One Tool To Get a Better Grasp on Cybersecurity Risk Oversight


As new types of risk – and new regulatory requirements – are introduced, bank directors play an instrumental role in making sure the executive team is properly addressing cybersecurity risks.

This can be an especially challenging responsibility as it is rare for board members to have the technical background or expertise to appropriately assess an entity’s cybersecurity risk management program without external resources. In many instances, directors find themselves in the uncomfortable position of relying primarily on management reports or the advice of third-party providers to meet their oversight responsibilities.

Annual scorecards from management and vulnerability assessments from third-party providers have value, but can make it difficult to compare and assess risk management programs with confidence.

To address this challenge, boards can consult new guides that offer ways to explore and dig into potential cyber risk management issues and other technical matters.

The Center for Audit Quality (CAQ) recently released a new publication, “Cybersecurity Risk Management Oversight: A Tool for Board Members.” The tool, like other emerging frameworks, is designed to help board members probe more deeply, challenge management assertions from a position of knowledge and understanding, and make more informed use of independent auditors.

Asking the right questions
In addition to offering board members a high-level overview of cybersecurity risk management issues and board responsibilities, the tool offers a series of probing questions board members can use as they engage in discussions about cybersecurity risks and disclosures with management and with independent financial auditors.

The questions are organized into four groups:

  1. Understanding how the financial statement auditor considers cybersecurity risk. These questions help board members understand the auditor’s approach to cybersecurity-related risks, and how such risks get addressed in the audit process.
  2. Understanding the role of management and responsibilities of the financial statement auditor related to cybersecurity disclosures. These questions help board members explore compliance with current SEC guidance, as well as other regulatory and disclosure requirements.
  3. Understanding management’s approach to cybersecurity risk management. These questions look beyond financial reporting and compliance, and begin to probe broader cybersecurity-related issues, including the governing framework, policies, processes, and controls the bank has in place to manage and mitigate cybersecurity risk.
  4. Understanding how CPA firms can assist boards of directors in their oversight of cybersecurity risk management. These questions help board members learn about additional offerings CPA firms can provide to assist them, and what factors to consider when engaging outside auditors to perform readiness assessments and examinations.

Starting the conversation
The CAQ says the cybersecurity oversight tool is not intended to be a comprehensive, all-inclusive list of questions for board members to ask. It also cautions board members against treating the questions as a checklist.

Rather, board members should look at the questions as conversation starters: examples of the types of issues they should raise with management and financial statement auditors. The purpose of the questions is to spark a dialogue that clarifies responsibilities and helps board members develop a better understanding of how the company is managing its cybersecurity risks.

Expanding CPAs’ capabilities
As noted, one group of questions is designed to help board members learn more about other cybersecurity assurance services offered by CPA firms. One example of such services is the new System and Organization Controls (SOC) for Cybersecurity examination developed by the AICPA.

The information within the report provides management, directors or clients a description of the organization’s cybersecurity risk management program and an independent opinion on the effectiveness of the controls in place.

As concerns over cybersecurity risks in banking continue to intensify, directors will find it increasingly necessary to be capable of effectively challenging executive management and financial auditors. This tool is one guide, alongside other evolving frameworks and services, that can help boards fulfill their responsibilities while also adding significant value to the bank and its shareholders.

Cybersecurity: What You Need To Know


Ask most top bankers what keeps them up at night, and many will say that cyber threats and risks to their company’s cybersecurity are chief among their concerns.

Even the biggest banks wrestle with this important issue, and breaches can have serious financial, reputational and regulatory ramifications.


Basic Cybersecurity Protections
For most companies, the question of a cyber-attack is when or how many, not if. There are basic protections to have in place to prepare for and defend against the risk of an event, but with the ongoing and persistent risk of threats, it’s best to have a practiced strategy for any potential event.

Use Data To Protect Data
To mitigate the risks of cyber events and threats, using a data-based model can be effective. Data can quantify the risk to the institution and make regulatory reporting more efficient. It can also make the threat identification process more efficient by highlighting areas of risk more easily.

What is “Threat Intelligence?”
One of the toughest challenges in cybersecurity is maintaining an edge against potential attackers who are continually making their attempts more sophisticated and difficult to defeat. One way many companies maintain that edge is to collect and use “threat intelligence,” which is information that can help prepare and preempt potential incoming cyberattacks. But, you have to use the intelligence effectively.

