04/22/2015

Do Banks Walk the Talk on Cybersecurity?


Did a week pass in 2014 without reports of a major cyberattack or data breach? In July, JPMorgan Chase & Co. discovered that hackers had breached more than 80 million customer accounts, and attacks on retailers such as Home Depot and Target cost the financial services industry hundreds of millions of dollars. This year doesn’t promise to be any better. Are bank boards taking the threat seriously?

Bank Director’s 2015 Risk Practices Survey, sponsored by banking and payments technology firm FIS, focused on how banks are managing risk, including the board’s role in oversight and creating a culture to promote and support risk management throughout the organization. Respondents included 149 bank CEOs, chief risk officers, board members and other senior executives from U.S. banks with more than $500 million in assets, providing insight into smaller institutions that aren’t subject to many regulations that dictate the bank’s approach to risk.

Cybersecurity risk is certainly top of mind for bank executives and board members. Eighty-two percent identify cybersecurity as the category of risk that concerns them most, far outpacing more traditional compliance (52 percent), credit (37 percent) and operational risk (35 percent) issues. This anxiety over cybersecurity risk has increased significantly since the 2014 survey, when 51 percent said cybersecurity distresses them most.

Regulators are taking notice, too. In a December 2014 memorandum, New York Superintendent of Financial Services Benjamin Lawsky announced an expanded examination process for banks chartered in that state, broadening the department’s focus on cybersecurity. The updated procedures will include a look at these institutions’ corporate governance structures as they relate to cybersecurity. As a result of a cybersecurity assessment of community banks conducted the previous summer, the Federal Financial Institutions Examination Council (FFIEC), in November 2014, expressed a “need for engagement by the board of directors and senior management,” which would include a thorough understanding of the bank’s cybersecurity risk and routine discussion of cybersecurity issues within board meetings.

However, board practices for many financial institutions haven’t caught up to today’s threats. Cybersecurity may be top of mind, but a whopping 82 percent of respondents say their directors don’t discuss the issue at each board meeting. Just half believe that preparing for a cyberattack rates as one of their bank’s top risk management challenges. Within the committee tasked to focus on risk (whether that’s a separate risk committee, as reported by 47 percent, a combined audit/risk committee, at 27 percent, or the audit committee, at 14 percent), less than half review the bank’s cybersecurity plan.

“I think this reflects the quick catch-up that the industry needs to do,” says Sai Huda, senior vice president and general manager of enterprise governance, risk and compliance solutions with FIS.

Evidence of that lack of focus on cybersecurity is reflected by the cybersecurity budget at many banks. Sixty percent indicate that less than 1 percent of their bank’s revenue was dedicated to cybersecurity in fiscal year 2014, with just more than half planning an increase of less than 10 percent. “Unfortunately today, the board isn’t talking about it [at] every single board meeting, they’re not reviewing the plan and so naturally the budget reflects that,” says Huda. He notes that banks often increase cybersecurity budgets after a data breach occurs, realizing a little too late that the cost of a data breach far exceeds the cost of investment in cybersecurity.

A data breach can cost an organization, on average, $5.85 million, according to a 2014 Ponemon Institute study commissioned by IBM, which also found that, should the inevitable occur, companies can reduce that cost by beefing up security measures. Employing a chief information security officer (CISO) and having an incident response plan in place are two factors that can have a profound impact on bank security.

More than one-third of survey participants reveal that their bank does not have a full-time CISO, particularly institutions with less than $5 billion in assets. For banks without a CISO, respondents say the task often falls on the chief information officer (CIO). However, a CISO is very different from a CIO, and possesses a more specialized skill set. “A CISO’s job as part of the second line of defense is to help prevent a cyberdisaster,” says Huda. Due to this focus on risk as well as technology, the CISO should report to the bank’s chief risk officer (CRO).

