Cybersecurity Practices for the Board

Several high-profile data breaches in 2019 ensured that cybersecurity remains a top concern for bank boards and executive teams. Capital One Financial Corp. and Facebook revealed significant breaches last year, affecting roughly 106 million and more than 500 million individuals, respectively, so it’s no wonder that 87% of respondents say their anxiety over the issue has increased, according to Bank Director’s 2020 Risk Survey.

In response, more than three-quarters of directors and executives say they’ve increased oversight of cybersecurity and data privacy.

It’s a thorny issue for banks to manage. Cybersecurity is not a typical risk like credit, where bank leaders can draw on their own expertise and experience to keep practices safe and sound. With cybersecurity, the threat level changes almost constantly, and the hacker trying to infiltrate your organization could be a world away.

Yet, the buck stops with the board. While management is charged with the implementation of the bank’s cyber risk program, it’s the board’s duty to ensure the bank is protected.

Unfortunately, board oversight is too often taken seriously only after an incident occurs, rather than before.

Basic Responsibilities
In its IT Examination Handbook, the Federal Financial Institutions Examination Council outlines responsibilities for bank boards. They include:

  • Overseeing the development, implementation and maintenance of the information security program
  • Communicating expectations to management and holding them accountable
  • Approving policies, plans and programs
  • Ensuring the program’s effectiveness by reviewing assessments and reports, and discussing management’s recommendations for improvement

How boards fulfill these duties varies. Most oversee cybersecurity within a committee; 19% as a full board.

Further, the frequency with which the board as a whole reviews cybersecurity ranges from every meeting to once a year (or less often). The size of the bank appears to have little bearing on how often boards address this issue.

Regulators expect, at minimum, an annual review. But given the pace of change in the cyber threat landscape, meeting the minimal standard isn’t adequate. Bank boards need to take cybersecurity more seriously.

“If you’re talking cybersecurity less frequently than quarterly, I don’t think you can truly manage that risk to your institution,” says Craig Sanders, a partner at survey sponsor Moss Adams. “You can’t get enough data points to really understand what the risk profile is or isn’t doing in your institution in terms of [protecting the bank].”

At a minimum, the FFIEC says management should report to the board annually on the risk assessment process, risk management and control decisions, third-party arrangements, testing results, security breaches and management response, and recommendations for updates to the program. A designated information security officer should report directly to the board, as well.

In the survey, 76% indicate that the bank’s chief information security officer meets regularly with the board.

Next-Level Oversight
The FFIEC, an interagency body, makes its Cybersecurity Assessment Tool (CAT) available to evaluate all facets of a bank’s cybersecurity program, including the activities the board engages in as part of its oversight capacity.

Annie Goodwin, the risk oversight chair at $13.7 billion Glacier Bancorp, says the CAT is among the tools in the Kalispell, Montana-based bank’s cybersecurity arsenal. “It’s valuable in assessing cybersecurity preparedness,” she says. “During the safety and soundness exam, the CAT tool is often reviewed, and our board is very familiar with it.”

The CAT provides a list of attributes that indicate a bank’s maturity within each of five domains: cyber risk management and oversight (including the board’s role), threat intelligence and collaboration, cybersecurity controls, external dependency management, and cyber incident management and resilience. Maturity is rated on five levels, from baseline, a bare-minimum standard indicating the lowest level of maturity and intended for banks exhibiting minimal inherent risk, through evolving and intermediate, to advanced and innovative, the two highest levels.

Given the continued prominence of cybersecurity as a threat to the industry, the survey asked directors and executives about some of the advanced and innovative activities for board oversight. The results confirm that some practices are more common than others.

Almost three-quarters of respondents indicate their board participates in training to better understand the cyber threats facing the bank.

Cybersecurity has become a more frequent topic of discussion for the board at Cross Plains, Wisconsin-based SBCP Bancorp. “Rightly so,” says CEO Jim Tubbs, given increased threats to the $1.3 billion bank and its customers. “The first step is informing and educating [the board],” he says. “The second step is having them understand from us — senior management — or from our external auditors, to be able to provide them appropriate reports or knowledge in regards to how we are handling cyber risk, and how [we are] testing our own systems and how our audit function is working.”