The Cybersecurity Talent Threat
Research, including that conducted by Crowe and Bank Director, has indicated that bank executives and boards have concerns about the capability and readiness of the bank and its employees to identify, prevent and respond to cyberattacks. Regardless of asset size, there are ways to find and prepare your employees for real and perceived threats.

Financial implications
Just one breach can cost a company millions of dollars and untold more in other areas, potentially wiping out any projected revenue gains for the quarter, or longer. Analyses conducted by major firms have estimated a wide range of potential per-record costs for data breaches, making it difficult to truly project the financial impact any single event could carry. But some breaches have been estimated to cost tens of millions of dollars, making the threat highly worrisome.

Cybersecurity should be, if it is not already, among the top talking points and areas of focus for your board. Without that preparation and ongoing discussion, your institution can find itself exposed to risk that can harm your customers and your institution. But remember there is plenty of opportunity to prepare, secure yourselves and respond in the event of a cyber event.

What’s At Stake In A Tech-Driven World


Technology is driving a wave of disruption across the entire financial services landscape. Financial services companies are increasingly finding themselves both competing with and working alongside more agile, highly entrepreneurial technology-based entities in a new and evolving ecosystem.

There are a number of global trends creating opportunities for financial services companies:

  • China’s population is growing at about 7 percent annually, roughly the equivalent of creating a country the size of Mexico every year.
  • At the same time, China and other emerging, fast-growing economies are raising many of their people above the poverty line, creating a new class of financial services consumer.
  • In more developed countries, people are retiring later and living longer.

These trends are driving a growing need for financial services. However, the story does not end with demographics and economics. Changes in technology are reshaping the ways these services are being delivered and consumed.

Consumers expect simplicity and mobility. Smartphones provide a wide range of financial services at our fingertips. With the rapid growth in artificial intelligence and machine learning applications, savvy financial services companies are adapting to the new ecosystem of digital service delivery and customer relationship providers. Gone are the days when customers have to visit the local bank branch to get most of the services and products they needed. The shakeup in providers will make for a vastly different landscape for competing financial services organizations in the near future.

While the adoption of blockchain technology is still in its infancy, it will potentially reshape the financial services landscape. Much of the transaction processing, matching, reconciliation and the movement of information between different parties will be a thing of the past. Once regulation has caught up, blockchain, or distributed ledger technology, will become ubiquitous.

Financial services companies need to understand where they fit in this digitally fueled, rapidly evolving environment. They need to decide how to take advantage of digital transformation. Many are starting to use robotic process automation to reduce their costs. But the reality is the spread of automation will soon level the playing field in terms of cost, and these companies will once again need to look for competitive advantage, either in the products and services they offer or the way they can leverage their relationships with customers and partners.

When companies leverage technology and data to achieve their business goals in this new environment, they also introduce new risks. Cybersecurity and data governance are two areas where financial services companies continue to struggle. The safety of an ecosystem will be dependent on its weakest link. For instance, if unauthorized breaches occur in one entrepreneurial technology company with less mature controls, those breaches can put all connected institutions and their customer information at risk. Further, automation can result in decisions based solely on data and algorithms. Without solid data governance, and basic change controls, mistakes can rapidly propagate and spiral before they can be detected, with dramatic consequences for customer trust, regulatory penalty and shareholder value.

Strategically, financial services companies will need to decide if they want to be curators of services from various providers—and focus on developing strong customer relationships—or if they want to provide the best product curated and offered by others. Investing in one of these strategies will be a key to success.

Three Important Things Jerome Powell Said To Congress


Jerome Powell’s semi-annual appearance before Congress was perhaps a bit more newsworthy than it has been for past chairmen of the Federal Reserve, and his core message signals a few key moves that will certainly impact how banks manage themselves over the next several months.

Powell’s appearance was overshadowed with questions about trade policy and what was happening further down Pennsylvania Avenue, but the core message from Powell, who has been on the job for less than a year, was that the central bank is continuing on a path toward normalization of interest rates, a place the U.S. economy hasn’t seen in a decade or longer.

Despite the tangents that media-savvy politicians tried to take Powell down, his core message as it applies to bankers is important and provides signals as to how the Fed will manage the economy over the next several months.

Here are some takeaways:

Bank profitability likely to remain high. Powell’s comments about the overall tax climate and overall business environment point to good things on the horizon for banks, which have reported strong earnings since the end of last year when tax reforms were passed.

