Addressing the Top Three Risk Trends for Banks in 2019



As banks continue to become more reliant on technology, the risks and concerns around cybersecurity and compliance continue to grow. Bank Director’s 2019 Risk Survey, sponsored by Moss Adams LLP, compiled the views of 180 bank leaders, representing banks ranging from $250 million to $50 billion in assets, about the current risk landscape. Respondents identified cybersecurity as the greatest concern, continuing the trend from the previous five versions of this report and indicating an industry-wide struggle to fully manage this risk.

Other top trends included the use of technology to enhance compliance and the potential effect of rising interest rates. Here’s what banks need to know as they assess the risks they’ll face in the coming year.

Cybersecurity
Regulatory oversight and scrutiny around cybersecurity for banks seems to be increasing. Agencies including the Securities and Exchange Commission are focused on the cybersecurity reporting practices of publicly traded institutions, as well as their ability to detect intruders. The Colorado legislature recently passed a law requiring credit unions to report data breaches within 30 days. It’s no surprise that 83 percent of respondents said their concerns about cybersecurity had increased over the past year.

Most of the cybersecurity risk for banks comes from application security. The more banks rely on technology, the greater the chance they face of a security breach. Adding to this, hackers continue to refine their techniques and skills, so banks need to continually update and improve their cybersecurity skills. This expectation falls to the bank board, but the way boards oversee cybersecurity continues to vary: Twenty-seven percent opt for a risk committee; 25 percent, a technology committee and 19 percent, the audit committee. Only 8 percent of respondents reported their board has a board-level cybersecurity committee; 20 percent address cybersecurity as a full board rather than delegating it to a committee.

Compliance & Regtech
Utilizing technological tools to meet compliance standards—known as regtech—was another prevalent theme in this year’s survey. This is a big stress area for banks due to continually changing requirements. The previous report indicated that survey respondents saw increased expenses around regtech. This year, when asked which barriers they encountered around regtech, 47 percent responded they were unable to identify the right solutions for their organizations. Executives looking to decrease costs may want to consider whether deploying technology could allow for fewer personnel. When this technology is properly used, manual work decreases through increased automation.

Other compliance concerns for this year’s report included rules around the Bank Secrecy Act and anti-money laundering. Seventy-one percent of respondents indicated they implemented or plan to implement more innovative technology in 2019 to better comply with BSA/AML rules.

Compliance with the current expected credit loss standard was another area of concern. Forty-two percent of respondents indicated their bank was prepared to comply with the CECL standard, and 56 percent replied they would be prepared by the time the standard took effect for their bank.

Interest Rate & Credit Risk
The potential for additional interest rate increases made this a new key issue for the 2019 report. When asked how an interest rate increase of more than 100 basis points, or 1 percent, would affect their banks’ ability to attract and retain deposits, 47 percent of respondents indicated they would lose some deposits, but their bank wouldn’t be significantly affected. Thirty percent indicated an increase would have no impact on their ability to compete for deposits.

However, 55 percent believed a severe economic downturn would have a moderate impact on their banks’ capital. In the event of such a downturn, deposits and lending would slow, and banks could incur more charge-offs, which would impact capital. This fluctuation can be easy to dismiss, but careful planning may help reduce this risk.

Assurance, tax, and consulting offered through Moss Adams LLP. Investment advisory services offered through Moss Adams Wealth Advisors LLC. Investment banking offered through Moss Adams Capital LLC.

Exclusive: How This Growing Community Bank Focuses on Risk


Managing risk and satisfying examiners can be difficult for any bank. It’s particularly hard for community banks that want to manage their limited resources wisely.

One bank that balances these challenges well is Bryn Mawr Bank Corp., a $4.6 billion asset bank based in Bryn Mawr, Pennsylvania, on the outskirts of Philadelphia.

