Understanding the Board’s Role in Cybersecurity


Unfortunately, despite the recent prevalence of cyberattacks and data breaches, many businesses neglect cybersecurity or, if they do pay attention, view cybersecurity as a technical issue for senior management. However commonplace lax oversight of cybersecurity may be in other sectors of the economy, bank directors cannot afford to neglect or delegate responsibility for cybersecurity—bank boards must be actively involved.

Regardless of size, no bank is completely safe from a cyberattack. Every bank should assume that a cyberattack will occur and, when it does, at least one defense will fail. Hackers constantly test cybersecurity defenses, transform their attack methodology, and exploit weaknesses, which, all too often, are the access points used by third-party vendors providing critical services.

Banks are expected to take steps to prevent intrusions, prepare for the possibility of cyberattack, and have processes in place to resume business continuity. Bank examiners look to see if a bank has an integrated system of technology, processes and practices employed to protect networks, computers and data from attack. Bank examiners also look to see whether the board, as the driver of governance controls, is actively involved with senior management in development of a robust approach to cyber risk. Poor cybersecurity measures and lax board oversight can result in a bad IT exam, which, in turn, can negatively affect a bank’s management component rating (even though cybersecurity falls under the IT component). Worse still, a poor cybersecurity review may also negatively affect a bank’s safety and soundness rating.

As with many complex issues facing banks, the board must take steps to ensure that it is well advised regarding technological issues and has a thorough understanding of the bank’s inherent risk environment. A good first step is to make the Federal Financial Institutions Examination Council’s (FFIEC) Cybersecurity Assessment Tool a part of the bank’s governance framework. The assessment tool is a two-part, repeatable review process that helps banks identify their risks and evaluate their cybersecurity maturity. The first part gauges the bank’s inherent risk profile, identifying the risks and threats (both internal and external) that correspond to the activities, services and products the bank offers. The second part – the cybersecurity maturity review – tests the maturity of the bank’s cybersecurity program, including board involvement in and oversight of that program.

The board is ultimately responsible for cybersecurity, but it is not necessary that each director have a detailed technical understanding of the underpinnings of cybersecurity safeguards. Many boards appoint a board-level IT committee to take the lead on cybersecurity. Regulators expect the IT committee to own primary responsibility for the bank’s IT strategic plan, including making the board comfortable that the IT strategic plan aligns with the bank’s business strategy. As part of that process, the IT committee can incorporate the FFIEC assessment tool into its review and approval of bank IT policies, management of information security systems, training of other board members and bank management, and approval of IT budgets. Most importantly, because the IT committee is responsible for running periodic independent testing to monitor compliance, the assessment tool can be used to aid the IT committee in holding management accountable for identifying, measuring, monitoring and mitigating IT risks. Boards lacking an IT committee must work closely with senior management to tackle all of the tasks normally delegated to the IT committee and may want to consider hiring an outside consultant to advise the board on cybersecurity technologies and best practices.

The regulators have indicated that cybersecurity is going to be a key topic for exams during 2016. Federal regulators have also directed examination staff to incorporate the assessment tool into their review of bank cybersecurity and risk management. While there have been no reported civil money penalties to date related to a bank’s failure to adequately ensure cybersecurity, it is only a matter of time before examiners resort to supervisory and enforcement powers to ensure that banks adequately address cybersecurity risk. Moreover, as the scope of liability for cybersecurity risk grows, banks can be sure that insurance companies, plaintiffs’ attorneys and activist shareholders will scrutinize bank boards’ oversight of cybersecurity.

Proactive integration of the assessment tool into a bank’s governance and risk oversight framework will put the board in a better position to demonstrate satisfactory compliance on these points during an exam, help avoid any downgrade to the institution’s exam rating, and mitigate exposure to the bank and its customers from inevitable cyberattacks.

Captive Insurance Subsidiaries Proliferate Among Bank Holding Companies


Banking is the business of managing risk. Be it credit risk, interest rate risk or technological risk, bankers are trying to control a highly leveraged earnings engine while avoiding risks that can result in sudden reversals of fortune.

Yet many of the biggest risks faced by bankers today are both uninsurable and unreserved for on the bank’s books, such as certain cyber risks and reputational risks. Even where third-party insurance policies may be available, they may provide coverage that bankers feel is cost-prohibitive. That’s where a captive insurance company may present a cost-effective, tax-efficient solution. A captive insurance company is the insurance company that you own. It allows you to insure the risks that your bank, holding company and the holding company’s other operating subsidiaries may face, writing real insurance policies against which you can make claims for losses.

