Managing risk and satisfying examiners can be difficult for any bank. It’s particularly hard for community banks that want to manage their limited resources wisely.
One bank that balances these challenges well is Bryn Mawr Bank Corp., a $4.6 billion asset based in Bryn Mawr, Pennsylvania, on the outskirts of Philadelphia.
Bank Director Vice President of Research Emily McCormick recently interviewed Chief Risk Officer Patrick Killeen about the bank’s approach to risk for a feature story in our second quarter 2019 issue. That story, titled “Banks Regain Sovereignty Over Risk Practices,” dives into the results of Bank Director’s 2019 Risk Survey.
In the transcript of the interview—available exclusively to members of our Bank Services program—Killeen goes into detail about how his bank approaches stress testing, cybersecurity and credit risk, and explains how the executive team and board have strengthened the organization for future growth.
The top risks facing his community bank
Hiring the right talent to balance risk and growth
Balancing board and management responsibilities in lending
Conducting stress tests as a community bank
Managing cyber risk
Responding to Bank Secrecy Act and anti-money laundering guidance
The interview has been edited for brevity, clarity and flow.
Community bank boards have a lot of regulatory leeway when it comes to how they oversee the critical risks facing their organizations, including cybersecurity. Because of this latitude, many boards are working to find the best way to properly address these risks, congruent with the size and complexity of their institution.
“We’re evolving, and I think banks our size are evolving, because we are in that grey area around formal risk management,” says Robert Bradley, the chief risk officer at $1.4 billion asset Bank of Tennessee, based in Kingsport, Tennessee. “There’s no one way to approach risk management and governance.”
As a result, some banks govern risk within a separate risk committee, while others opt for the audit committee or address their institution’s risks as a full board.
And governance of cybersecurity is even more unresolved. Most oversee cybersecurity within the risk committee (27 percent) or technology committee (25 percent), according to Bank Director’s 2019 Risk Survey. A few—just 8 percent—have established a board-level cybersecurity committee.
“Those that have formed a cyber committee, whether they’re small or big, I think it’s an indication of how significant they believe it is to the institution,” says Craig Sanders, a partner at survey sponsor Moss Adams.
Does a bank’s governance structure make a difference in how boards approach oversight? It might. Our analysis finds a correlation between committee structure and executive responsibilities, communications with key executives and board discussions on risk.
The majority of respondents say their bank employs a chief information security officer, though many say that executive also focuses on other areas of the bank. Whether a bank employs a dedicated CISO tends to be a function of the size and complexity of the bank’s cyber program, says Sanders.
Banks that govern cybersecurity within a risk committee or a cybersecurity committee are more likely to employ a CISO.
The reporting structure for the CISO varies, with a majority of CISOs reporting to the CEO (32 percent) and/or the chief risk officer (31 percent). However, the reporting structure differs by committee.
Banks with a cybersecurity committee seem to prefer that their CISO reports to the CEO (36 percent). However, 27 percent say the CISO reports to the CRO, and a combined 27 percent say the CISO reports to the chief information officer or chief technology officer. Similarly, if cybersecurity is overseen in the technology committee, the CISO often reports to the CEO (33 percent) and/or the CIO or CTO (a combined 29 percent).
However, the CISO is more likely to report to the CRO (49 percent) if cybersecurity is governed within the risk committee.
Interestingly, the audit committee is most likely to insert itself into the CISO’s reporting structure when it governs cybersecurity. Of these, 32 percent say the CISO reports to the audit committee, 37 percent to the CEO and 32 percent to the CRO.
Sanders believes more CISOs should report to the relevant committee or the full board. “I view that position almost like internal audit. They shouldn’t be reporting up through management,” he says.
Establishing a dedicated committee is a visible sign that a board is taking a matter seriously. Committees can also provide an opportunity for directors to focus and educate themselves on an issue. So, it’s perhaps no surprise that the few bank boards that have established cybersecurity committees are dedicating more board time to the subject, as evidenced in this chart.
Risk and audit committees are tasked with a laundry list of issues facing their institutions. It’s hard to fit cybersecurity into the crowded agendas of these committees. However, it does make one question whether cybersecurity is addressed frequently enough by these boards.
Governance structure also seems to impact how frequently cybersecurity is discussed by the full board. With a cybersecurity committee, 46 percent say cybersecurity is part of the agenda at every board meeting, and 27 percent discuss the issue quarterly. Boards that address cybersecurity in the risk or audit committee are more likely to schedule a quarterly discussion as a board.
When boards take responsibility for cybersecurity at the board level—rather than assigning it to a committee—almost half say cybersecurity is on the agenda twice a year or annually. With this structure, 31 percent discuss it at every board meeting.
How frequently should boards be talking about cybersecurity?
“More is better, right?” says Sanders. “The requirement, from a regulatory standpoint, is that you only report to the board annually. So, anybody that’s doing it more than annually is exceeding the regulator’s expectation,” which is a good approach, he adds.
Few banks have cybersecurity committees, and it’s worth noting that boards with a cybersecurity committee are more likely to have a cybersecurity expert as a member. That expertise likely makes them feel better equipped to establish a committee.
Community bank boards have long grappled with how to govern risk in general. For several years following the enactment of the Dodd-Frank Act in 2010, risk committees were only required at banks above $10 billion in assets. Now, following passage of the Economic Growth, Regulatory Relief and Consumer Protection Act in 2018, that threshold is even higher, at $50 billion in assets.
But if it ain’t broke, don’t fix it: The 2019 Risk Survey confirms that boards aren’t suddenly dissolving their risk committees. Forty-one percent of banks—primarily, but not exclusively, above $1 billion in assets—have a separate board-level risk committee.
The survey indicates there’s good reason for this.
Ninety-six percent of respondents whose bank governs risk within a board-level risk committee say the CRO or equivalent meets quarterly or more with the full board. Audit committees are almost on par, at 89 percent. But interestingly, that drops to 79 percent at banks that oversee risk as a full board.
Bank of Tennessee’s audit and risk committee meets quarterly, and Bradley says that getting a handle on the bank’s overall risk governance is a priority for 2019. That includes getting more comprehensive information to the board.
“The board has all the right governance and oversight committees for ALCO, for credit, for all of those kinds of things, but we haven’t had a one-stop-shop rollup for [the overall risk] position of the bank, and that’s one of the things I’m focused on for 2019,” Bradley says. “Going forward, what I would like to do is [meet] with the risk committee at least quarterly, and with the full board, probably twice a year.”
Bank Director’s 2019 Risk Survey, sponsored by Moss Adams, reveals the views of 180 bank leaders, representing banks ranging from $250 million to $50 billion in assets, about today’s risk landscape, including risk governance, the impact of regulatory relief on risk practices, the potential effect of rising interest rates and the use of technology to enhance compliance. The survey was conducted in January 2019.
For additional information on the responsibilities of a bank’s risk committee, please see Bank Director’s Board Structure Guideline titled “Risk Committee Structure.”
Bank leaders are more worried than ever about cybersecurity: Eighty-three percent of the chief risk officers, chief executives, independent directors and other senior executives of U.S. banks responding to Bank Director’s 2019 Risk Survey say their concerns about cybersecurity have increased over the past year. Executives and directors have listed cybersecurity as their top risk concern in five prior versions of this survey, so finding that they’re more—rather than less—worried could be indicative of the industry’s struggles to get a handle on the issue.
The survey, sponsored by Moss Adams, was conducted in January 2019. It reveals the views of 180 bank leaders, representing banks ranging from $250 million to $50 billion in assets, about today’s risk landscape, including risk governance, the impact of regulatory relief on risk practices, the potential effect of rising interest rates and the use of technology to enhance compliance.
The survey also examines how banks oversee cybersecurity risk.
More banks are hiring chief information security officers: The percentage indicating their bank employs a CISO ticked up by seven points from last year’s survey and by 17 points from 2017. This year, Bank Director delved deeper to uncover whether the CISO holds additional responsibilities at the bank (49 percent) or focuses exclusively on cybersecurity (30 percent)—a practice more common at banks above $10 billion in assets.
How bank boards adapt their governance structures to effectively oversee cybersecurity remains a mixed bag. Cybersecurity may be addressed within the risk committee (27 percent), the technology committee (25 percent) or the audit committee (19 percent). Eight percent of respondents report their board has a board-level cybersecurity committee. Twenty percent address cybersecurity as a full board rather than delegating it to a committee.
A little more than one-third indicate one director is a cybersecurity expert, suggesting a skill gap some boards may seek to address.
Three-quarters of respondents reveal enhanced concerns around interest rate risk.
Fifty-eight percent expect to lose deposits if the Federal Reserve raises interest rates by more than one hundred basis points (1 percentage point) over the next 18 months. Thirty-one percent lost deposit share in 2018 as a result of rate competition.
The regulatory relief package, passed in 2018, freed banks between $10 billion and $50 billion in assets from stress test requirements. Yet, 60 percent of respondents in this asset class reveal they are keeping their Dodd-Frank Act Stress Test (DFAST) practices in place.
For smaller banks, more than three-quarters of those surveyed say they conduct an annual stress test.
When asked how their bank’s capital position would be affected in a severe economic downturn, more than half foresee a moderate impact on capital, with the bank’s capital ratio dropping to a range of 7 to 9.9 percent. Thirty-four percent believe their capital position would remain strong.
Following a statement issued by federal regulators late last year, 71 percent indicate they have implemented or plan to implement more innovative technology in 2019 to better comply with Bank Secrecy Act/anti-money laundering (BSA/AML) rules. Another 10 percent will work toward implementation in 2020.
Despite buzz around artificial intelligence, 63 percent indicate their bank hasn’t explored using AI technology to better comply with the myriad rules and regulations banks face.
It wasn’t a cybersecurity event or a nudge from regulators that prompted Huntington Bancshares’ board to create a Significant Events Committee in early 2018.
Instead, says Dave Porteous, lead director at the $108 billion bank based in Columbus, Ohio, it was old-fashioned governance principles that drove Huntington’s board to establish the ad hoc committee responsible for responding to the biggest risk faced by banks today: cybersecurity threats.
“Particularly over the last 10 years, the world is changing so quickly it has really become incumbent upon all boards, in my view, to continually be evaluating their governance structure and whether or not they need to make adjustments … to how the world is changing,” Porteous says.
Ask any bank executive or director right now to name the things that cause them to lose sleep at night and cybersecurity will almost invariably be at the top of the list.
Millions of personal records have already been compromised globally, and it can cost even a small bank millions of dollars to rectify a single cyber event. Yet, while it is a common topic in boardrooms, it hasn’t yielded widespread governance restructuring at banks across the United States.
Bank Director’s 2018 Technology Survey found that 93 percent of the 161 chief bank executives, senior technology officers and directors said cybersecurity is an issue of focus by their board.
But a 2018 analysis by Harvard Law School found that just 7 percent of all S&P 500 companies have separate technology committees, though 29 percent of large public bank holding companies above $10 billion in assets have set up just such a thing. This is significant because, as the study noted, cybersecurity is often the responsibility of the technology committee.
Significant events have over time produced mandated changes in corporate structure, like the Dodd-Frank requirement that banks above $10 billion in assets have a separate risk committee, or the Sarbanes-Oxley requirement that an audit committee oversee a bank’s independent auditor.
But Porteous argues that banks should not wait for changes in the law to force them into structural changes. The changes should emerge instead from ongoing conversations at institutions about new trends and threats.
“To me the critical thing is constantly be assessing and challenging yourself as a board on the way in which you govern and not to be afraid to make adjustments,” Porteous says. “In other words, create committees to address the current or upcoming issues that enhance the focus (of the board).”
For Huntington, the establishment of the Significant Events Committee was years in the making, but finally came after the board realized it was having similar discussions about the same topic at the board level and in separate committees.
“It was a natural thing for us to take these discussions we were having, both at the board meeting and various committee-level meetings, and then decide that we were spending a significant amount of time in those discussions that it was going to be critically important,” Porteous says.
When formed, the committee included Huntington CEO Stephen Steinour, who chaired the committee; the lead director; the chairs of the technology, risk and audit committees and the “lead cyber director,” the 2018 company proxy said. The committee has since been folded into the broader Technology Committee because of overlapping skill sets, Porteous says, but the bank can reestablish it or other ad hoc committees as necessary.
One such committee was Huntington’s Integration Committee, created when the bank acquired FirstMerit Corp. in 2016. The committee met three times in 2017 after the acquisition and was later dissolved.
But it’s not just cybersecurity or M&A that should qualify as a significant event worthy of a board’s attention. Recurring natural disasters, for instance, including hurricanes in the Southeast and wildfires in the West, are examples that might merit a similar response.
Whatever the issue, Porteous suggests boards continually assess their governance structure through annual board-level assessments or just paying attention to what’s in the newspaper every day.
“It’s critical to make those adjustments or adapt to the changing world,” Porteous says.
As new types of risk – and new regulatory requirements – are introduced, bank directors play an instrumental role in making sure the executive team is properly addressing cybersecurity risks.
This can be an especially challenging responsibility as it is rare for board members to have the technical background or expertise to appropriately assess an entity’s cybersecurity risk management program without external resources. In many instances, directors find themselves in the uncomfortable position of relying primarily on management reports or the advice of third-party providers to meet their oversight responsibilities.
Annual scorecards from management and vulnerability assessments from third-party providers have value, but can make it difficult to compare and assess risk management programs with confidence.
To address this challenge, boards can consult new guides that offer ways to explore and dig into potential cyber risk management issues and other technical matters.
The Center for Audit Quality (CAQ) recently released a new publication, “Cybersecurity Risk Management Oversight: A Tool for Board Members.” The tool, like other emerging frameworks, is designed to help board members probe more deeply, challenge management assertions from a position of knowledge and understanding, and make more informed use of independent auditors.
Asking the right questions
In addition to offering board members a high-level overview of cybersecurity risk management issues and board responsibilities, the tool offers a series of probing questions board members can use as they engage in discussions about cybersecurity risks and disclosures with management and with independent financial auditors.
The questions are organized into four groups:
Understanding how the financial statement auditor considers cybersecurity risk. These questions help board members understand the auditor’s approach to cybersecurity-related risks, and how such risks get addressed in the audit process.
Understanding the role of management and responsibilities of the financial statement auditor related to cybersecurity disclosures. These questions help board members explore compliance with current SEC guidance, as well as other regulatory and disclosure requirements.
Understanding management’s approach to cybersecurity risk management. These questions look beyond financial reporting and compliance, and begin to probe broader cybersecurity-related issues, including the governing framework, policies, processes, and controls the bank has in place to manage and mitigate cybersecurity risk.
Understanding how CPA firms can assist boards of directors in their oversight of cybersecurity risk management. These questions help board members learn about additional offerings CPA firms can provide to assist them, and what factors to consider when engaging outside auditors to perform readiness assessments and examinations.
Starting the conversation
The CAQ says the cybersecurity oversight tool is not intended to be a comprehensive, all-inclusive list of questions for board members to ask. It also cautions against treating the questions as a checklist.
Rather, board members should look at the questions as conversation starters: examples of the types of issues they should raise with management and financial statement auditors. The purpose of the questions is to spark a dialogue that clarifies responsibilities and helps board members develop a better understanding of how the company is managing its cybersecurity risks.
Expanding CPAs’ capabilities
As noted, one group of questions is designed to help board members learn more about other cybersecurity assurance services offered by CPA firms. One example of such services is the new System and Organization Controls (SOC) for Cybersecurity examination developed by the AICPA.
The information within the report provides management, directors or clients a description of the organization’s cybersecurity risk management program and an independent opinion on the effectiveness of the controls in place.
As concerns over cybersecurity risks in banking continue to intensify, directors will find it increasingly necessary to be capable of effectively challenging executive management and financial auditors. This tool is one guide, alongside other evolving frameworks and services, that can help boards fulfill their responsibilities while also adding significant value to the bank and its shareholders.
Ask most top bankers to name one thing that keeps them up at night, and many of them will say cyber threats and risks to their company’s cybersecurity are chief among them.
Even the biggest banks wrestle with this important issue, and breaches can have serious financial, reputational and regulatory ramifications.
Basic Cybersecurity Protections
For most companies, the question of a cyber-attack is when or how many, not if. There are basic protections to have in place to prepare for and defend against the risk of an event, but with the ongoing and persistent risk of threats, it’s best to have a strategy in place, and practiced, for any potential event.
Use Data To Protect Data
To mitigate the risks of cyber events and threats, using a data-based model can be effective. Data can quantify the risk to the institution and make regulatory reporting more efficient. It can also make the threat identification process more efficient by highlighting areas of risk more easily.
What is “Threat Intelligence?”
One of the toughest challenges in cybersecurity is maintaining an edge against potential attackers who are continually making their attempts more sophisticated and difficult to defeat. One way many companies maintain that edge is to collect and use “threat intelligence,” which is information that can help prepare for and preempt potential incoming cyberattacks. But you have to use the intelligence effectively.
The Cybersecurity Talent Threat
Research, including that conducted by Crowe and Bank Director, has indicated that bank executives and boards have concerns about the capability and readiness of the bank and its employees to identify, prevent and respond to cyberattacks. Regardless of asset size, there are ways to find and prepare your employees for real and perceived threats.
Financial implications
Just one breach can cost a company millions of dollars and untold more in other areas, potentially wiping out any projected revenue gains for the quarter, or longer. Analyses conducted by major firms have estimated a wide range of potential per-record costs for data breaches, making it difficult to truly project what any single event could carry in terms of financial impact. But some have been estimated to cost tens of millions of dollars, making the threat highly worrisome.
Cybersecurity should be, if it is not already, among the top talking points and areas of focus for your board. Without that preparation and ongoing discussion, your institution can find itself exposed to risks that can harm your customers and your institution. But remember there is plenty of opportunity to prepare, secure yourselves and respond in the event of a cyber event.
Technology is driving a wave of disruption across the entire financial services landscape. Financial services companies are increasingly finding themselves both competing with and working alongside more agile, highly entrepreneurial technology-based entities in a new and evolving ecosystem.
There are a number of global trends creating opportunities for financial services companies:
China’s population is growing at about 7 percent annually, roughly the equivalent of creating a country the size of Mexico every year.
At the same time, China and other emerging, fast-growing economies are raising many of their people above the poverty line, creating a new class of financial services consumer.
In more developed countries, people are retiring later and living longer.
These trends are driving a growing need for financial services. However, the story does not end with demographics and economics. Changes in technology are reshaping the ways these services are being delivered and consumed.
Consumers expect simplicity and mobility. Smartphones provide a wide range of financial services at our fingertips. With the rapid growth in artificial intelligence and machine learning applications, savvy financial services companies are adapting to the new ecosystem of digital service delivery and customer relationship providers. Gone are the days when customers had to visit the local bank branch to get most of the services and products they needed. The shakeup in providers will make for a vastly different landscape for competing financial services organizations in the near future.
While the adoption of blockchain technology is still in its infancy, it will potentially reshape the financial services landscape. Much of the transaction processing, matching, reconciliation and the movement of information between different parties will be a thing of the past. Once regulation has caught up, blockchain, or distributed ledger technology, will become ubiquitous.
Financial services companies need to understand where they fit in this digitally fueled, rapidly evolving environment. They need to decide how to take advantage of digital transformation. Many are starting to use robotic process automation to reduce their costs. But the reality is the spread of automation will soon level the playing field in terms of cost, and these companies will once again need to look for competitive advantage, either in the products and services they offer or the way they can leverage their relationships with customers and partners.
When companies leverage technology and data to achieve their business goals in this new environment, they also introduce new risks. Cybersecurity and data governance are two areas where financial services companies continue to struggle. The safety of an ecosystem will be dependent on its weakest link. For instance, if unauthorized breaches occur in one entrepreneurial technology company with less mature controls, those breaches can put all connected institutions and their customer information at risk. Further, automation can result in decisions based solely on data and algorithms. Without solid data governance, and basic change controls, mistakes can rapidly propagate and spiral before they can be detected, with dramatic consequences for customer trust, regulatory penalty and shareholder value.
Strategically, financial services companies will need to decide if they want to be curators of services from various providers—and focus on developing strong customer relationships—or if they want to provide the best product curated and offered by others. Investing in one of these strategies will be a key to success.
Jerome Powell’s semi-annual appearance before Congress was perhaps a bit more newsworthy than it has been for past chairmen of the Federal Reserve, and his core message signals a few key moves that will certainly impact how banks manage themselves over the next several months.
Powell’s appearance was overshadowed with questions about trade policy and what was happening further down Pennsylvania Avenue, but the core message from Powell, who has been on the job for less than a year, was that the central bank is continuing on a path toward normalization of interest rates, a place the U.S. economy hasn’t seen in a decade or longer.
Despite the tangents that media-savvy politicians tried to take Powell down, his core message as it applies to bankers is important and provides signals as to how the Fed will manage the economy over the next several months.
Here are some takeaways:
Bank profitability likely to remain high. Powell’s comments about the overall tax climate and overall business environment point to good things on the horizon for banks, which have reported strong earnings since the end of last year when tax reforms were passed.
Said Powell: “Our financial system is much stronger than before the crisis and is in a good position to meet the credit needs of households and businesses … Federal tax and spending policies likely will continue to support the expansion.” Second-quarter results have illustrated that, with some banks reporting quarterly earnings per share around 40 percent above last year.
Fed getting back to “normal.” For several years since the crisis, the Fed bought large quantities of U.S. Treasury bonds—known as quantitative easing—to pump cash into the market and boost the economy. With plenty of indicators that the economy is now humming, Powell said the Fed has begun allowing those securities to mature, bringing that practice to an end.
“Our policies reflect the strong performance of the economy and are intended to help make sure that this trend continues,” Powell said.
“The payment of interest on balances held by banks in their accounts at the Federal Reserve has played a key role in carrying out these policies … Payment of interest on these balances is our principal tool for keeping the federal funds rate in the FOMC’s target range. This tool has made it possible for us to gradually return interest rates to a more normal level without disrupting financial markets and the economy.”
Cybersecurity tops list of risks. In his appearance before the House Financial Services Committee, Powell said cybersecurity, and the unexpected threats therein, is what keeps him up at night, aside from what he called “elevated” asset prices that would fall under more traditional concerns, like commercial real estate.
Preparing for the worst-case cybersecurity scenario is top-of-mind, he said, even more than traditional risks. Preventing and preparing should be the focus, he said.
“(Do) as much as possible, and then double it,” he said, a signal of how serious the Fed views the issue. He then tamped that statement down, and said the Fed “does a great deal” with its supervision of banks, and advised them to continually maintain “basic cyber hygiene” by keeping up to date on emerging trends and threats.
“We do everything we can to prevent failure, but then we have to ask what would we do if there were a successful cyberattack,” he said. “We have to have a plan for that too.”
According to Javelin’s 2018 Identity Fraud Report, identity theft reached an all-time high in 2017 with more than 16 million consumers being affected. On top of this, 24 percent of network breaches target financial institutions, according to Verizon’s 2017 Data Breach Investigations Report. This 1-2 punch combination is affecting banks of all sizes. The days of cybersecurity attacks only affecting the largest financial institutions are gone.
Criminal tactics are evolving and becoming more sophisticated. Increasingly, smartphones are targeted through spam text messages and a myriad of social media scams. These tactics could compromise the phone of a customer that may be accessing a mobile banking application or a bank employee accessing internal bank systems, such as email. The Internet of Things, or IoT, is the network of physical devices, vehicles, home appliances, and other items that can connect and exchange data. Criminals are compromising IoT to launch sophisticated cyberattacks against financial institutions and their customers.
As a bank executive or board member, there are steps you can take to fight back. It starts by recognizing your bank and your customers are targets and can become victims. As leaders, it is important to understand your responsibility to oversee the bank’s cybersecurity program and educate yourself on the current threats and trends. The following recommendations are the first steps to take as you oversee your bank’s cybersecurity program.
What the CEO should be doing
The Financial Services Sector Coordinating Council has an Excel-based Automated Cyber Assessment Tool (ACAT) available for download at https://www.fsscc.org/. Ensure it is completed by management and updated at least annually.
Management should develop a cybersecurity risk appetite and understand where the bank is exposed to the greatest risk.
Oversee and monitor the bank’s cybersecurity program. Ensure a strategic and tested incident response program is in place.
Challenge preparedness results by reviewing the ACAT and not accepting “baseline” control maturity levels as the desired control level.
Budget appropriately for cybersecurity preparedness. Compare the funding for cybersecurity controls to that for physical security controls. If cybersecurity threats are greater than physical security threats, funding of cybersecurity controls should at least be on par with physical security investments.
What the board should be doing
Consult with cybersecurity professionals to provide education on an annual basis.
Ask the CEO and senior management to present the bank’s vision, risk appetite, and overall strategic direction for the bank’s cybersecurity program.
Review the results of ongoing monitoring of the bank’s exposure to and preparedness for cyber threats. Challenge the status quo and do not become complacent. Expect control proficiency levels to increase from baseline levels to evolving levels and higher. Criminals are not standing still and neither should you.
Ensure proper budgeting of cybersecurity controls and review the bank’s cyber liability insurance annually.
Ensure the bank’s systems are tested against cybersecurity threats at least annually and utilize the same techniques criminals use to break in.
What bank CEOs should know
Where is our bank most at risk?
Are our cybersecurity controls improving beyond baseline?
Are we comfortable with residual risk levels?
Are we reviewing the ACAT at least quarterly?
Are our cybersecurity controls improving fast enough to outpace the evolving cybersecurity threats?
What the bank should be doing
Your bank should be a member of information sharing organizations such as Financial Services – Information Sharing and Analysis Center (FS-ISAC) and share information in bank peer group meetings.
Work with cybersecurity experts to develop regular board reporting on cybersecurity threats and risk management.
Improve cybersecurity control proficiency beyond baseline. Remember that improvement does not have to be overly expensive.
Maximize the use of all currently available controls.
Do not wait on examiners or IT auditors to make you improve. It could be too late.
Many executives and boards feel unprepared to address cybersecurity threats and risks. The good news is there are many well trained and qualified cybersecurity professionals that can help you. Enact change where needed and provide ongoing oversight of the cybersecurity program at your bank. Doing so will go a long way towards ensuring your bank does not become another victim of cybersecurity attack.
Cybersecurity is one of the most discussed risks facing financial services companies today, but many organizations are taking too narrow an approach to combating cybercrime. These organizations make the mistake of placing responsibility for defending against the risks solely on their IT professionals.
As criminals continue to develop increasingly targeted attacks, institutions must tackle cybersecurity from an enterprise-wide perspective that goes further than mere regulatory compliance. Cybersecurity can no longer be the function of a single department–executives must see that it is embedded throughout the enterprise, from the branch to the boardroom.
Common Cybersecurity Gaps
Even institutions that have invested funding, allocated resources, built perimeters, and complied with regulations can fall prey to a single point of cybersecurity failure. Some of the recent major attacks have resulted, at least in part, from one of the following fail points:
Inaccurate monitoring, or an unattended security information and event management (SIEM) function
Inadequate system patching procedures
Lack of cyberintelligence (external information gathered on known attacks)
Lack of incident response planning
Notably, vulnerabilities such as weak passwords and insufficient training involve more than just IT staff. Organizations that involve all departments empower their employees to think daily about how their actions protect or expose the organization, which translates into multiple points of control. Strong governance is, of course, essential to achieving such an embedded mindset.
The Need for a Tailored Approach
Many financial services organizations have responded to cyberthreats by investing heavily in costly, one-size-fits-all technology systems. They rely on traditional controls for protection, like firewalls, encryption, anti-virus software, and multifactor authentication. These components are helpful and most often necessary; however, many institutions also require more tailored controls and processes. Organizations should adopt enterprise-wide cybersecurity programs commensurate with their particular risks and sensitive assets.
For example, it’s common for a financial service organization to provide employee training on cyber risks. But standardized, “off-the-shelf” training does not consider the varying degrees of risk across the staff population. For training to be meaningful, it must be customized to different employees’ roles and access to data.
To develop such training, as well as other appropriate controls, an organization will need to identify the assets it wishes to protect and the associated access points. Each department or business unit that maintains sensitive information must catalog the information and classify the sensitivity of each asset, taking into account the organization’s risk appetite (the acceptable level of risk exposure). The departments then should identify all methods of access to each asset, as well as the parties with such access, and quantify the resulting risk.
Only when armed with this information can a financial services organization tailor appropriate controls and properly allocate resources against the related cyberthreats. For example, most organizations do not need to treat data across the enterprise equally. Rather, they can define unique security controls for the most sensitive data. Similarly, it might be wise to institute the most comprehensive training in the departments that have access to sensitive data, are customer-facing, or provide information to third parties on behalf of the organization.
Enterprise incident response is another area that calls for a more customized approach. An organization should identify the employees best positioned to notice suspicious activity and ensure they know how to respond. IT employees who monitor account and system activity should be included in this process, but key stakeholders and employees who are client- and third-party-facing also should be involved. The organization also must have an appropriate response plan ready to execute when those on the front lines raise the red flag.
Critical Steps
To adopt an enterprise-wide cybersecurity program, financial services organizations should:
Identify and prioritize sensitive assets.
Design and implement tailored and global controls aligned with sensitive assets and their associated risks (including dual controls for especially sensitive areas).
Ensure executives and the board are aware of and aligned to the tailored program, which includes making cybersecurity part of the overall strategy of the institution.
Educate employees specific to their roles and the associated risks.
Manage cybersecurity at the enterprise level and on employee devices.
Continuously monitor significant areas and environmental changes.
Keep software and systems up to date.
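The inventory, classify, quantify and tailor cycle described above (catalog each sensitive asset, identify every access method and party, score the resulting risk against the risk appetite, then fit controls and training to the result) is easier to challenge at the board level when it is written down as data rather than as a narrative. The following is an added example in Python, not the article's or any bank's program: a small asset register with a four-tier sensitivity scheme, per-path exposure weights, a numeric risk appetite and the derived controls. The tiers, weights, appetite value and the sample register are all assumptions chosen for illustration.

```python
"""Asset-risk register for tailoring controls to sensitive assets.

Added example (not from the article or any named bank): classify assets,
enumerate who reaches them and how, quantify risk, compare with a stated
risk appetite, and derive controls and training targets per department.
The sensitivity scheme, exposure weights and appetite are assumptions."""
from dataclasses import dataclass, field

# Assumed four-tier classification scheme, ordered low to high.
SENSITIVITY = {"public": 1, "internal": 2, "confidential": 3, "restricted": 4}


@dataclass
class AccessPath:
    party: str                 # department, vendor or customer using the path
    method: str                # application or channel, e.g. "vendor support VPN"
    external: bool             # reachable from outside the bank's network
    mfa: bool                  # multifactor authentication enforced on the path
    third_party: bool = False  # path serves or is used by an outside party
    staff: bool = True         # party is bank staff/contractor subject to training


@dataclass
class Asset:
    name: str
    owner: str                 # business unit that maintains the asset
    sensitivity: str           # key into SENSITIVITY
    paths: list = field(default_factory=list)


def exposure(path):
    """Likelihood-side weight for one access path (assumed scale 1..5)."""
    score = 1
    if path.external:
        score += 2
    if not path.mfa:
        score += 1
    if path.third_party:
        score += 1
    return score


def inherent_risk(asset):
    """Impact (sensitivity tier) times the worst exposure among its paths."""
    if not asset.paths:
        return 0
    return SENSITIVITY[asset.sensitivity] * max(exposure(p) for p in asset.paths)


def required_controls(asset):
    """Controls tailored to the asset's tier and its weakest access paths."""
    controls = set()
    for p in asset.paths:
        if p.external and not p.mfa:
            controls.add(f"enforce MFA on {p.method} ({p.party})")
        if p.third_party:
            controls.add(f"periodic access review for {p.party}")
    if SENSITIVITY[asset.sensitivity] >= SENSITIVITY["restricted"]:
        controls.add("dual control on changes and transfers")  # two-person rule
    return sorted(controls)


def assess(assets, appetite):
    """One row per asset, highest risk first; flags rows above the appetite."""
    rows = []
    for a in assets:
        risk = inherent_risk(a)
        rows.append({"asset": a.name, "owner": a.owner, "risk": risk,
                     "exceeds_appetite": risk > appetite,
                     "controls": required_controls(a)})
    return sorted(rows, key=lambda r: r["risk"], reverse=True)


def training_targets(assets, min_tier="confidential"):
    """Staff parties touching assets at or above min_tier get role-specific training."""
    floor = SENSITIVITY[min_tier]
    return sorted({p.party for a in assets if SENSITIVITY[a.sensitivity] >= floor
                   for p in a.paths if p.staff})


# Constructed sample register for a small bank (illustrative values only).
REGISTER = [
    Asset("customer account records", "Operations", "restricted", [
        AccessPath("Operations", "core banking app", external=False, mfa=True),
        AccessPath("Customer", "mobile banking app", external=True, mfa=True, staff=False),
        AccessPath("Core vendor", "vendor support VPN", external=True, mfa=False, third_party=True),
    ]),
    Asset("wire transfer system", "Treasury", "restricted", [
        AccessPath("Treasury", "wire workstation", external=False, mfa=True),
    ]),
    Asset("HR personnel files", "HR", "confidential", [
        AccessPath("HR", "HR portal", external=False, mfa=False),
    ]),
    Asset("marketing website content", "Marketing", "public", [
        AccessPath("Marketing", "CMS", external=True, mfa=False),
    ]),
]
RISK_APPETITE = 8  # assumed: highest inherent score the board will accept

if __name__ == "__main__":
    for row in assess(REGISTER, RISK_APPETITE):
        flag = "OVER APPETITE" if row["exceeds_appetite"] else "ok"
        print(f"{row['risk']:>3} {flag:14} {row['asset']} ({row['owner']})")
        for c in row["controls"]:
            print("      -", c)
    print("role-specific training:", ", ".join(training_targets(REGISTER)))
```

On the sample register, the only asset above appetite is the customer account records, and the reason is visible in the row: an unauthenticated-by-MFA vendor VPN path, not the customer mobile channel. That is the kind of finding a board can act on (enforce MFA on that path, review vendor access) without treating every system in the bank the same way, and the departments listed for role-specific training are exactly those that touch confidential or restricted data.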
Multiplying the Benefits
Financial services organizations that take a broad view of cybersecurity establish more effective and cost-efficient controls. Moreover, organizations with all of their employees on the same page are more likely to enjoy improved performance.