Using data to facilitate strategic decisions and monitor cyber risk (27%) is one of the least common practices reported by respondents, along with benchmarking cybersecurity staffing against peer institutions (10%).

Sanders says more progressive organizations are asking for benchmarking metrics to better budget for cybersecurity and technology, to gauge whether they’re spending enough to protect their institution. “What are peer banks spending, and where are they [in terms of] maturity?” he says.

Incorporating more of the practices outlined in the CAT promises to augment the board’s ability to oversee cybersecurity as a risk.

“When you look at the intent of the [regulatory] guidance, and as you move from baseline maturity level to advanced, evolving, innovative — as you move up that chain, the governance piece becomes more heavily focused. They expect more participation” on the part of the board, says Sanders. “A small percentage of banks [say], ‘We want to move to evolving, or we want to move to advanced.’ Those are the ones that are spending more money and committing more to it, [and] their board and management team have a better harmony about what that program should look like and see the value in it.”

Bank Director’s 2020 Risk Survey, sponsored by Moss Adams, surveyed 217 independent directors, CEOs, chief risk officers and other senior executives of U.S. banks under $50 billion in assets. The survey was conducted in January 2020 and focused on the top risks facing financial institutions at that time, including cybersecurity, credit and interest rate risks, and emerging issues.

You can read more about the “Cyber War” facing the banking industry in the second quarter issue of Bank Director magazine. Additionally, Bank Director’s Online Training Series contains information on the board’s role in overseeing cybersecurity. Unit 11 covers best practices for the board. Unit 21 addresses further responsibilities, as well as the importance of an incident response plan and employee training.

COVID-19 Poses New Cybersecurity Challenges for Banks

The COVID-19 pandemic has turned the banking world upside down, not the least by requiring a significant number of employees to work remotely.

Social distancing requirements have forced many companies, banks included, to have large numbers of their employees work from home. Not only is this a stark departure from how most banks have traditionally operated, it happened very quickly; the new coronavirus swept across the country like a derecho, giving banks little time to prepare.

And while social distancing will hopefully “flatten the curve” of the pandemic’s infection rate, to use a now common expression, it has had the unintended consequence of increasing the industry’s cyber risk by opening banks up to new attacks.

The “core threat,” according to Ron Buchanan, the chief information security officer at $17.6 billion Atlantic Union Bankshares Corp. in Richmond, Virginia, involves remote access platforms such as virtual private networks (VPNs) and video conferencing services. That includes companies standing up VPNs for the first time, and companies that, in the rush, expose internal services and sensitive or internal communications to the internet.

“There are plenty of companies out there that aren’t used to working remote and are in a rush to enable remote access services and doing that without the knowledge and proper protections,” Buchanan says. “That creates the vulnerable environment for the attackers to go after. And that’s what they’re focused on.”

In some instances, employees who are working remotely are forced to use their home computers because they don’t have a company laptop. “[With s]ome clients of ours, not [every employee] has a company-issued laptop to take home,” says Shawn Connors, a principal in PwC’s cybersecurity and privacy practice.

In that scenario, the employee may have to use a home computer that is operating outside of the bank’s security framework. The bank’s challenge is to understand “what information is potentially leaving the confines of the organization, where is it going and do those machines that are accessing or manipulating that data, are they at the corporate standard of what one would expect to put into appropriately managed cyber risk?” Connors says.

Larger banks generally have had less trouble meeting the demands of a distributed workforce because they have a more robust technology infrastructure to begin with, as well as more employees working from remote locations. Many smaller banks, on the other hand, have been challenged by the sudden shift to a work-from-home policy.

“We have definitely had a number of clients where, not only is the capacity not there, but they have a security concern on top of it because they don’t have control of the device that’s actually going to be accessing data in these corporate environments,” Connors says. “Overnight, some really bad hygiene practices have been put back in place, just because they got caught flat-footed.”

For its part, Atlantic Union has been able to handle the sudden shift to a distributed workforce in stride. “It hasn’t had too much of an impact on us because we already had a large number of laptop users with the right security protections on those laptops,” says Buchanan. “So really, it was just a slight tuning adjustment to scale up that coverage and keeping a close eye on the increased load on the VPN infrastructure.”