Bank Director Vice President of Research Emily McCormick recently interviewed Chief Risk Officer Patrick Killeen about the bank’s approach to risk for a feature story in our second quarter 2019 issue. That story, titled “Banks Regain Sovereignty Over Risk Practices,” dives into the results of Bank Director’s 2019 Risk Survey. (You can read that story here.)

In the transcript of the interview—available exclusively to members of our Bank Services program—Killeen goes into detail about how his bank approaches stress testing, cybersecurity and credit risk, and explains how the executive team and board have strengthened the organization for future growth.

He discusses:

  • The top risks facing his community bank
  • Hiring the right talent to balance risk and growth
  • Balancing board and management responsibilities in lending
  • Conducting stress tests as a community bank
  • Managing cyber risk
  • Responding to Bank Secrecy Act and anti-money laundering guidance

The interview has been edited for brevity, clarity and flow.

Download transcript for the full exclusive interview

Why Your Board’s Risk Committee Structure Matters


Community bank boards have a lot of regulatory leeway when it comes to how they oversee the critical risks facing their organizations, including cybersecurity. Because of this latitude, many boards are working to find the best way to properly address these risks, congruent with the size and complexity of their institution.

“We’re evolving, and I think banks our size are evolving, because we are in that grey area around formal risk management,” says Robert Bradley, the chief risk officer at $1.4 billion asset Bank of Tennessee, based in Kingsport, Tennessee. “There’s no one way to approach risk management and governance.”

As a result, some banks govern risk within a separate risk committee, while others opt for the audit committee or address their institution’s risks as a full board.

And governance of cybersecurity is even more unresolved. Most oversee cybersecurity within the risk committee (27 percent) or technology committee (25 percent), according to Bank Director’s 2019 Risk Survey. A few—just 8 percent—have established a board-level cybersecurity committee.

“Those that have formed a cyber committee, whether they’re small or big, I think it’s an indication of how significant they believe it is to the institution,” says Craig Sanders, a partner at survey sponsor Moss Adams.

Does a bank’s governance structure make a difference in how boards approach oversight? It might. Our analysis finds a correlation between committee structure and executive responsibilities, communications with key executives and board discussions on risk.

The majority of respondents say their bank employs a chief information security officer, though many say that executive also focuses on other areas of the bank. Whether a bank employs a dedicated CISO tends to be a function of the size and complexity of the bank’s cyber program, says Sanders.

Banks that govern cybersecurity within a risk committee or a cybersecurity committee are more likely to employ a CISO.


The reporting structure for the CISO varies, with a majority of CISOs reporting to the CEO (32 percent) and/or the chief risk officer (31 percent). However, the reporting structure differs by committee.

Banks with a cybersecurity committee seem to prefer that their CISO reports to the CEO (36 percent). However, 27 percent say the CISO reports to the CRO, and a combined 27 percent say the CISO reports to the chief information officer or chief technology officer. Similarly, if cybersecurity is overseen in the technology committee, the CISO often reports to the CEO (33 percent) and/or the CIO or CTO (a combined 29 percent).

However, the CISO is more likely to report to the CRO (49 percent) if cybersecurity is governed within the risk committee.

Interestingly, the audit committee is most likely to insert itself into the CISO’s reporting structure when it governs cybersecurity. Of these, 32 percent say the CISO reports to the audit committee, 37 percent to the CEO and 32 percent to the CRO.

Sanders believes more CISOs should report to the relevant committee or the full board. “I view that position almost like internal audit. They shouldn’t be reporting up through management,” he says.

Establishing a dedicated committee is a visible sign that a board is taking a matter seriously. Committees can also provide an opportunity for directors to focus and educate themselves on an issue. So, it’s perhaps no surprise that the few bank boards that have established cybersecurity committees are dedicating more board time to the subject, as evidenced in this chart.


Risk and audit committees are tasked with a laundry list of issues facing their institutions, and it’s hard to fit cybersecurity into their crowded agendas. That does make one question whether cybersecurity is addressed frequently enough by these boards.

