Why Your Board’s Risk Committee Structure Matters


Community bank boards have a lot of regulatory leeway when it comes to how they oversee the critical risks facing their organizations, including cybersecurity. Because of this latitude, many boards are working to find the best way to properly address these risks, congruent with the size and complexity of their institution.

“We’re evolving, and I think banks our size are evolving, because we are in that grey area around formal risk management,” says Robert Bradley, the chief risk officer at $1.4 billion asset Bank of Tennessee, based in Kingsport, Tennessee. “There’s no one way to approach risk management and governance.”

As a result, some banks govern risk within a separate risk committee, while others opt for the audit committee or address their institution’s risks as a full board.

And governance of cybersecurity is even more unresolved. Most oversee cybersecurity within the risk committee (27 percent) or technology committee (25 percent), according to Bank Director’s 2019 Risk Survey. A few—just 8 percent—have established a board-level cybersecurity committee.

“Those that have formed a cyber committee, whether they’re small or big, I think it’s an indication of how significant they believe it is to the institution,” says Craig Sanders, a partner at survey sponsor Moss Adams.

Does a bank’s governance structure make a difference in how boards approach oversight? It might. Our analysis finds a correlation between committee structure and executive responsibilities, communications with key executives and board discussions on risk.

The majority of respondents say their bank employs a chief information security officer, though many say that executive also focuses on other areas of the bank. Whether a bank employs a dedicated CISO tends to be a function of the size and complexity of the bank’s cyber program, says Sanders.

Banks that govern cybersecurity within a risk committee or a cybersecurity committee are more likely to employ a CISO.


The reporting structure for the CISO varies, with a majority of CISOs reporting to the CEO (32 percent) and/or the chief risk officer (31 percent). However, the reporting structure differs by committee.

Banks with a cybersecurity committee seem to prefer that their CISO reports to the CEO (36 percent). However, 27 percent say the CISO reports to the CRO, and a combined 27 percent say the CISO reports to the chief information officer or chief technology officer. Similarly, if cybersecurity is overseen in the technology committee, the CISO often reports to the CEO (33 percent) and/or the CIO or CTO (a combined 29 percent).

However, the CISO is more likely to report to the CRO (49 percent) if cybersecurity is governed within the risk committee.

Interestingly, the audit committee is most likely to insert itself into the CISO’s reporting structure when it governs cybersecurity. Of these, 32 percent say the CISO reports to the audit committee, 37 percent to the CEO and 32 percent to the CRO.

Sanders believes more CISOs should report to the relevant committee or the full board. “I view that position almost like internal audit. They shouldn’t be reporting up through management,” he says.

Establishing a dedicated committee is a visible sign that a board is taking a matter seriously. Committees can also provide an opportunity for directors to focus and educate themselves on an issue. So, it’s perhaps no surprise that the few bank boards that have established cybersecurity committees are dedicating more board time to the subject, as evidenced in this chart.

[Chart: board time dedicated to cybersecurity, by governance structure]

Risk and audit committees are tasked with a laundry list of issues facing their institutions. It’s hard to fit cybersecurity into the crowded agendas of these committees. However, it does make one question whether cybersecurity is addressed frequently enough by these boards.

Governance structure also seems to impact how frequently cybersecurity is discussed by the full board. With a cybersecurity committee, 46 percent say cybersecurity is part of the agenda at every board meeting, and 27 percent discuss the issue quarterly. Boards that address cybersecurity in the risk or audit committee are more likely to schedule a quarterly discussion as a board.


When boards take responsibility for cybersecurity at the board level—rather than assigning it to a committee—almost half say cybersecurity is on the agenda twice a year or annually. With this structure, 31 percent discuss it at every board meeting.

How frequently should boards be talking about cybersecurity?

“More is better, right?” says Sanders. “The requirement, from a regulatory standpoint, is that you only report to the board annually. So, anybody that’s doing it more than annually is exceeding the regulator’s expectation,” which is a good approach, he adds.

Few banks have cybersecurity committees, and it’s worth noting that boards with a cybersecurity committee are more likely to have a cybersecurity expert as a member. That expertise likely makes them feel better equipped to establish a committee.

Community bank boards have long grappled with how to govern risk in general. For several years following the enactment of the Dodd-Frank Act in 2010, risk committees were only required at banks above $10 billion in assets. Now, following passage of the Economic Growth, Regulatory Relief and Consumer Protection Act in 2018, that threshold is even higher, at $50 billion in assets.