Buchanan has sent out communications reminding employees who are working from home that they are required to use the bank’s VPN and must abide by restrictions such as a prohibition against printing out documents at home.

There has also been a surge in video conferencing, which may not be the most secure communications platform for sensitive meetings. “The biggest risk is if you’re having a confidential conversation and someone eavesdrops on that call, and they’re eavesdropping on that confidential conversation,” Buchanan says. “If you’ve turned on the security settings, which means turning on the password and all the encryption settings, it increases the security of the call. And if you don’t recognize someone and you can’t figure out who it is, then you should assume the call has been compromised and either kick that connection off or change calls.”

The Financial Services Information Sharing and Analysis Center, an industry consortium focused on cybersecurity, offers home security resources for institutions that are managing a distributed workforce.

The Newest Exposure Facing Community Bank Boards


Cybercrimes continue to pose the most significant risk to the banking sector, ranging from standard phishing attacks to newer ATM jackpotting schemes that manipulate a machine into dispensing more cash than it should.

Many of the losses originate in human error, so it is critical to ensure all employees are trained on the newest phishing schemes and how to avoid them. Cyber liability claims showed the largest increase as a share of total liability claims, according to data from the American Bankers Association, rising from 19% in 2017 to 26% in 2018.

Several of the most recent examples of covered cyber claims began when a bank employee fell for a phishing attack: the employee clicked on a link that appeared to come from a trusted source, and the link downloaded malware. The malware often results in a breach of network security, giving the perpetrators broad access to the bank’s networks. In some scenarios, the malware freezes the bank’s systems and the attackers extort executives for a “consulting fee” to restore access to internal systems. The fee is typically demanded in bitcoin or another cryptocurrency that is difficult to trace.

While that can be a significant expense to the bank, the more common claim scenario involves the expenses associated with a breach of network security. These can include, but are not limited to:

  • Notification costs
  • Forensics expenses
  • Credit monitoring costs
  • Establishing a call center
  • Hiring a public relations firm
  • Obtaining legal advice, and engaging counsel early so that the investigation’s findings are protected by attorney-client privilege

Most cyber liability policies will cover both breach remediation expenses and cyber extortion costs, as long as the third-party providers are approved by the carrier.

However, the loss scenario is not limited to extortion or post-breach remediation expenses. As reported in 2018, a regional Virginia bank fell victim to an ATM heist with a total loss of $2.35 million. The fraud began when an employee fell for a targeted phishing email, which allowed the culprits to install malware on bank servers. The malware let the thieves disable anti-theft and anti-fraud protections, including four-digit PIN verification and daily withdrawal limits. The bank suffered two separate ATM cash-out attacks from this intrusion into its computer systems: the first resulted in a loss of $550,000 over a holiday weekend; the second in a loss of over $1.8 million.

Recommendations:

  • Make sure your employees are trained, and retrained, on how to detect a phishing e-mail and what to do if they suspect the e-mail may not be legitimate.
  • If you have any network security third-party providers, confirm whether they are already included on the cyber carrier’s panel counsel list, which is a list of pre-approved vendors with pre-negotiated rates. If not, try to get them added on a pre-approved basis. This would typically occur during the renewal of the cyber policy, not during a claim.
  • If there is a breach of network security, make sure the cyber carrier approves all third-party expenses in writing, in advance, to ensure they will indemnify the bank for those expenses.
  • If cybersecurity, cyber risk or cyber insurance is discussed during a board meeting, make sure to document that in the minutes of the meeting. We suggest that boards show that such discussions take place on a quarterly basis, which can result in those boards being viewed in a better light in the event of a cyber-attack.

The Strategic Side of Cybersecurity Governance


Without a comprehensive cyber risk governance strategy, banks risk playing Whac-A-Mole with their cybersecurity.

Most financial institutions’ cybersecurity programs are tactical or project-oriented, addressing one-off situations and putting out fires as they arise. This piecemeal approach to cybersecurity is inefficient and increasingly risky, given the growing number of new compliance requirements and privacy and security laws. Institutions are recognizing that everyone in the C-suite should be thinking about the need for a cyber risk governance strategy.