Said Powell: “Our financial system is much stronger than before the crisis and is in a good position to meet the credit needs of households and businesses … Federal tax and spending policies likely will continue to support the expansion.”
Second-quarter results have illustrated that, with some banks reporting quarterly earnings per share around 40 percent above last year.

Fed getting back to “normal.” For several years since the crisis, the Fed bought large quantities of U.S. Treasury bonds—known as quantitative easing—to pump cash into the market and boost the economy. With plenty of indicators that the economy is now humming, Powell said the Fed has begun allowing those securities to mature, bringing that practice to an end.

“Our policies reflect the strong performance of the economy and are intended to help make sure that this trend continues,” Powell said.

“The payment of interest on balances held by banks in their accounts at the Federal Reserve has played a key role in carrying out these policies … Payment of interest on these balances is our principal tool for keeping the federal funds rate in the FOMC’s target range. This tool has made it possible for us to gradually return interest rates to a more normal level without disrupting financial markets and the economy.”

Cybersecurity tops list of risks. In his appearance before the House Financial Services Committee, Powell said cybersecurity, and the unexpected threats therein, is what keeps him up at night, aside from what he called “elevated” asset prices that would fall under more traditional concerns, like commercial real estate.

Preparing for the worst-case cybersecurity scenario is top-of-mind, he said, even more than traditional risks. Preventing and preparing should be the focus, he said.

“(Do) as much as possible, and then double it,” he said, a signal of how serious the Fed views the issue.
He then tamped that statement down, and said the Fed “does a great deal” with its supervision of banks, and advised them to continually maintain “basic cyber hygiene” by keeping up to date on emerging trends and threats.

“We do everything we can to prevent failure, but then we have to ask what would we do if there were a successful cyberattack,” he said. “We have to have a plan for that too.”

What CEOs and Directors Should Know About Cybersecurity


According to Javelin’s 2018 Identity Fraud Report, identity theft reached an all-time high in 2017 with more than 16 million consumers being affected. On top of this, 24 percent of network breaches target financial institutions, according to Verizon’s 2017 Data Breach Investigations Report. This one-two punch is affecting banks of all sizes. The days of cybersecurity attacks only affecting the largest financial institutions are gone.

Criminal tactics are evolving and becoming more sophisticated. Increasingly, smartphones are targeted through spam text messages and a myriad of social media scams. These tactics could compromise the phone of a customer that may be accessing a mobile banking application or a bank employee accessing internal bank systems, such as email. The Internet of Things, or IoT, is the network of physical devices, vehicles, home appliances, and other items that can connect and exchange data. Criminals are compromising IoT to launch sophisticated cyberattacks against financial institutions and their customers.

As a bank executive or board member, there are steps you can take to fight back. It starts by recognizing your bank and your customers are targets and can become victims. As leaders, it is important to understand your responsibility to oversee the bank’s cybersecurity program and educate yourself on the current threats and trends. The following recommendations are the first steps to take as you oversee your bank’s cybersecurity program.

What the CEO should be doing

  1. The Financial Services Sector Coordinating Council has an Excel-based Automated Cyber Assessment Tool (ACAT) available for download at https://www.fsscc.org/. Ensure it is completed by management and updated at least annually.
  2. Management should develop a cybersecurity risk appetite and understand where the bank is exposed to the greatest risk.
  3. Oversee and monitor the bank’s cybersecurity program. Ensure a strategic and tested incident response program is in place.
  4. Challenge preparedness results by reviewing the ACAT and not accepting “baseline” control maturity levels as the desired control level.
  5. Budget appropriately for cybersecurity preparedness. Compare the funding for cybersecurity controls to physical security controls. Assuming cybersecurity threats are greater than physical security threats, funding of cybersecurity controls should be at least in parity with physical security investments.

What the board should be doing

  1. Consult with cybersecurity professionals to provide education on an annual basis.
  2. Ask the CEO and senior management to present the bank’s vision, risk appetite, and overall strategic direction for the bank’s cybersecurity program.
  3. Review the results of ongoing monitoring of the bank’s exposure to and preparedness for cyber threats. Challenge the status quo and do not become complacent. Expect control proficiency levels to increase from baseline levels to evolving levels and higher. Criminals are not standing still and neither should you.
  4. Ensure proper budgeting of cybersecurity controls and review the bank’s cyber liability insurance annually.
  5. Ensure the bank’s systems are tested against cybersecurity threats at least annually, using the same techniques criminals use to break in.

