Community bank boards have a lot of regulatory leeway when it comes how they oversee the critical risks facing their organizations, including cybersecurity. Because of this latitude, many boards are working to find the best way to properly address these risks, congruent with the size and complexity of their institution.
“We’re evolving, and I think banks our size are evolving, because we are in that grey area around formal risk management,” says Robert Bradley, the chief risk officer at $1.4 billion asset Bank of Tennessee, based in Kingsport, Tennessee. “There’s no one way to approach risk management and governance.”
As a result, some banks govern risk within a separate risk committee, while others opt for the audit committee or address their institution’s risks as a full board.
And governance of cybersecurity is even more unresolved. Most oversee cybersecurity within the risk committee (27 percent) or technology committee (25 percent), according to Bank Director’s 2019 Risk Survey. A few—just 8 percent—have established a board-level cybersecurity committee.
“Those that have formed a cyber committee, whether they’re small or big, I think it’s an indication of how significant they believe it is to the institution,” says Craig Sanders, a partner at survey sponsor Moss Adams.
Does a bank’s governance structure make a difference in how boards approach oversight? It might. Our analysis finds a correlation between committee structure and executive responsibilities, communications with key executives and board discussions on risk.
The majority of respondents say their bank employs a chief information security officer, though many say that executive also focuses on other areas of the bank. Whether a bank employs a dedicated CISO tends to be a function of the size and complexity of the bank’s cyber program, says Sanders.
Banks that govern cybersecurity within a risk committee or a cybersecurity committee are more likely to employ a CISO.
The reporting structure for the CISO varies, with a majority of CISOs reporting to the CEO (32 percent) and/or the chief risk officer (31 percent). However, the reporting structure differs by committee.
Banks with a cybersecurity committee seem to prefer that their CISO reports to the CEO (36 percent). However, 27 percent say the CISO reports to the CRO, and a combined 27 percent say the CISO reports to the chief information officer or chief technology officer. Similarly, if cybersecurity is overseen in the technology committee, the CISO often reports to the CEO (33 percent) and/or the CIO or CTO (a combined 29 percent).
However, the CISO is more likely to report to the CRO (49 percent) if cybersecurity is governed within the risk committee.
Interestingly, the audit committee is most likely to insert itself into the CISO’s reporting structure when it governs cybersecurity. Of these, 32 percent say the CISO reports to the audit committee, 37 percent to the CEO and 32 percent to the CRO.
Sanders believes more CISOs should report to the relevant committee or the full board. “I view that position almost like internal audit. They shouldn’t be reporting up through management,” he says.
Establishing a dedicated committee is a visible sign that a board is taking a matter seriously. Committees can also provide an opportunity for directors to focus and educate themselves on an issue. So, it’s perhaps no surprise that the few bank boards that have established cybersecurity committees are dedicating more board time to the subject, as evidenced in this chart.
Risk and audit committees are tasked with a laundry list of issues facing their institutions. It’s hard to fit cybersecurity into the crowded agendas of these committees. However, it does make one question whether cybersecurity is addressed frequently enough by these boards.
Governance structure also seems to impact how frequently cybersecurity is discussed by the full board. With a cybersecurity committee, 46 percent say cybersecurity is part of the agenda at every board meeting, and 27 percent discuss the issue quarterly. Boards that address cybersecurity in the risk or audit committee are more likely to schedule a quarterly discussion as a board.
When boards take responsibility for cybersecurity at the board level—rather than assigning it to a committee—almost half say cybersecurity is on the agenda twice a year or annually. With this structure, 31 percent discuss it at every board meeting.
How frequently should boards be talking about cybersecurity?
“More is better, right?” says Sanders. “The requirement, from a regulatory standpoint, is that you only report to the board annually. So, anybody that’s doing it more than annually is exceeding the regulator’s expectation,” which is a good approach, he adds.
Few banks have cybersecurity committees, and it’s worth noting that boards with a cybersecurity committee are more likely to have a cybersecurity expert as a member. That expertise likely makes them feel better equipped to establish a committee.
Community bank boards have long grappled with how to govern risk in general. For several years following the enactment of the Dodd-Frank Act in 2010, risk committees were only required at banks above $10 billion in assets. Now, following passage of the Economic Growth, Regulatory Relief and Consumer Protection Act in 2018, that threshold is even higher, at $50 billion in assets.
But if it ain’t broke, don’t fix it: The 2019 Risk Survey confirms that boards aren’t suddenly dissolving their risk committees. Forty-one percent of banks—primarily, but not exclusively, above $1 billion in assets—have a separate board-level risk committee.
The survey indicates there’s good reason for this.
Ninety-six percent of respondents whose bank governs risk within a board-level risk committee say the CRO or equivalent meets quarterly or more with the full board. Audit committees are almost on par, at 89 percent. But interestingly, that drops to 79 percent at banks who oversee risk as a full board.
Bank of Tennessee’s audit and risk committee meets quarterly, and Bradley says that getting a handle on the bank’s overall risk governance is a priority for 2019. That includes getting more comprehensive information to the board.
“The board has all the right governance and oversight committees for ALCO, for credit, for all of those kinds of things, but we haven’t had a one-stop-shop rollup for [the overall risk] position of the bank, and that’s one of the things I’m focused on for 2019,” Bradley says. “Going forward, what I would like to do is [meet] with the risk committee at least quarterly, and with the full board, probably twice a year.”
Bank Director’s 2019 Risk Survey, sponsored by Moss Adams, reveals the views of 180 bank leaders, representing banks ranging from $250 million to $50 billion in assets, about today’s risk landscape, including risk governance, the impact of regulatory relief on risk practices, the potential effect of rising interest rates and the use of technology to enhance compliance. The survey was conducted in January 2019.
For additional information on the responsibilities of a bank’s risk committee, please see Bank Director’s Board Structure Guideline titled “Risk Committee Structure.”