But if it ain’t broke, don’t fix it: The 2019 Risk Survey confirms that boards aren’t suddenly dissolving their risk committees. Forty-one percent of banks—primarily, but not exclusively, above $1 billion in assets—have a separate board-level risk committee.

The survey indicates there’s good reason for this.

Ninety-six percent of respondents whose bank governs risk within a board-level risk committee say the CRO or equivalent meets quarterly or more with the full board. Audit committees are almost on par, at 89 percent. But interestingly, that drops to 79 percent at banks who oversee risk as a full board.

Bank of Tennessee’s audit and risk committee meets quarterly, and Bradley says that getting a handle on the bank’s overall risk governance is a priority for 2019. That includes getting more comprehensive information to the board.

“The board has all the right governance and oversight committees for ALCO, for credit, for all of those kinds of things, but we haven’t had a one-stop-shop rollup for [the overall risk] position of the bank, and that’s one of the things I’m focused on for 2019,” Bradley says. “Going forward, what I would like to do is [meet] with the risk committee at least quarterly, and with the full board, probably twice a year.”

Bank Director’s 2019 Risk Survey, sponsored by Moss Adams, reveals the views of 180 bank leaders, representing banks ranging from $250 million to $50 billion in assets, about today’s risk landscape, including risk governance, the impact of regulatory relief on risk practices, the potential effect of rising interest rates and the use of technology to enhance compliance. The survey was conducted in January 2019.

For additional information on the responsibilities of a bank’s risk committee, please see Bank Director’s Board Structure Guideline titled “Risk Committee Structure.”

What CEOs and Directors Need to Know About Their Bank’s Cyber Risks


Cybersecurity is quickly moving to the forefront of pressing concerns for financial institutions and their leaders. Regulators and examiners increasingly expect the board of directors and C-suite executives to obtain a greater familiarity with cyber threats and mitigation measures.

In May 2017, for example, the Federal Financial Institutions Examination Council (FFIEC) updated its Cybersecurity Assessment Tool (CAT), which was developed to help identify an institution’s risks and determine its preparedness. The FFIEC’s instructions for using the assessment explicitly contemplate the involvement of the chief executive officer and the board. Banks aren’t yet required to use CAT, but it’s expected to become mandatory eventually.

The message is clear—executives no longer can afford to take a hands-off approach to cybersecurity. They need to stay informed on critical security issues, and their chief information security officers (CISOs) should play a key role in keeping them up-to-date.

Role of the CISO
The CISO plays an advisory role, helping other C-suite executives make better, risk-informed decisions in the day-to-day execution of the bank’s operations. A CISO also can help design and implement the security strategy a bank deploys to effectively protect itself and its customers from known threats.

To provide the expected advisory services, the CISO must be aware of the current threats (including general threats, industry-specific threats and even institution-specific threats) confronting the bank. In addition to understanding this threat landscape, the CISO needs intimate knowledge of the bank’s ability to mitigate these threats, which includes evaluating the existence and effectiveness of the security program and its controls, and communicating the results to the C-suite.

Armed with measurements of the existence and effectiveness of the security program’s controls, the CISO can provide specific advice to the CEO and other C-suite members about the risks facing the bank and the additional steps that might be necessary.

The CISO regularly should brief executives on the following:

Status of Security Controls
Security controls—composed of people, processes and technology working together to mitigate specific threats—are the bedrock of any cybersecurity program. Executives must understand the status of such controls to know how well the bank is equipped to defend against threats.

Evaluating the status of such controls can be accomplished with dashboards that provide executives with a visual representation of all required security controls and the effectiveness of each. It is important for executives to understand how the effectiveness is measured. Is it a system that just measures the existence of the control, or is some form of measurement or testing done on the control? Historical metrics related to control implementation and effectiveness also are essential to provide perspective and illustrate progress (or lack thereof).

Status of Regulatory Compliance
Banks are subject to a broad and complex web of compliance obligations. Depending on the services they offer, applicable state and local regulations, and the types of information they process, the regulatory burden can differ dramatically among banks. For every financial institution, though, failure to comply can lead to fines, lawsuits and customer loss. The CISO should brief fellow C-suite executives on the bank’s current compliance status with all applicable laws and regulations. He or she also should update executives on how the bank is tracking and proactively preparing for potential regulatory changes.