Governance structure also seems to impact how frequently cybersecurity is discussed by the full board. With a cybersecurity committee, 46 percent say cybersecurity is part of the agenda at every board meeting, and 27 percent discuss the issue quarterly. Boards that address cybersecurity in the risk or audit committee are more likely to schedule a quarterly discussion as a board.


When boards take responsibility for cybersecurity at the board level—rather than assigning it to a committee—almost half say cybersecurity is on the agenda twice a year or annually. With this structure, 31 percent discuss it at every board meeting.

How frequently should boards be talking about cybersecurity?

“More is better, right?” says Sanders. “The requirement, from a regulatory standpoint, is that you only report to the board annually. So, anybody that’s doing it more than annually is exceeding the regulator’s expectation,” which is a good approach, he adds.

Few banks have cybersecurity committees, and it’s worth noting that boards with a cybersecurity committee are more likely to have a cybersecurity expert as a member. That expertise likely makes them feel better equipped to establish a committee.

Community bank boards have long grappled with how to govern risk in general. For several years following the enactment of the Dodd-Frank Act in 2010, risk committees were only required at banks above $10 billion in assets. Now, following passage of the Economic Growth, Regulatory Relief and Consumer Protection Act in 2018, that threshold is even higher, at $50 billion in assets.

But if it ain’t broke, don’t fix it: The 2019 Risk Survey confirms that boards aren’t suddenly dissolving their risk committees. Forty-one percent of banks—primarily, but not exclusively, above $1 billion in assets—have a separate board-level risk committee.

The survey indicates there’s good reason for this.

Ninety-six percent of respondents whose bank governs risk within a board-level risk committee say the CRO or equivalent meets quarterly or more with the full board. Audit committees are almost on par, at 89 percent. Interestingly, that drops to 79 percent at banks that oversee risk as a full board.

Bank of Tennessee’s audit and risk committee meets quarterly, and Bradley says that getting a handle on the bank’s overall risk governance is a priority for 2019. That includes getting more comprehensive information to the board.

“The board has all the right governance and oversight committees for ALCO, for credit, for all of those kinds of things, but we haven’t had a one-stop-shop rollup for [the overall risk] position of the bank, and that’s one of the things I’m focused on for 2019,” Bradley says. “Going forward, what I would like to do is [meet] with the risk committee at least quarterly, and with the full board, probably twice a year.”

Bank Director’s 2019 Risk Survey, sponsored by Moss Adams, reveals the views of 180 bank leaders, representing banks ranging from $250 million to $50 billion in assets, about today’s risk landscape, including risk governance, the impact of regulatory relief on risk practices, the potential effect of rising interest rates and the use of technology to enhance compliance. The survey was conducted in January 2019.

For additional information on the responsibilities of a bank’s risk committee, please see Bank Director’s Board Structure Guideline titled “Risk Committee Structure.”

2019 Risk Survey: Cybersecurity Oversight


Bank leaders are more worried than ever about cybersecurity: Eighty-three percent of the chief risk officers, chief executives, independent directors and other senior executives of U.S. banks responding to Bank Director’s 2019 Risk Survey say their concerns about cybersecurity have increased over the past year. Executives and directors have listed cybersecurity as their top risk concern in five prior versions of this survey, so finding that they’re more—rather than less—worried could be indicative of the industry’s struggles to wrap their hands around the issue.

The survey, sponsored by Moss Adams, was conducted in January 2019. It reveals the views of 180 bank leaders, representing banks ranging from $250 million to $50 billion in assets, about today’s risk landscape, including risk governance, the impact of regulatory relief on risk practices, the potential effect of rising interest rates and the use of technology to enhance compliance.

The survey also examines how banks oversee cybersecurity risk.

More banks are hiring chief information security officers: The percentage indicating their bank employs a CISO ticked up by seven points from last year’s survey and by 17 points from 2017. This year, Bank Director delved deeper to uncover whether the CISO holds additional responsibilities at the bank (49 percent) or focuses exclusively on cybersecurity (30 percent)—a practice more common at banks above $10 billion in assets.

