Banks continue to meet unprecedented challenges of the Covid-19 pandemic, geopolitical cyberthreats and increasing public awareness of environment, social and governance (ESG) issues.
With the current landscape posing ever-evolving risks for banks, Moss Adams collaborated with Bank Director to conduct the 2022 Risk Survey and explore what areas are front of mind for bank industry leaders. Top insights from Bank Director’s 2022 Risk Survey include that the vast majority of survey respondents reported that cybersecurity and interest rate risks pose increasing concerns, and they expect these challenges to persist in the second half of the year, due to turbulent economic and geopolitical conditions. The survey also identified that banks increasingly focus on issues related to compliance and regulatory risks.
Concerns about cybersecurity topped the survey responses: 93% of respondents stated that a need for increased cybersecurity grew significantly or somewhat. Bank executives and board members submitted survey responses in January, prior to heightened federal government warnings of increased Russian cyberattacks. Banks’ concerns will likely continue to increase as a result.
Data Breach Rates and Precautions
While only 5% of respondents reported experiencing a data breach or ransomware attack at their own institution in the years 2020 and 2021, 65% reported data breaches at their bank’s vendors. In response, 60% stated they updated their institution’s third-party vendor management policies, processes, or risk oversight.
As a critical U.S. industry, banks follow stringent regulatory requirements for data security. The Federal Financial Institutions Examination Council (FFIEC) cybersecurity assessment tool provides a maturity model for banks to assess their cybersecurity maturity as baseline, evolving, intermediate, advanced or innovative. Ninety percent of respondents completed a cybersecurity assessment over the past 12 months; 61% used the FFIEC’s tool in combination with other methodologies, and another 19% only used the FFIEC’s tool. And 83% of respondents said that the maturity of their bank’s cybersecurity program increased in 2021, compared to previous assessments.
Room for Improvement
Banks noted several areas of improvement for their cybersecurity programs, including training for bank staff (83%), technology to better detect and deter cyberthreats and intrusions (64%) and internal controls (43%). Thirty-nine percent believe they need to better attract and retain quality cybersecurity personnel. Banks’ investments in cybersecurity programs remained flat compared to the 2021 survey, with a median budget of $200,000.
As cybersecurity risks increase, banks should focus on researching and making appropriate investments, as well as implementing comprehensive planning for staff training, technology and governance. At the board level, respondents noted several activities as part of that body’s oversight of the cybersecurity risk management program. Key among these is board-level training (79%), ensuring continual improvements by management of their cybersecurity programs (75%) and being aware of any deficiencies in the bank’s cybersecurity program (71%).
Interest Rate Risk Concerns
The prospect of rising interest rates fueled anxiety for our respondents: 71% noted increased concern. As the Federal Open Market Committee combats higher inflation by hiking interest rates, 74% reported hoping that they wouldn’t raise rates by more than one percentage point by the end of 2022 — which is currently below what’s projected.
Faced with likely rate hikes, banks are looking to their own business models to navigate a potential decrease in overall lending volume and potential pressure on profit margins. Respondents also noted that they were increased their focus in sectors such as commercial and industrial, commercial real estate and construction, or with the Small Business Administration or obtaining other small business loans.
Banks are under increasing pressure to adopt ESG initiatives. More than half of respondents don’t yet focus on ESG issues in a comprehensive manner, and regulators have yet to impose ESG requirements for banks. However, more than half of survey respondents say they have set goals and objectives in a variety of ESG-related areas, primarily in the social and governance verticals — employee development and community needs in particular topped the list.
Only 6% said that investors or other company stakeholders currently look for more disclosure around ESG initiatives, with diversity, equity and inclusion topping the list at 88%. Banks that haven’t established ESG strategies could first identify their top priority areas. These priorities may vary for each organization and will need to consider the values of investors, customers and local community.