Upcoming Security Initiatives
The CISO should explain current threats and the areas of risk that need to be addressed through various security initiatives, a measure which might require capital expenditures and approval from executive management. The explanation should cover not only where the security program stands today but also the overall direction going forward. Because this information can affect business initiatives that are not directly related to security, it facilitates risk-informed decision making.

Risk Management
Risk management is an ongoing process conducted by the security team to identify the areas with the highest level of risk based on known threats, weaknesses, controls and assets. In the end, the security team might determine that some identified risks are not sufficiently mitigated or that the residual risks remaining after the controls have been implemented are so considerable that they require new security initiatives. This information is vital for executives, as risks that aren’t adequately addressed must be considered when conducting business operations.

Know What You Know—And What You Don’t
No one, not even regulators and examiners, expects C-suite executives to be experts on cybersecurity issues. These executives should, however, understand their banks’ security posture so they can satisfy regulatory expectations and make better, risk-informed decisions for the overall business.

How to Respond to a Major Cyber Incident


For many bank chief executive officers and their boards, it could be one of their worst nightmares: Hackers have penetrated their bank’s computer systems and possibly made off with highly sensitive customer information, and a series of decisions will have to be made very quickly under a great deal of pressure. What remedial action should be taken, and by whom? Who else should be involved as the bank responds to the situation? And what should the bank tell its customers and its regulators?

The author J.R.R. Tolkien once mused in his popular novel “The Hobbit” that “It does not do to leave a live dragon out of your calculations if you live near him.” The metaphorical dragon that bankers need to include in their calculations is a global army of hackers—some representing nation states, some just crooks and some a combination of the two—that has emerged as one of the greatest threats facing the banking industry today. As even the smallest, most conservative banks in the country continue to adopt an increasing array of digital strategies, the industry’s cyber risk exposure has increased accordingly. And that’s why when the cyber dragon attacks, bankers need a remediation plan that they can activate quickly.

It doesn’t have to be an enormously complex plan—and in fact, the simpler the better. Jena Valdetero, a partner at the law firm Bryan Cave who has lots of experience working with companies, including banks, that have been the target of cyber attacks, says she has seen incident response plans that were 35 pages long that become an encumbrance when responders have to move quickly. “We always say that it’s better to have a three- to five-page incident response plan that hits the highlights and that your team can easily learn, remember, absorb and train on than to have a much larger plan,” she says.

Dave McKnight, a senior manager who leads consulting firm Crowe Horwath’s incident management services, says that he follows the National Institute of Standards and Technology’s Computer Security Incident Handling Guide, which was issued in 2012. “Basically, what this says is, the lifecycle of an incident response program should be preparation, detection and analysis, containment, recovery and then a post-incident review,” McKnight says.

How a bank responds to an incident often depends on its size. Large banks will probably rely on an in-house cybersecurity team, possibly augmented by resources from an outside consulting team that it has on retainer. Most smaller banks that lack the necessary funding to support an in-house response team will rely more on outside firms to handle any incidents that occur. Typically, the response team would operate from what McKnight calls a “playbook,” which is essentially a set of reference materials that would lay out the steps that the response team should take depending on what kind of incident has occurred—ransomware versus denial of service, for example—guiding the team through the various stages including containment, removal and recovery.

“Then there should be some type of look-back activity on how that was handled,” says McKnight. “Was there an opportunity for improvement in either our documentation or our skill set? How do we enrich the rest of our process so that next time around, we do it better, faster and more inclusively?”

If the bank does expect to rely on outside consultants to assist in the remediation effort, McKnight says it’s important to have those arrangements made well in advance, in part because the bank can’t necessarily count on having immediate access to those firms when an incident occurs. “Without a retainer, you don’t have a guarantee that someone is going to be available because these aren’t scheduled events,” he says of an attempted or successful hack. But merely having an outside firm on retainer isn’t enough, adds McKnight. The outside firm also needs to be thoroughly familiar with the bank’s operations, networks and cybersecurity defenses before an incident occurs. “I want [them] to understand what our plan and program and capabilities are,” he says. “That way [they’re] addressing my problems… [they’re] doing so swiftly and accurately and you’re not asking for stuff that you should know I don’t have. You’re asking for things I do have as soon as you need them.”

