3 M&A Risks to Consider

One crucial component of the merger and acquisitions process is due diligence, which needs to be performed efficiently within a limited amount of time as opportunities arise. Senior management is primarily responsible for this task, but may need assistance from key areas such as compliance, and often uses third-party support. If your bank is considering an acquisition, consider these three risks and document them as part of your due diligence.

1. Credit Risk
Potential acquirers must perform rigorous due diligence on the target bank’s credit portfolio — it’s imperative to the success of any merger. Executives at the acquiring bank need to understand the loan portfolio, including the types of credits offered, underwriting practices and problem loan management. This includes reviewing sample credits, including the top borrowers, adversely classified loans, watch list loans, loans to insiders and a sample of loans of each collateral type, if possible.

While there is no required portfolio coverage for due diligence, executives should have a flavor for the lending practices at the target bank.

2. Financial Risk
As part of due diligence, executives need to gain an understanding of the balance sheet and income statement at the target bank. Consider:

As 2022 unfolds, the Federal Reserve has indicated it will continue increasing rates in an attempt to reduce inflation, which has created significant unrealized losses in many bond portfolios. This is after many banks invested the influx of cash generated by pandemic-era programs into their bond portfolios in an effort to achieve some return throughout 2021.

Consider the impact this could have on bond portfolios in acquisitions, including the value in a sale of the full portfolio, the long-term market rate forecast or even hedging strategies.

Review significant on- and off-balance sheet liabilities, including major contracts such as the core system contract, employment contracts, equity plans or stock options. These contracts could result in additional liabilities for the acquiring bank.

Acquirers will need an independent valuation of the target bank, including an estimate of the goodwill, core deposit intangibles, fair value adjustments to loans and other fair value adjustments that will be considered as part of the transaction. This valuation should be fluid, starting with the preliminary stages of the merger discussions, and evolving and refining as the merger proceeds.

Executives should prepare pro forma and projected financial statements to depict what the combined organization will look like at the merger date and going forward. In addition, those financial statements should determine the rate of return on the acquisition and the earn-back period.

3. Reputational Risk
Many banks are heavily involved and invested in their local communities, including deep and long-standing relationships with many bank customers. The art of combining two institutions and selling the “new” institution to the existing customers takes planning and care.

In addition, the employees and branches of the target bank are part of that same community. If the transaction includes retaining all employees and branches, communicate that as part of the press releases. If necessary, consider stay bonuses to retain the talent of the target bank. The new combined entity will want to uphold a positive and strong reputation throughout the community.

Bonus: Cyber Risk
Here’s a bonus tip to consider during your due diligence process: Cyber risk continues to be top of mind for advisors and regulators alike. As part of the transaction, assess the target bank’s information technology environment. That includes reviewing any external reports or assessments, and understanding any findings and the related remediation. In addition, identify material gaps or issues in due diligence so the bank is not surprised by additional costs at merger consummation.

If mergers and acquisitions are part of your bank’s strategic plan, having a proper plan in place to direct due diligence can help you execute the transaction seamlessly and with success. Put together an internal team that can help you review those risks or explore external options to assist.

The information contained herein is general in nature and is not intended, and should not be construed, as legal, accounting, investment, or tax advice or opinion provided by CliftonLarsonAllen LLP (CliftonLarsonAllen) to the reader.

Combating Complacency Through Strategic and Operational Planning

For many banks, 2020 and 2021 had surprising results. Liquidity and capital were strong, loan growth escalated from pent-up demand and income levels were favorable.

These positive trends could lead many management teams to become complacent — which can lead to risk. In its 2022 Fiscal Year Bank Supervision Operating Plan, the Office of the Comptroller of the Currency (OCC) listed guarding against complacency as a top priority for examiners. Complacency, by definition, is a state where one’s satisfaction with their own achievements leads them to be unaware of potential danger. Heeding the OCC’s warning to address indications or perceptions of emerging risks, we’ve identified five focus areas for boards and management teams.

1. Strategic and Operational Planning
Executives and boards should evaluate strategic planning in the context of the current environment. Post-pandemic, banks have increased opportunities for growth including, but not limited to, mergers and acquisitions. The key to strategic planning is to be strategic. Shape your strategic planning sessions to consider new industry opportunities and threats. Approach each opportunity and threat methodically — whether succession planning, mergers or acquisitions, fintech partnerships, changing demographics, the shift in the regulatory perimeter or another area relevant to your institution.

Operational planning is just as critical. Crafting a well-established plan to profitably service your bank’s target markets remains a balancing act of priorities for directors. Consider new products and services to meet the needs and expectations of your evolving customer base. Thoughtfully evaluate your bank’s target market, planned growth, the potential for enhanced products and services and any prospective investments to maintain profitability. Allow talent, technology, and financial resource risk assessments to guide your institution’s operational planning process, asking, “Where is my bank growing and am I ready?”