Many regulators agree. Lawsky wrote that his department “encourages all institutions to view cybersecurity as an integral aspect of their overall risk management strategy, rather than solely as a subset of information technology.” Karen Casey, chief risk officer at $2.2 billion Amboy Bank, a subsidiary of Amboy Bancorp., based in Old Bridge, New Jersey, was informed by the bank’s regulator that the CISO should report to her, instead of reporting jointly to the CRO and the CIO, as the bank originally planned. “The information security officer should be totally independent of the IT system,” she says.

The CISO “is a critical role in this day and age. He brings an expertise that is unique and valuable,” says Mike McCurdy, who pulls double duty as chief risk officer and general counsel at Brookline Bancorp, a multi-bank holding company headquartered in Boston, Massachusetts, with $5.8 billion in assets. The CISO understands both the technology within the bank as well as the procedures and processes throughout the organization. For Brookline, the role includes not only monitoring and testing, but also creating and implementing a training program for all bank employees on information security.

Today’s rapidly changing technological environment guarantees banks that it’s not a matter of if a cyberattack or data breach will occur, but when. In addition to daily management of the information security program, the CISO at Walla Walla, Washington-based Banner Corp., with $4.7 billion in assets, leads the company’s incident response team. Seventy-six percent of survey respondents indicate their bank has a cyber incident management and response plan.

A cyber incident plan can be patterned after the bank’s disaster recovery or business continuity plan, but with a focus on cyber risks. Vulnerable areas should be identified, and the plan should include how the bank would respond if there was a breach. And the plan should be updated and tested regularly. “Cyberthreats change all the time, new cyber vectors and actors emerge fast,” says Huda. Banks should assume that a breach will happen, and create scenarios to see how the plan would really work. Do employees respond appropriately and in a timely manner? “The testing part is really key, and that needs to happen,” he says. Three-quarters of survey participants say their institution regularly tests its cyber incident management and response plan.

Despite having safeguards in place, the management team at Brookline recognizes that a cybersecurity incident will likely occur. “If it does happen, you have to have a plan to react [and] respond,” says McCurdy. Brookline’s board reviewed the incident response plan and how it was tested with the bank’s CISO, along with the head of information technology, who also provided the board with examples of data breaches and their potential impact, as well as what is being done to manage those risks and how the bank is staying on top of cyberthreats.

Sixty-eight percent indicate that their bank has performed a cybersecurity risk assessment and gap analysis in line with FFIEC expectations, a self-evaluation of the institution’s cybersecurity preparedness focusing on areas such as board oversight, cybersecurity risk management and controls, cyber-incident planning and third-party dependence. Nineteen percent plan to perform the assessment soon.

Forty-three percent of respondents indicate that creating a culture that supports bank-wide risk communication and assessment is a top challenge, a significant increase from 2014. But respondents don’t reveal a consensus on the elements included in their bank’s culture to support risk management.

Huda stresses that risk culture comes from the top, and regular conversations between line management and the bank’s chairman or risk committee chairman, as indicated by 44 percent of respondents, can have an impact. “That sets the tone, and serves as the foundation for creating the risk culture, because then the people that are actually running the business, dealing with customers, get the right message: ‘Risk management is everyone’s business, and managing risk is critical to the success of the organization,’” says Huda.

Banner has a strong risk culture, one it plans to preserve following its merger with Seattle-based SKBHC Holdings LLC, says Chief Risk Officer Tyrone Bliss. After the merger, expected to be completed in the second quarter of 2015, Banner will more than double in size, to $9.7 billion in assets. Risk culture trickles down from the top, from the board of directors as well as the CEO and top executives, according to Bliss. Maintaining a moderate risk profile is one of the bank’s five strategic pillars. “We spend considerable time and resources to embed our desired risk culture within our company,” he says.

Part of this cultivation at Banner includes investment in employee training and orientation. Key bank policies are reviewed with each new hire. Also, management regularly leads discussions on strategic objectives, including the risk profile, and communicates to the staff quarterly so they can see how strategic goals were achieved. The bank also invests in ongoing training on a variety of risk-related topics. Many banks aren’t making this sort of investment in their bank’s risk culture: Just 51 percent of respondents report that their institution trains all employees on risk.

Less than one-third link risk management performance to compensation, something Huda says is a key weakness industry-wide, as linking compensation to sound risk practices provides an incentive for risk management.

