Operational risk is the risk of loss resulting from inadequate or failed processes, people, or systems. Its root causes may be internal or external events. Operational risk includes the risks posed by a financial institution's use of information technology (IT), which encompasses social media.
The identification, monitoring, and management of IT-related risks are addressed in the FFIEC Information Technology Examination Handbook, as well as other supervisory guidance issued by the FFIEC or individual agencies. A financial institution should pay particular attention to the booklets "Outsourcing Technology Services" and "Information Security" when using social media, and include social media in existing risk assessment and management programs.
Social media is one of several platforms vulnerable to account takeover and the distribution of malware. A financial institution should ensure that the controls it implements to protect its systems and safeguard customer information from malicious software adequately address social media usage. A financial institution's incident response protocol for a security event, such as a data breach or account takeover, should include social media, as appropriate.