The Newest Exposure Facing Community Bank Boards


Cybercrime continues to pose the most significant risk to the banking sector, ranging from standard phishing attacks to newer ATM jackpotting schemes that manipulate a machine into dispensing more cash than it should.

Many of the losses originate through human error, so it is critical to ensure all employees are trained on the newest phishing schemes and how to best avoid them. Cyber liability insurance claims represented the largest increase in the percentage of total liability claims, according to data from the American Bankers Association, rising from 19% in 2017 to 26% in 2018.

Several of the most recent examples of covered cyber claims began when a bank employee succumbed to a phishing attack. The employee clicks on a link from what appears to be a trusted source, and the link downloads malware. The malware often leads to a breach of network security that gives the perpetrators extensive access to the bank’s networks. In some scenarios the malware locks the bank’s systems and the attackers extort executives for a “consulting fee” to restore access to internal systems. The fee is usually demanded in bitcoin or another cryptocurrency that is difficult to trace.

While that can be a significant expense to the bank, the more common claim scenario involves the expenses associated with the breach of network security. These can include, but are not limited to:

  • Notification costs
  • Forensics expenses
  • Credit monitoring costs
  • Establishing of a call center
  • Hiring a public relations firm
  • Obtaining legal advice, ensuring all discovery is protected by attorney-client privilege

Most cyber liability policies cover both breach remediation expenses and cyber extortion costs, as long as the third-party providers are approved by the carrier.

However, the loss scenario is not limited to extortion or post-breach remediation expenses. As reported in 2018, a regional Virginia bank fell victim to an ATM heist with a total loss of $2.35 million. The fraud began when an employee fell for a targeted phishing email, which allowed the culprits to install malware on bank servers. The malware let the thieves disable anti-theft and anti-fraud protections, including 4-digit PIN verification and daily withdrawal limits. The bank suffered two separate waves of ATM theft from this single intrusion: the first resulted in a loss of $550,000 over a holiday weekend; the second, a loss of over $1.8 million.
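The controls the malware disabled in that heist, PIN verification and the per-card daily limit, were enforced on the same hosts the attackers had compromised. A compensating check is an independent process that replays the switch's withdrawal log and raises its own alerts. The following is an added example, not code from the article or from the bank involved; the log format, the $500 rolling limit, the burst threshold and every transaction are constructed for illustration:

```python
"""Out-of-band reconciliation of ATM withdrawals against card limits.

Added example, not from the article. Assumptions (all constructed):
a CSV export from the ATM switch with one row per withdrawal
(card, ISO timestamp, amount, whether the switch reports the PIN as
verified, ATM id), a $500 rolling-24-hour limit per card, and a
"burst" threshold of three withdrawals within ten minutes.
"""
from collections import defaultdict
from datetime import datetime, timedelta

DAILY_LIMIT = 500                   # assumption: per-card limit in USD
LIMIT_WINDOW = timedelta(hours=24)  # rolling, so midnight does not reset it
BURST_WINDOW = timedelta(minutes=10)
BURST_COUNT = 3

# Constructed sample log; the third row shows a withdrawal the switch
# approved without verifying the PIN, as malware on the switch could force.
SAMPLE_LOG = """\
card-0001,2019-01-19T22:01:10,300,yes,ATM-17
card-0001,2019-01-19T22:04:55,300,yes,ATM-17
card-0001,2019-01-19T22:09:30,300,no,ATM-17
card-0002,2019-01-19T22:10:02,200,yes,ATM-17
card-0003,2019-01-19T23:55:00,400,no,ATM-22
card-0003,2019-01-20T00:02:00,400,no,ATM-22
card-0002,2019-01-20T09:00:00,100,yes,ATM-03
"""


def parse_log(text):
    """Parse the CSV export into dicts; raises on a malformed row."""
    rows = []
    for line in text.strip().splitlines():
        card, ts, amount, pin, atm = line.split(",")
        rows.append({"card": card, "ts": datetime.fromisoformat(ts),
                     "amount": int(amount), "pin_verified": pin == "yes",
                     "atm": atm})
    return rows


def reconcile(rows, limit=DAILY_LIMIT):
    """Replay withdrawals in time order; return (kind, card, ts, value) alerts."""
    alerts = []
    history = defaultdict(list)   # card -> [(ts, amount)] inside LIMIT_WINDOW
    for r in sorted(rows, key=lambda r: r["ts"]):
        card, ts = r["card"], r["ts"]
        # the switch says it dispensed cash without a verified PIN
        if not r["pin_verified"]:
            alerts.append(("PIN_BYPASS", card, ts.isoformat(), r["amount"]))
        hist = history[card]
        hist.append((ts, r["amount"]))
        # drop entries older than the rolling window, then re-sum
        hist[:] = [(t, a) for t, a in hist if ts - t < LIMIT_WINDOW]
        total = sum(a for _, a in hist)
        if total > limit:
            alerts.append(("LIMIT_EXCEEDED", card, ts.isoformat(), total))
        # several withdrawals in a few minutes is the jackpotting pattern
        burst = [t for t, _ in hist if ts - t < BURST_WINDOW]
        if len(burst) >= BURST_COUNT:
            alerts.append(("BURST", card, ts.isoformat(), len(burst)))
    return alerts


if __name__ == "__main__":
    for alert in reconcile(parse_log(SAMPLE_LOG)):
        print(*alert)
```

The limit is evaluated over a rolling 24 hours rather than a calendar day, so the two card-0003 withdrawals that straddle midnight are still caught as a single $800 total. The reconciliation only helps if it runs on a host and log feed the switch cannot tamper with.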

Recommendations:

  • Make sure your employees are trained, and retrained, on how to detect a phishing e-mail and what to do if they suspect the e-mail may not be legitimate.
  • If you have any third-party network security providers, confirm whether they are already on the cyber carrier’s panel counsel list, which is a list of pre-approved vendors with pre-negotiated rates. If not, try to get them added on a pre-approved basis. This would typically occur during the renewal of the cyber policy, not during a claim.
  • If there is a breach of network security, make sure the cyber carrier approves all third-party expenses in writing, in advance, to ensure they will indemnify the bank for those expenses.
  • If cybersecurity, cyber risk or cyber insurance is discussed during a board meeting, make sure the minutes document it. We suggest that boards be able to show that such discussions take place at least quarterly; a documented record puts the board in a better light in the event of a cyberattack.
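The first recommendation relies on people spotting the signs of a phishing email: a display name that does not match the sender, a lookalike domain, a reply address that goes elsewhere, a failed sender check, or a link whose visible text differs from where it actually points. The same indicators can be checked mechanically at the mail gateway before the message reaches an inbox. The following is an added example, not code from the article or from any product it mentions; the domain bank.example, the gateway header and the sample message are constructed:

```python
"""Heuristic phishing triage for one inbound message.

Added example, not from the article. Assumptions (constructed): the
institution's own domain is bank.example, an upstream gateway stamps an
Authentication-Results header with SPF/DKIM outcomes, and the message
below was written for this illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"bank.example"}   # assumption: the institution's own domain

SAMPLE_MESSAGE = """\
From: "IT Helpdesk - bank.example" <helpdesk@bank-example.com>
Reply-To: recover@mail-relay.example
To: teller@bank.example
Subject: Password expiry notice
Authentication-Results: mx.bank.example; spf=fail smtp.mailfrom=bank-example.com; dkim=none
Content-Type: text/html

<p>Your password expires today. Sign in at
<a href="http://login.bank-example.com/reset">https://portal.bank.example</a>
to keep access.</p>
"""


def _normalize(domain):
    """Fold common homoglyph substitutions so 'examp1e' compares as 'example'."""
    return (domain.lower().replace("1", "l").replace("0", "o")
            .replace("rn", "m").replace("vv", "w"))


def _edit_distance(a, b):
    """Plain Levenshtein distance."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, trusted=TRUSTED_DOMAINS):
    """True if domain imitates a trusted domain without being it (or a subdomain)."""
    raw = domain.lower()
    norm = _normalize(raw)
    for t in trusted:
        if raw == t or raw.endswith("." + t):
            return False          # the real domain or one of its subdomains
        if norm == t or _edit_distance(norm, t) <= 2:
            return True           # homoglyph swap or typo-squat
        if re.sub(r"[^a-z]", "", t) in re.sub(r"[^a-z]", "", norm):
            return True           # trusted name embedded, e.g. bank-example.com
    return False


def triage(raw_message):
    """Return a list of human-readable findings; empty means nothing suspicious."""
    msg = message_from_string(raw_message)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    # 1. display name claims a trusted domain the address does not carry
    for t in TRUSTED_DOMAINS:
        if t in display.lower() and from_domain != t:
            findings.append(f"display name mentions {t} but sender is {from_domain}")
    # 2. sender domain imitates our own
    if is_lookalike(from_domain):
        findings.append(f"sender domain {from_domain} looks like a trusted domain")
    # 3. replies are routed somewhere other than the sender
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rsplit("@", 1)[-1].lower() != from_domain:
        findings.append(f"Reply-To domain {reply.rsplit('@', 1)[-1]} differs from sender")
    # 4. the gateway's SPF/DKIM/DMARC evaluation failed
    auth = msg.get("Authentication-Results", "")
    if re.search(r"\b(spf|dkim|dmarc)=(fail|softfail|permerror)\b", auth):
        findings.append("sender authentication failed: " + auth.split(";", 1)[-1].strip())
    # 5. visible link text names one host while the href goes to another
    body = msg.get_payload()
    for href, text in re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', body, re.S | re.I):
        href_host = urlparse(href).hostname or ""
        text_host = urlparse(text.strip()).hostname or ""
        if text_host and text_host != href_host:
            findings.append(f"link text {text_host} but target {href_host}")
        elif is_lookalike(href_host):
            findings.append(f"link target {href_host} looks like a trusted domain")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_MESSAGE):
        print("-", finding)
```

Each finding maps to one cue from user training, so the output doubles as the explanation a user sees when a message is quarantined. The checks are heuristics and will produce false positives on legitimate subsidiaries or marketing relays; tune TRUSTED_DOMAINS and the edit-distance threshold against the bank's own mail before enforcing.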

The Strategic Side of Cybersecurity Governance


Without a comprehensive cyber risk governance strategy, banks risk playing Whac-A-Mole with their cybersecurity.

Most financial institutions’ cybersecurity programs are tactical or project-oriented, addressing one-off situations and putting out fires as they arise. This piecemeal approach to cybersecurity is inefficient and increasingly risky, given the growing number of new compliance requirements and privacy and security laws. Institutions are recognizing that everyone in the C-suite should be thinking about the need for a cyber risk governance strategy.

There are three key advantages to having a cyber risk governance strategy:

  • Effectively managing the audit and security budget: Organizations that address current risks can more effectively prepare for cybersecurity threats while achieving consistent audit results. A thorough risk assessment can highlight real threats and identify controls to evaluate on an ongoing basis through regular review or testing.
  • Reducing legal exposure: Companies and their officers can reduce the potential for civil and criminal liability by getting in front of cybersecurity and demonstrating how the institution is managing its risk effectively.
  • Getting in front of cybersecurity at an organizational level: Strategic planning is an important shift of responsibility for management teams. Management undertakes initiatives proactively because they are the right thing to do, rather than because an auditor instructed the company to do them.

So what’s required to set up a cyber risk governance strategy? Most organizations have talented individuals, but not necessarily personnel who are focused on security. Compounding the industry shortage of cybersecurity professionals, banks may also lack the resources necessary to do a risk assessment and ensure security practices are aligned with their cyber risk governance goals. As a result, banks frequently bring in vendors to help. If that’s the case, they should undertake a cyber risk strategy assessment with the help of their vendor.

Bank boards can perform a cyber risk governance strategy assessment in three phases:

  1. An assessment of the current cyber risk governance strategy. In phase one, a vendor’s team will review a bank’s current organizational and governance structure for managing information security risk. They’ll also review the information technology strategic plan and cybersecurity program to understand how the bank implements information security policies, standards and procedures. This provides a baseline of the people and processes surrounding the organization’s cyber risk governance and information security risk tolerance.
  2. Understand the institution’s cyber risk footprint. Here, a vendor will review the technology footprint of customers, employees and vendors. They’ll look at internal and external data sources, the egress and ingress flow of data, the data flow mapping, the technology supporting data transport and the technology used for servicing clients, employees, and the third parties who support strategic initiatives.
  3. Align information security resources to cyber governance goals. In phase three, a vendor will help the bank’s board and executives understand how its people, process and technology are aligned to achieve the institution’s cyber governance goals. They’ll review the bank’s core operations and document the roles, processes and technology surrounding information security. They’ll also review the alignment of operational activities that support the bank’s information security strategic goals, and document effective and ineffective operational activities supporting the board’s cyber governance goals.

Once the assessment is complete, a bank will have the foundation needed to follow up with an operational analysis, tactical plan and strategic roadmap. With the roadmap in place, a bank can craft a cyber risk strategy that aligns with its policies, as well as an information security program that addresses the actual risks the organization faces. Instead of just checking the boxes of required audits, bank boards can approach the assessments strategically, dictating the schedule while being confident that the bank’s cyber risks are being addressed.

Rodge Cohen: Are We Preparing to Fight the Last War?


His name might not command the same recognition on the world stage as the mononymous Irish singer-songwriter known simply as Bono, but in banking and financial services just about everyone knows who “Rodge” is.

H. Rodgin Cohen, referred to simply as Rodge, is the unrivaled dean of U.S. bank attorneys. At 75, Cohen, who is the senior chairman at the New York City law firm Sullivan & Cromwell, is still actively involved in the industry, having recently advised SunTrust Banks on its pending merger with BB&T Corp.

Cohen has long been considered a valued advisor within the industry.

In the financial crisis a decade ago, he represented corporate clients like Lehman Brothers and worked closely with the federal government’s principal players, including Treasury Secretary Hank Paulson and Federal Reserve Chairman Ben Bernanke. His character even made an appearance in the movie “Too Big To Fail,” based on a popular book about the crisis by Andrew Ross Sorkin.

Eleven years later, Cohen says the risk to the banking industry is no longer excessive leverage or insufficient liquidity—major contributing factors to the last crisis.

The Dodd-Frank Act of 2010 raised bank capitalization levels substantially compared to pre-crisis levels. In fact, bank capitalization levels have been rising for 40 years, going back to the thrift crisis in the late 1980s. Dodd-Frank also requires large banks to hold a higher percentage of their assets in cash to ensure they have enough liquidity to weather another financial storm.

The lesson from the last crisis, says Cohen, revolves around the importance of having a fortress balance sheet. “I think that was the lesson which has been thoroughly learned not merely by the regulators, but by the banks themselves, so that banks today have exponentially more capital, and the differential is even greater in terms of having more liquidity,” says Cohen.

But does anyone know if these changes will be enough to help banks survive the next crisis?

“I don’t think it is possible to calculate this precisely, but if you look at the banks that did get into trouble, none of them had anywhere near the level of capital and liquidity that is required now,” says Cohen. “Although you can’t say with certainty that this is enough, because it’s almost unprovable, there’s enough evidence that suggests that we are at levels where no more is required.”

It is often said that generals have a tendency to fight the last war even though advances in weaponry—driven by technology—can render that war’s tactics and strategies obsolete. Think of the English cavalry on horseback in World War I charging into German machine guns.

It can be argued that regulators, policymakers and even customers in the United States still bear the emotional scars of the last financial crisis, so we all find comfort in the fact that banks are less leveraged today than they have been in recent history, particularly in the lead up to the last crisis.

But what if a strong balance sheet isn’t enough to fight the next war?

“I think the biggest risk in the [financial] system today is a successful cyberattack,” says Cohen. While a lot of attention is paid to the dangers of a broad attack on critical infrastructure that poses a systemic risk, Cohen worries about something different.

“That is a very serious risk, but I think the more likely [danger] is that a single bank—or a group of banks—are hit with a massive denial of service for a period of time, or a massive scrambling of records,” he says. This contagion could destabilize the financial system if depositors begin to worry about the safety of their money.

Cohen believes that financial contagion, where risk spreads from one bank to another like an infectious disease, played a bigger role in the financial crisis than most people appreciate. And he worries that the same scenario could play out in a crippling cyberattack on a major bank.

“Until we really understand what role contagion played in 2008, I don’t think we’re going to appreciate fully the risk of contagion with cyber,” he says. “But to me, that is clearly the principal risk.”

And herein lies the irony of the industry’s higher capital and liquidity requirements. They were designed to protect against the risk of credit bubbles, such as the one that precipitated the last crisis, but they will do little to protect against the bigger risk faced by banks today: a crippling cyberattack.

“That’s why I regard [cyber] as the greatest threat,” says Cohen, “because a fortress balance sheet won’t necessarily help.”

What CEOs and Directors Should Know About Cybersecurity


According to Javelin’s 2018 Identity Fraud Report, identity theft reached an all-time high in 2017 with more than 16 million consumers affected. On top of this, 24 percent of network breaches target financial institutions, according to Verizon’s 2017 Data Breach Investigations Report. This one-two punch is affecting banks of all sizes. The days of cyberattacks only affecting the largest financial institutions are gone.

Criminal tactics are evolving and becoming more sophisticated. Increasingly, smartphones are targeted through spam text messages and a myriad of social media scams. These tactics could compromise the phone of a customer who is accessing a mobile banking application, or of a bank employee accessing internal bank systems such as email. The Internet of Things, or IoT, is the network of physical devices, vehicles, home appliances and other items that can connect and exchange data. Criminals are compromising IoT devices to launch sophisticated cyberattacks against financial institutions and their customers.

As a bank executive or board member, there are steps you can take to fight back. It starts by recognizing your bank and your customers are targets and can become victims. As leaders, it is important to understand your responsibility to oversee the bank’s cybersecurity program and educate yourself on the current threats and trends. The following recommendations are the first steps to take as you oversee your bank’s cybersecurity program.

What the CEO should be doing

  1. The Financial Services Sector Coordinating Council has an Excel-based Automated Cyber Assessment Tool (ACAT) available for download at https://www.fsscc.org/. Ensure it is completed by management and updated at least annually.
  2. Management should develop a cybersecurity risk appetite and understand where the bank is exposed to the greatest risk.
  3. Oversee and monitor the bank’s cybersecurity program. Ensure a strategic and tested incident response program is in place.
  4. Challenge preparedness results by reviewing the ACAT and not accepting “baseline” control maturity levels as the desired control level. 
  5. Budget appropriately for cybersecurity preparedness. Compare the funding for cybersecurity controls to physical security controls. If cybersecurity threats are greater than physical security threats, funding of cybersecurity controls should be at least on par with physical security investments.

What the board should be doing

  1. Consult with cybersecurity professionals to provide education on an annual basis.
  2. Ask the CEO and senior management to present the bank’s vision, risk appetite, and overall strategic direction for the bank’s cybersecurity program. 
  3. Review the results of ongoing monitoring of the bank’s exposure to and preparedness for cyber threats. Challenge the status quo and do not become complacent. Expect control proficiency levels to increase from baseline levels to evolving levels and higher. Criminals are not standing still and neither should you.
  4. Ensure proper budgeting of cybersecurity controls and review the bank’s cyber liability insurance annually.
  5. Ensure the bank’s systems are tested against cybersecurity threats at least annually, using the same techniques criminals use to break in.

What bank CEOs should know

  1. Where is our bank most at risk?
  2. Are our cybersecurity controls improving beyond baseline?
  3. Are we comfortable with residual risk levels?
  4. Are we reviewing the ACAT at least quarterly?
  5. Are our cybersecurity controls improving fast enough to outpace the evolving cybersecurity threats?

What the bank should be doing

  • Your bank should be a member of information sharing organizations such as Financial Services – Information Sharing and Analysis Center (FS-ISAC) and share information in bank peer group meetings. 
  • Work with cybersecurity experts to develop regular board reporting on cybersecurity threats and risk management.
  • Improve cybersecurity control proficiency beyond baseline. Remember that improvement does not have to be overly expensive.
    • Maximize the use of all currently available controls.
    • Do not wait on examiners or IT auditors to make you improve. It could be too late.

Many executives and boards feel unprepared to address cybersecurity threats and risks. The good news is there are many well-trained and qualified cybersecurity professionals who can help you. Enact change where needed and provide ongoing oversight of the cybersecurity program at your bank. Doing so will go a long way toward ensuring your bank does not become another victim of a cyberattack.

How Poor Communication Practices by Directors Increase Cyber Risk


The role of a corporate director is continuously expanding, particularly in the banking space. Beyond growing profits, today’s directors are also responsible for ensuring corporate ethics, social responsibility, cybersecurity and more. Unfortunately, many directors are still using their old communication tools. A recent report from the New York Stock Exchange and Diligent found that the communication practices of directors and executives are potentially increasing their company’s level of cyber risk for the sake of personal convenience.

These findings are particularly alarming in the context of recent regulatory pressure on boards to be held accountable for data privacy and cyber breaches, including a recent regulation from the New York State Department of Financial Services applicable to all financial services firms conducting business in New York, and the impending impact of the European Union’s General Data Protection Regulation for every company that serves EU customers. (For further details about the New York regulations, see “New Rules for Financial Firms in New York Put New Onus on Boards.”)

The NYSE/Diligent report noted that while directors and executives have access to sensitive data, they operate with little-to-no direct oversight by the company’s IT/data security teams, and are therefore not restricted to using only secure communication channels when discussing board business. In fact, of the 381 corporate directors of publicly traded companies surveyed for the report:

  • Ninety-two percent use personal email accounts (outside corporate firewalls) at least occasionally to conduct board business.
  • Fifty percent regularly download confidential company documents onto personal devices or computers.
  • Sixty-two percent are not required to undergo cybersecurity training.
  • Forty percent “didn’t know” if the board had ever conducted a security audit.

So what are some best practices for secure board communication that banks and financial institutions can employ to mitigate cyber risk and prepare their directors and executives to meet the challenge?

Training and Assessments
Cyber threats can change at a moment’s notice, and regulatory requirements in the cybersecurity space continue to evolve. Regular training is imperative for board members, especially experienced directors who need refreshers or may not be aware of the latest risks. Customize the training to include a review of the practices your company expects from directors to ensure they are handling sensitive information appropriately, and continue to revisit these on an annual basis.

Bring the data security team into the boardroom to conduct an audit of directors’ communication practices. By ensuring that directors are handling documents only through secured and encrypted channels, your company can minimize exposure to some of the worst penalties of the new regulations.

Also, leverage the annual board evaluation by making cybersecurity a key component of board success. Query directors on their level of readiness to handle a material data breach or leak, and their understanding of the board’s responsibility versus the roles of IT and the management team. From there, the company can identify areas where further education and training are needed.

Keep Business and Personal Separate
Personal accounts at free email providers have been at the center of too many corporate cyber incidents in recent years, yet directors continue to use personal email as a primary communications method rather than adopting more secure technology. Why? While internal email systems and servers typically have heightened security and stronger encryption, many directors reject company-issued email accounts because they serve on multiple boards, which could leave a single director checking multiple inboxes and multiple calendars to conduct board work.

But what directors gain in convenience by using personal email, they lose in increased risk. The better solution? Give up on email altogether and opt for a secure messaging tool.

Secure and Convenient Technology
Select a secure messaging tool that is designed specifically for director communication and can be integrated into your existing governance software. There are a number of considerations to keep in mind. Do your directors prefer to use mobile? Do they want to make digital edits while reviewing board docs? What level of protection and encryption do you need?

These platforms can alert directors’ mobile phones when messages arrive and allow them to log in with biometrics, while still enabling the data security team and corporate secretary to control record retention and data encryption. Such a platform not only facilitates convenient board communication, but can also be a last line of defense in case devices are stolen in transit, lost on planes or infected by viruses/malware while connected to unsecured Wi-Fi.

Nine Strategic Areas Critical to Your Bank’s Future


How should banks determine the best way to proceed over the upcoming quarters? While no one can predict the future, there are several critical developments that anyone can keep an eye on. These are the areas that are most impactful to banks and for which they need to strategize and position themselves.

Rising Rates: Obviously, rates are rising, but by how much? Banks should position for moderate hikes and a slower pace of hikes than the Fed predicts. The Fed predictions on rate hikes have been overstated for several years running. The yield curve for the 10-year Treasury has been flattening of late, which also indicates fewer hikes are needed. A reduced duration for assets and reduced call risk makes the most sense; but practice moderation and don’t overdo it. Too many banks had their net interest margin crushed by being too asset sensitive and waiting for rates to increase while we had eight years of low rates. Check your bond portfolio against a well-defined national peer group of banks with similar growth rates, loan deposit rates and liquidity needs. Very few banks perform this comparison. They just use uniform bank performance reports or a local peer group. Every basis point matters, and there is no reason not to be a top quartile performer.

Deposits: Buy and/or gather core deposits now. Branches provide the best value. Most banks overestimate what deposits are core deposits, meaning they won’t leave your bank when rates rise. Like capital, gathering core deposits is best done when it is least needed.

Mergers and Acquisitions: If you are planning on selling in the next three years, sell right now, as optimism and confidence are at 10-year highs. If you are a long-term player, go buy core deposits, as they are historically cheap and you are going to need them. They are worth more now than perhaps ever before.

Get Capital While You Still Can: Solve your capital issues now. Investors are probably overconfident, but banks have done well the last seven years and finally, they aren’t taboo anymore. Investors want to invest in banks. That always happens before something bad in the economy occurs, so get it while you can.

Real Estate Carries Risk: With regulators mindful of capital exposure and real estate deal availability being spotty, it’s best that banks be wary of deals in this area. Commercial real estate linked to retail is increasingly viewed as extremely risky. There is an all-out war being waged on store retailers by online retailers. Since retail is a huge sector of the U.S. economy, investment will follow the online trend. Industrial real estate has become “retail extended” with the least amount of real estate risk.

Beware of Relying on Credit Scores: Banks need to be careful of the credit cycle. Consumers are loaded full of debt. Cars and homes are too expensive relative to wages and affordability. Credit scores probably don’t capture the downside risk to the consumer.

Get Ahead of Your Risks: Cyber-risk is a major and very real risk. Get ahead of the curve. Two other areas bearing risk are 401(k) plans and wealth management areas as they are especially exposed to litigation and are a nightmarish mess to be addressed. 401(k)s are overloaded with too many choices, fiduciary risk, performance issues, excessive fees and conflicts of interest. Get help now or you may be painfully surprised.

Marketing: Your bank had better get creative with digital marketing opportunities for your website as well as mobile devices. Why? Billions are being invested into financial technology companies and it’s easier for fintech to learn about banking than it is for bankers to learn about fintech.

Millennials: Surveys from The Intelligence Group and others show that finding young, motivated workers, and then retaining them, may be a challenge.

  • 45 percent of millennials believe a decent paying job is a right, not a privilege.
  • 64 percent would rather make $40,000 at a job they love versus $100,000 at a boring job.
  • 71 percent don’t obey social media work policies.
  • Millennials are proving to be more loyal to employers than previous generations, and are better at multi-tasking than previous generations.

Hopefully, some of these items provide bankers strategic ideas to incorporate over the next two or three years.

Now is the time to chart your course.

The Risk of Doing Nothing


Al Dominick, President & CEO of Bank Director, shares three major areas of risk facing financial institutions today.  This video, filmed during the 2016 Bank Audit & Risk Committees Conference in Chicago, IL, reflects on his time spent with chief financial officers, chief risk officers, general counsel, audit and risk committee members and various executives from leading professional service and advisory firms.

Top Trends Impacting Audit Committees in 2016


If you’re serving on an audit committee, congratulations. That may be the toughest and most time consuming committee of a bank board. If you find that it isn’t getting any easier, you’re not alone.

As Bank Director gears up for next week’s Bank Audit & Risk Committees Conference in Chicago, we spoke to accountants and consultants who advise banks on the biggest trends impacting audit committees this year.

Audit committees are clamoring to learn how to be more strategic. Jennifer Burke, a partner at Crowe Horwath LLP, says she gets lots of questions from audit committees about how they should focus more on big picture issues, and not get bogged down in all the details. They have the usual responsibilities: supervising an internal auditor, hiring an external auditor, reviewing audits and following up to make sure problems are fixed, but they have a lot more to keep track of as well, including a widening array of new regulations and accounting pronouncements, as well as, in some cases, risk management and cyber risk issues. “It’s not easy to be on an audit committee these days,’’ she says. “There’s not a box to check to make sure your bank will survive.”

Audit committees will begin asking questions about the implementation of Financial Accounting Standards Board (FASB)’s new standard on loan loss impairment. The organization is expected to publish final rules in the next week or two for what’s known as the Current Expected Credit Loss Impairment Model (CECL). “It’s the biggest accounting change for banks we’ve seen in a decade,’’ says Carol Larson, a partner at Deloitte & Touche LLP. Under the current incurred loss model, banks reserve for loan losses based on incurred losses. Under CECL, which is expected to go into effect in 2020, banks will have to reserve for estimated losses over the life of the loan, based on the experience with other, similar types of loans. As soon as a bank makes a loan, it will likely have to record a reserve for that loan. “Banks don’t like this model we’re moving to,’’ Larson says. “It’s going to significantly increase their reserves. You can imagine regulators really like it a lot.” Since banks will want to run the new model for a year in advance of the rule going into effect, Larson suggests banks should try to have a concrete plan and timeline for implementation this fall.

Audit committees increasingly burdened with bank-related compliance issues are trying to be more efficient. Larson says boards often hand over compliance-related problems and oversight of new regulations to audit committees, which have seen such work escalate since the financial crisis. It used to be fairly uncommon for a bank to get hit with a regulatory “matters requiring attention” notice. Now, it’s fairly common for a bank to have 20, Larson says. “It’s mind numbing on some level,’’ she says. It’s fair for an audit committee to ask questions not just about adding employees to the compliance department, but how to add them efficiently. Perhaps the old way of doing business is no longer the most efficient way, and data analytics could help banks in some ways handle the compliance burden effectively.

Cyber risk is a huge concern. Bank boards are worried about cybersecurity, there’s no doubt about it, and much of this oversight is handled at the audit committee level, especially for smaller banks. About 28 percent of bank audit committees handle cyber risk in the audit committee, with smaller banks more likely to handle this in audit than banks over $5 billion in assets, according to Bank Director’s 2016 Risk Practices Survey. A good practice is not to assume you can plug every leak, but to get prepared for the almost inevitable data breach, Larson says. Just like a natural disaster, data breaches aren’t necessarily preventable, but you can prepare with a good disaster plan.

Understanding the Board’s Role in Cybersecurity


Unfortunately, despite the recent prevalence of cyberattacks and data breaches, many businesses neglect cybersecurity or, if they do pay attention, view cybersecurity as a technical issue for senior management. However commonplace lax oversight of cybersecurity may be in other sectors of the economy, bank directors cannot afford to neglect or delegate responsibility for cybersecurity—bank boards must be actively involved.

Regardless of size, no bank is completely safe from a cyberattack. Every bank should assume that a cyberattack will occur and, when it does, at least one defense will fail. Hackers constantly test cybersecurity defenses, transform their attack methodology, and exploit weaknesses, which, all too often, are the access points used by third-party vendors providing critical services.

Banks are expected to take steps to prevent intrusions, prepare for the possibility of a cyberattack, and have processes in place to restore operations and maintain business continuity. Bank examiners look to see whether a bank has an integrated system of technology, processes and practices employed to protect networks, computers and data from attack. Examiners also look to see whether the board, as the driver of governance controls, is actively involved with senior management in developing a robust approach to cyber risk. Poor cybersecurity measures and lax board oversight can result in a bad IT exam, which, in turn, can negatively affect a bank’s management component rating (even though cybersecurity itself falls under the IT component). Worse still, a poor cybersecurity review may also negatively affect a bank’s safety and soundness rating.

As with many complex issues facing banks, the board must take steps to ensure that it is well advised on technological issues and has a thorough understanding of the bank’s inherent risk environment. A good first step is to make the Federal Financial Institutions Examination Council’s (FFIEC) Cybersecurity Assessment Tool a part of the bank’s governance framework. The assessment tool is a repeatable, two-part review that helps banks identify their risks and evaluate their cybersecurity maturity. The first part gauges the bank’s Inherent Risk Profile, which identifies the risks and threats (both internal and external) that correspond to the activities, services and products the bank offers. The second part, the Cybersecurity Maturity assessment, measures the maturity of the bank’s cybersecurity program across five domains, including board involvement in and oversight of that program.

The board is ultimately responsible for cybersecurity, but it is not necessary that each director have a detailed technical understanding of the underpinnings of cybersecurity safeguards. Many boards appoint a board-level IT committee to take the lead on cybersecurity. Regulators expect the IT committee to own primary responsibility for the bank’s IT strategic plan, including making the board comfortable that the IT strategic plan aligns with the bank’s business strategy. As part of that process, the IT committee can incorporate the FFIEC assessment tool into its review and approval of bank IT policies, management of information security systems, training of other board members and bank management, and approval of IT budgets. Most importantly, because the IT committee is responsible for running periodic independent testing to monitor compliance, the assessment tool can be used to aid the IT committee in holding management accountable for identifying, measuring, monitoring and mitigating IT risks. Boards lacking an IT committee must work closely with senior management to tackle all of the tasks normally delegated to the IT committee and may want to consider hiring an outside consultant to advise the board on cybersecurity technologies and best practices.
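To make the two parts of the assessment tool described above concrete, here is an added example (not code from the original article, the FFIEC, or any bank) that models the tool's scoring rules in Python. Two rules come from the real tool: inherent-risk activities are rated on five levels (Least, Minimal, Moderate, Significant, Most), and each of the five maturity domains is rated on five cumulative levels (Baseline, Evolving, Intermediate, Advanced, Innovative), where a level counts as reached only when every declarative statement at that level and at all lower levels is answered Yes or Yes-with-compensating-controls. Everything else, the activity list, the statement IDs and answers, the plurality rule for the overall risk profile, and the board-set target level checked by `domains_below_target()`, is constructed for illustration and is an assumption of this example, not part of the tool.

```python
"""Added example (not from the original article): a minimal model of the
FFIEC Cybersecurity Assessment Tool's scoring rules.

Follows the real tool: five inherent-risk levels, five cumulative maturity
levels per domain, a level reached only when all statements at it and
below are attained.  Constructed for illustration: the activities, the
statement IDs/answers, the plurality rule, and the board target level.
"""
from collections import Counter

RISK_LEVELS = ["Least", "Minimal", "Moderate", "Significant", "Most"]
MATURITY_LEVELS = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]
ATTAINED = {"Y", "Y(C)"}  # Yes / Yes with compensating controls; anything else is a gap


def inherent_risk_profile(activity_ratings):
    """Part 1. Returns (distribution over RISK_LEVELS, overall level).
    The tool asks management to judge the profile from where most activities
    cluster; taking the plurality level, ties resolved toward the higher risk
    level, is this example's simplification (assumption)."""
    bad = {n: lvl for n, lvl in activity_ratings.items() if lvl not in RISK_LEVELS}
    if bad:
        raise ValueError(f"unrecognised risk level(s): {bad}")
    counts = Counter(activity_ratings.values())
    dist = {lvl: counts.get(lvl, 0) for lvl in RISK_LEVELS}
    overall = max(RISK_LEVELS, key=lambda lvl: (dist[lvl], RISK_LEVELS.index(lvl)))
    return dist, overall


def domain_maturity(answers):
    """Part 2 for one domain. `answers` maps level -> {statement_id: answer}.
    Returns (achieved level or None, gaps): the unattained statement IDs at the
    first level that is not fully met.  Levels are cumulative, so one "N" at
    Baseline leaves the domain below Baseline however many Advanced
    statements are met."""
    achieved = None
    for lvl in MATURITY_LEVELS:
        stmts = answers.get(lvl)
        if not stmts:  # level not assessed at all: it cannot be claimed
            return achieved, [f"{lvl}: no statements assessed"]
        gaps = sorted(sid for sid, ans in stmts.items() if ans not in ATTAINED)
        if gaps:
            return achieved, gaps
        achieved = lvl
    return achieved, []


def assess(activity_ratings, domain_answers):
    """Run both parts and return a report dict for the board or IT committee."""
    dist, overall = inherent_risk_profile(activity_ratings)
    domains = {name: domain_maturity(ans) for name, ans in domain_answers.items()}
    return {"risk_distribution": dist, "inherent_risk": overall, "domains": domains}


def domains_below_target(report, target_level):
    """Domains whose achieved maturity is below a board-set target level.
    The tool's guidance is that maturity should rise with inherent risk; the
    specific target is a board decision, so it is a parameter (assumption)."""
    target = MATURITY_LEVELS.index(target_level)

    def rank(lvl):
        return -1 if lvl is None else MATURITY_LEVELS.index(lvl)

    return [name for name, (lvl, _) in report["domains"].items() if rank(lvl) < target]


# Constructed sample input (illustrative; not a real bank's assessment and
# not the tool's full inventory of 39 activities and its declarative statements).
SAMPLE_ACTIVITIES = {
    "ISP connections": "Moderate",
    "Wireless network access": "Minimal",
    "Cloud computing services": "Moderate",
    "Internet presence / online banking": "Significant",
    "Mobile banking": "Moderate",
    "ATMs operated": "Significant",
    "Critical third-party services": "Moderate",
    "Privileged insider access": "Minimal",
}
SAMPLE_DOMAINS = {
    "Cyber Risk Management and Oversight": {
        "Baseline": {"B1": "Y", "B2": "Y", "B3": "Y(C)"}, "Evolving": {"E1": "Y", "E2": "N"},
        "Intermediate": {"I1": "Y"}, "Advanced": {"A1": "N"}, "Innovative": {"N1": "N"},
    },
    "Cybersecurity Controls": {
        "Baseline": {"B1": "Y", "B2": "N"}, "Evolving": {"E1": "Y"},
        "Intermediate": {"I1": "Y"}, "Advanced": {"A1": "Y"}, "Innovative": {"N1": "N"},
    },
    "Cyber Incident Management and Resilience": {
        "Baseline": {"B1": "Y", "B2": "Y"}, "Evolving": {"E1": "Y"},
        "Intermediate": {"I1": "Y", "I2": "Y(C)"}, "Advanced": {"A1": "N"}, "Innovative": {"N1": "N"},
    },
}

if __name__ == "__main__":
    report = assess(SAMPLE_ACTIVITIES, SAMPLE_DOMAINS)
    print("Inherent risk profile:", report["inherent_risk"], report["risk_distribution"])
    for name, (lvl, gaps) in report["domains"].items():
        print(f"{name}: {lvl or 'below Baseline'}; gaps at next level: {gaps}")
    print("Below board target (Evolving):", domains_below_target(report, "Evolving"))
```

The point the report makes visible is the cumulative rule: the "Cybersecurity Controls" domain in the sample has met an Advanced statement yet scores below Baseline because one Baseline statement is unmet, which is exactly the kind of gap an IT committee can put to management as a named, trackable item rather than a vague concern.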

The regulators have indicated that cybersecurity is going to be a key topic for exams during 2016. Federal regulators have also directed examination staff to incorporate the assessment tool into their review of bank cybersecurity and risk management. While there have been no reported civil money penalties to date related to a bank’s failure to adequately ensure cybersecurity, it is only a matter of time before examiners resort to supervisory and enforcement powers to ensure that banks adequately address cybersecurity risk. Moreover, as the scope of liability for cybersecurity risk grows, banks can be sure that insurance companies, plaintiffs’ attorneys and activist shareholders will scrutinize bank boards’ oversight of cybersecurity.

Proactive integration of the assessment tool into a bank’s governance and risk oversight framework will put the board in a better position to demonstrate satisfactory compliance on these points during an exam, help avoid any downgrade to the institution’s exam rating, and mitigate exposure to the bank and its customers from inevitable cyberattacks.

Captive Insurance Subsidiaries Proliferate Among Bank Holding Companies


Banking is the business of managing risk. Be it credit risk, interest rate risk or technological risk, bankers are trying to control a highly leveraged earnings engine while avoiding risks that can result in sudden reversals of fortune.

Yet many of the biggest risks faced by bankers today are both uninsurable and unreserved for on the bank’s books, such as certain cyber risks and reputational risks. Even where third-party insurance policies may be available, they may provide coverage that bankers feel is cost-prohibitive. That’s where a captive insurance company may present a cost-effective, tax-efficient solution. A captive insurance company is the insurance company that you own. It allows you to insure the risks that your bank, holding company and the holding company’s other operating subsidiaries may face, writing real insurance policies against which you can make claims for losses.

While a variety of structures may be used to create captive insurance companies, so-called “small” captives provide a number of unique tax advantages for owners of small to mid-sized bank holding companies. They often are referred to as 831(b) captives, named after the Internal Revenue Code section that provides tax incentives for the creation and use of such entities.

Potential benefits of 831(b) captives are well-documented and will be enhanced in coming years by recent amendments made under the Protecting Americans from Tax Hikes Act of 2015 (the PATH Act). These include:

  • Insurance for risks that you already have on your books and for which policies in the marketplace are either prohibitively expensive or nonexistent;
  • Up to $1.2 million ($2.2 million beginning in 2017) in deductible premium expenses for your bank or bank holding company; and
  • Up to $1.2 million ($2.2 million beginning in 2017) in tax-free premium income to the captive insurance company.

While the changes under the PATH Act are new, the legislation facilitating small captives has been in place since 1986, which raises the question: why aren’t more bankers using them? The short answer is that, until recently, implementing a captive was very expensive and the legal underpinnings for captives were somewhat shaky.

However, the number of captives across the country has increased rapidly in recent years, according to examiners we’ve spoken with from the Federal Reserve. This increase has resulted in part from a proliferation of “turnkey” providers who have developed proven models and technical solutions to reduce the costs of creating and administering a captive insurance company.

At the same time, the legal underpinnings of captive insurance companies have matured. Once a business relegated to exotic, typically offshore jurisdictions, captive insurance companies now may be formed in any one of the many states that have adopted comprehensive captive insurance company legislation, such as Delaware, Vermont, Nevada and Tennessee.

Furthermore, changes implemented by the PATH Act provide much-needed clarity on the types of captive structures that will be permitted under the Internal Revenue Code and therefore eligible for the tax advantages conferred by Section 831(b). While the types of tax avoidance structures that were targeted by the PATH Act probably would never have been permissible in banking due to affiliate transaction restrictions, the legislation provided clarity as to the types of diversification and/or ownership criteria that must be met to pass muster under IRS rules.

Finally, bank holding companies are allowed to underwrite any type of insurance for affiliated or unaffiliated entities. In addition, some state banking regulators have signaled their willingness to permit the formation of captive insurance companies in light of the activities that have been authorized for national banks by the Office of the Comptroller of the Currency.

Turnkey captive insurance providers have designed solutions that capitalize on this guidance to create compliant captives that can be taken “off the shelf” and plugged into your bank holding company structure. Altogether, this means that forming a captive is now cheaper and less risky from a legal and regulatory perspective than it has been in the past.

So, is your bank holding company a good candidate for a captive? Historically, forming a captive required owners to engage and work extensively with a team of attorneys, actuaries, accountants and other professionals. This resulted in customized solutions that were tailor-made for the company’s overall objectives. As it has become easier to form a captive using turnkey solutions, the customization and optimization of the captive for the sponsor’s overall business can be lost.

That’s why we recommend working with a team of advisers who are familiar with captives and can assist your turnkey provider in integrating a captive as part of your overall business and risk-management goals.