Banner’s incentive compensation plan includes well-defined rewards and the risk parameters around each, which are communicated to all eligible employees. “That awareness, especially when it gets down to dollars and cents, is another key aspect of embedding the culture,” Bliss says. The bank doesn’t overlook employees in non-production areas. “Our overall performance management process incorporates consideration of risk management that’s appropriate to the position.”

Risk appetite also continues to confuse many bank boards: 42 percent cite oversight of risk appetite as an area where the board could use additional training, down slightly from 49 percent in 2014’s survey. Almost 60 percent of respondents say their bank has a risk appetite statement, a practice significantly more prominent at banks with more than $5 billion in assets, and an additional 27 percent plan to implement one within the next 12 months. For those that have a risk appetite statement, the vast majority, at 84 percent, review it annually.

Most banks use the risk appetite statement as a guide for board and management, according to 74 percent of respondents, but less than half use the risk appetite statement to set true limits. Huda says that boards shouldn’t fear constraining the bank’s management team. If management desires to exceed the guardrails set within the risk appetite statement, this should prompt a discussion with the board about why management wants to go beyond the boundaries set within the risk appetite statement, and what the benefits could be for the bank. The risk appetite statement reflects “the board’s view as the fiduciary for shareholders on how we’re going to grow, how we’re going to make money but within certain boundaries of risk.”

Just 41 percent use the risk appetite statement to monitor compliance, and one-third analyze how risk appetite impacted the bank’s performance and strategic objectives for the year. Eleven percent admit that risk appetite is just an annual exercise for the board, and isn’t fully used.

Seventy-nine percent reveal that the bank does not communicate its risk appetite statement to all employees. “How is everybody going to get on the same page?” says Huda.

McCurdy says Brookline is working towards better employee communication on risk, including planned company-wide presentations on risk management. The bank also established risk councils to improve communication on areas that may be risk-related and better inform different business units on the tolerances around certain risks, such as credit and operations.

The survey reveals a continuing trend toward more risk expertise within financial institutions, and the overall value of knowledge and training for their boards. Chief risk officers aren’t required of banks with less than $50 billion in assets, but 94 percent of institutions with $1 billion in assets or greater that participated in the survey have one. Seventy-one percent of participating institutions below $1 billion in assets report their bank has a CRO.

Banks with risk expertise on the board or dedicated personnel reveal stronger financial performance metrics. Banks with a chief risk officer report a higher median return on equity (ROE), at 9.2, compared to a median of 7.3 for those banks without someone in that role, and a median return on assets (ROA) of 1.0, compared to 0.8 for those banks without a CRO. For the board, those with a risk expert report a median ROE of 9.2, compared to 9.0 for those without, and a median ROA of 1.0, compared to 0.9 for banks lacking a risk expert. Banks with less than $1 billion in assets are much less likely to report a risk expert on the board. Almost three-quarters of respondents from banks with more than $1 billion in assets report that their bank’s board has a risk expert whose expertise relates specifically to financial institutions. This drops to 39 percent for banks under $1 billion.

A lack of risk expertise on smaller bank boards could contribute to the choice of many not to establish a separate board-level risk committee. Twenty-seven percent of respondents from institutions with less than $1 billion in assets indicate that their bank has a separate risk committee of the board. Thirty percent at these smaller banks govern risk within a combined audit and risk committee, and 21 percent through the board’s audit committee. Twenty-one percent oversee risk as a board. For Roy Harmon, CEO of Bank of Tennessee, a $917 million asset bank based in Kingsport, Tennessee, splitting audit and risk into separate committees would stretch board expertise, as the current audit committee chairman would be a likely candidate to chair a risk committee. “We really don’t have enough experts on the board to drive a need to separate those committees,” he says, adding that the bank’s risk experts are embedded within the bank’s loan and asset-liability committees, as well as the audit/risk committee. However, as the bank grows larger, “the expectation is that we would begin to bring elements of risk management into the bank as we cross over the $1 billion threshold,” says Harmon.