There are three key advantages to having a cyber risk governance strategy:

  • Effectively managing the audit and security budget: Organizations that address current risks can more effectively prepare for cybersecurity threats, while meeting and achieving consistent audit results. A thorough risk assessment can highlight real threats and identify controls to evaluate on an ongoing basis through regular review or testing.
  • Reducing legal exposure: Companies and their officers can reduce the potential for civil and criminal liability by getting in front of cybersecurity and demonstrating how the institution is managing its risk effectively.
  • Getting in front of cybersecurity at an organizational level: Strategic planning is an important shift of responsibility for management teams. Management undertakes initiatives proactively because they are the right thing to do, rather than because an auditor instructed the company to do them.

So what’s required to set up a cyber risk governance strategy? Most organizations have talented individuals, but not necessarily personnel who are focused on security. Compounding the industry shortage of cybersecurity professionals, banks may also lack the resources needed to perform a risk assessment and ensure security practices are aligned with the cyber risk governance strategy. As a result, banks frequently bring in vendors to help. If that’s the case, they should undertake a cyber risk strategy assessment with the help of their vendor.

Bank boards can perform a cyber risk governance strategy assessment in three phases:

  1. An assessment of the current cyber risk governance strategy. In phase one, a vendor’s team will review a bank’s current organizational and governance structure for managing information security risk. They’ll also review the information technology strategic plan and cybersecurity program to understand how the bank implements information security policies, standards and procedures. This provides a baseline of the people and processes surrounding the organization’s cyber risk governance and information security risk tolerance.
  2. Understand the institution’s cyber risk footprint. Here, a vendor will review the technology footprint of customers, employees and vendors. They’ll look at internal and external data sources, the egress and ingress flow of data, the data flow mapping, the technology supporting data transport and the technology used for servicing clients, employees, and the third parties who support strategic initiatives.
  3. Align information security resources to cyber governance goals. In phase three, a vendor will help the bank’s board and executives understand how its people, process and technology are aligned to achieve the institution’s cyber governance goals. They’ll review the bank’s core operations and document the roles, processes and technology surrounding information security. They’ll also review the alignment of operational activities that support the bank’s information security strategic goals, and document effective and ineffective operational activities supporting the board’s cyber governance goals.

Once the assessment is complete, a bank will have the foundation needed to follow up with an operational analysis, tactical plan and strategic roadmap. With the roadmap in place, a bank can craft a cyber risk strategy that aligns with its policies, as well as an information security program that addresses the actual risks the organization faces. Instead of just checking the boxes of required audits, bank boards can approach the assessments strategically, dictating the schedule while feeling confident that their cyber risks are being addressed.

Rodge Cohen: Are We Preparing to Fight the Last War?


His name might not command the same recognition on the world stage as the mononymous Irish singer and songwriter known simply as Bono, but in banking and financial services just about everyone knows who “Rodge” is.

H. Rodgin Cohen, referred to simply as Rodge, is the unrivaled dean of U.S. bank attorneys. At 75, Cohen, senior chairman at the New York City law firm Sullivan & Cromwell, is still actively involved in the industry, having recently advised SunTrust Banks on its pending merger with BB&T Corp.

Cohen has long been considered a valued advisor within the industry.

In the financial crisis a decade ago, he represented corporate clients like Lehman Brothers and worked closely with the federal government’s principal players, including Treasury Secretary Hank Paulson and Federal Reserve Chairman Ben Bernanke. His character even made an appearance in the movie “Too Big To Fail,” based on a popular book about the crisis by Andrew Ross Sorkin.

Eleven years later, Cohen says the risk to the banking industry is no longer excessive leverage or insufficient liquidity—major contributing factors to the last crisis.

The Dodd-Frank Act of 2010 raised bank capital levels substantially compared to pre-crisis levels. In fact, bank capital levels have been rising for decades, going back to the thrift crisis in the late 1980s. Dodd-Frank also requires large banks to hold a higher percentage of their assets in cash and other highly liquid assets to ensure they have enough liquidity to weather another financial storm.