How bank boards adapt their governance structures to effectively oversee cybersecurity remains a mixed bag. Cybersecurity may be addressed within the risk committee (27 percent), the technology committee (25 percent) or the audit committee (19 percent). Eight percent of respondents report their board has a board-level cybersecurity committee. Twenty percent address cybersecurity as a full board rather than delegating it to a committee.

A little more than one-third indicate one director is a cybersecurity expert, suggesting a skill gap some boards may seek to address.

Additional Findings

  • Three-quarters of respondents reveal enhanced concerns around interest rate risk.
  • Fifty-eight percent expect to lose deposits if the Federal Reserve raises interest rates by more than one hundred basis points (1 percentage point) over the next 18 months. Thirty-one percent lost deposit share in 2018 as a result of rate competition.
  • The regulatory relief package, passed in 2018, freed banks between $10 billion and $50 billion in assets from stress test requirements. Yet, 60 percent of respondents in this asset class reveal they are keeping the Dodd-Frank Act (DFAST) stress test practices in place.
  • For smaller banks, more than three-quarters of those surveyed say they conduct an annual stress test.
  • When asked how their bank’s capital position would be affected in a severe economic downturn, more than half foresee a moderate impact on capital, with the bank’s capital ratio dropping to a range of 7 to 9.9 percent. Thirty-four percent believe their capital position would remain strong.
  • Following a statement issued by federal regulators late last year, 71 percent indicate they have implemented or plan to implement more innovative technology in 2019 to better comply with Bank Secrecy Act/anti-money laundering (BSA/AML) rules. Another 10 percent will work toward implementation in 2020.
  • Despite buzz around artificial intelligence, 63 percent indicate their bank hasn’t explored using AI technology to better comply with the myriad rules and regulations banks face.

To view the full results of the survey, click here.

Will More Banks Form this Uncommon Board Committee?


It wasn’t a cybersecurity event or a nudge from regulators that prompted Huntington Bancshares’ board to create a Significant Events Committee in early 2018.

Instead, says Dave Porteous, lead director at the $108 billion bank based in Columbus, Ohio, it was old-fashioned governance principles that drove Huntington’s board to establish the ad hoc committee responsible for responding to the biggest risk faced by banks today: cybersecurity threats.

“Particularly over the last 10 years, the world is changing so quickly it has really become incumbent upon all boards, in my view, to continually be evaluating their governance structure and whether or not they need to make adjustments … to how the world is changing,” Porteous says.

Ask any bank executive or director right now to name the things that cause them to lose sleep at night and cybersecurity will almost invariably be at the top of the list.

Millions of personal records have already been compromised globally, and it can cost even a small bank millions of dollars to rectify a single cyber event. Yet, while it is a common topic in boardrooms, it hasn’t yielded widespread governance restructuring at banks across the United States.

Bank Director’s 2018 Technology Survey found that 93 percent of the 161 chief bank executives, senior technology officers and directors said cybersecurity is an issue of focus by their board.

But a 2018 analysis by Harvard Law School found that just 7 percent of all S&P 500 companies have separate technology committees, though 29 percent of large public bank holding companies above $10 billion in assets have set up just such a thing. This is significant because, as the study noted, cybersecurity is often the responsibility of the technology committee.

Significant events have over time produced mandated changes in corporate structure, like the requirement in Dodd-Frank requiring banks above $10 billion in assets to have a separate risk committee, or the requirement in Sarbanes-Oxley that an audit committee oversee a bank’s independent auditor.

But Porteous argues that banks should not wait for changes in the law to force them into structural changes. The changes should emerge instead from ongoing conversations at institutions about new trends and threats.

“To me the critical thing is constantly be assessing and challenging yourself as a board on the way in which you govern and not to be afraid to make adjustments,” Porteous says. “In other words, create committees to address the current or upcoming issues that enhance the focus (of the board).”