What bank CEOs should know

  1. Where is our bank most at risk?
  2. Are our cybersecurity controls improving beyond baseline?
  3. Are we comfortable with residual risk levels?
  4. Are we reviewing the ACAT at least quarterly?
  5. Are our cybersecurity controls improving fast enough to outpace the evolving cybersecurity threats?

What the bank should be doing

  • Your bank should be a member of information sharing organizations such as the Financial Services – Information Sharing and Analysis Center (FS-ISAC) and share information in bank peer group meetings.
  • Work with cybersecurity experts to develop regular board reporting on cybersecurity threats and risk management.
  • Improve cybersecurity control proficiency beyond baseline. Remember that improvement does not have to be overly expensive.
    • Maximize the use of all currently available controls.
    • Do not wait on examiners or IT auditors to make you improve. It could be too late.

Many executives and boards feel unprepared to address cybersecurity threats and risks. The good news is there are many well-trained and qualified cybersecurity professionals who can help you. Enact change where needed and provide ongoing oversight of the cybersecurity program at your bank. Doing so will go a long way towards ensuring your bank does not become another victim of a cybersecurity attack.

Effective Cybersecurity Demands Involvement From Everyone at Your Bank


Cybersecurity is one of the most discussed risks facing financial services companies today, but many organizations are taking too narrow an approach to combating cybercrime. These organizations make the mistake of placing responsibility for defending against the risks solely on their IT professionals.

As criminals continue to develop increasingly targeted attacks, institutions must tackle cybersecurity from an enterprise-wide perspective that goes further than mere regulatory compliance. Cybersecurity can no longer be the function of a single department–executives must see that it is embedded throughout the enterprise, from the branch to the boardroom.

Common Cybersecurity Gaps
Even institutions that have invested funding, allocated resources, built perimeters, and complied with regulations can fall prey to a single point of cybersecurity failure. Some of the recent major attacks have resulted, at least in part, from one of the following fail points:

  • Poor governance
  • Weak passwords
  • Inaccurate monitoring or unattended security information and event monitoring functions
  • Inadequate system patching procedures
  • Lack of cyberintelligence (external information gathered on known attacks)
  • Insufficient training
  • Lack of incident response planning

Notably, vulnerabilities such as weak passwords and insufficient training involve more than just IT staff. Organizations that involve all departments empower their employees to think daily about how their actions protect or expose the organization, which translates into multiple points of control. Strong governance is, of course, essential to achieving such an embedded mindset.

The Need for a Tailored Approach
Many financial services organizations have responded to cyberthreats by investing heavily in costly, one-size-fits-all technology systems. They rely on traditional controls for protection, like firewalls, encryption, anti-virus software, and multifactor authentication. These components are helpful and most often are necessary; however, many institutions require more tailored controls and processes. Rather than stopping at generic technology, organizations should adopt enterprise-wide cybersecurity programs commensurate with their particular risks and sensitive assets.

For example, it’s common for a financial service organization to provide employee training on cyber risks. But standardized, “off-the-shelf” training does not consider the varying degrees of risk across the staff population. For training to be meaningful, it must be customized to different employees’ roles and access to data.

To develop such training, as well as other appropriate controls, an organization will need to identify the assets it wishes to protect and the associated access points. Each department or business unit that maintains sensitive information must catalog the information and classify the sensitivity of each asset, taking into account the organization’s risk appetite (the acceptable level of risk exposure). The departments then should identify all methods of access to each asset, as well as the parties with such access, and quantify the resulting risk.

Only when armed with this information can a financial services organization tailor appropriate controls and properly allocate resources against the related cyberthreats. For example, most organizations do not need to treat data across the enterprise equally. Rather, they can define unique security controls for the most sensitive data. Similarly, it might be wise to institute the most comprehensive training in departments that have access to sensitive data, are customer-facing, or provide information to third parties on behalf of the organization.

Enterprise incident response is another area that calls for a more customized approach. An organization should identify the employees best positioned to notice suspicious activity and ensure they know how to respond. IT employees who are monitoring account and system activity should be included in this process, but key stakeholders and employees who are client- and third-party-facing also should be involved. The organization also must have an appropriate response plan ready to execute when those on the front lines raise the red flag.