2. Credit Risk
We continually hear about the great credit quality that banks have experienced thus far in the post-pandemic period. Yet, credit risk remains a critical priority for banks and regulators, especially since coronavirus relief funds may have dramatically changed the financial view for borrowers.

Covid-19 relief funds served a temporary purpose of keeping businesses operating during the peak of the pandemic. However, high levels of inflation and continuing labor and supply chain disruptions have put continued pressure on many small businesses and may have a yet-to-be-realized impact on the credit quality within your bank.

Now more than ever, remaining engaged with your borrowers and looking past traditional credit metrics to identify issues could reduce future losses for your financial institution. Credit risk monitoring tools like stress testing remain relevant with the prospect of rising interest rates.

3. Cybersecurity Risk
Cybersecurity risk, like credit risk, is here to stay. Executives must stay focused in this area as risks increase; the instances of public attacks across all industries reflect a relentless pursuit by cybercriminals to steal data for financial gain. The most recent reminder of this is Russian state-sponsored cyber threats. As banks gather and maintain more and more data, it’s paramount to have experienced talent and protocols for protection of customer data.

Bank management teams should be able to show evidence of their institution’s capability to respond to or recover from destructive cyberattacks that are increasingly routine. The bank’s risk assessment process is a critical component of managing its cybersecurity risk, and should incorporate any processes or controls that may have changed as a result of a new strategic or operational plan.

4. Compliance Risk
Compliance matters are always evolving, and regulatory emphasis on applicable laws and regulations is only increasing. The focus on Bank Secrecy Act and anti-money laundering rules, fair lending, Community Reinvestment Act and overall prioritization of compliance management are not shifting.

Compliance risk management requires banks to have a strong internal system. It also requires a deep understanding of the various rules and proficiency in identifying, implementing and auditing the changes. It has never been more critical for banks to have strong independent review systems to account for updated rules and regulations.

5. Management and Board Education
The operational and strategic landscape of banking is changing. Management team and board members must be informed and educated. As you decide how your bank will adjust to this new environment, identify industry-specific third parties to meet with your management team and board to provide a strong foundation to strategic planning.

We see numerous opportunities and areas of focus for banks in 2022. If we’ve learned anything during this time, it’s that banks need to look at risk differently in this ever-changing environment. Now is not the time to be complacent.

What Banks Need to Know About Cyber Resiliency

In a world full of adversity, there is much to be said about the knowledge and strength it takes to overcome setbacks on an individual and organizational level — in short, resiliency.

That is especially crucial in an environment like cybersecurity, where the landscape is constantly changing. Banks must adapt to stay ahead of cyber threats through cyber resiliency.

The National Institute of Standards and Technology defines cyber resiliency as “the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.” Today, organizations are complementing their cyber resilience strategies with security solutions that uphold their posture. While cybersecurity focuses on protecting information, technical devices, and systems, cyber resilience focuses on keeping business and resources intact amid industry failures and threats. Many dangers exist that can have a detrimental impact on your bank’s daily operations and overall reputation. The main three threats to your bank’s cybersecurity posture include:

  • Data Breaches: An unauthorized entry into an organization’s database that allows cybercriminals to access customer data.
  • Cybercrime: Organized crimes to steal, abuse, or misuse personal and confidential information.
  • Human Error: Employees failing to follow data privacy protocols and policies and accidentally sharing, leaking or exposing confidential information.

While these three are among the most prevalent risks, they are not alone. Your organization should educate employees about the malicious actors that exist in the cyberworld.

Pillars of Cyber Resilience
Your bank’s cyber resiliency posture cannot be assessed until you consider all the pillars that make up a proper strategy. Below are the five pillars of an ideal cyber resilience framework according to Security Intelligence:

  • Identify: Banks should have a strong understanding of all the resources that support the organization’s critical functions from both a business and cybersecurity standpoint.
  • Protect: Banks should safeguard all critical infrastructure services and information by implementing cybersecurity policies and solutions to create a robust layer of protection.
  • Detect: Banks should constantly monitor their enterprise network traffic for malicious activity, searching for any signs of data breaches or other significant threats. A cybersecurity solution will create a more effortless process for scanning your network.
  • Respond: Banks should respond to any significant threats or suspicious activity in real time.
  • Recover: Banks should implement disaster recovery and business continuity plans in case of a data breach or a compromising cybersecurity incident.

By considering these five pillars, your bank will be well-suited to perfecting its cyber resiliency posture and ensuring it has all the resources and strength to bounce back from any potential setback quickly.