For Huntington, the establishment of the Significant Events Committee was years in the making, but finally came after the board realized it was having similar discussions about the same topic at the board level and in separate committees.

“It was a natural thing for us to take these discussions we were having, both at the board meeting and various committee-level meetings, and then decide that we were spending a significant amount of time in those discussions that it was going to be critically important,” Porteous says.

When formed, the committee included Huntington CEO Stephen Steinour, who chaired the committee; the lead director; the chairs of the technology, risk and audit committees and the “lead cyber director,” the 2018 company proxy said. The committee has since been folded into the broader Technology Committee because of overlapping skill sets, Porteous says, but the bank can reestablish it or other ad hoc committees as necessary.

One such committee was Huntington’s Integration Committee, created when the bank acquired FirstMerit Corp. in 2016. The committee met three times in 2017 after the acquisition and was later dissolved.

But it’s not just cybersecurity or M&A that should qualify as a significant event worthy of a board’s attention. Recurring natural disasters, for instance, including hurricanes in the Southeast and wildfires in the West, are examples that might merit a similar response.

Whatever the issue, Porteous suggests boards continually assess their governance structure through annual board-level assessments or just paying attention to what’s in the newspaper every day.

“It’s critical to make those adjustments or adapt to the changing world,” Porteous says.

One Tool To Get a Better Grasp on Cybersecurity Risk Oversight


As new types of risk – and new regulatory requirements – are introduced, bank directors play an instrumental role in making sure the executive team is properly addressing cybersecurity risks.

This can be an especially challenging responsibility as it is rare for board members to have the technical background or expertise to appropriately assess an entity’s cybersecurity risk management program without external resources. In many instances, directors find themselves in the uncomfortable position of relying primarily on management reports or the advice of third-party providers to meet their oversight responsibilities.

Annual scorecards from management and vulnerability assessments from third-party providers have value, but can make it difficult to compare and assess risk management programs with confidence.

To address this challenge, boards can consult new guides that offer ways to explore and dig into potential cyber risk management issues and other technical matters.

The Center for Audit Quality (CAQ) recently released a new publication, “Cybersecurity Risk Management Oversight: A Tool for Board Members.” The tool, like other emerging frameworks, is designed to help board members probe more deeply, challenge management assertions from a position of knowledge and understanding, and make more informed use of independent auditors.

Asking the right questions
In addition to offering board members a high-level overview of cybersecurity risk management issues and board responsibilities, the tool offers a series of probing questions board members can use as they engage in discussions about cybersecurity risks and disclosures with management and with independent financial auditors.

The questions are organized into four groups:

  1. Understanding how the financial statement auditor considers cybersecurity risk. These questions help board members understand the auditor’s approach to cybersecurity-related risks, and how such risks get addressed in the audit process.
  2. Understanding the role of management and responsibilities of the financial statement auditor related to cybersecurity disclosures. These questions help board members explore compliance with current SEC guidance, as well as other regulatory and disclosure requirements.
  3. Understanding management’s approach to cybersecurity risk management. These questions look beyond financial reporting and compliance, and begin to probe broader cybersecurity-related issues, including the governing framework, policies, processes, and controls the bank has in place to manage and mitigate cybersecurity risk.
  4. Understanding how CPA firms can assist boards of directors in their oversight of cybersecurity risk management. These questions help board members learn about additional offerings CPA firms can provide to assist them, and what factors to consider when engaging outside auditors to perform readiness assessments and examinations.

Starting the conversation
The CAQ says the cybersecurity oversight tool is not intended to be a comprehensive, all-inclusive list of questions for board members to ask. It also cautions board members against using the questions as a checklist.

Rather, board members should look at the questions as conversation starters: examples of the types of issues they should raise with management and financial statement auditors. The purpose of the questions is to spark a dialogue that clarifies responsibilities and helps board members develop a better understanding of how the company is managing its cybersecurity risks.