The lesson from the last crisis, says Cohen, revolves around the importance of having a fortress balance sheet. “I think that was the lesson which has been thoroughly learned not merely by the regulators, but by the banks themselves, so that banks today have exponentially more capital, and the differential is even greater in terms of having more liquidity,” says Cohen.

But does anyone know if these changes will be enough to help banks survive the next crisis?

“I don’t think it is possible to calculate this precisely, but if you look at the banks that did get into trouble, none of them had anywhere near the level of capital and liquidity that is required now,” says Cohen. “Although you can’t say with certainty that this is enough, because it’s almost unprovable, there’s enough evidence that suggests that we are at levels where no more is required.”

It is often said that generals have a tendency to fight the last war even though advances in weaponry—driven by technology—can render that war’s tactics and strategies obsolete. Think of the English cavalry on horseback in World War I charging into German machine guns.

It can be argued that regulators, policymakers and even customers in the United States still bear the emotional scars of the last financial crisis, so we all find comfort in the fact that banks are less leveraged today than they have been in recent history, particularly in the lead up to the last crisis.

But what if a strong balance sheet isn’t enough to fight the next war?

“I think the biggest risk in the [financial] system today is a successful cyberattack,” says Cohen. While a lot of attention is paid to the dangers of a broad attack on critical infrastructure that poses a systemic risk, Cohen worries about something different.

“That is a very serious risk, but I think the more likely [danger] is that a single bank—or a group of banks—are hit with a massive denial of service for a period of time, or a massive scrambling of records,” he says. This contagion could destabilize the financial system if depositors begin to worry about the safety of their money.

Cohen believes that financial contagion, where risk spreads from one bank to another like an infectious disease, played a bigger role in the financial crisis than most people appreciate. And he worries that the same scenario could play out in a crippling cyberattack on a major bank.

“Until we really understand what role contagion played in 2008, I don’t think we’re going to appreciate fully the risk of contagion with cyber,” he says. “But to me, that is clearly the principal risk.”

And herein lies the irony of the industry’s higher capital and liquidity requirements. They were designed to protect against the risk of credit bubbles, such as the one that precipitated the last crisis, but they will do little to protect against the bigger risk banks face today: a crippling cyberattack.

“That’s why I regard [cyber] as the greatest threat,” says Cohen, “because a fortress balance sheet won’t necessarily help.”

What CEOs and Directors Should Know About Cybersecurity


According to Javelin’s 2018 Identity Fraud Report, identity theft reached an all-time high in 2017, with more than 16 million consumers affected. On top of this, 24 percent of network breaches target financial institutions, according to Verizon’s 2017 Data Breach Investigations Report. This one-two punch is affecting banks of all sizes. The days of cybersecurity attacks affecting only the largest financial institutions are gone.

Criminal tactics are evolving and becoming more sophisticated. Increasingly, smartphones are targeted through spam text messages and a myriad of social media scams. These tactics can compromise the phone of a customer accessing a mobile banking application, or of a bank employee accessing internal bank systems such as email. The Internet of Things, or IoT, is the network of physical devices, vehicles, home appliances and other items that can connect and exchange data. Criminals are compromising IoT devices to launch sophisticated cyberattacks against financial institutions and their customers.

As a bank executive or board member, there are steps you can take to fight back. It starts by recognizing your bank and your customers are targets and can become victims. As leaders, it is important to understand your responsibility to oversee the bank’s cybersecurity program and educate yourself on the current threats and trends. The following recommendations are the first steps to take as you oversee your bank’s cybersecurity program.

What the CEO should be doing

  1. The Financial Services Sector Coordinating Council has an Excel-based Automated Cyber Assessment Tool (ACAT) available for download at https://www.fsscc.org/. Ensure it is completed by management and updated at least annually.
  2. Management should develop a cybersecurity risk appetite and understand where the bank is exposed to the greatest risk.
  3. Oversee and monitor the bank’s cybersecurity program. Ensure a strategic and tested incident response program is in place.
  4. Challenge preparedness results by reviewing the ACAT and not accepting “baseline” control maturity levels as the desired control level.
  5. Budget appropriately for cybersecurity preparedness. Compare the funding for cybersecurity controls to that for physical security controls; if cybersecurity threats are greater than physical security threats, funding for cybersecurity controls should be at least on par with physical security investments.

