Seventy-seven percent of respondents to Bank Director’s 2016 Risk Practices Survey identified cybersecurity as their number one risk concern—and yet the great majority of them discuss cybersecurity only infrequently during board meetings. This surprising result was confirmed during a presentation at Bank Director’s Bank Audit and Risk Committees Conference, when only 23 percent of the attendees said they discuss cybersecurity at every board meeting during an audience response survey.
“The majority of boards still do not review cybersecurity at every board meeting and only a minority do,” said Sai Huda, senior vice president and general manager risk, information security and compliance solutions at FIS Global. “The majority of boards do not review their cybersecurity plan on a regular basis.”
The audit and risk conference was held June 14-15 in Chicago and attracted over 300 bank directors and risk management professionals.
Huda also questioned whether the attendees were spending enough money on cybersecurity. Over 29 percent of the audience said their bank had increased the cybersecurity budget from 10 percent to 25 percent, and roughly 15 percent had increased the cybersecurity budget more than 25 percent. But nearly 56 percent of the respondents had either increased their cybersecurity budgets by less than 10 percent, had made no increase at all or didn’t know what their budgeting practices were in this area.
The nature of cybersecurity spending is expected to change significantly over the next five years, according to Huda. Until recently most of the money has been spent on building secure defenses against intruders, and yet by Huda’s estimate more than 90 percent of all U.S. companies have been successfully penetrated. “A breach is going to happen,” he said. “It’s a questions of when, not if.” Going forward more of the cybersecurity budget will be spent on reacting to intrusions than preventing them. “Timely detection and response are the keys to success,” he said.
When asked during the audience survey which threats they thought their bank was the least prepared for, 40 percent said they were ill prepared to detect malicious insider activity, 21 percent felt they were not receiving the latest intelligence on cyber threats, 19 percent said they were ill prepared to detect anomalous or abnormal activity, 12 percent worried about their ability to block denial of service attacks and roughly 8 percent thought that detecting malware was a deficiency of their bank.
The nature of cyber security attacks has also changed in recent years, according to Huda. Today, the attacks are stealthier, more targeted in that the hackers are after something very specific, and persistent in that the hackers keep at it until they have broken through a bank’s defenses. Today’s threats also tend to be multi-pronged, in that hackers will attack bank systems at a variety of access points simultaneously, and the hackers themselves have evolved over time. Where once they were often individuals acting on their own, “today they tend to be well funded crime syndicates and nation states,” he said. “The whole cybersecurity ballgame has changed.”