For banks that have a chief information security officer (CISO), this individual would typically quarterback the remediation effort, or, in the absence of a CISO, that role might be assigned to the chief information officer. But in a situation where a hacker has gained access to a bank’s computer systems, the remediation effort entails more than simply kicking them out, assessing the damage (including any loss of data) and putting a recovery plan in place. There often are stakeholders and customers to inform, as well, and possible impacts on the bank’s business. This means that the incident response team should include a wide range of executives throughout the organization.

In addition to the data personnel, members of the remediation team would typically include the bank’s chief executive officer and possibly the chief operating and chief financial officers, as well as members of the public relations team since it will most likely be necessary to communicate with the media in the event of a serious incident. “It really depends on how your organization is set up, but you want key stakeholders in the room—people with senior-level decision-making ability,” Valdetero says.

The board of directors typically does not have a hands-on role in the remediation effort, although the non-executive chairman (or lead director if the CEO also serves as board chairman) should be kept apprised of the remediation efforts as they unfold. Serious data breaches that involve the loss of funds or significant amounts of customer data can pose both a financial and reputational risk to the bank, which is of primary concern to the board of directors.

“I think the role [of the board] is typically overseeing from a high level the management team and making sure they are responding adequately,” Valdetero says. This would include making sure the investigation is being conducted in a thorough manner, that the team has adequate resources and the bank is complying with all applicable laws.

Another important member of the team is the bank’s general counsel if it has one, or outside counsel if it doesn’t. This is critically important if the incident involves the loss of customer information. Valdetero says it’s desirable that banks conduct their investigation under the protection of attorney-client privilege, and a lawyer will provide that protection. “I approach these types of breaches… from my background as a litigator, and as a litigator you’re always thinking worst case scenario,” she explains. “If we are sued down the road as a result of this breach… what do you want to be able to protect from disclosure, if at all possible?” Valdetero adds that while underlying factual information cannot be protected from disclosure, “you can protect legal advice and specific communications that took place for the purpose of getting legal advice, and you need legal advice in these situations because there is a myriad of laws that might be implicated by a breach.”

The bank’s remediation team may also want to reach out to law enforcement agencies such as the Federal Bureau of Investigation or Secret Service in the event of a serious data breach. Phyllis Schneck, managing director and global leader of cyber solutions at Promontory Financial Group, advises banks to establish a relationship with these agencies in advance so a communication link already exists when an incident occurs. “Typically, you want your law enforcement relationships [established] ahead of time,” Schneck says. “You want to know who to call by first name, and they’ll do that for you. You do not want to be calling 1-800-law enforcement when your hair is on fire.”

Banks are required to inform their primary federal regulator when “the institution becomes aware of an incident involving unauthorized access or use of sensitive customer information…,” according to interagency guidance on data security issues. The guidance defines sensitive customer information as a customer’s name, address or telephone number, account number, credit or debit card number, or a personal identification number or password that would permit access to a customer’s account.

Banks also have a legal obligation under the guidance to inform their customers when a serious data breach has occurred. “Financial institutions have an affirmative duty to protect their customer’s data against unauthorized access or use,” the guidance states. “Notifying customers of a security incident involving the unauthorized access or use of the customer’s information… is a key part of that duty.”

What should customers be told and when should they be told it? “In my opinion, you should tell them exactly what’s going on and if you’ve run a good cybersecurity program that will be a good message,” Schneck says. “Everybody understands that these events will happen and that we can’t prevent them 100 percent. If you have a good program, you’ll be able to bounce back.” However, in the event of a serious data breach, the bank may find itself trying to balance the need to communicate to customers quickly that an incident has occurred that could negatively impact them, with the need to communicate the correct information.

When Target Corp. was hit with a massive data breach in December 2013, it originally estimated that approximately 40 million customers had been affected. But as Target dug deeper into the breach, it was forced to announce later that approximately 70 million customers had been impacted, which suggested that the company was not in full control of the situation. Says Valdetero, “We usually advise clients, if they’re going to make public-facing statements, that generally you should not commit to a specific number of affected individuals.”

New Rules for Financial Firms in New York Put New Onus on Boards


New York-based financial services companies are under a new rule of law, intended to protect consumers from the repercussions of a cyberattack, and one that puts boards in a front-and-center role when it comes to the company’s security.

New York enacted new cybersecurity regulations this year, touted as the first law of its kind in the United States, outlining standards that are sure to resonate beyond the financial businesses—such as banks, insurance companies and other financial services firms—that the law targets.