While a variety of structures may be used to create captive insurance companies, so-called “small” captives provide a number of unique tax advantages for owners of small to mid-sized bank holding companies. They often are referred to as 831(b) captives, named after the Internal Revenue Code section that provides tax incentives for the creation and use of such entities.

Potential benefits of 831(b) captives are well-documented and will be enhanced in coming years by recent amendments made under the Protecting Americans from Tax Hikes Act of 2015 (the PATH Act). These include:

  • Insurance for risks that you already have on your books and for which policies in the marketplace are either prohibitively expensive or nonexistent;
  • Up to $1.2 million ($2.2 million beginning in 2017) in deductible premium expenses for your bank or bank holding company; and
  • Up to $1.2 million ($2.2 million beginning in 2017) in tax-free premium income to the captive insurance company.

While the changes under the PATH Act are new, the legislation facilitating small captives has been in place since 1986, which begs the question, why aren’t more bankers using them? The short answer is that, until recently, implementation of captives was very expensive and the legal underpinnings for them were somewhat shaky.  

However, the number of captives across the country has increased rapidly in recent years, according to examiners we’ve spoken with from the Federal Reserve. This increase has resulted in part from a proliferation of “turnkey” providers who have developed proven models and technical solutions to reduce the costs of creating and administering a captive insurance company.

At the same time, the legal underpinnings of captive insurance companies have matured. Once a business relegated to exotic, typically offshore jurisdictions, captive insurance companies now may be formed in any one of the many states that have adopted comprehensive captive insurance company legislation, such as Delaware, Vermont, Nevada and Tennessee.

Furthermore, changes implemented by the PATH Act provide much-needed clarity on the types of captive structures that will be permitted under the Internal Revenue Code and therefore eligible for the tax advantages conferred by Section 831(b). While the types of tax avoidance structures that were targeted by the PATH Act probably would never have been permissible in banking due to affiliate transaction restrictions, the legislation provided clarity as to the types of diversification and/or ownership criteria that must be met to pass muster under IRS rules.

Finally, bank holding companies are allowed to underwrite any type of insurance for affiliated or unaffiliated entities. In addition, some state banking regulators have signaled their willingness to permit the formation of captive insurance companies in light of the activities that have been authorized for national banks by the Office of the Comptroller of the Currency.

Turnkey captive insurance providers have designed solutions that capitalize on this guidance to create compliant captives that can be taken “off the shelf” and plugged into your bank holding company structure. Altogether, this means that forming a captive is now cheaper and less risky from a legal and regulatory perspective than it has been in the past.

So, is your bank holding company a good candidate for a captive? Historically, forming a captive required owners to engage and work extensively with a team of attorneys, actuaries, accountants and other professionals. This resulted in customized solutions that were tailor-made for the company’s overall objectives. As it has become easier to form a captive using turnkey solutions, the customization and optimization of the captive for the sponsor’s overall business can be lost.

That’s why we recommend working with a team of advisers who are familiar with captives and can assist your turnkey provider in integrating a captive as part of your overall business and risk-management goals.

How Banks Can Improve Crisis Planning


We discovered last month that cyber risk was the thing most directors worried about when we informally polled members of our bank services program. This month, we decided to poll experts on what banks could do to improve crisis planning. Not surprisingly, cyber risk planning came up often as an area that could use some improvement. Several of the people polled think banks could benefit from role playing exercises that would walk employees and the board through possible scenarios. The Federal Deposit Insurance Corp. has a few videos that help banks imagine some scenarios. Although planning documents are widely recommended, one consultant says they are pretty useless in a real emergency. Below are their responses.

How Could Banks Improve Crisis Planning?

Crisis planning is getting more attention these days because we are constantly reminded of events that could not only impact our business, but have significant impact on our reputations. One data breach and we stand to lose faith in our ability to safeguard our clients’ money. While planning is expected, bankers could really get value from practice in two areas: 1) tabletop exercises and 2) media training. Tabletop exercises are role playing crisis scenarios whereby bank management gets on a conference call and develops responses, assigns roles, identifies tasks and develops timelines. Banks would benefit from doing this on a quarterly basis. Media training allows bank executives to learn how to look and respond appropriately to a tense situation only after they learn how to answer questions and the ground rules for working with the media. Turn on a video camera and see how well your team does. Crisis planning is better if treated as an ongoing discipline.