Critical Steps
To adopt an enterprise-wide cybersecurity program, financial services organizations should:

  1. Identify and prioritize sensitive assets.
  2. Design and implement tailored and global controls aligned with sensitive assets and their associated risks (including dual controls for especially sensitive areas).
  3. Ensure executives and the board are aware of and aligned to the tailored program, which includes making cybersecurity part of the overall strategy of the institution.
  4. Educate employees specific to their roles and the associated risks.
  5. Manage cybersecurity at the enterprise level and on employee devices.
  6. Continuously monitor significant areas and environmental changes.
  7. Keep software and systems up to date.

Multiplying the Benefits
Financial services organizations that take a broad view of cybersecurity establish more effective and cost-efficient controls. Moreover, organizations with all of their employees on the same page are more likely to enjoy improved performance.

How Financial Institutions Should Prepare For and Respond to a Cybersecurity Incident


Cybersecurity incidents and data compromises continue to plague financial institutions on a seemingly daily basis. Without a proper response plan in place, financial institutions risk significant damage to their reputation and operations, as well as serious potential liability from regulators and class-action litigation. This guide outlines the procedures financial institutions should implement to prepare for and respond to a cybersecurity incident.

It is crucial that financial institutions adopt a response policy to mitigate the harm of a cybersecurity incident. This policy should establish a response team, including an executive officer and technical and operational personnel, charged with handling all cybersecurity incidents.

Time is of the essence during any cybersecurity incident, and communication is vital to the response team’s effective handling and investigation of the situation. Each employee should know how to report an incident. Notification processes, responsible personnel, and other elements of the communications plan should be as seamless as possible to enable the cybersecurity response team to immediately investigate the potential incident and determine whether an incident actually occurred. As soon as the incident is confirmed, the team must immediately respond.

Determine the severity of the incident. The response team should first determine the severity of the harm and the type of incident that occurred. This will help determine the scope of response necessary to appropriately address the incident. The team should be sure to create a detailed record of all investigations and responses.

Mitigate the harm. The response team next should work to mitigate the harm on its systems. For example, the team can quarantine or isolate the compromised system, install security patches to prevent further incidents, update anti-virus signatures, and conduct a vulnerability analysis to identify elements of the system potentially at risk of a similar incident.

Establish lines of communication. Pre-determined and clear lines of communication, both internal and external, are critical to responding to an incident. The response team should also be in communication with appropriate auxiliary teams in the financial institution. For example, if the cybersecurity incident led to customer information being compromised, the response team should coordinate with the customer relations team to facilitate customer notification. Senior management should also inform the board of directors of the incident so that the directors can assist in developing a response strategy as appropriate.

When deemed necessary, the response team should also be in contact with third-party advisors, such as legal counsel or forensics experts. If the response team determines an incident has potentially compromised personally identifiable information or other legally protected information, the team should immediately contact legal counsel and the institution’s insurance carrier (unless instructed otherwise by legal counsel).

Review and repair vulnerabilities. After a financial institution has experienced a cybersecurity incident, it should evaluate system vulnerabilities by identifying the incident’s source and method. The financial institution should rectify or mitigate the risk of the vulnerabilities as soon as possible.

After addressing the incident, the financial institution should also evaluate its response team’s efficiency and effectiveness. Are there aspects of the plan that can be improved? Were the communication lines clear and efficient? How long did it take for the team to spring into action? How long did it take to implement the mitigation? Was the response team appropriately staffed? Answers to these and other probing questions will serve to better prepare the institution for the next incident and should provide the basis for improvements to policies and procedures.

Preparing in advance for a cybersecurity incident can mean the difference between containing the release of sensitive data and having that data released to the public. Because preparations help control damage even if a breach happens, they can also make the difference between a small, manageable cybersecurity incident and a large, cumbersome data breach that could severely damage the reputation and operations of the company.

Advice for New Bank Directors


If you have recently been appointed to a bank board, chances are you’re like most new directors in that you came from outside the industry and have little knowledge of banking other than what you might have learned as a customer. If, for example, you’re the owner of a local business that relies heavily on its banking relationships to keep the enterprise going (as most small businesses do), you will certainly have an opinion about what constitutes good customer service. You also bring your own judgment and life experience outside of banking to the task, which will no doubt be very valuable to the board. But to be an effective bank director, you’re going to have to broaden your knowledge base considerably when it comes to banking. Good judgment isn’t enough. There are certain things that you will need to know.