How Far Does Regulation Go?
Companies regulated by the state’s Department of Financial Services (DFS) are required as of March 1, 2017, to create and maintain a cybersecurity program to protect the privacy of consumers and the safety of the state’s financial services industry.

It only applies to those that DFS oversees—in other words, only financial services organizations must comply with the regulation.

New York’s rules, DFS notes, don’t extend to nonfinancial companies. There are limited exemptions for companies with fewer than 10 employees, less than $5 million in gross annual revenue or less than $10 million in year-end total assets.

Still, the message from New York is a strong one: consumers are protected here, and financial firms will be held accountable.

Several of the regulation’s mandates outline the ways in which a company must comply, and in doing so vastly widen the base of those culpable for a breach and the requirements of a board to pay attention to its potential vulnerability and its cybersecurity planning.

New Duty for Board Members
The idea that board members should make cybersecurity a priority has risen over the years, coming into focus with the Target data breach in 2013 that resulted in members of the board of directors being sued.

In reality, banking regulators have held boards responsible for their banks’ cybersecurity program for years, as described in the Federal Financial Institutions Examination Council’s IT Examination Handbook.

In it, the banking regulators place oversight of the development, implementation and maintenance of the IT security program in the board’s hands, and say the board must hold senior management accountable for its actions and review the overall status of the program at least annually.

This new regulation expands on that. It requires board members to ensure that there’s a framework in place at the company “for a robust cybersecurity program,” and one “that is adequately funded and staffed, overseen by qualified management, and reported on periodically to the most senior governing body of the organization.”

That means nontechnical leaders on the board must take an active role in security oversight.

For the first time, the new rules say the firm must hire a chief information security officer, or CISO, to oversee policies and ensure that they’re working effectively. The CISO would report at least annually to the board, the DFS says, and according to the regulation, that person can be employed by an affiliate or third-party provider instead of being employed by the company itself.

It’s not uncommon for companies to have much of the new regulation’s guidelines already in their processes, but it’s good to tie it to risk assessments. Lastly, as the law firm McGuireWoods notes, the new rules require penetration testing at least annually and vulnerability assessments at least quarterly. Among new provisions, institutions must track and maintain cybersecurity records for at least six years, encrypt sensitive data and report any cybersecurity event to the Department of Financial Institutions within 72 hours of becoming aware of it.

What Comes Next
Entities have varying times to comply with specific requirements, from 180 days to two years after the regulation went into effect in March. Financial companies outside of New York are likely to look at these regulations to get a sense of what’s coming for the greater industry.

To learn more about protecting your organization’s security as a member of a board, read this white paper written in conjunction with the New York Stock Exchange to improve your cybersecurity practices.

Are Directors Tone Deaf on Cybersecurity?


Are the boards of directors at U.S. banks taking the cybersecurity threat seriously enough?

In Bank Director’s 2017 Risk Practices Survey, 85 percent of the 167 respondents—a group that includes bank directors, CEOs, chief risk officers, and chief information and chief technology officers—identify cybersecurity as the risk category they are the most concerned about. And that heightened level of concern is evident across all sizes of institutions in the survey, from banks under $1 billion in assets to those greater than $10 billion.

After all of the high profile, highly successful and highly publicized cyberattacks that have occurred over the last several years, surely every bank director understands the serious nature of cyber risk today. Hackers are incredibly creative and persistent in their efforts to penetrate bank security systems and steal sensitive customer data, money—or both. A successful intrusion can be costly to the bank, damage its reputation with customers, and become an issue with regulators if they believe the bank has a weak cybersecurity program.

Twenty-six percent of the respondents say their bank has experienced a data breach or some other type of cyberattack since 2015, and another 4 percent were the victims of a breach prior to 2015. In other words, nearly one-third of the respondents have already experienced a breach—an incident rate that should get all directors’ attention regardless of whether their banks have been victimized or not.

So, what is being done about this? Over the past two years, the survey participants’ banks have made a number of improvements to their cybersecurity programs, including:

  • Eighty-two percent have invested in technology to better detect and deter cyber threats and intrusions.
  • Eighty-one percent have improved training for staff.
  • Eighty percent have increased their focus on cybersecurity at the board level.
  • Seventy-five percent have improved their internal controls related to cybersecurity.
  • Seventy-five percent have improved and tested their bank’s cyber-incident management and response plan.