Taking Control of Your Cybersecurity Experience
The patterns of cyberattacks are evolving in response to changes in the cyber environment and the Internet of Things. For a more practical experience, your bank must consider the social and capital investments necessary to develop a cybersecurity strategy.

According to the Ponemon Institute, “organizations are making investments in technology that do not strengthen their cybersecurity budget based on the wrong metrics. Fifty percent of respondents say their organizations are wasting limited budgets on investments that don’t improve their cybersecurity posture. The primary reasons for the failure are system complexity, personnel and vendor support issues.”

It is not uncommon for security-related responsibilities to fall on employees. Ultimately, it is the company’s and the employees’ responsibility to protect their networks, servers, and personal and professional information. The key to building a better cybersecurity toolbox is rooted in the relationship between a cybersecurity solution and its users. An ideal cybersecurity solution should include elite features like one-touch compliance reporting and automation tools, integrated threat intelligence, around-the-clock monitoring, searches for leaked accounts on the deep and dark web, managed compliance, detection, and response, and fast deployment (90 minutes or less).

Prioritizing Cybersecurity
Having a strategy and system in place that continues running smoothly despite adversities directly reflects an institution’s cyber resilience. Your bank should be able to identify, protect, detect and react when facing cyberattacks. Investing your time, resources, and capital into cybersecurity solutions is an essential measure of success. It will ensure network security and protection. As stated in Security Magazine, information technology “should enable businesses to make informed decisions on how to manage cyber risk while continuing their growth agenda. Most directors or CEOs today realize the consequences on the bottom line apart from the damage to reputation caused by a breach or an attack.”

Proper growth always begins internally. Banks that normalize and implement security best practices can achieve cyber resilience. If your organization can adapt its traditional approaches to cybersecurity, it will be better equipped to recover from difficulties it may face. In the end, a quick bounce back is better than a long-term setback. So, what better time than now to act?

Cybersecurity Practices for the Board

Several high-profile data breaches in 2019 assured that cybersecurity remains a top concern for bank boards and executive teams. Capital One Financial Corp. and Facebook revealed significant breaches last year — 106 million and over 500 million, respectively — so it’s no wonder that 87% say their anxiety over the issue has increased, according to Bank Director’s 2020 Risk Survey.

In response, more than three-quarters of directors and executives say they’ve increased oversight of cybersecurity and data privacy.

It’s a thorny issue for banks to manage. This isn’t a typical risk like credit that leverages bank leaders’ expertise and knowledge to ensure their practices are safe and sound. With cybersecurity, the threat level changes almost constantly, and the hacker trying to infiltrate your organization could be a world away.

Yet, the buck stops with the board. While management is charged with the implementation of the bank’s cyber risk program, it’s the board’s duty to ensure the bank is protected.

Unfortunately, board oversight is too often taken seriously only after an incident occurs, rather than before.

Basic Responsibilities
In its IT Examination Handbook, the Federal Financial Institutions Examination Council outlines responsibilities for bank boards. They include:

  • Overseeing the development, implementation and maintenance of the information security program
  • Communicating expectations to management and holding them accountable
  • Approving policies, plans and programs
  • Ensuring the program’s effectiveness by reviewing assessments and reports, and discussing management’s recommendations for improvement

How boards fulfill these duties varies. Most oversee cybersecurity within a committee; 19% as a full board.

Further, the frequency with which the board as a whole reviews cybersecurity can be as often as every meeting or as infrequent as annually (or less). The size of the bank appears to have little bearing on how often boards address this issue.

Regulators expect, at minimum, an annual review. But given the pace of change in the cyber threat landscape, meeting the minimal standard isn’t adequate. Bank boards need to take cybersecurity more seriously.

“If you’re talking cybersecurity less frequently than quarterly, I don’t think you can truly manage that risk to your institution,” says Craig Sanders, a partner at survey sponsor Moss Adams. “You can’t get enough data points to really understand what the risk profile is or isn’t doing in your institution in terms of [protecting the bank].”

At a minimum, the FFIEC says management should report to the board annually on the risk assessment process, risk management and control decisions, third-party arrangements, testing results, security breaches and management response, and recommendations for updates to the program. A designated information security officer should report directly to the board, as well.

In the survey, 76% indicate that the bank’s chief information security officer meets regularly with the board.

Next-Level Oversight
The FFIEC’s Cybersecurity Assessment Tool (CAT) has been made available by the interagency body to evaluate all facets of a bank’s cybersecurity program, including the activities the board engages in as part of its oversight capacity.

Annie Goodwin, the risk oversight chair at $13.7 billion Glacier Bancorp, says the CAT is among the tools in the Kalispell, Montana-based bank’s cybersecurity arsenal. “It’s valuable in assessing cybersecurity preparedness,” she says. “During the safety and soundness exam, the CAT tool is often reviewed, and our board is very familiar with it.”

