adoption implications, and implement an appropriate communication and change management plan to shepherd users through the change curve. Windows 7 feels much different from XP, and Windows 8 is even more of a departure. Your IT staff will be too busy dousing (hopefully small) fires to guide dozens or hundreds of users through the change individually.
  • Develop the necessary support structure to deal with the inevitable issues that will arise, and ensure that your IT department is fully staffed and prepared to deal with them. Line up third-party experts and providers, as needed.

Finally, don’t delay this project. IT system migrations are a tremendous undertaking, and your in-house staff will likely be tied up and unavailable for regular duty as the project is undertaken. If you plan to hire a consultant, act quickly. The demand for assistance with this challenge is vast.

How We Help Companies Succeed

Protiviti’s phased approach to Windows 7 migration is controlled, flexible and transparent. We organize this project in phases to ensure manageable work segments are performed in a logical sequence. Our approach enables clients to participate actively at key decision points to ensure that the engagement is tailored to the organization’s specific needs and to facilitate effective integration and transition.

Our services include:

  • Program management – We ensure executive-level awareness, conduct detailed planning and approvals, perform ongoing status tracking, and undertake issue and risk tracking and resolution.
  • Application inventory and rationalization – We identify tertiary applications and rationalize the new Windows 7 environment.
  • Proactive deployment planning – We adopt a realistic approach and timeline to help implement the migration within established time constraints.
  • Scalable project team – Through established relationships with Robert Half Technology, our sister staffing organization, we bring the right team with the right skills, in the optimal quantity, to ensure timely completion.

Benefits our clients gain from these services include:

  • Known costs to manage to and forecast, including resources, hardware and application licensing
  • Cost-saving opportunities with regard to enterprise/bulk licensing for third-party applications
  • Centralized end-user management
  • Lower costs for help desk and desktop support
  • Standardized and centrally understood application environment
  • Rationalized application inventory and licensing


A large global financial services provider required Windows 7 migration for several thousand workstations in more than 800 locations across a variety of business units with unique deployment and application needs.

Protiviti was engaged early in the effort to scope out and communicate the overall program. We worked with our client to establish a formal structure and used existing processes in the organization to validate the approach, obtain business buy-in, and secure initial and ongoing funding.

Our program management included executive updates, issue resolution, business partnering and integration with other large efforts across the enterprise.

This was a large-scale and extremely complex undertaking. We helped our client inventory workstation-level application usage and evaluate the compatibility of tertiary applications for Windows 7 deployment. This step, essential to the Windows 7 migration, also provided our client with a process for establishing a more formal, centralized application licensing regimen.

Finally, we addressed residual risk by mitigating certain security vulnerabilities, such as application installation capabilities at the workstation level.

About Protiviti

Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 35 percent of FORTUNE 1000® and FORTUNE Global 500® companies. Protiviti and its independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries. The firm also works with smaller, growing companies, including those looking to go public, as well as with government agencies.

Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.

Tom Andreesen
+1.312.476.6318
Ed Page
Michael Schultz
Andrew Retrum