In the wake of high-profile cyberattacks and data breaches last year at JPMorgan Chase & Co., Sony Pictures Entertainment Inc., Home Depot Inc., Kmart and eBay Inc., bank leaders say that cybersecurity is the risk category that concerns them most, according to Bank Director’s 2015 Risk Practices Survey, sponsored by FIS. Eighty-two percent of respondents, which include bank chief executives, chief risk officers and directors, cite this as a top concern for the second year in a row, and anxiety about the issue is even more heightened: When asked the same question in last year’s survey, 51 percent of respondents cited cybersecurity.
Half say that preparing for a potential cyberattack is one of the biggest risk management challenges facing their bank. But while high profile attacks may be raising the blood pressure of bank CEOs, other senior executives and individual directors, this hasn’t yet translated into more focus by bank boards. Less than 20 percent say cybersecurity is reviewed at every board meeting, and 51 percent of risk committees do not review the bank’s cybersecurity plan. Most banks allocated less than 1 percent of revenues to cybersecurity in 2014.
In addition to cybersecurity, the 2015 Risk Practices Survey explores how bank leaders govern risk and address the related challenges they face. A total of 149 directors and senior executives of U.S. banks with more than $500 million in assets participated in the survey, which was conducted online in January.
- Risk expertise matters, and respondents from institutions with a chief risk officer, indicated by 90 percent, and at least one risk expert on the board, by two-thirds, report a higher return on equity and return on assets.
- Eighty-two percent believe there is room for improvement in the bank’s enterprise risk management (ERM) program.
- Fifty-eight percent report their bank has a risk appetite statement, and an additional 27 percent plan to implement one within the next 12 months. Of those who have one, 84 percent say the board reviews the risk appetite statement just once a year.
- Creating a culture that supports bank-wide risk communication and assessment is a key challenge, according to 43 percent, up 18 percentage points from last year’s survey. Sixty-two percent provide regular board training on risk issues, and a little more than half train all employees on risk. Just 21 percent communicate the risk appetite statement to all employees.
- Seventy-three percent believe their board needs more training and education on emerging risks, such as cybersecurity or Unfair, Deceptive or Abusive Acts or Practices (UDAAP) risks.
- Almost two-thirds report that their bank employs a full-time chief information security officer. For those banks that don’t, the role often falls on the chief information officer.
- A significant percentage of banks rely on their vendors to keep themselves—and their customers—safe: 44 percent of respondents reveal a heavy dependence, and half a moderate dependence, on vendors for cybersecurity.
- Seventy-nine percent say their bank increased its cybersecurity budget for fiscal year 2015, most by less than 10 percent. The majority of banks, at 60 percent, dedicated less than 1 percent of revenues to cybersecurity in FY 2014.
View the video: Risk Management Best Practices for 2015