The CAT provides a list of attributes that indicates a bank’s maturity within each domain: threat intelligence and collaboration, cybersecurity controls, external dependence management, cyber incident management and resilience, and cyber risk management and oversight, including the board’s role. Maturity levels are rated from baseline — a bare-minimum standard indicating the lowest level of maturity, intended for banks exhibiting minimal inherent risk — to advanced and innovative, the two highest levels.

Given the continued prominence of cybersecurity as a threat to the industry, the survey asked directors and executives about some of the advanced and innovative activities for board oversight. The results confirm that some practices are more common than others.

Almost three-quarters of respondents indicate their board participates in training to better understand the cyber threats facing the bank.

Cybersecurity has become a more frequent topic of discussion for the board at Cross Plains, Wisconsin-based SBCP Bancorp. “Rightly so,” says CEO Jim Tubbs, given increased threats to the $1.3 billion bank and its customers. “The first step is informing and educating [the board],” he says. “The second step is having them understand from us — senior management — or from our external auditors, to be able to provide them appropriate reports or knowledge in regards to how we are handling cyber risk, and how [we are] testing our own systems and how our audit function is working.”

Using data to facilitate strategic decisions and monitor cyber risk (27%) is one of the least common practices reported by respondents, along with benchmarking cybersecurity staffing against peer institutions (10%).

Sanders says more progressive organizations are asking for benchmarking metrics to better budget for cybersecurity and technology, to gauge whether they’re spending enough to protect their institution. “What are peer banks spending, and where are they [in terms of] maturity?” he says.

Incorporating more of the practices outlined in the CAT promises to augment the board’s ability to oversee cybersecurity as a risk.

“When you look at the intent of the [regulatory] guidance, and as you move from baseline maturity level to advanced, evolving, innovative — as you move up that chain, the governance piece becomes more heavily focused. They expect more participation” on the part of the board, says Sanders. “A small percentage of banks [say], ‘We want to move to evolving, or we want to move to advanced.’ Those are the ones that are spending more money and committing more to it, [and] their board and management team have a better harmony about what that program should look like and see the value in it.”

Bank Director’s 2020 Risk Survey, sponsored by Moss Adams, surveyed 217 independent directors, CEOs, chief risk officers and other senior executives of U.S. banks under $50 billion in assets. The survey was conducted in January 2020 and focused on the top risks facing financial institutions at that time, including cybersecurity, credit and interest rate risks, and emerging issues.

You can read more about the “Cyber War” facing the banking industry in the second quarter issue of Bank Director magazine. Additionally, Bank Director’s Online Training Series contains information on the board’s role in overseeing cybersecurity. Unit 11 covers best practices for the board. Unit 21 addresses further responsibilities, as well as the importance of an incident response plan and employee training.

COVID-19 Poses New Cybersecurity Challenges for Banks

The COVID-19 pandemic has turned the banking world upside down, not the least by requiring a significant number of employees to work remotely.

Social distancing requirements have forced many companies, banks included, to have large numbers of their employees work from home. Not only is this a stark departure from how most banks have traditionally operated, it happened very quickly; the new coronavirus swept across the country like a derecho, giving banks little time to prepare.

And while social distancing will hopefully “flatten the curve” of the pandemic’s infection rate, to use a now common expression, it has had the unintended consequence of increasing the industry’s cyber risk by opening banks up to new attacks.

The “core threat,” according to Ron Buchanan, the chief information security officer at $17.6 billion Atlantic Union Bankshares Corp. in Richmond, Virginia, involves remote access platforms like virtual private networks (VPNs) and video conferencing platforms. This would include companies using VPNs for the first time, or companies that risk exposing services and sensitive or internal communications online.

“There are plenty of companies out there that aren’t used to working remote and are in a rush to enable remote access services and doing that without the knowledge and proper protections,” Buchanan says. “That creates the vulnerable environment for the attackers to go after. And that’s what they’re focused on.”

In some instances, employees who are working remotely are forced to use their home computers because they don’t have a company laptop. “[With s]ome clients of ours, not [every employee] has a company-issued laptop to take home,” says Shawn Connors, a principal in PwC’s cybersecurity and privacy practice.

In that scenario, the employee may have to use a home computer that is operating outside of the bank’s security framework. The bank’s challenge is to understand “what information is potentially leaving the confines of the organization, where is it going and do those machines that are accessing or manipulating that data, are they at the corporate standard of what one would expect to put into appropriately managed cyber risk?” Connors says.