—Scott Mills is president of the William Mills Agency, a public relations and marketing firm specializing in financial services

Testing, testing and more testing! Banks typically have multiple plans that can be triggered in the event of a significant cyber-related “crisis,” including, for example, a business continuity plan, incident response plan and crisis communication plan. Multiple groups within a bank likely have responsibility for these plans. And, the plans may not be aligned from a response standpoint with respect to significant cyber events. In the event of such a crisis, it is critical for a bank to be able to respond in a uniform and effective way at the enterprise level. Bringing a bank’s various teams together to test or tabletop a significant cyber event can shed light on how the bank’s various plans (and teams) will work together. This will also provide a valuable opportunity for refinement and alignment of the bank’s related response plans.

—Nathan Taylor is an attorney and cybersecurity expert at Morrison Foerster LLP

Business continuity and disaster recovery considerations are an important component of a bank’s business model. In addition to preparing for natural disasters and other physical threats, continuity also means preserving access to customer data and the integrity and security of that data in the face of cyberattacks. For this reason, the FDIC encourages banks to practice responses to cyber risk as part of their regular disaster planning and business-continuity exercises. They can use the FDIC’s cyber challenge program, which is available on the FDIC website. Cyber challenge was designed to encourage community bank directors to discuss operational risk issues and the potential impact of information technology disruptions.

—Rae-Ann Miller is associate director of the FDIC’s Division of Risk Management Supervision

Banks can improve planning by developing a crisis plan ahead of a data breach or cybersecurity issue. These action plans should include:

  1. Determining data to be protected along with the protection level required.
  2. Classifying incidents or scenarios into categories.
  3. Understanding threats the bank may face, starting with known threats, then creating on-going monitoring for emerging threats.
  4. Determining the stakeholders and defining the incident response team.
  5. Setting up a command center and appointing a command center leader.
  6. Developing an incident plan, including a containment and investigation strategy.
  7. Executing a communication plan to customers, media and agencies.
  8. Testing and training end users in the application of the incident response plan.
  9. Conducting a “lessons learned” session and updating [Incident Response Plan] procedures.

—Jeff Sacks is a principal in Risk Consulting for Crowe Horwath LLP, specializing in technology risk

Though banks understand the risk of cyberattacks, many are unprepared to act quickly and effectively to mitigate damage when faced with a serious cyber breach. To improve crisis planning, banks should consider conducting simulated cybersecurity exercises involving key personnel. Moving quickly following a cyber breach is critical to limiting unauthorized access to sensitive data and the resulting harm. Such exercises demonstrate why an effective cybersecurity program is more than a “tech issue,” and requires coordinated institutional mobilization across business segments, with oversight from senior management. Most banks will eventually find themselves in a hacker’s crosshairs no matter how advanced their defenses, and a coordinated, rapid response will not only limit short-term data loss and legal exposure, but will also help preserve a bank’s reputation and customer relationships.

—Neil MacBride is a partner at Davis Polk & Wardwell

Planning activities generate lots of documents, which are fascinating to auditors but useless in an emergency. You don’t have to give planning reports to your response team. Your phone is a perfect emergency communications console. Social media, including Twitter, YouTube and even Facebook, are indispensable as communications tools. You can monitor events as they unfold or push messages out to staff and public. Cyber is the new disaster. Compare today’s threat assessment with one from 2010. Notice that blizzards and hurricanes have dropped out of the top ten, replaced by data breaches and identity theft.

—Steve Carroll is a director with Cornerstone Advisors, a consulting firm specializing in bank management, strategy and technology advisory services

What Bank Directors Are Worried About Now


Apparently, bank directors are a very worried bunch. Nearly 20 members of Bank Director’s membership program responded to the question posed in last month’s newsletter: “What worries you most about the future?” We’ve compiled a word cloud that shows which words came up most often in bank directors’ responses, followed by direct quotes.


The Board’s Role in Confronting Cyberrisk


Heartbleed, DDoS, zero day, malware, NIST, phishing, FS-ISAC. The cybersecurity challenges that banks face today are new, complex, constantly evolving and often confusing to a bank’s board of directors. Tackling these challenges feels daunting. The role of the directors in cybersecurity defense is not to get involved in technical controls and defenses, but one of oversight and certain calculated steps to comply with their fiduciary duties and to protect themselves, their customers and their employees from a cyberattack. Gary R. Bronstein, a partner, and Kevin M. Toomey, an associate, with Kilpatrick Townsend & Stockton LLP in Washington, D.C., explore the various steps that bank boards should take to protect themselves against a cyberattack.

What are the three things banks and their directors must know when it comes to cybersecurity?
From both a strategic and regulatory perspective, it is imperative that boards become educated on the topic of cybersecurity. How can you possibly ask the right questions and provide the necessary oversight if you don’t have a firm grasp of the underlying issues?

