Time was when a bank could consider itself a fortress, its valuables protected by guards, physical security systems, and vaults. But the analogy is hardly apt anymore.
The data in a banku00e2u20acu2122s computers is as important as the cash in its vaults, yet this prized possession is increasingly in danger of leaking out. It can be exposed when outsourced to a vendor, when an employee mistakenly leaves a company laptop on an airplane, or when a fraudster coaxes it out through the Internet.
u00e2u20acu0153The perimeter is no longer what it used to be,u00e2u20ac says Roland L.Trope, a partner in the New York law office of Trope and Schramm LLP.
At the same time, more laws are governing customer data and regulators are more stringently enforcing them. It all adds up to a heady situation for bank boards, which are charged with making sure reasonable measures have been taken to protect valuable company assets.
u00e2u20acu0153As risks climb, the standard for whatu00e2u20acu2122s reasonable starts to creep up as well,u00e2u20ac notes Trope, who is also coauthor of Sailing in Dangerous Waters: A Directoru00e2u20acu2122s Guide to Data Governance, published by the American Bar Association.
The situation can come to a head during IT compliance exams, which, according to Susan Orr, an independent consultant in Naperville, Illinois, increasingly focus on how companies protect their data and the related responsibilities of the board. Directors do not need to be security or technical experts, says Orr, who spent 14 years as a bank examiner. u00e2u20acu0153But they do need to at least understand that threats are increasing, understand what the threats are, and have a base of knowledge so they can ask questions,u00e2u20ac she says.
Regular communication between technology and compliance executives and the banku00e2u20acu2122s directors is instrumental to the boardu00e2u20acu2122s keeping up to date on pertinent technology issues.Though the Gramm-Leach-Bliley Act regulates the protection of confidential customer data and requires executives to present a review of the banku00e2u20acu2122s information security program to the board annually, many banks choose to make presentations more frequently.
u00e2u20acu0153We felt an annual review was not enough,u00e2u20ac says Jim Bedsole, chief risk officer at Tidelands Bank, a $350 million institution in Mount Pleasant, South Carolina, which recently instituted quarterly updates. u00e2u20acu0153The board needs to be more aware, with the potential liability being so high.u00e2u20ac In addition to increasing the frequency of reports,Tidelands added some new agenda items to its reports, such as quarterly updates on Bank Secrecy Act compliance.
Banks can also take advantage of monthly board meetings to make presentations aimed at educating board members on new technologies. At $1.2 billion Canandaigua National Bank & Trust Co., for example, management has briefed the board on voice-over Internet protocol, or VOIP, an Internet-based telephony product, as well as secure e-mail systems, both of which it uses, said Steven Swartout, executive vice president of corporate risk and general counsel at the bank, based in upstate New York.
If and when there is a security incident that threatens the reputation or security of the bank, communication with the board should be swift. When the laptop of a subcontractor of one of Canandaiguau00e2u20acu2122s processors was stolen from an employeeu00e2u20acu2122s apartment, the bank contacted the board immediately with particulars of the situation and how it was responding, Swartout says.
Premier Bank, a $1.2 billion institution based in Jefferson City, Missouri, has found it useful to formalize communications with the board. Every quarter, the bank presents what it calls an u00e2u20acu0153issue status report,u00e2u20ac aimed at keeping directors abreast of compliance items that may need attention.
The creator of the report, Keith E. Monson, a senior vice president and the audit and compliance manager at Premier, uses it to rank the banku00e2u20acu2122s compliance in various areas as either outstanding, satisfactory, needs improvement, or significant noncompliance.
The issue status report reflects managersu00e2u20acu2122 self-imposed deadlines for meeting certain compliance goals and determines whether they have been achieved. u00e2u20acu0153No executive manager wants their name on that report,u00e2u20ac Monson says. u00e2u20acu0153This gets things done.u00e2u20ac
Equally important, the report serves to efficiently communicate compliance issues to the board and steer its attention to matters that warrant it. Premier began using the report two years ago when Monson started working there, and he says directors have received it with open arms. u00e2u20acu0153They think itu00e2u20acu2122s an excellent tool for monitoring our progress,u00e2u20ac Monson says.
Some banks struggle with how much information to give their board. Executives at Leaders Bank, a $350 million institution in Oak Brook, Illinois, present technology reports at least quarterly to the board, says Elizabeth Snyder, the chief compliance officer. But Snyder admits she wrestles with just how much operational information to pass along to the board, given that it is charged with setting the strategic direction of the bank.