Larger banks generally have had less trouble meeting the demands of a distributed workforce because they have a more robust technology infrastructure to begin with, as well as more employees working from remote locations. Many smaller banks, on the other hand, have been challenged by the sudden shift to a work-from-home policy.

“We have definitely had a number of clients where, not only is the capacity not there, but they have a security concern on top of it because they don’t have control of the device that’s actually going to be accessing data in these corporate environments,” Connors says. “Overnight, some really bad hygiene practices have been put back in place, just because they got caught flat-footed.”

For its part, Atlantic Union has been able to handle the sudden shift to a distributed workforce in stride. “It hasn’t had too much of an impact on us because we already had a large number of laptop users with the right security protections on those laptops,” says Buchanan. “So really, it was just a slight tuning adjustment to scale up that coverage and keeping a close eye on the increased load on the VPN infrastructure.”

Buchanan has sent out communications reminding employees who are working from home that they are required to use the bank’s VPN and must abide by restrictions such as a prohibition against printing out documents at home.

There has also been a surge in video conferencing, which may not be the most secure communications platform for sensitive meetings. “The biggest risk is if you’re having a confidential conversation and someone eavesdrops on that call, and they’re eavesdropping on that confidential conversation,” Buchanan says. “If you’ve turned on the security settings, which means turning on the password and all the encryption settings, it increases the security of the call. And if you don’t recognize someone and you can’t figure out who it is, then you should assume the call has been compromised and either kick that connection off or change calls.”

The Financial Services Information Sharing and Analysis Center, an industry consortium focused on cybersecurity, offers home security resources for institutions that are managing a distributed workforce.

The Newest Exposure Facing Community Bank Boards

Cybercrimes continue to pose the most significant risk to the banking sector, ranging from standard phishing attacks to newer ATM jackpotting schemes that manipulate a machine to dispense larger amounts of money.

Many of the losses originate through human error, so it is critical to ensure all employees are trained on the newest phishing schemes and how to best avoid them. Cyber liability insurance claims represented the largest increase in the percentage of total liability claims, according to data from the American Bankers Association, rising from 19% in 2017 to 26% in 2018.

Several of the most-recent examples of covered cyber claims began when a bank employee succumbed to a phishing attack. This is where the employee clicks on a link provided by what is perceived to be a trusted source, which downloads malware. The malware often causes a breach of network security, providing the perpetrators with complete access to a bank’s networks. In some scenarios, the malware freezes the bank’s systems, and extorts executives for a “consulting fee” to return access of the internal systems. The fee is often in the form of bitcoin or another form of untraceable cryptocurrency.

While that can be a significant expense to the bank, the more-common claim scenario includes the expenses associated with the breach of network security. These can include, but are not limited to:

  • Notification costs
  • Forensics expenses
  • Credit monitoring costs
  • Establishing a call center
  • Hiring a public relations firm
  • Obtaining legal advice, ensuring all discovery is protected by attorney-client privilege

Most cyber liability policies will cover both breach remediation expenses and cyber extortion costs, as long as the third-party providers are approved by the carrier.

However, the loss scenario does not have to be limited to extortion or post-breach remediation expenses. As reported in 2018, a regional Virginia bank fell victim to an ATM heist for a total loss of $2.35 million. The fraud was initially caused by an employee who fell victim to a targeted phishing email, which allowed culprits to install malware on bank servers. The malware allowed thieves to disable the anti-theft and anti-fraud protections, including four-digit PINs and daily withdrawal limits. The bank succumbed to two separate instances of ATM theft from this intrusion into its computer systems. The first resulted in a loss of $550,000 over a holiday weekend; the second resulted in a loss of over $1.8 million.

Recommendations:

  • Make sure your employees are trained, and retrained, on how to detect a phishing e-mail and what to do if they suspect the e-mail may not be legitimate.
  • If you have any network security third-party providers, confirm if they are already included under the cyber carrier’s panel counsel list, which is a list of pre-approved vendors with pre-negotiated rates. If not, try to get them added on a pre-approved basis. This would typically occur during the renewal of the cyber policy, not during a claim.
  • If there is a breach of network security, make sure the cyber carrier approves all third-party expenses in writing, in advance, to ensure they will indemnify the bank for those expenses.
  • If cybersecurity, cyber risk or cyber insurance is discussed during a board meeting, make sure to document that in the minutes of the meeting. We suggest that boards show that such discussions take place on a quarterly basis, which can result in those boards being viewed in a better light in the event of a cyber-attack.

The Strategic Side of Cybersecurity Governance

Without a comprehensive cyber risk governance strategy, banks risk playing Whac-A-Mole with their cybersecurity.