Learning is a life-long exercise, and for as long as you serve on a bank board there will always be new things to learn. But here are four areas that I think new directors should give extra attention to:

Learn About Regulation.
Banking is a complicated and highly regulated industry, and banks can pay a steep price for their compliance sins. Take the time to understand the industry’s regulatory structure and the expectations of your bank’s primary regulators, which will vary depending on the size of your institution and whether it has a state or national charter. Also, zero in on the regulations that can have the greatest impact on your bank (for example, the Bank Secrecy Act and the various consumer protection rules). The regulators will hold your board accountable for any serious compliance violations, so it’s not a responsibility to be taken lightly.

Learn How Your Bank Works.
Banking is very different from most other businesses like, say, manufacturing and retailing, or professional services like accounting and lawyering. Yours is a governance rather than an operating role, but you should still learn how your bank works inside and out so you can engage fruitfully with management. Learn how your bank makes most of its money and where its greatest risks lie. Service on the board’s audit committee would provide a very powerful introduction to the workings of your bank, because there’s very little that the audit committee doesn’t get involved in.

Learn About Technology and Try to Embrace It.
Technology tends to be a black hole for most boards. Most people in their 60s and 70s, which fits the profile of many directors who serve on bank boards, don’t understand or use technology as comfortably as those who are 20 or 30 years younger. The problem is that banking is undergoing a technological revolution that goes well beyond mobile (which gets most of the attention these days) and touches almost every area of the bank. Directors need to understand how these trends are likely to impact their institution. Some banks try to recruit at least one tech-savvy director to their board, but these people are hard to find—and even if you find one, you can’t delegate the responsibility to understand technology to that person. Regular board-level briefings from your bank’s chief technology officer, attendance at industry conferences and a commitment to read up on the topic can all help educate you. Also, experiment with some of the consumer technology that has come into financial services in recent years. If you have an iPhone, activate its wallet feature. Open a Venmo account and use it. And if you don’t use your own bank’s mobile banking app, shame on you!

Learn About Cybersecurity.
As banks become more digital, their cyber risk profile will increase ipso facto. Trying to lessen the risk by resisting the push toward digital banking isn’t a rational strategy because your institution will be left behind. The U.S. economy and our national culture are all being profoundly impacted by the digital phenomenon, and it’s a game that all banks simply have to play. Your role as a director is to make sure your bank has a good cybersecurity program and team in place, that the program conforms to the latest industry standards and regulatory expectations, and that the board is being briefed regularly.

These are not the only critical areas that new directors need to understand, of course, but they would be on my short list of things to go to school on if I had just joined a bank board. Congratulations and good luck!

Three Themes Are at the Top of Bankers’ Minds Right Now


If one looks at the bank industry as a whole, it’s easy to agree with Jamie Dimon, the chairman and CEO of JPMorgan Chase & Co., the nation’s biggest bank by assets, that we are in the midst of a “golden age of banking.”

This is true on multiple fronts. Dimon’s comments were directed specifically at the easing of the regulatory burden on banks, an evolution that has been going on since the change in administration at the beginning of last year. The lighter touch is most evident at the Consumer Financial Protection Bureau, which has taken a more passive approach to enforcement actions under its current acting director, Mick Mulvaney. The broadest base of regulatory relief culminated last month, when federal legislation was signed into law that eased the compliance burden on smaller banks in particular.

Banks are also reaping benefits from the cut last year in the corporate income tax rate from 35 percent down to 21 percent. The change led to a surge in profits and profitability.

These events highlight a trio of themes that emerged from this year’s Bank Audit & Risk Committees Conference hosted by Bank Director in Chicago. Each theme is distinct, but the common denominator is that bank boards face an evolving landscape when it comes to the macroeconomic environment, cybersecurity threats and the means through which a bank can navigate that landscape.

Profitability is a point that Steve Hovde, chairman and CEO of Hovde Group, stressed in a presentation on the current and future state of banking. Banks earned a record $56 billion in the first quarter of the year, which amounted to 28 percent growth over the same quarter of 2017. And while the industry has yet to report a return on assets above 1 percent on an annual basis since the financial crisis a decade ago, the average bank eclipsed that figure in the first three months of the year.

And banks aren’t just more profitable, they’re also arguably safer, former Comptroller of the Currency Thomas Curry noted in a conversation with Bank Director magazine Editor in Chief Jack Milligan. Curry pointed to the fact that banks have more capital than they’ve had in decades.