Expanding CPAs’ capabilities
As noted, one group of questions is designed to help board members learn more about other cybersecurity assurance services offered by CPA firms. One example of such services is the new System and Organization Controls (SOC) for Cybersecurity examination developed by the AICPA.

The information within the report provides management, directors or clients a description of the organization’s cybersecurity risk management program and an independent opinion on the effectiveness of the controls in place.

As concerns over cybersecurity risks in banking continue to intensify, directors will find it increasingly necessary to be capable of effectively challenging executive management and financial auditors. This tool is one guide, alongside other evolving frameworks and services, that can help boards fulfill their responsibilities while also adding significant value to the bank and its shareholders.

Cybersecurity: What You Need To Know


Ask most top bankers what keeps them up at night, and many of them will say that cyber threats and risks to their company’s cybersecurity are chief among their worries.

Even the biggest banks wrestle with this important issue, and breaches can have serious financial, reputational and regulatory ramifications.


Basic Cybersecurity Protections
For most companies, the question of a cyber-attack is when or how many, not if. There are basic protections to have in place to prepare for and defend against the risk of an event, but with the ongoing and persistent risk of threats, it’s best to have a strategy in place for any potential event.

Use Data To Protect Data
To mitigate the risks of cyber events and threats, using a data-based model can be effective. Data can quantify the risk to the institution and make regulatory reporting more efficient. It can also make the threat identification process more efficient by highlighting areas of risk more easily.

What is “Threat Intelligence?”
One of the toughest challenges in cybersecurity is maintaining an edge against potential attackers who are continually making their attempts more sophisticated and difficult to defeat. One way many companies maintain that edge is to collect and use “threat intelligence,” which is information that can help prepare and preempt potential incoming cyberattacks. But, you have to use the intelligence effectively.

The Cybersecurity Talent Threat
Research, including that conducted by Crowe and Bank Director, has indicated that bank executives and boards have concerns about the capability and readiness of the bank and its employees to identify, prevent and respond to cyberattacks. Regardless of asset size, there are ways to find and prepare your employees for real and perceived threats.

Financial implications
Just one breach can cost a company millions of dollars and untold more in other areas, potentially wiping out any projected revenue gains for the quarter, or longer. Analyses conducted by major firms have estimated a wide range of potential per-record costs for data breaches, making it difficult to truly project what any single event could carry in terms of financial impact. But some breaches have been estimated to cost tens of millions of dollars, making the threat highly worrisome.

Cybersecurity should be, if it is not already, among the top talking points and areas of focus for your board. Without that preparation and ongoing discussion, your institution can find itself exposed to risks that can harm your customers and your institution. But remember there is plenty of opportunity to prepare, secure yourselves and respond in the event of a cyber event.

What’s At Stake In A Tech-Driven World


Technology is driving a wave of disruption across the entire financial services landscape. Financial services companies are increasingly finding themselves both competing with and working alongside more agile, highly entrepreneurial technology-based entities in a new and evolving ecosystem.

There are a number of global trends creating opportunities for financial services companies:

  • China’s population is growing at about 7 percent annually, roughly the equivalent of creating a country the size of Mexico every year.
  • At the same time, China and other emerging, fast-growing economies are raising many of their people above the poverty line, creating a new class of financial services consumer.
  • In more developed countries, people are retiring later and living longer.

These trends are driving a growing need for financial services. However, the story does not end with demographics and economics. Changes in technology are reshaping the ways these services are being delivered and consumed.

Consumers expect simplicity and mobility. Smartphones put a wide range of financial services at our fingertips. With the rapid growth in artificial intelligence and machine learning applications, savvy financial services companies are adapting to the new ecosystem of digital service delivery and customer relationship providers. Gone are the days when customers had to visit the local bank branch to get most of the services and products they needed. The shakeup in providers will make for a vastly different landscape for competing financial services organizations in the near future.