Most financial institutions’ cybersecurity programs are tactical or project-oriented, addressing one-off situations and putting out fires as they arise. This piecemeal approach to cybersecurity is inefficient and increasingly risky, given the growing number of new compliance requirements and privacy and security laws. Institutions are recognizing that everyone in the C-suite should be thinking about the need for a cyber risk governance strategy.

There are three key advantages to having a cyber risk governance strategy:

  • Effectively managing the audit and security budget: Organizations that address current risks can more effectively prepare for cybersecurity threats, while meeting and achieving consistent audit results. A thorough risk assessment can highlight real threats and identify controls to evaluate on an ongoing basis through regular review or testing.
  • Reducing legal exposure: Companies and their officers can reduce the potential for civil and criminal liability by getting in front of cybersecurity and demonstrating how the institution is managing its risk effectively.
  • Getting in front of cybersecurity at an organizational level: Strategic planning is an important shift of responsibility for management teams. Management undertakes initiatives proactively because they are the right thing to do, rather than because an auditor instructed the company to do them.

So what’s required to set up a cyber risk governance strategy? Most organizations have talented individuals, but not necessarily personnel who are focused on security. Compounding the industry shortage of cybersecurity professionals, banks may also lack the resources necessary to perform a risk assessment and to ensure that security practices are aligned with the cyber risk governance strategy. As a result, banks frequently bring in vendors to help. If that’s the case, they should undertake a cyber risk strategy assessment with the help of their vendor.

Bank boards can perform a cyber risk governance strategy assessment in three phases:

  1. An assessment of the current cyber risk governance strategy. In phase one, a vendor’s team will review a bank’s current organizational and governance structure for managing information security risk. They’ll also review the information technology strategic plan and cybersecurity program to understand how the bank implements information security policies, standards and procedures. This provides a baseline of the people and processes surrounding the organization’s cyber risk governance and information security risk tolerance.
  2. Understand the institution’s cyber risk footprint. Here, a vendor will review the technology footprint of customers, employees and vendors. They’ll look at internal and external data sources, the egress and ingress flow of data, the data flow mapping, the technology supporting data transport and the technology used for servicing clients, employees, and the third parties who support strategic initiatives.
  3. Align information security resources to cyber governance goals. In phase three, a vendor will help the bank’s board and executives understand how its people, processes and technology are aligned to achieve the institution’s cyber governance goals. They’ll review the bank’s core operations and document the roles, processes and technology surrounding information security. They’ll also review the alignment of operational activities that support the bank’s information security strategic goals, and document effective and ineffective operational activities supporting the board’s cyber governance goals.

Once the assessment is complete, a bank will have the foundation needed to follow up with an operational analysis, tactical plan and strategic roadmap. With the roadmap in place, a bank can craft a cyber risk strategy that aligns with its policies, as well as an information security program that addresses the actual risks the organization faces. Instead of just checking the boxes of required audits, bank boards can approach the assessments strategically, dictating the schedule while feeling confident that the bank’s cyber risks are being addressed.

Rodge Cohen: Are We Preparing to Fight the Last War?


risk-3-1-19.pngHis name might not command the same recognition on the world stage as the mononymous Irish singer and song-writer known simply as Bono, but in banking and financial services just about everyone knows who “Rodge” is.

H. Rodgin Cohen, referred to simply as Rodge, is the unrivaled dean of U.S. bank attorneys. At 75, Cohen, who is the senior chairman at the New York City law firm Sullivan & Cromwell, is still actively involved in the industry, having recently advised SunTrust Banks on its pending merger with BB&T Corp.

Cohen has long been considered a valued advisor within the industry.

In the financial crisis a decade ago, he represented corporate clients like Lehman Brothers and worked closely with the federal government’s principal players, including Treasury Secretary Hank Paulson and Federal Reserve Chairman Ben Bernanke. His character even made an appearance in the movie “Too Big To Fail,” based on a popular book about the crisis by Andrew Ross Sorkin.

Eleven years later, Cohen says the risk to the banking industry is no longer excessive leverage or insufficient liquidity—major contributing factors to the last crisis.

The Dodd-Frank Act of 2010, passed nearly a decade ago, raised bank capitalization levels substantially compared to pre-crisis levels. In fact, bank capitalization levels have been rising for 40 years, going back to the thrift crisis in the late 1980s. Dodd-Frank also requires large banks to hold a higher percentage of their assets in cash to ensure they have enough liquidity to weather another financial storm.

The lesson from the last crisis, says Cohen, revolves around the importance of having a fortress balance sheet. “I think that was the lesson which has been thoroughly learned not merely by the regulators, but by the banks themselves, so that banks today have exponentially more capital, and the differential is even greater in terms of having more liquidity,” says Cohen.

But does anyone know if these changes will be enough to help banks survive the next crisis?

