In today’s banking environment, three IT risk categories present the most immediate concerns for directors and senior management. Fortunately, examining the risk areas appropriately can empower board members to steer their organization’s risk management in the right direction.

Bank directors should understand the current state of each area, how the bank can address the associated risks, and the key questions every board should have on the docket.

Risk 1: Cybersecurity Threats

Few would dispute that cybersecurity breaches — and the costs and risks associated with them — are growing rapidly. The Identity Theft Resource Center (ITRC) reports a more than fivefold increase in the number of data compromises in the U.S. financial services sector between 2020 and 2023. Facing this reality, the basic question on most directors’ minds is, “Do we have the right safeguards in place?”

No one-size-fits-all answer exists, of course, but the cybersecurity disclosure rule adopted by the Securities and Exchange Commission in July 2023 gives board members a useful yardstick: registrants must describe in their annual reports how the board oversees cybersecurity risk and how management assesses and manages it, and must report a cybersecurity incident on Form 8-K within four business days of determining that the incident is material. The rule binds only SEC registrants, but its disclosure topics are a reasonable checklist for any bank board. Beyond the SEC rule, directors should understand the computer-security incident notification rule published jointly by the Federal Deposit Insurance Corp., Federal Reserve Board and Office of the Comptroller of the Currency in November 2021. That rule requires a banking organization to notify its primary federal regulator within 36 hours of determining that a notification incident has occurred, and requires bank service providers to notify affected bank customers of incidents that materially disrupt covered services for four or more hours. Some states have also issued their own notification requirements, adding another layer of complexity.

Banks should provide a fundamental level of cybersecurity training for directors, with direct access to deeper expertise as needed. General staff cybersecurity training and awareness should also be a board priority, along with the establishment of a dedicated cyber incident response team with qualified personnel and a tested communication plan.

The board should review the bank’s cybersecurity insurance coverage, including the incidents and costs it excludes, and should review the System and Organization Controls (SOC 1 and SOC 2) reports the bank obtains from its critical third-party providers, as well as any SOC examinations of the bank’s own services where it acts as a service provider to others. SOC 1 reports cover controls relevant to financial reporting; SOC 2 reports cover security, availability, processing integrity, confidentiality and privacy. For each third-party report, management should confirm that the scope and period cover the services the bank actually uses, that exceptions noted by the service auditor have been assessed, and that the complementary user entity controls the report assumes are in place at the bank are actually operating.

Questions for the Board:

  • When did we last perform data and security risk assessments? What were the results?
  • Are we using the right metrics and reporting standards?
  • Do we have the right people in the right positions?
  • What specific cyber controls have we implemented? How do we know they are effective?
  • How strong is our incident response plan? When was it last updated? How does it correlate with our overall business continuity planning?

Risk 2: Technological Disruptions

There’s a reason so many businesses now market themselves as technology companies. Artificial intelligence, machine learning, robotic process automation and application programming interfaces (APIs) are revolutionizing how many organizations, including banks, do business.

While boards are naturally sensitive to the competitive risks associated with falling behind their tech-oriented competitors, they must be alert to the hidden risks that can be introduced when technology eliminates critical manual controls and checkpoints. At a strategic level, directors should see that management is carefully analyzing the business use cases for proposed technology tools.

Questions for the Board:

  • How actively are we embracing technology? How does technology align with our strategic direction?
  • Are we using available tools to their full extent?
  • Do we have the right oversight and monitoring in place?
  • Do we clearly understand where all our data is stored? What relevant security protocols are in place?
  • Does a proposed technology open new areas of cyber risk? How will it affect our resilience and business continuity planning?

Risk 3: Regulatory Compliance

If history is a guide, banks can expect that any current IT advances soon will be reflected in updated regulatory guidance. The challenge is to avoid falling into a reactionary mode by anticipating and preparing for potential changes.

One way to get ahead of this problem is to avoid letting IT, risk management and the individual business lines operate as silos. Transparency and coordination among all stakeholders help prevent surprises or unanticipated regulatory complications as new technology tools are developed and launched.

Questions for the Board:

  • Do we expect a continued increase in regulatory guidance on IT issues? If so, how will this affect our technology strategy?
  • Who is directly responsible for monitoring new IT-related regulatory guidance? How are we staying on top of evolving guidance?
  • What new technology tools are we adding? How do our controls relate to them?
  • Who is responsible for maintaining open communication among the IT team, risk management, and the various business lines?

By understanding these general areas of IT risk — and by asking the right questions about the associated risk management initiatives — directors can take the first steps toward effectively addressing their organizations’ IT risk management priorities.

WRITTEN BY

Sean Katzenberger

Principal

Sean Katzenberger is principal with the Crowe LLP audit practice. He has more than 15 years of experience providing information technology consulting services. Sean specializes in consulting services for IT risk management, security services, internal audit, Sarbanes-Oxley anti-fraud law compliance, and attestation services in a variety of industries including financial services, manufacturing and distribution, dealerships, healthcare, and the public sector.

WRITTEN BY

Justin Cady

IT Assurance Senior Manager

Justin Cady is an IT assurance senior manager at Crowe LLP with demonstrated experience in Sarbanes-Oxley (SOX) compliance, FDICIA/FFIEC compliance, SOC and IT strategy. Mr. Cady has been providing IT assurance and consulting services for more than 9 years, primarily for clients in the financial services industry. He focuses on SOX compliance engagements and project management.