Briefly Noted

Cybersecurity, by far, is one of the most worrisome topics for bank boards. Quantifying the risks is a challenge, especially since they are continually evolving, which makes it difficult for directors to keep pace with the changes. This issue’s Briefly Noted takes you through a few trends and news items to keep in mind as you keep learning about the cybersecurity risks and security posture of your bank.

Malicious Attacks No. 1 Cause of Breaches

The biggest causes of data breaches are malicious or criminal attacks, according to Ponemon Institute’s 2016 Cost of a Data Breach report, which is a global study of more than 300 companies in a variety of sectors. Forty-eight percent of breaches were caused by such attacks. Twenty-seven percent involved loss of data because of a system glitch, and another 25 percent were caused by human error.

Cybersecurity Guidance Piles On

To add to the list of recommendations about cybersecurity, the Group of Seven industrialized nations (formerly known as the Group of Eight, which includes the U.S., Canada, much of Europe and Japan) came out late last year with a short document outlining good practices for financial institutions. Still another issue is joint regulators’ advance notice that they are creating new cybersecurity standards for boards of banks with more than $50 billion in assets. Already in use at many financial institutions are the standards developed by the National Institute of Standards and Technology and the Federal Financial Institutions Examination Council’s cybersecurity assessment tool. One of the more contentious standards is mandatory, and went into effect this month for New York state-chartered banks.

What Banks Spend on Cybersecurity

Is your bank spending enough on cybersecurity? Forty-two percent of bank executives and directors say their institution’s cybersecurity budget totaled between 1 percent and 5 percent of revenues in fiscal year 2016, according to Bank Director’s soon-to-be published 2017 Risk Practices Survey, sponsored by FIS. Fifty-six percent spent less than 1 percent of revenues. The survey will appear online at BankDirector.com in late March.

Breached and Waiting Nearly a Year to Find Out

How long does it take to discover a cybersecurity breach? A pretty long time, it turns out, and it makes a big difference whether the breach is discovered internally or not. It took an average of 56 days for breaches to be discovered internally. If someone outside the organization notified the company, the average delay was 320 days from the date of the breach, according to cybersecurity firm Mandiant Consulting’s M-Trends 2016 report. And 53 percent of organizations impacted discovered the breach through an external source. Ouch.


Naomi Snyder


Editor-in-Chief Naomi Snyder is in charge of the editorial coverage at Bank Director. She oversees the magazine and the editorial team’s efforts on the Bank Director website, newsletter and special projects. She has more than two decades of experience in business journalism and spent 15 years as a newspaper reporter. She has a master’s degree in journalism from the University of Illinois and a bachelor’s degree from the University of Michigan.