What the board should be doing

  1. Consult with cybersecurity professionals to provide education on an annual basis.
  2. Ask the CEO and senior management to present the bank’s vision, risk appetite, and overall strategic direction for the bank’s cybersecurity program. 
  3. Review the results of ongoing monitoring of the bank’s exposure to and preparedness for cyber threats. Challenge the status quo and do not become complacent. Expect control proficiency levels to increase from baseline levels to evolving levels and higher. Criminals are not standing still and neither should you.
  4. Ensure proper budgeting of cybersecurity controls and review the bank’s cyber liability insurance annually.
  5. Ensure the bank’s systems are tested against cybersecurity threats at least annually, using the same techniques criminals use to break in.

What bank CEOs should know

  1. Where is our bank most at risk?
  2. Are our cybersecurity controls improving beyond baseline?
  3. Are we comfortable with residual risk levels?
  4. Are we reviewing the ACAT at least quarterly?
  5. Are our cybersecurity controls improving fast enough to outpace the evolving cybersecurity threats?

What the bank should be doing

  • Your bank should be a member of information sharing organizations such as the Financial Services Information Sharing and Analysis Center (FS-ISAC) and share information in bank peer group meetings.
  • Work with cybersecurity experts to develop regular board reporting on cybersecurity threats and risk management.
  • Improve cybersecurity control proficiency beyond baseline. Remember that improvement does not have to be overly expensive.
    • Maximize the use of all currently available controls.
    • Do not wait on examiners or IT auditors to make you improve. It could be too late.

Many executives and boards feel unprepared to address cybersecurity threats and risks. The good news is there are many well-trained and qualified cybersecurity professionals who can help you. Enact change where needed and provide ongoing oversight of the cybersecurity program at your bank. Doing so will go a long way toward ensuring your bank does not become another victim of a cyberattack.

How Poor Communication Practices by Directors Increase Cyber Risk


The role of a corporate director is continuously expanding, particularly in the banking space. Beyond growing profits, today’s directors are also responsible for ensuring corporate ethics, social responsibility, cybersecurity and more. Unfortunately, many directors are still using their old communication tools. A recent report from the New York Stock Exchange and Diligent found that the communication practices of directors and executives are potentially increasing their company’s level of cyber risk for the sake of personal convenience.

These findings are particularly alarming in the context of recent regulatory pressures on boards to be held accountable for data privacy and cyber breaches, including a recent regulation issued by the New York State Department of Financial Services applicable to all financial services firms conducting business in New York, and the impending impact of the European Union’s General Data Protection Regulation for every company that serves EU customers. (For further details about the New York regulations, see “New Rules for Financial Firms in New York Put New Onus on Boards.”)

The NYSE/Diligent report noted that while directors and executives have access to sensitive data, they operate with little to no direct oversight by the company’s IT/data security teams, and are therefore not restricted to using only secure communication channels when discussing board business. In fact, of the 381 corporate directors of publicly traded companies surveyed for the report:

  • Ninety-two percent use personal email accounts (outside corporate firewalls) at least occasionally to conduct board business.
  • Fifty percent regularly download confidential company documents onto personal devices or computers.
  • Sixty-two percent are not required to undergo cybersecurity training.
  • Forty percent “didn’t know” if the board had ever conducted a security audit.

So what are some best practices for secure board communication that banks and financial institutions can employ to mitigate cyber risk and prepare their directors and executives to meet the challenge?

Training and Assessments
Cyber threats can change at a moment’s notice, and regulatory requirements in the cybersecurity space continue to evolve. Regular training is imperative for board members, especially experienced directors who need refreshers or may not be aware of the latest risks. Customize the training to include a review of the practices your company expects from directors to ensure they are handling sensitive information appropriately, and continue to revisit these on an annual basis.

Bring the data security team into the boardroom to conduct an audit of directors’ communication practices. By ensuring that directors are handling documents only through secured and encrypted channels, your company can minimize exposure to some of the worst penalties of the new regulations.