Yet, as Hovde noted, many of these positive performance trends are not being experienced equally across the industry, with the lion’s share going to the biggest banks. The return on average assets of banks with between $10 billion and $50 billion in assets is 1.27 percent compared to 0.72 percent for banks with less than $1 billion in assets. This is also reflected in bank valuations, with big banks trading on average for more than two times tangible book value compared to 1.4 percent for smaller banks.

This gap is projected to grow with time, in part because of a second theme that coursed through conversations at this year’s Bank Audit & Risk Committees Conference: trends in technology and cyber threats, which large banks have deeper pockets to address. Of all the things that concern bank officers and directors right now, especially those tasked with audit- and risk-related duties, the need to defend against cyber threats is at the top of the list.

There are approximately 20 million hostile cyber events every day, with an estimated 200,000 of these targeted at financial institutions, noted Alex Hernandez, vice president of DefenseStorm, a cybersecurity defense firm. Seventy-three percent are perpetrated by people outside the organization compared to 28 percent by insiders. It isn’t just criminals who pose a threat, as nation-state actors are behind 12 percent of hostile cyber events, with their timing tending to coincide with elections.

The solution, Hernandez notes, is to double down on the fundamentals of cyber defense. “The most effective way to address cyber threats isn’t to focus on the latest shiny object like artificial intelligence, it’s about educating your staff and securing your network.” To this point, most threats come through unsophisticated channels, be it an email phishing scheme or malware delivered by way of a thumb drive.

One challenge in addressing these threats is simply recruiting the right expertise—not only at the bank level, but also on the board. Finding and retaining the right talent, in information security and elsewhere, was also a recurring theme. Most board members in attendance acknowledged they don’t know enough about technology to ask the right questions. But recruiting people who do is easier said than done, especially for banks in rural communities, which often try to tap into nearby metro areas for talent or offer creative compensation plans to retain younger officers.

There are certainly reasons to suggest big banks are experiencing a golden age, but smaller and mid-size banks shouldn’t use this recent change in fortune as an excuse to rest on their laurels. It remains incumbent on bank officers and directors to stay vigilant against ever-evolving cybersecurity risks and focused on recruiting the talent and designing effective governance structures to address them.

The Good and the Bad Facing Audit and Risk Committees Today


In today’s news cycle, it seems barely a week goes by before another headline flitters across a social news feed about a data breach at some major U.S. or foreign company. Hackers and scams seem to abound across the marketplace, regardless of industry or any defining factor.

Cybersecurity itself has become an increasingly important issue for bank boards—84 percent of directors and executives responding to Bank Director’s 2018 Risk Survey earlier this year cited cybersecurity as one of the top categories of risk they worry about most. Facing the industry’s cyber threats has become a principal focus for many audit and risk committees as well, along with their oversight of other external and internal threats.

Technology’s influence in banking has forced institutions to come to terms with both the inevitability of integrating technology somewhere within the bank’s operation and the risk that comes with that enhancement. Add to that the percolating influence of blockchain and cryptocurrency and the impending implementation of the new current expected credit loss (CECL) standard issued by the Financial Accounting Standards Board, and bank boards—especially the audit and risk committees within those boards—have been thrust into uncharted waters in many ways, with few points of reference to guide them other than what might be general provisions in their charters.

And lest we forget, audit and risk committees still face conventional yet equally important duties related to identifying and hiring the independent auditor, oversight of the internal and external audit function, and managing interest rate risk and credit risk for the bank—all still top priorities for individual banks and their regulators.

The industry is also in a welcome period of transition as the economy has regained its health, which has influenced interest rates and driven competition to new heights, and the current administration is bent on rolling back regulations imposed in the wake of the 2008 crisis that have affected institutions of all sizes.

These topics and more will be addressed at Bank Director’s 2018 Audit & Risk Committees Conference, held June 12-13 at Swissôtel in Chicago, covering everything from politics and the economy to stress testing, CECL and fintech partnerships.

Among the headlining moments of the conference will be a moderated discussion with Thomas Curry, a former director of the Federal Deposit Insurance Corp. who later became the 30th Comptroller of the Currency, serving a 5-year term under President Barack Obama and, briefly, President Donald Trump.

Curry was at the helm of the OCC during a key time in the post-crisis recovery. Among the topics to come up in the discussion with Bank Director Editor in Chief Jack Milligan are Curry’s views on the risks facing the banking system and his advice for CEOs, boards and committees, and his thoughts about more contemporary influences, including the recently passed regulatory reform package and the shifting regulatory landscape.