“I don’t think it is possible to calculate this precisely, but if you look at the banks that did get into trouble, none of them had anywhere near the level of capital and liquidity that is required now,” says Cohen. “Although you can’t say with certainty that this is enough, because it’s almost unprovable, there’s enough evidence that suggests that we are at levels where no more is required.”

It is often said that generals have a tendency to fight the last war even though advances in weaponry—driven by technology—can render that war’s tactics and strategies obsolete. Think of the English cavalry on horseback in World War I charging into German machine guns.

It can be argued that regulators, policymakers and even customers in the United States still bear the emotional scars of the last financial crisis, so we all find comfort in the fact that banks are less leveraged today than they have been in recent history, particularly in the lead-up to the last crisis.

But what if a strong balance sheet isn’t enough to fight the next war?

“I think the biggest risk in the [financial] system today is a successful cyberattack,” says Cohen. While a lot of attention is paid to the dangers of a broad attack on critical infrastructure that poses a systemic risk, Cohen worries about something different.

“That is a very serious risk, but I think the more likely [danger] is that a single bank—or a group of banks—are hit with a massive denial of service for a period of time, or a massive scrambling of records,” he says. This contagion could destabilize the financial system if depositors begin to worry about the safety of their money.

Cohen believes that financial contagion, where risk spreads from one bank to another like an infectious disease, played a bigger role in the financial crisis than most people appreciate. And he worries that the same scenario could play out in a crippling cyberattack on a major bank.

“Until we really understand what role contagion played in 2008, I don’t think we’re going to appreciate fully the risk of contagion with cyber,” he says. “But to me, that is clearly the principal risk.”

And herein lies the irony of the industry’s higher capital and liquidity requirements. They were designed to protect against the risk of credit bubbles, such as the one that precipitated the last crisis, but they will do little to protect against the bigger risk faced by banks today: a crippling cyberattack.

“That’s why I regard [cyber] as the greatest threat,” says Cohen, “because a fortress balance sheet won’t necessarily help.”

What CEOs and Directors Should Know About Cybersecurity


cybersecurity-8-6-18 (1).pngAccording to Javelin’s 2018 Identity Fraud Report, identity theft reached an all-time high in 2017 with more than 16 million consumers being affected. On top of this, 24 percent of network breaches target financial institutions, according to Verizon’s 2017 Data Breach Investigations Report. This 1-2 punch combination is affecting banks of all sizes. The days of cybersecurity attacks only affecting the largest financial institutions are gone.

Criminal tactics are evolving and becoming more sophisticated. Increasingly, smartphones are targeted through spam text messages and a myriad of social media scams. These tactics could compromise the phone of a customer accessing a mobile banking application, or of a bank employee accessing internal bank systems such as email. The Internet of Things, or IoT, is the network of physical devices, vehicles, home appliances and other items that can connect and exchange data. Criminals are compromising IoT devices to launch sophisticated cyberattacks against financial institutions and their customers.

As a bank executive or board member, there are steps you can take to fight back. It starts by recognizing your bank and your customers are targets and can become victims. As leaders, it is important to understand your responsibility to oversee the bank’s cybersecurity program and educate yourself on the current threats and trends. The following recommendations are the first steps to take as you oversee your bank’s cybersecurity program.

What the CEO should be doing

  1. The Financial Services Sector Coordinating Council has an Excel-based Automated Cyber Assessment Tool (ACAT) available for download at https://www.fsscc.org/. Ensure it is completed by management and updated at least annually.
  2. Management should develop a cybersecurity risk appetite and understand where the bank is exposed to the greatest risk.
  3. Oversee and monitor the bank’s cybersecurity program. Ensure a strategic and tested incident response program is in place.
  4. Challenge preparedness results by reviewing the ACAT and not accepting “baseline” control maturity levels as the desired control level.
  5. Budget appropriately for cybersecurity preparedness. Compare the funding for cybersecurity controls to that for physical security controls. If cybersecurity threats are greater than physical security threats, then funding for cybersecurity controls should be on par with physical security investments.

What the board should be doing

  1. Consult with cybersecurity professionals to provide education on an annual basis.
  2. Ask the CEO and senior management to present the bank’s vision, risk appetite and overall strategic direction for the bank’s cybersecurity program.
  3. Review the results of ongoing monitoring of the bank’s exposure to and preparedness for cyber threats. Challenge the status quo and do not become complacent. Expect control proficiency levels to increase from baseline levels to evolving levels and higher. Criminals are not standing still and neither should you.
  4. Ensure proper budgeting of cybersecurity controls and review the bank’s cyber liability insurance annually.
  5. Ensure the bank’s systems are tested against cybersecurity threats at least annually and utilize the same techniques criminals use to break in.