Every new program needs board approval, Snyder notes. Upcoming identity theft u00e2u20acu0153red flagu00e2u20ac provisions, which require institutions to have a risk-based written ID theft prevention program providing guidance on what to look for in potential ID theft cases, is just one recent example. u00e2u20acu0153Itu00e2u20acu2122s a very tough situation,u00e2u20ac she says.u00e2u20acu0153Weu00e2u20acu2122re trying very hard to give [directors] what they want, but at the same time, not inundate them.u00e2u20ac
A tool like Premieru00e2u20acu2122s issue status report can be useful in addressing that concern, says Monson.The banku00e2u20acu2122s board spends about 10 minutes at each of its meetings going over that report. He agrees that directors should not get caught up in day-to-day operations. u00e2u20acu0153However,u00e2u20ac he says, u00e2u20acu0153they should have a reporting mechanism to alert them to outstanding issues not being taken care of in a timely manner. If board members are not aware of these issues, then that small item [can] become a big item.u00e2u20ac
Consultant Orr says she looks for u00e2u20acu0153the meatu00e2u20ac of the discussions that took place when she examines board minutes. u00e2u20acu0153Is there some type of discussion, even a quick one?u00e2u20ac she asks.
The number one problem most banks encounter when trying to meet their technology compliance obligations, she says, is not performing an adequate risk assessment. u00e2u20acu0153Many are incomplete, or too narrowly focused,u00e2u20ac Orr says. Executives may pull policy documents off the Internetu00e2u20ac”or obtain them from another organizationu00e2u20ac”that have no relevance to their bank, she says.The document, for example, may refer to an informational website when, in fact, the bank has a transactional site.
Bedsole of Tidelands says he sees a lot of bankers getting hung up on the format of a risk assessment document, rather than addressing its contents. u00e2u20acu0153An elaborate spreadsheet or a simple, four-column grid will fare equally well,u00e2u20ac he says. u00e2u20acu0153The bottom line is you have to sit down, brainstorm about what could go wrong, how likely [that] is to happen, what the damage would be, and from that, how to control it.u00e2u20ac
Banks also tend to err when it comes to business continuity planning, Orr says, by putting too much emphasis on recovering computers at the expense of focusing on the business. u00e2u20acu0153Theyu00e2u20acu2122re just focusing on the PCs,u00e2u20ac she says. u00e2u20acu0153But what if the facilities are not here? What if the people are not here?u00e2u20ac
She also advises banks to update and write down their policies and procedures. u00e2u20acu0153Most institutions are doing the right things, but theyu00e2u20acu2122re not documented,u00e2u20ac she says. If procedures exist only in someoneu00e2u20acu2122s head, then chaos could ensue if there is a problem, she adds.
Finally, Orr says, directors need to be engaged enough to ensure all these areas are being addressed. u00e2u20acu0153All this is ultimately their responsibility,u00e2u20ac she says. u00e2u20acu0153They need to ask questions.u00e2u20ac
Another board priority, according to attorney Trope, is to ensure the bank is addressing technology compliance in a comprehensive manner. u00e2u20acu0153Otherwise, youu00e2u20acu2122ll end up with gaps,u00e2u20ac he says. If the chief security officer and the chief privacy officer do not coordinate, then requirements could be missed when problems arise, he explains.
Communication between the board and bank executives is key. Ideally, the bank should identify one person to act as a liaison with the board, keeping it informed of issues that arise.The task is so important, says Monson of Premier, that it should be written into the designated personu00e2u20acu2122s job description. Monson says he worked with Premier executives to write his own job description when he came to the bank. u00e2u20acu0153I had them put that in,u00e2u20ac he says.
If the board feels it is not getting the information it needs, then directors should pick up the phone and ask if there is anything they should be aware of, Monson says. u00e2u20acu0153If Iu00e2u20acu2122m a director and thereu00e2u20acu2122s a cease-and-desist order against my bank, I would want to know about it before it got to that point,u00e2u20ac he says. u00e2u20acu0153I strongly encourage them to take a proactive approach.u00e2u20ac
Bankers agree that directors often bring a consumeru00e2u20acu2122s perspective to an issue, which can be very useful. u00e2u20acu0153Sometimes they can make us think a little differently about something,u00e2u20ac says Snyder of Leaders.
Above all, bankers expect their directors to take data governance and technology compliance seriously. u00e2u20acu0153They need to ask questions and be involved,u00e2u20ac Orr says, u00e2u20acu0153because they ultimately have the responsibility for ensuring the confidentiality and integrity of the banku00e2u20acu2122s data.u00e2u20ac