While the adoption of blockchain technology is still in its infancy, it will potentially reshape the financial services landscape. Much of the transaction processing, matching, reconciliation and the movement of information between different parties will be a thing of the past. Once regulation has caught up, blockchain, or distributed ledger technology, will become ubiquitous.

Financial services companies need to understand where they fit in this digitally fueled, rapidly evolving environment. They need to decide how to take advantage of digital transformation. Many are starting to use robotic process automation to reduce their costs. But the reality is the spread of automation will soon level the playing field in terms of cost, and these companies will once again need to look for competitive advantage, either in the products and services they offer or the way they can leverage their relationships with customers and partners.

When companies leverage technology and data to achieve their business goals in this new environment, they also introduce new risks. Cybersecurity and data governance are two areas where financial services companies continue to struggle. The safety of an ecosystem will be dependent on its weakest link. For instance, if unauthorized breaches occur in one entrepreneurial technology company with less mature controls, those breaches can put all connected institutions and their customer information at risk. Further, automation can result in decisions based solely on data and algorithms. Without solid data governance, and basic change controls, mistakes can rapidly propagate and spiral before they can be detected, with dramatic consequences for customer trust, regulatory penalty and shareholder value.

Strategically, financial services companies will need to decide if they want to be curators of services from various providers—and focus on developing strong customer relationships—or if they want to provide the best product curated and offered by others. Investing in one of these strategies will be a key to success.

Three Important Things Jerome Powell Said To Congress

Jerome Powell’s semi-annual appearance before Congress was perhaps a bit more newsworthy than it has been for past chairmen of the Federal Reserve, and his core message signals a few key moves that will certainly impact how banks manage themselves over the next several months.

Powell’s appearance was overshadowed with questions about trade policy and what was happening further down Pennsylvania Avenue, but the core message from Powell, who has been on the job for less than a year, was that the central bank is continuing on a path toward normalization of interest rates, a place the U.S. economy hasn’t seen in a decade or longer.

Despite the tangents that media-savvy politicians tried to take Powell down, his core message as it applies to bankers is important and provides signals as to how the Fed will manage the economy over the next several months.

Here are some takeaways:

Bank profitability likely to remain high. Powell’s comments about the overall tax climate and overall business environment point to good things on the horizon for banks, which have reported strong earnings since the end of last year when tax reforms were passed.

Said Powell: “Our financial system is much stronger than before the crisis and is in a good position to meet the credit needs of households and businesses … Federal tax and spending policies likely will continue to support the expansion.”

Second-quarter results have illustrated that, with some banks reporting quarterly earnings per share around 40 percent above last year.

Fed getting back to “normal.” For several years since the crisis, the Fed bought large quantities of U.S. Treasury bonds—known as quantitative easing—to pump cash into the market and boost the economy. With plenty of indicators that the economy is now humming, Powell said the Fed has begun allowing those securities to mature, bringing that practice to an end.

“Our policies reflect the strong performance of the economy and are intended to help make sure that this trend continues,” Powell said.

“The payment of interest on balances held by banks in their accounts at the Federal Reserve has played a key role in carrying out these policies … Payment of interest on these balances is our principal tool for keeping the federal funds rate in the FOMC’s target range. This tool has made it possible for us to gradually return interest rates to a more normal level without disrupting financial markets and the economy.”

Cybersecurity tops list of risks. In his appearance before the House Financial Services Committee, Powell said cybersecurity, and the unexpected threats therein, is what keeps him up at night, aside from what he called “elevated” asset prices that would fall under more traditional concerns, like commercial real estate.

Preparing for the worst-case cybersecurity scenario is top-of-mind, he said, even more than traditional risks. Preventing and preparing should be the focus, he said.

“(Do) as much as possible, and then double it,” he said, a signal of how seriously the Fed views the issue.

He then tamped that statement down, and said the Fed “does a great deal” with its supervision of banks, and advised them to continually maintain “basic cyber hygiene” by keeping up to date on emerging trends and threats.