Many smaller institutions may feel that risk expertise is hard to find, but Huda says banks that think outside the box can find the right person for the task. “Ideally, you want to look for folks that have a broader understanding of risk management,” says Huda. Bank boards could look at former regulators, or chief risk officers or risk committee members from other industries.

More than one-third of respondents report that their board does not receive regular training on risk issues, and respondents that rate their board’s overall knowledge of risk management as strong report a median ROE of 10.0, compared to 8.6 for those who see a need for improvement.

Less than half say their board meets with the CRO at each board meeting, but Huda says less frequent contact with the CRO could result in a board that is behind the curve on risk matters. Regulators “expect the CRO to be a true balance for the business,” he says. “The CRO should serve as a credible challenge if need be and voice concern if strategies or approaches are going to create undue risk.”

As Banner’s CRO, Bliss attends board meetings, and regularly recommends changes to policies and programs in addition to providing reports to the board on topics such as fair lending, information security and consumer compliance. He also works with the risk committee chairman and CEO on the agenda for that committee, which includes a regular update on emerging risk issues identified by regulators.

Vendor management is another risk-related area that is top of mind for regulators. In a 2013 bulletin, the Office of the Comptroller of the Currency said that the use of vendors does not reduce the bank’s responsibility if something goes awry, and effective risk management involves proper vendor oversight. The FFIEC stressed the same in a February 2015 update to its examination handbook on business continuity, recommending that institutions have alternatives in place should their vendor fail.

Yet banks are increasingly reliant on vendors, particularly when it comes to technology. Survey respondents say that their bank is moderately (50 percent) or heavily (44 percent) dependent on vendors for cybersecurity protection. “Vendor management obviously is a very big issue right now, and within cyber[security], how does that fit in with our business continuity plan,” says Amboy’s Casey. Banks have to worry not only about getting hacked themselves, but whether their vendors are safe, too. “Are we comfortable that our vendors have sufficient security so that they don’t get hacked, and how do we make sure contractually…that what happens to them doesn’t have a trickle-down effect,” says Casey.

Regulatory updates, particularly from the Consumer Financial Protection Bureau, leave not only banks but their vendors struggling to keep pace, according to Casey. “We’re running to our vendors and saying, are you ready for all these changes? And they’re saying no,” she says. “They’re scrambling as well.”

Bankers continue to cite regulatory expectations as a top challenge for risk management, at 61 percent. Regulations that impact larger banks are trickling down to smaller institutions via their examiners, who often will tell a bank that while certain practices may not be required, it’s something the bank should do. “All of a sudden that’s the expectation, and then you have to manage to that,” says Huda. But entities that already have risk management best practices in place (a chief risk officer, a separate risk committee, a risk appetite statement that provides limits throughout the organization, and a culture focused on risk and proper cybersecurity oversight) will be one step ahead of the regulators, and ready to face the challenges ahead.

About the Survey
In January, 149 chief risk officers, chief executive officers, independent directors and senior executives of U.S. banks with more than $500 million in assets participated in an online survey on risk, conducted by Bank Director. Respondents answered questions related to risk governance and cybersecurity, and explored the risk-related challenges facing bank boards today. Forty-three percent of the participants serve as independent directors or chairmen at their bank. Twenty-one percent are CEOs, and 17 percent serve as the bank’s chief risk officer. Eighty percent of responses represent institutions with between $500 million and $5 billion in assets. Full summary results of the survey are available in the research section at BankDirector.com.

WRITTEN BY

Emily McCormick

Vice President of Editorial & Research

Emily McCormick is Vice President of Editorial & Research for Bank Director. Emily oversees research projects, from in-depth reports to Bank Director’s annual surveys on M&A, risk, compensation, governance and technology. She also manages content for the Bank Services Program. In addition to regularly speaking and moderating discussions at Bank Director’s in-person and virtual events, Emily regularly writes and edits for Bank Director magazine and BankDirector.com. She started her career in the circulation department at the Knoxville News-Sentinel, and graduated summa cum laude from The University of Tennessee with a bachelor’s degree in Spanish and International Business.