Banking Industry Still Lags on Cybersecurity
BRENTWOOD, TENN., March 21, 2016 –More than three-quarters of the bank executives and board members responding to Bank Director’s 2016 Risk Practices Survey, sponsored by FIS™, indicate that cybersecurity is their top risk concern, for the second year running. More respondents (34 percent) say their boards are reviewing cybersecurity at every board meeting, compared to 18 percent in last year’s survey, indicating an enhanced focus on cybersecurity oversight. Additionally, more banks are now employing a chief information security officer (CISO), who is responsible for day-to-day management of cybersecurity.
However, the survey results also reveal that many banks still aren’t doing enough to protect themselves—and their customers. Fewer than 20 percent of respondents say their bank has experienced a data breach, but those who do are just as likely to represent a small institution as a large one, further proof that cybersecurity can no longer be discussed as only a “big bank” concern.
The 2016 Risk Practices Survey examines risk governance trends at U.S. banks, including the role of the chief risk officer and how banks are addressing cybersecurity. The survey was completed in January by 161 independent directors, chief risk officers (CRO), chief executive officers (CEO) and other senior executives of U.S. banks with more than $500 million in assets.
The survey also reveals concerns about a low level of board engagement with the CRO. Eighty-six percent of respondents say their bank employs a CRO or someone responsible for oversight of the bank’s risk management program. However, more than half indicate that the board never meets with that individual privately.
Key findings include:
- Sixty-two percent of respondents indicate their bank has used the cybersecurity assessment tool made available by the Federal Financial Institutions Examination Council, and have completed an assessment. However, only 39 percent have validated the results of the assessment, and only 18 percent have established board-approved triggers for update and reporting. Bank regulators have started to use the tool in exams, and some states are mandating its use.
- Seventy-eight percent indicate that their bank employs a full-time CISO, up from 64 percent in last year’s survey.
- The majority, at 62 percent, say the board primarily oversees cybersecurity within the risk or audit committee. Twenty-six percent govern cybersecurity within the technology committee.
- Forty-five percent indicate that detecting malicious insider activity or threats is an area where the bank is least prepared for a cyberattack or data breach.
- Just 35 percent test their bank’s cyber-incident management and response plan quarterly or annually.
- Almost half report that the bank has a CRO exclusively focused on risk, while 37 percent have an executive who oversees the risk management function but is also focused on other areas of the bank.
- Just 21 percent indicate the CRO’s performance is reviewed, and compensation determined by, the board or a board committee.
- Forty-eight percent of respondents govern risk within a separate, board-level risk committee, and 65 percent have at least one director who is considered to be a risk expert.
- Forty-five percent indicate that risk performance is not incorporated into their bank’s compensation programs for senior management or the board.
- Just 55 percent indicate their bank has a risk appetite statement, which defines the acceptable amount of risk for an organization.
Full survey results are available online at BankDirector.com, and will be featured in the 2nd quarter 2016 issue of Bank Director magazine.
ABOUT BANK DIRECTOR
Since 1991, Bank Director has served as a leading information resource for the directors and officers of financial institutions. Through its quarterly Bank Director magazine, executive-level research, annual conferences, and its website, BankDirector.com, Bank Director reaches the leaders of the institutions that comprise America’s banking industry. Bank Director is headquartered in Brentwood, Tennessee.
ABOUT FIS
FIS is a global leader in financial services technology, with a focus on retail and institutional banking, payments, asset and wealth management, risk and compliance, consulting, and outsourcing solutions. Through the depth and breadth of our solutions portfolio, global capabilities and domain expertise, FIS serves more than 20,000 clients in over 130 countries. Headquartered in Jacksonville, Fla., FIS employs more than 55,000 people worldwide and holds leadership positions in payment processing, financial software and banking solutions. Providing software, services and outsourcing of the technology that empowers the financial world, FIS is a Fortune 500 company and is a member of Standard & Poor’s 500® Index. For more information about FIS, visit www.fisglobal.com.
FIS is ranked # 1 in Chartis 2016 RiskTech 100® and provides clients a 360-degree solution set of products and services that enable enterprise risk management, information security, enhance overall compliance programs and mitigate risk through a best practices-based model that ensures regulatory compliance proficiencies now and in the future.
Source: BankDirector.com
Contact: Michelle King, chief brand officer, (615) 777-8465, [email protected]