“We do everything we can to prevent failure, but then we have to ask what would we do if there were a successful cyberattack,” he said. “We have to have a plan for that too.”

What CEOs and Directors Should Know About Cybersecurity

According to Javelin’s 2018 Identity Fraud Report, identity theft reached an all-time high in 2017, with more than 16 million consumers affected. On top of this, 24 percent of network breaches target financial institutions, according to Verizon’s 2017 Data Breach Investigations Report. This one-two punch is affecting banks of all sizes. The days of cybersecurity attacks affecting only the largest financial institutions are gone.

Criminal tactics are evolving and becoming more sophisticated. Increasingly, smartphones are targeted through spam text messages and a myriad of social media scams. These tactics could compromise the phone of a customer who accesses a mobile banking application, or of a bank employee who accesses internal bank systems such as email. The Internet of Things, or IoT, is the network of physical devices, vehicles, home appliances, and other items that can connect and exchange data. Criminals are compromising IoT devices to launch sophisticated cyberattacks against financial institutions and their customers.

As a bank executive or board member, there are steps you can take to fight back. It starts by recognizing your bank and your customers are targets and can become victims. As leaders, it is important to understand your responsibility to oversee the bank’s cybersecurity program and educate yourself on the current threats and trends. The following recommendations are the first steps to take as you oversee your bank’s cybersecurity program.

What the CEO should be doing

  1. The Financial Services Sector Coordinating Council has an Excel-based Automated Cyber Assessment Tool (ACAT) available for download at https://www.fsscc.org/. Ensure it is completed by management and updated at least annually.
  2. Management should develop a cybersecurity risk appetite and understand where the bank is exposed to the greatest risk.
  3. Oversee and monitor the bank’s cybersecurity program. Ensure a strategic and tested incident response program is in place.
  4. Challenge preparedness results by reviewing the ACAT and not accepting “baseline” control maturity levels as the desired control level.
  5. Budget appropriately for cybersecurity preparedness. Compare the funding for cybersecurity controls to that for physical security controls. If cybersecurity threats are greater than physical security threats, then funding of cybersecurity controls should be in parity with physical security investments.

What the board should be doing

  1. Consult with cybersecurity professionals to provide education on an annual basis.
  2. Ask the CEO and senior management to present the bank’s vision, risk appetite, and overall strategic direction for the bank’s cybersecurity program. 
  3. Review the results of ongoing monitoring of the bank’s exposure to and preparedness for cyber threats. Challenge the status quo and do not become complacent. Expect control proficiency levels to increase from baseline levels to evolving levels and higher. Criminals are not standing still and neither should you.
  4. Ensure proper budgeting of cybersecurity controls and review the bank’s cyber liability insurance annually.
  5. Ensure the bank’s systems are tested against cybersecurity threats at least annually, using the same techniques criminals use to break in.

What bank CEOs should know

  1. Where is our bank most at risk?
  2. Are our cybersecurity controls improving beyond baseline?
  3. Are we comfortable with residual risk levels?
  4. Are we reviewing the ACAT at least quarterly?
  5. Are our cybersecurity controls improving fast enough to outpace the evolving cybersecurity threats?

What the bank should be doing

  • Your bank should be a member of information sharing organizations such as the Financial Services Information Sharing and Analysis Center (FS-ISAC) and share information in bank peer group meetings.
  • Work with cybersecurity experts to develop regular board reporting on cybersecurity threats and risk management.
  • Improve cybersecurity control proficiency beyond baseline. Remember that improvement does not have to be overly expensive.
    • Maximize the use of all currently available controls.
    • Do not wait on examiners or IT auditors to make you improve. It could be too late.

Many executives and boards feel unprepared to address cybersecurity threats and risks. The good news is that there are many well-trained and qualified cybersecurity professionals who can help you. Enact change where needed and provide ongoing oversight of the cybersecurity program at your bank. Doing so will go a long way toward ensuring your bank does not become another victim of a cybersecurity attack.