But there is still more that can be done to protect against hackers. According to the survey, 38 percent of the respondents still don’t employ a full-time chief information security officer (CISO). As one might expect, this deficiency is most evident at banks under $1 billion in assets, even though they are still likely targets for a cyberattack. The benefit of having a CISO, rather than giving this responsibility to the chief risk officer or chief information officer, is that cybersecurity has become so specialized that it should be handled full-time by one individual with experience in the field. Fifty-one percent of the survey participants say their bank won’t be hiring a CISO in 2017, and 43 percent say they are unsure. Banks under $1 billion are already less likely to employ a CISO, and the survey data suggests that they’re unlikely to hire one this year.

Most surprising of all is that only 17 percent of the respondents say cybersecurity is discussed at every board meeting. Thirty-six percent say the board reviews the issue quarterly, 19 percent say they discuss it semi-annually and 10 percent talk about cybersecurity just once a year. If cybersecurity is truly the most pressing risk management issue facing bank boards today, then why isn’t it being discussed at every board meeting, at every bank?

If it’s the board’s responsibility to set the tone at the top when it comes to risk governance throughout the bank, then it would seem that a lot of boards are tone-deaf when it comes to cybersecurity.

Four Best Practices to Help Bank Boards Manage New Cybersecurity Guidance


Updates to the FFIEC Management Booklet portion of the IT Examination Handbook in late 2015 have placed your board of directors under more pressure than ever to ensure the health and stability of your institution’s overall IT and cybersecurity environment.

While the board has always held ultimate responsibility for institutional governance, the revised handbook places extra demands on their level of knowledge and involvement, particularly in the areas of cybersecurity, examination procedures and IT management.

It’s perhaps the IT management portion and its two major changes that will prove most taxing to board members. First, the description of the IT management structure is more granular, with the addition of two new parties: executive management and a chief information security officer. Specifically, executive management is expected “to understand at a high level the IT risks faced by the institution and ensure those risks are included in the institution’s risk assessments. In the event that executive management is unable to implement an objective or agree on a course of action, executive management should escalate that matter to the board for more guidance.” The chief information security officer’s duties are spelled out in depth, and the guidance requires that person to report directly to the board, a committee of the board, or senior management—but not to someone in IT. The board is responsible for implementing this new governance structure.

Secondly—and of more concern—the updated guidance requires board members to provide “credible challenges” to bank management before approving IT or security decisions. This means they must maintain enough understanding of IT and cybersecurity matters to ascertain how these decisions might pose risks to the institution and whether they align with its overall strategy. And if they don’t understand something, they must be able to ask thoughtful, intelligent questions until they do.

Now, as most of us know, it isn’t uncommon for board members to “rubber stamp” IT management decisions, sending approvals through with a modest amount of consideration. So, given their accountability for understanding these matters before signing off on them, how can you help your board succeed?

It helps to view this challenge as a two-way street: the board provides oversight and governance, and the bank’s management and subject matter experts (SMEs) share their knowledge and information with board members to help them carry it out. There are four best practices to accomplish this task:

  1. Request that bank management, as well as the IT and security departments, begin passing relevant information to the board. Specifically, this includes monthly or quarterly summaries of incident reports that can apprise the board of any major incidents involving downtime, deployment of business continuity plans or anything else that could affect business decisions.
  2. Have your bank’s IT and security SMEs—or possibly an outside firm—provide the board with continuous updates on regulators’ expectations surrounding cyber risk management and oversight, as well as which high-level risks are circulating in the current environment. The experts also can consult with board members about why this knowledge is important, and how they can incorporate it into their strategic decisions.
  3. Encourage the board members to actively educate themselves by doing their own reading and research. To that end, ask one or two members to sit in on IT or security steering committees, then take the information they learn back to the rest of the board. This gives them access at the ground level.
  4. Invite the board to get involved with the Financial Services Information Sharing and Analysis Center (FS-ISAC), which shares the latest threat intelligence and attack methods, and encourages its financial industry members to do the same. If your institution has a membership—and it should—board members can access those resources and take part in the center’s bi-weekly conference calls.

Again, board members don’t have to become overnight SMEs. But they need to be involved, engaged and ready to ask some tough questions to ensure IT and security strategies are aligned with board expectations and the risk appetite they’ve set. If not, they shouldn’t be voting to approve IT plans.

After all, when it comes to IT, you can have all the best technology in the world, but if it’s unreliable or exposes your bank to too much risk, what good is it? It’s within the best interest of your institution and its board of directors to carefully apply the updated FFIEC guidance to all IT and security decisions.