Also, leverage the annual board evaluation by making cybersecurity a key component of board success. Query directors on their level of readiness to handle a material data breach or leak, and their understanding of the board’s responsibility versus the roles of IT and the management team. From there, the company can identify areas where further education and training are needed.

Keep Business and Personal Separate
The use of free email services has been at the center of too many corporate cyber incidents in recent years—yet directors continue to use personal email as a primary communications method rather than adopting more secure technology. Why? While internal email and servers typically have heightened security and stronger encryption, many directors reject company-issued email accounts because they serve on multiple boards, which could leave a single director having to check multiple inboxes and multiple calendars to conduct board work.

But what directors gain in convenience by using personal email, they lose in increased risk. The better solution? Give up on email altogether and opt for a secure messaging tool.

Secure and Convenient Technology
Select a secure messaging tool that is designed specifically for director communication and can be integrated into your existing governance software. There are a number of considerations to keep in mind. Do your directors prefer to use mobile? Do they want to make digital edits while reviewing board docs? What level of protection and encryption do you need?

These platforms can alert directors’ mobile phones when messages arrive and allow them to log in with biometrics—while still enabling the data security team and corporate secretary to control record retention and data encryption. Such a tool not only facilitates convenient board communication, but can also be a last line of defense in case devices are stolen in transit, lost on planes or infected by viruses/malware while connected to unsecured Wi-Fi.

Nine Strategic Areas Critical to Your Bank’s Future

How should banks determine the best way to proceed over the upcoming quarters? While no one can predict the future, there are several critical developments that anyone can keep an eye on. These are the areas that are most impactful to banks and for which they need to strategize and position themselves.

Rising Rates: Obviously, rates are rising, but by how much? Banks should position for moderate hikes and a slower pace of hikes than the Fed predicts. The Fed’s predictions on rate hikes have been overstated for several years running. The yield curve for the 10-year Treasury has been flattening of late, which also indicates fewer hikes are needed. A reduced duration for assets and reduced call risk makes the most sense; but practice moderation and don’t overdo it. Too many banks had their net interest margin crushed by being too asset sensitive and waiting for rates to increase while we had eight years of low rates. Check your bond portfolio against a well-defined national peer group of banks with similar growth rates, loan deposit rates and liquidity needs. Very few banks perform this comparison. They just use uniform bank performance reports or a local peer group. Every basis point matters, and there is no reason not to be a top quartile performer.

Deposits: Buy and/or gather core deposits now. Branches provide the best value. Most banks overestimate what deposits are core deposits, meaning they won’t leave your bank when rates rise. Like capital, gathering core deposits is best done when it is least needed.

Mergers and Acquisitions: If you are planning on selling in the next three years, sell right now, as optimism and confidence are at 10-year highs. If you are a long-term player, go buy core deposits, as they are historically cheap and you are going to need them. They are worth more now than perhaps ever before.

Get Capital While You Still Can: Solve your capital issues now. Investors are probably overconfident, but banks have done well the last seven years and finally, they aren’t taboo anymore. Investors want to invest in banks. That always happens before something bad in the economy occurs, so get it while you can.

Real Estate Carries Risk: With regulators mindful of capital exposure and real estate deal availability being spotty, it’s best that banks be wary of deals in this area. Commercial real estate linked to retail is more and more being viewed as extremely risky. There is an all-out war being waged on store retailers by online retailers. Since retail is a huge sector of the U.S. economy, investment will follow the online trend. Industrial real estate has become “retail extended” with the least amount of real estate risk.

Beware of Relying on Credit Scores: Banks need to be careful of the credit cycle. Consumers are loaded full of debt. Cars and homes are too expensive relative to wages and affordability. Credit scores probably don’t capture the downside risk to the consumer.

Get Ahead of Your Risks: Cyber-risk is a major and very real risk. Get ahead of the curve. Two other areas bearing risk are 401(k) plans and wealth management areas as they are especially exposed to litigation and are a nightmarish mess to be addressed. 401(k)s are overloaded with too many choices, fiduciary risk, performance issues, excessive fees and conflicts of interest. Get help now or you may be painfully surprised.