The board should establish a specialized cybersecurity risk committee. With the significant increase in data breach-related shareholder derivative suits, potential D&O liability, the growing threat of cyberattacks and an increase in scrutiny from the regulators, it is imperative that banks establish a board committee specifically designed to address and oversee cyber-related issues and developments.

The board must set the institution’s tone for cybersecurity compliance. Not unlike other areas of risk management, the board is expected to demonstrate attention to and compliance with the particular risk, serving as the example to the rest of the institution.

We do not have a board member with relevant cybersecurity or IT experience. Do we need a director with this particular skill set?
Although IT expertise is not yet required by the regulators, retaining a director with such experience is a prudent, developing corporate governance best practice that will aid the board in understanding this new, complex area. Moreover, for public companies, this topic is likely to receive increased interest from shareholders and proxy advisory firms.

Some banks are establishing cyberrisk committees at the board level. What should these committees look like and how should they structure the charter?
A cyberrisk committee should be structured similarly to your institution’s other committees. Importantly, the charter should: clearly define cyberrisk and the scope of the committee’s responsibilities; articulate the level of oversight required by the board and the committee; and establish reporting lines for cybersecurity issues and developments.

What other steps may a bank take to limit its liability? Does a cyber-specific insurance product exist for banks?
It is imperative that financial institutions review their cybersecurity insurance policies carefully to ensure that the scope, limits, and sublimits of the coverage are appropriate. Consistent with other areas of risk mitigation, the amounts of such cybersecurity insurance coverage should be commensurate with the level of risk involved with the bank’s operations and the type of activities the bank provides. Banks should also understand that not all cyber-insurance products are the same—the scope of coverage can vary dramatically among products offered by insurance carriers. We advise banks to work with their brokers, coverage attorneys and IT professionals to analyze their risks and whether they have sufficient insurance to cover them.

My bank just experienced a data breach–now what?
If your bank experiences a data breach, the board, senior management and employees must work together quickly and collectively in carrying out their response. Simultaneously, the institution must initiate an investigation, consult with counsel, contact law enforcement, hire consultants and determine required notice obligations; evaluate remedial options; comply with insurance coverage policies; and distribute notices and press releases.

Thinking about these questions before a breach occurs reduces compliance costs and headaches for companies and their boards. Establishing sufficient controls at the board level will help mitigate reputational and monetary damages to your bank, board, employees and customers. Do not wait until the breach occurs. Having sound policies and plans in place should help minimize risk.

2015 Risk Practices Survey: Cyberanxiety for Bank Boards


In the wake of high-profile cyberattacks and data breaches last year at JPMorgan Chase & Co., Sony Pictures Entertainment Inc., Home Depot Inc., Kmart and eBay Inc., bank leaders say that cybersecurity is the risk category that concerns them most, according to Bank Director’s 2015 Risk Practices Survey, sponsored by FIS. Eighty-two percent of respondents, which include bank chief executives, chief risk officers and directors, cite this as a top concern for the second year in a row, and anxiety about the issue is even more heightened: When asked the same question in last year’s survey, 51 percent of respondents cited cybersecurity.

Half say that preparing for a potential cyberattack is one of the biggest risk management challenges facing their bank. But while high profile attacks may be raising the blood pressure of bank CEOs, other senior executives and individual directors, this hasn’t yet translated into more focus by bank boards. Less than 20 percent say cybersecurity is reviewed at every board meeting, and 51 percent of risk committees do not review the bank’s cybersecurity plan. Most banks allocated less than 1 percent of revenues to cybersecurity in 2014.

In addition to cybersecurity, the 2015 Risk Practices Survey explores how bank leaders govern risk and address the related challenges they face. A total of 149 directors and senior executives of U.S. banks with more than $500 million in assets participated in the survey, which was conducted online in January.

Key Findings:

  • Risk expertise matters: respondents from institutions with a chief risk officer (90 percent of respondents) and at least one risk expert on the board (two-thirds) report a higher return on equity and return on assets.
  • Eighty-two percent believe there is room for improvement in the bank’s enterprise risk management (ERM) program.
  • Fifty-eight percent report their bank has a risk appetite statement, and an additional 27 percent plan to implement one within the next 12 months. Of those who have one, 84 percent say the board reviews the risk appetite statement just once a year.
  • Creating a culture that supports bank-wide risk communication and assessment is a key challenge, according to 43 percent, up 18 percentage points from last year’s survey. Sixty-two percent provide regular board training on risk issues, and a little more than half train all employees on risk. Just 21 percent communicate the risk appetite statement to all employees.
  • Seventy-three percent believe their board needs more training and education on emerging risks, such as cybersecurity or Unfair, Deceptive or Abusive Acts or Practices (UDAAP) risks.
  • Almost two-thirds report that their bank employs a full-time chief information security officer. For those banks that don’t, the role often falls on the chief information officer.
  • A significant percentage of banks rely on their vendors to keep themselves—and their customers—safe: 44 percent of respondents reveal a heavy dependence, and half a moderate dependence, on vendors for cybersecurity.
  • Seventy-nine percent say their bank increased its cybersecurity budget for fiscal year 2015, most by less than 10 percent. The majority of banks, at 60 percent, dedicated less than 1 percent of revenues to cybersecurity in FY 2014.


When a Bank Should Disclose a Cyber Attack


As cyber attacks against financial institutions have become more and more frequent, and the possibility of significant adverse consequences from a single attack has increased, financial institutions have been stepping up cyber security processes for some time. However, many institutions still grapple with the appropriate level of disclosure to shareholders regarding cyber security.

Cyber attacks can come from all directions and in all shapes and sizes—from the stolen employee laptop to a hacked computer system that allows fraudulent transfers from an account. Attacks where the criminals bypass both the computer systems of the bank and its customers and instead access the systems of the bank’s outside service providers can also leave the bank at risk. Which of these attacks or potential attacks merit disclosure?

In October of 2011, the Securities and Exchange Commission (SEC) issued CF Disclosure Guidance: Topic No. 2, which described disclosure obligations for cyber security risks and cyber incidents for public companies. While there is no explicit disclosure requirement regarding cyber security risks or incidents, the guidance from the SEC highlights areas that may require disclosure of cyber security risks or incidents, including:

  • Risk Factors – Like other operational and financial risks, the risk of a cyber incident should be disclosed if it is among the most significant factors that make an investment in the company speculative or risky. The disclosure should be specific to the company and sufficient to allow investors to appreciate the nature of the risk without compromising the company’s cyber security.
  • Management Discussion & Analysis – MD&A disclosure should include any known incident or risk or potential incident that represents “a material event, trend or uncertainty that is reasonably likely to have a material effect on the [company’s] results of operations, liquidity, or financial condition” or cause reported information not to be indicative of future results.
  • Description of Business – Disclosure should be provided where a cyber incident may affect products, services, relationships with customers or suppliers or the company’s competitive position.
  • Legal Proceedings – Any material pending legal proceeding related to cyber incidents should be disclosed.
  • Financial Statements – Financial statement disclosure may include material costs of an incident or incurred to prevent cyber incidents or mitigate damages, including incentives to maintain business relationships related to an incident.
  • Disclosure Control and Procedures – Cyber risks should be disclosed to the extent there is a risk to the company’s ability to record, process, summarize and report information required in SEC filings.

For banks and financial institutions that are not subject to the reporting requirements of the Securities Act of 1934, there are no applicable federal banking regulations that require disclosure to shareholders regarding cyber attacks or incidents. However, shareholder requests for information regarding cyber security from both private and public companies could become more common as banks, large and small, use more smart phones, tablets and other technology to deliver products and services and as cyber attacks become more frequent with increasing sophistication in techniques. In responding to such shareholder requests, companies should review and ensure that the shareholder request complies with applicable state corporate laws regarding shareholder inspection of corporate records. These statutes often require, generally, that a request for such information be made in good faith for a proper purpose that is reasonably relevant to a legitimate interest of the shareholder.

In the end, the key to good disclosure is first understanding the company’s “cyber business” and where the company’s risks lie. This includes understanding the company’s cyber risks from third party vendors and any contractual obligations to reimburse vendors for losses related to an attack on the vendor’s or other third party systems. Often, even when the company has cyber insurance, the policy will only cover incidents where the attack is on the bank’s systems, which may leave the bank holding the bag if an attack occurs indirectly through a vendor’s or customer’s systems. We recommend a review of such policies by counsel or an insurance professional to ensure a good understanding of the risks covered by the policies.

Be Prepared: The Board’s Role in Monitoring Fraud


For Banker, By Banker Video Series
Knowing the bank’s risks, including the potential for internal and cyber fraud, is an important responsibility for board members. As part of our For Banker, By Banker video series, Mary Beth Vitale outlines steps the board can take to identify and prepare for potential fraud. She is the nominating and governance committee chairman for Denver-based CoBiz Financial Inc., the $2.6-billion asset financial services company offering commercial banking and other services.