What bank CEOs should know

  1. Where is our bank most at risk?
  2. Are our cybersecurity controls improving beyond baseline?
  3. Are we comfortable with residual risk levels?
  4. Are we reviewing the ACAT at least quarterly?
  5. Are our cybersecurity controls improving fast enough to outpace the evolving cybersecurity threats?

What the bank should be doing

  • Your bank should be a member of information sharing organizations such as the Financial Services Information Sharing and Analysis Center (FS-ISAC) and share information in bank peer group meetings.
  • Work with cybersecurity experts to develop regular board reporting on cybersecurity threats and risk management.
  • Improve cybersecurity control proficiency beyond baseline. Remember that improvement does not have to be overly expensive.
    • Maximize the use of all currently available controls.
    • Do not wait on examiners or IT auditors to make you improve. It could be too late.

Many executives and boards feel unprepared to address cybersecurity threats and risks. The good news is that there are many well-trained and qualified cybersecurity professionals who can help you. Enact change where needed and provide ongoing oversight of the cybersecurity program at your bank. Doing so will go a long way toward ensuring your bank does not become another victim of a cybersecurity attack.

How Poor Communication Practices by Directors Increase Cyber Risk


cyberrisk-10-9-17.pngThe role of a corporate director is continuously expanding, particularly in the banking space. Beyond growing profits, today’s directors are also responsible for ensuring corporate ethics, social responsibility, cybersecurity and more. Unfortunately, many directors are still using their old communication tools. A recent report from the New York Stock Exchange and Diligent found that the communication practices of directors and executives are potentially increasing their company’s level of cyber risk for the sake of personal convenience.

These findings are particularly alarming in the context of recent regulatory pressures on boards to be held accountable for data privacy and cyber breaches—including a recent ruling by the New York State Department of Financial Services applicable to all financial services firms conducting business in New York, and the impending impact of the European Union’s General Data Protection Regulation for every company that serves EU customers. (For further details about the New York regulations, see “New Rules for Financial Firms in New York Put New Onus on Boards.”)

The NYSE/Diligent report noted that while directors and executives have access to sensitive data, they operate with little to no direct oversight by the company’s IT/data security teams, and are therefore not restricted to using only secure communication channels when discussing board business. In fact, of the 381 corporate directors of publicly traded companies surveyed for the report:

  • Ninety-two percent use personal email accounts (outside corporate firewalls) at least occasionally to conduct board business.
  • Fifty percent regularly download confidential company documents onto personal devices or computers.
  • Sixty-two percent are not required to undergo cybersecurity training.
  • Forty percent “didn’t know” if the board had ever conducted a security audit.

So what are some best practices for secure board communication that banks and financial institutions can employ to mitigate cyber risk and prepare their directors and executives to meet the challenge?

Training and Assessments
Cyber threats can change at a moment’s notice, and regulatory requirements in the cybersecurity space continue to evolve. Regular training is imperative for board members, especially experienced directors who need refreshers or may not be aware of the latest risks. Customize the training to include a review of the practices your company expects from directors to ensure they are handling sensitive information appropriately, and continue to revisit these on an annual basis.

Bring the data security team into the boardroom to conduct an audit of directors’ communication practices. By ensuring that directors are handling documents only through secured and encrypted channels, your company can minimize exposure to some of the worst penalties of the new regulations.

Also, leverage the annual board evaluation by making cybersecurity a key component of board success. Query directors on their level of readiness to handle a material data breach or leak, and their understanding of the board’s responsibility versus the roles of IT and the management team. From there, the company can identify areas where further education and training are needed.

Keep Business and Personal Separate
The use of free email service providers has been at the center of too many corporate cyber incidents in recent years, yet directors continue to use personal email as a primary communications method rather than adopting more secure technology. Why? While internal email systems and servers typically have heightened security and stronger encryption, many directors reject company-issued email accounts because they serve on multiple boards, which could leave a single director checking multiple inboxes and multiple calendars to conduct board work.

But what directors gain in convenience by using personal email, they lose in increased risk. The better solution? Give up on email altogether and opt for a secure messaging tool.

Secure and Convenient Technology
Select a secure messaging tool that is designed specifically for director communication and can be integrated into your existing governance software. There are a number of considerations to keep in mind. Do your directors prefer to use mobile? Do they want to make digital edits while reviewing board docs? What level of protection and encryption do you need?

These platforms can alert directors’ mobile phones when messages arrive and allow them to log in with biometrics, while still enabling the data security team and corporate secretary to control record retention and data encryption. Such a platform not only facilitates convenient board communication, but can also be a last line of defense in case devices are stolen in transit, lost on planes or infected by viruses or malware while connected to unsecured Wi-Fi.