Marketing: Your bank had better get creative with digital marketing opportunities for your website as well as mobile devices. Why? Billions are being invested into financial technology companies and it’s easier for fintech to learn about banking than it is for bankers to learn about fintech.

Millennials: Surveys from The Intelligence Group and others show that finding young, motivated workers, and then retaining them, may be a challenge.

  • 45 percent of millennials believe a decent paying job is a right, not a privilege.
  • 64 percent would rather make $40,000 at a job they love versus $100,000 at a boring job.
  • 71 percent don’t obey social media work policies.
  • Millennials are proving to be more loyal to employers than previous generations, and are better at multi-tasking than previous generations.

Hopefully, some of these items provide bankers strategic ideas to incorporate over the next two or three years.

Now is the time to chart your course.

The Risk of Doing Nothing

Al Dominick, President & CEO of Bank Director, shares three major areas of risk facing financial institutions today. This video, filmed during the 2016 Bank Audit & Risk Committees Conference in Chicago, IL, reflects on his time spent with chief financial officers, chief risk officers, general counsel, audit and risk committee members and various executives from leading professional service and advisory firms.

Top Trends Impacting Audit Committees in 2016

If you’re serving on an audit committee, congratulations. That may be the toughest and most time consuming committee of a bank board. If you find that it isn’t getting any easier, you’re not alone.

As Bank Director gears up for next week’s Bank Audit & Risk Committees Conference in Chicago, we spoke to accountants and consultants who advise banks on the biggest trends impacting audit committees this year.

Audit committees are clamoring to learn how to be more strategic. Jennifer Burke, a partner at Crowe Horwath LLP, says she gets lots of questions from audit committees about how they should focus more on big picture issues, and not get bogged down in all the details. They have the usual responsibilities: supervising an internal auditor, hiring an external auditor, reviewing audits and following up to make sure problems are fixed, but they have a lot more to keep track of as well, including a widening array of new regulations and accounting pronouncements, as well as, in some cases, risk management and cyber risk issues. “It’s not easy to be on an audit committee these days,” she says. “There’s not a box to check to make sure your bank will survive.”

Audit committees will begin asking questions about the implementation of the Financial Accounting Standards Board (FASB)’s new standard on loan loss impairment. The organization is expected to publish final rules in the next week or two for what’s known as the Current Expected Credit Loss Impairment Model (CECL). “It’s the biggest accounting change for banks we’ve seen in a decade,” says Carol Larson, a partner at Deloitte & Touche LLP. Under the current incurred loss model, banks reserve for loan losses based on incurred losses. Under CECL, which is expected to go into effect in 2020, banks will have to reserve for estimated losses over the life of the loan, based on the experience with other, similar types of loans. As soon as a bank makes a loan, it will likely have to record a reserve for that loan. “Banks don’t like this model we’re moving to,” Larson says. “It’s going to significantly increase their reserves. You can imagine regulators really like it a lot.” Since banks will want to run the new model for a year in advance of the rule going into effect, Larson suggests banks should try to have a concrete plan and timeline for implementation this fall.

Audit committees increasingly burdened with bank-related compliance issues are trying to be more efficient. Larson says boards often hand over compliance-related problems and oversight of new regulations to audit committees, which have seen such work escalate since the financial crisis. It used to be fairly uncommon for a bank to get hit with a regulatory “matters requiring attention” notice. Now, it’s fairly common for a bank to have 20, Larson says. “It’s mind numbing on some level,” she says. It’s fair for an audit committee to ask questions not just about adding employees to the compliance department, but how to add them efficiently. Perhaps the old way of doing business is no longer the most efficient way, and data analytics could help banks in some ways handle the compliance burden effectively.

Cyber risk is a huge concern. Bank boards are worried about cyber security, there’s no doubt about it, and much of this oversight is handled at the audit committee level, especially for smaller banks. About 28 percent of bank audit committees handle cyber risk in the audit committee, with smaller banks more likely to handle this in audit than banks over $5 billion in assets, according to Bank Director’s 2016 Risk Practices Survey. A good practice is not to assume you can plug every leak, but to get prepared for the almost inevitable data breach, Larson says. Just like a natural disaster, data breaches aren’t necessarily preventable, but you can prepare with a good disaster plan.