Effective Cybersecurity Demands Involvement From Everyone at Your Bank


Cybersecurity is one of the most discussed risks facing financial services companies today, but many organizations take too narrow an approach to combating cybercrime. These organizations make the mistake of placing responsibility for defending against the risks solely on their IT professionals.

As criminals continue to develop increasingly targeted attacks, institutions must tackle cybersecurity from an enterprise-wide perspective that goes further than mere regulatory compliance. Cybersecurity can no longer be the function of a single department: executives must see that it is embedded throughout the enterprise, from the branch to the boardroom.

Common Cybersecurity Gaps
Even institutions that have invested funding, allocated resources, built perimeters, and complied with regulations can fall prey to a single point of cybersecurity failure. Some of the recent major attacks have resulted, at least in part, from one of the following failure points:

  • Poor governance
  • Weak passwords
  • Inaccurate monitoring, or unattended security information and event management (SIEM) functions
  • Inadequate system patching procedures
  • Lack of cyberintelligence (external information gathered on known attacks)
  • Insufficient training
  • Lack of incident response planning

Notably, vulnerabilities such as weak passwords and insufficient training involve more than just IT staff. Organizations that involve every department empower employees to think daily about how their actions protect or expose the organization, which translates into multiple points of control. Strong governance is, of course, essential to achieving such an embedded mindset.

The Need for a Tailored Approach
Many financial services organizations have responded to cyberthreats by investing heavily in costly, one-size-fits-all technology systems. They rely on traditional controls for protection, such as firewalls, encryption, anti-virus software, and multifactor authentication. These components are helpful and most often necessary; however, they are rarely sufficient on their own, and many institutions require more tailored controls and processes. Organizations should instead adopt enterprise-wide cybersecurity programs commensurate with their particular risks and sensitive assets.

For example, it’s common for a financial service organization to provide employee training on cyber risks. But standardized, “off-the-shelf” training does not consider the varying degrees of risk across the staff population. For training to be meaningful, it must be customized to different employees’ roles and access to data.

To develop such training, as well as other appropriate controls, an organization will need to identify the assets it wishes to protect and the associated access points. Each department or business unit that maintains sensitive information must catalog the information and classify the sensitivity of each asset, taking into account the organization’s risk appetite (the acceptable level of risk exposure). The departments then should identify all methods of access to each asset, as well as the parties with such access, and quantify the resulting risk.

Only when armed with this information can a financial services organization tailor appropriate controls and properly allocate resources against the related cyberthreats. For example, most organizations do not need to treat data across the enterprise equally. Rather, they can define unique security controls for the most sensitive data. Similarly, it might be wise to institute the most comprehensive training in departments that have access to sensitive data, are customer-facing, or provide information to third parties on behalf of the organization.

Enterprise incident response is another area that calls for a more customized approach. An organization should identify the employees best positioned to notice suspicious activity and ensure they know how to respond. IT employees who monitor account and system activity should be included in this process, but key stakeholders and employees who are client- and third-party-facing also should be involved. The organization also must have an appropriate response plan ready to execute when those on the front lines raise the red flag.

Critical Steps
To adopt an enterprise-wide cybersecurity program, financial services organizations should:

  1. Identify and prioritize sensitive assets.
  2. Design and implement tailored and global controls aligned with sensitive assets and their associated risks (including dual controls for especially sensitive areas).
  3. Ensure executives and the board are aware of and aligned to the tailored program, which includes making cybersecurity part of the overall strategy of the institution.
  4. Educate employees specifically for their roles and the associated risks.
  5. Manage cybersecurity at the enterprise level and on employee devices.
  6. Continuously monitor significant areas and environmental changes.
  7. Keep software and systems up to date.

Multiplying the Benefits
Financial services organizations that take a broad view of cybersecurity establish more effective and cost-efficient controls. Moreover, organizations with all of their employees on the same page are more likely to enjoy improved performance.

How Financial Institutions Should Prepare For and Respond to a Cybersecurity Incident


Cybersecurity incidents and data compromises continue to plague financial institutions on a seemingly daily basis. Without a proper response plan in place, financial institutions risk significant damage to their reputation and operations, as well as serious potential liability from regulators and class-action litigation. This guide outlines the procedures financial institutions should implement to prepare for and respond to a cybersecurity incident.

It is crucial that financial institutions adopt a response policy to mitigate the harm of a cybersecurity incident. This policy should establish a response team, including an executive officer and technical and operational personnel, charged with handling all cybersecurity incidents.

Time is of the essence during any cybersecurity incident, and communication is vital to the response team’s effective handling and investigation of the situation. Each employee should know how to report an incident. Notification processes, responsible personnel, and other elements of the communications plan should be as seamless as possible to enable the cybersecurity response team to immediately investigate the potential incident and determine whether an incident actually occurred. As soon as the incident is confirmed, the team must immediately respond.

Determine the severity of the incident. The response team should first determine the severity of the harm and the type of incident that occurred. This will help determine the scope of response necessary to appropriately address the incident. The team should be sure to create a detailed record of all investigations and responses.

Mitigate the harm. The response team next should work to contain the harm to its systems. For example, the team can quarantine or isolate the compromised system, install security patches to prevent further incidents, update anti-virus signatures, and conduct a vulnerability analysis to identify elements of the system potentially at risk of a similar incident.

Establish lines of communication. Pre-determined and clear lines of communication, both internal and external, are critical to responding to an incident. The response team should also be in communication with appropriate auxiliary teams in the financial institution. For example, if the cybersecurity incident led to customer information being compromised, the response team should coordinate with the customer relations team to facilitate customer notification. Senior management should also inform the board of directors of the incident so that the directors can assist in developing a response strategy as appropriate.

When deemed necessary, the response team should also be in contact with third-party advisors, such as legal counsel or forensics experts. If the response team determines an incident has potentially compromised personally identifiable information or other legally protected information, the team should immediately contact legal counsel and the institution’s insurance carrier (unless instructed otherwise by legal counsel).

Review and repair vulnerabilities. After a financial institution has experienced a cybersecurity incident, it should evaluate system vulnerabilities by identifying the incident’s source and method. The financial institution should rectify or mitigate the risk of the vulnerabilities as soon as possible.

After addressing the incident, the financial institution should also evaluate its response team’s efficiency and effectiveness. Are there aspects of the plan that can be improved? Were the communication lines clear and efficient? How long did it take for the team to spring into action? How long did it take to implement the mitigation? Was the response team appropriately staffed? Answers to these and other probing questions will serve to better prepare the institution for the next incident and should provide the basis for improvements to policies and procedures.

Preparing in advance for a cybersecurity incident can mean the difference between containing sensitive data and seeing it released to the public. Because preparation limits the damage even when a breach does occur, it can also mean the difference between a small, manageable incident and a large, cumbersome data breach that severely damages the reputation and operations of the company.

Advice for New Bank Directors


If you have recently been appointed to a bank board, chances are you’re like most new directors in that you came from outside the industry and have little knowledge of banking other than what you might have learned as a customer. If, for example, you’re the owner of a local business that relies heavily on its banking relationships to keep the enterprise going (as most small businesses do), you will certainly have an opinion about what constitutes good customer service. You also bring your own judgment and life experience outside of banking to the task, which will no doubt be very valuable to the board. But to be an effective bank director, you’re going to have to broaden your knowledge base considerably when it comes to banking. Good judgment isn’t enough. There are certain things that you will need to know.

Learning is a life-long exercise, and for as long as you serve on a bank board there will always be new things to learn. But here are four areas that I think new directors should give extra attention to:

Learn About Regulation.
Banking is a complicated and highly regulated industry, and banks can pay a steep price for their compliance sins. Take the time to understand the industry’s regulatory structure and the expectations of your bank’s primary regulators, which will vary depending on the size of your institution and whether it has a state or national charter. Also, zero in on the regulations that can have the greatest impact on your bank (for example, the Bank Secrecy Act and the various consumer protection rules). The regulators will hold your board accountable for any serious compliance violations, so it’s not a responsibility to be taken lightly.

Learn How Your Bank Works.
Banking is very different from most other businesses like, say, manufacturing and retailing, or professional services like accounting and lawyering. Yours is a governance rather than an operating role, but you should still learn how your bank works inside and out so you can engage fruitfully with management. Learn how your bank makes most of its money and where its greatest risks lie. Service on the board’s audit committee would provide a very powerful introduction to the workings of your bank, because there’s very little that the audit committee doesn’t get involved in.

Learn About Technology and Try to Embrace It.
Technology tends to be a black hole for most boards. Most people in their 60s and 70s, which fits the profile of many directors who serve on bank boards, don’t understand or use technology as comfortably as those who are 20 or 30 years younger. The problem is that banking is undergoing a technological revolution that goes well beyond mobile (which gets most of the attention these days) and touches almost every area of the bank. Directors need to understand how these trends are likely to impact their institution. Some banks try to recruit at least one tech-savvy director to their board, but these people are hard to find—and even if you find one, you can’t delegate the responsibility to understand technology to that person. Regular board-level briefings from your bank’s chief technology officer, attendance at industry conferences and a commitment to read up on the topic can all help educate you. Also, experiment with some of the consumer technology that has come into financial services in recent years. If you have an iPhone, activate its wallet feature. Open a Venmo account and use it. And if you don’t use your own bank’s mobile banking app, shame on you!

Learn About Cybersecurity.
As banks become more digital, their cyber risk profile will increase ipso facto. Trying to lessen the risk by resisting the push toward digital banking isn’t a rational strategy because your institution will be left behind. The U.S. economy and our national culture are all being profoundly impacted by the digital phenomenon, and it’s a game that all banks simply have to play. Your role as a director is to make sure your bank has a good cybersecurity program and team in place, that the program conforms to the latest industry standards and regulatory expectations, and that the board is being briefed regularly.

These are not the only critical areas that new directors need to understand, of course, but they would be on my short list of things to go to school on if I had just joined a bank board. Congratulations and good luck!

Three Themes Are at the Top of Bankers’ Minds Right Now


If one looks at the bank industry as a whole, it’s easy to agree with Jamie Dimon, the chairman and CEO of JPMorgan Chase & Co., the nation’s biggest bank by assets, that we are in the midst of a “golden age of banking.”

This is true on multiple fronts. Dimon’s comments were directed specifically at the easing of the regulatory burden on banks, an evolution that has been going on since the change in administration at the beginning of last year. The lighter touch is most evident at the Consumer Financial Protection Bureau, which has taken a more passive approach to enforcement actions under its current acting director, Mick Mulvaney. The broadest base of regulatory relief culminated last month, when federal legislation was signed into law that eased the compliance burden on smaller banks in particular.

Banks are also reaping benefits from the cut last year in the corporate income tax rate from 35 percent down to 21 percent. The change led to a surge in profits and profitability.

These events highlight a trio of themes that emerged from this year’s Bank Audit & Risk Committees Conference hosted by Bank Director in Chicago. Each theme is unique, but the common denominator is that bank boards face an evolving landscape when it comes to the macroeconomic environment, cyber security threats and the means through which a bank can navigate this landscape.

Profitability is a point that Steve Hovde, chairman and CEO of Hovde Group, stressed in a presentation on the current and future state of banking. Banks earned a record $56 billion in the first quarter of the year, which amounted to 28 percent growth over the same quarter of 2017. And while the industry has yet to report a return on assets above 1 percent on an annual basis since the financial crisis a decade ago, the average bank eclipsed that figure in the first three months of the year.

And banks aren’t just more profitable, they’re also arguably safer, former Comptroller of the Currency Thomas Curry noted in a conversation with Bank Director magazine Editor in Chief Jack Milligan. Curry pointed to the fact that banks have more capital than they’ve had in decades.

Yet, as Hovde noted, many of these positive performance trends are not being experienced equally across the industry, with the lion’s share going to the biggest banks. The return on average assets of banks with between $10 billion and $50 billion in assets is 1.27 percent, compared to 0.72 percent for banks with less than $1 billion in assets. This is also reflected in bank valuations, with big banks trading on average for more than two times tangible book value compared to 1.4 times for smaller banks.

This gap is projected to grow with time, in part because of a second theme that coursed through conversations at this year’s Bank Audit & Risk Committees Conference: trends in technology and cyber threats, which large banks have deeper pockets to address. Of all the things that concern bank officers and directors right now, especially those tasked with audit- and risk-related duties, the need to defend against cyber threats is at the top of the list.

There are approximately 20 million hostile cyber events every day, with an estimated 200,000 of these targeted at financial institutions, noted Alex Hernandez, vice president of DefenseStorm, a cybersecurity defense firm. Seventy-three percent are perpetrated by people outside the organization compared to 28 percent by insiders. It isn’t just criminals who pose a threat, as nation-state actors are behind 12 percent of hostile cyber events, with their timing tending to coincide with elections.

The solution, Hernandez notes, is to double down on the fundamentals of cyber defense. “The most effective way to address cyber threats isn’t to focus on the latest shiny object like artificial intelligence, it’s about educating your staff and securing your network.” To this point, most threats come through unsophisticated channels, be it an email phishing scheme or malware delivered by way of a thumb drive.

One challenge in addressing these threats is simply recruiting the right expertise, not only at the bank level but also on the board. Finding and retaining the right talent, in information security and elsewhere, was a recurring theme. Most board members in attendance acknowledged they don’t know enough about technology to ask the right questions. But recruiting people who do is easier said than done, especially for banks in rural communities, which often try to tap into nearby metro areas for talent or offer creative compensation plans to retain younger officers.

There are certainly reasons to suggest big banks are experiencing a golden age, but smaller and mid-size banks shouldn’t use this recent change in fortune as an excuse to rest on their laurels. It remains incumbent on bank officers and directors to stay vigilant against ever-evolving cybersecurity risks and focused on recruiting the talent and designing effective governance structures to address them.

The Good and the Bad Facing Audit and Risk Committees Today


In today’s news cycle, it seems barely a week goes by before another headline flits across a social news feed about a data breach at some major U.S. or foreign company. Hackers and scams seem to abound across the marketplace, regardless of industry or any other defining factor.

Cybersecurity itself has become an increasingly important issue for bank boards—84 percent of directors and executives responding to Bank Director’s 2018 Risk Survey earlier this year cited cybersecurity as one of the top categories of risk they worry about most. Facing the industry’s cyber threats has become a principal focus for many audit and risk committees as well, along with their oversight of other external and internal threats.

Technology’s influence in banking has forced institutions to come to terms not just with the inevitability of integrating technology somewhere within the bank’s operations, but also with the risk that comes with it. Add to that the percolating influence of blockchain and cryptocurrency and the impending implementation of the new current expected credit loss (CECL) standard issued by the Financial Accounting Standards Board, and bank boards, especially their audit and risk committees, have been thrust into uncharted waters in many ways, with few points of reference to guide them other than what might be general provisions in their charters.

And lest we forget, audit and risk committees still face conventional yet equally important duties related to identifying and hiring the independent auditor, oversight of the internal and external audit function, and managing interest rate risk and credit risk for the bank—all still top priorities for individual banks and their regulators.

The industry is also in a welcome period of transition as the economy has regained its health, which has influenced interest rates and driven competition to new heights, and the current administration is bent on rolling back regulations imposed in the wake of the 2008 crisis that have affected institutions of all sizes.

These topics and more will be addressed at Bank Director’s 2018 Audit & Risk Committees Conference, held June 12-13 at Swissôtel in Chicago, covering everything from politics and the economy to stress testing, CECL and fintech partnerships.

Among the headlining moments of the conference will be a moderated discussion with Thomas Curry, a former director of the Federal Deposit Insurance Corp. who later became the 30th Comptroller of the Currency, serving a 5-year term under President Barack Obama and, briefly, President Donald Trump.

Curry was at the helm of the OCC during a key time in the post-crisis recovery. Among the topics to come up in the discussion with Bank Director Editor in Chief Jack Milligan are Curry’s views on the risks facing the banking system and his advice for CEOs, boards and committees, and his thoughts about more contemporary influences, including the recently passed regulatory reform package and the shifting regulatory landscape.

Cybersecurity Should Keep Bank Leaders Up at Night


Two years in a row, Mike Morris and his team at the consulting firm Porter Keadle Moore dinged a client bank for what the firm saw as a potential security threat: allowing access to personal email accounts on company equipment.

Then about a month ago, on a Friday afternoon, Morris, a partner and cybersecurity expert at PKM, got a call. The bank they had written up two straight years for the same potential security lapse had, in fact, been breached by someone using personal email on company equipment, exactly what they had identified as the possible threat.
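The finding above, personal webmail reachable from company equipment, is one a bank can verify for itself from its own web-proxy logs rather than waiting for an auditor. The script below is an added example, not code from the article or from PKM: it assumes a Squid-style access log (that format is an assumption), uses a small illustrative set of consumer webmail domains, and runs over constructed log lines rather than real data. It reports which users and workstations reached webmail, including CONNECT tunnels to port 443, which is how most such traffic actually shows up.

```python
"""Flag personal-webmail access in web-proxy logs.

Added example, not from the article or from PKM. Assumes a Squid-style
native access.log (assumption); the webmail domain list is illustrative and
the log lines are constructed for this example, not real traffic.
"""
from collections import Counter
from urllib.parse import urlsplit

# Assumed block list. A real deployment would take this from the proxy's
# web-category feed or the bank's acceptable-use policy.
WEBMAIL_DOMAINS = {
    "mail.google.com",
    "outlook.live.com",
    "mail.yahoo.com",
    "mail.aol.com",
}

# Constructed sample lines in Squid native format:
# time elapsed client code/status bytes method url user peer/host type
SAMPLE_LOG = """\
1528650000.123    145 10.20.30.41 TCP_MISS/200 5123 GET https://mail.google.com/mail/u/0/ jsmith HIER_DIRECT/172.217.0.1 text/html
1528650001.456     12 10.20.30.42 TCP_MISS/200  812 GET https://www.fdic.gov/ dlee HIER_DIRECT/192.0.2.10 text/html
1528650002.789     98 10.20.30.41 TCP_MISS/200 2048 POST https://mail.google.com/sync/u/0/ jsmith HIER_DIRECT/172.217.0.1 application/json
1528650003.001     33 10.20.30.43 TCP_TUNNEL/200  700 CONNECT outlook.live.com:443 rkim HIER_DIRECT/40.97.0.1 -
1528650004.555     40 10.20.30.44 TCP_MISS/200  900 GET https://core-vendor.example/ - HIER_DIRECT/198.51.100.7 text/html
"""


def host_from_url(url: str) -> str:
    """Extract the destination host; CONNECT requests log bare host:port."""
    if "://" not in url:
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()


def is_webmail(host: str) -> bool:
    """True if host is a listed webmail domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in WEBMAIL_DOMAINS)


def parse_line(line: str):
    """Parse one Squid native log line into the fields we need, or None."""
    parts = line.split()
    if len(parts) < 8:
        return None
    return {
        "ts": float(parts[0]),
        "client": parts[2],
        "method": parts[5],
        "url": parts[6],
        "user": parts[7],  # '-' when the proxy did not authenticate the user
    }


def find_webmail_access(log_text: str):
    """Return (user, client_ip, host, method) for every webmail request."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        host = host_from_url(rec["url"])
        if is_webmail(host):
            hits.append((rec["user"], rec["client"], host, rec["method"]))
    return hits


def summarize(hits) -> Counter:
    """Count webmail requests per proxy user for the report."""
    return Counter(user for user, _, _, _ in hits)


if __name__ == "__main__":
    found = find_webmail_access(SAMPLE_LOG)
    for user, client, host, method in found:
        print(f"{user:8} {client:15} {method:8} {host}")
    print("per-user totals:", dict(summarize(found)))
```

Matching on the host rather than the full URL is deliberate: once a session is established over TLS the proxy sees only the CONNECT target, so a URL-based rule would miss almost everything. Users logged as `-` (unauthenticated) should be traced back to the workstation IP, which is why the client address is kept in each hit.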

Such cybersecurity threats are among the most serious for any institution for a multitude of reasons, from fiduciary responsibilities to reputation and beyond. Cybersecurity will be a common topic at Bank Director’s 2018 Bank Audit & Risk Committees Conference, held June 12-13 in Chicago.

Morris has multiple stories about hacks and phishing scams that have in some way compromised personal data or a customer’s own money.

Another recent case: A customer fell victim to a phishing scam, and the source in China managed to wire $150,000 through another bank before they “got lazy” and tried to draw another $150,000 directly from the customer’s bank. The second transaction, thankfully, was caught by the bank’s compliance team in review.

“That’s happening on a regular basis, and it’s not a new trend, but yeah, it’s happening all the time,” Morris says.

Some of the financial services industry’s most experienced experts paint a dark picture about how prepared—or not—banks generally are for cyberattacks, or perhaps more generally, just threats to customer information that could ultimately pose a risk to the bank.

It’s not a new challenge for the industry. Banks have had training, along with regulator attention and oversight, on this topic for at least a decade, but with an increasingly vast digital footprint, troves of data and relationships with vendors outside the walls of the bank, the potential threats grow in step.

“Firms that successfully introduce cutting-edge technologies need to infuse cybersecurity risk management practices throughout the entire development life cycle to identify and mitigate new risks as they emerge,” said Bob Sydow, a principal at Ernst & Young, in testifying before the Senate Banking Committee in late May. “This shift in mindset from thinking about cybersecurity as a cost of doing business to seeing it as a growth enabler is not easy, but it is the only viable path forward.”

The data about cyber threats, not to mention what seem like weekly headlines about data breaches, does little to ease any worry that bank leaders or risk officers might have. The 2017-18 Global Information Security Survey by Ernst & Young found that nearly 90 percent of some 1,200 respondents around the world said their cybersecurity function doesn’t fully meet their organization’s needs. More than a third said their data protection policies were ad hoc or nonexistent, Sydow told senators, just weeks after Facebook CEO Mark Zuckerberg was on Capitol Hill testifying about Cambridge Analytica’s use of the social network’s user data.

“As banks and other financial services firms define their digital strategies, their operations are becoming ever more integrated into an evolving and, at times, poorly understood cyber ecosystem,” Sydow said.

That integration Sydow talked about is an area where there’s considerable risk, Morris says, that should be reviewed and understood by audit committees, risk committees, boards and other bank leaders. Financial institutions are working with an increasing number of third-party vendors for specific services or products, some of which require that vendor to access the data of the bank’s customers. That itself presents a risk, and boards should be especially careful when negotiating contracts that in early draft stages tend to favor the interests of the vendor but are often revised through the negotiation process.

Morris says it should be a top priority for banks to have a right-to-audit clause or confidentiality clause in those agreements, which gives the bank some authority to ensure the data to which they are allowing access is treated properly and kept secure. Boards should also take the opportunity to update or revise long-standing contractual agreements, like those with core system providers, when they come up for renewal.

Many institutions have lengthy contracts with their core technology providers, and with data security a preeminent concern, those renewals should be taken seriously.

“You have that moment of power when you haven’t signed an updated agreement that you can get some of these clauses put in there,” Morris says.

Regulatory Issues to Watch In 2018


As 2018 unfolds, all eyes in the financial services industry continue to look to Washington, D.C. In addition to monitoring legislative moves toward regulatory reform and leadership changes at federal regulatory agencies, bank executives also are looking for indications of expected areas of regulatory focus in the near term.

Regulatory Relief and Leadership Changes
Both the U.S. House of Representatives and the Senate began 2018 with a renewed focus on regulatory reform, which includes rollbacks of some of the more controversial provisions of the Dodd-Frank Wall Street Reform and Consumer Protection Act, the sweeping reform passed after the 2008 financial crisis. These legislative actions are ongoing, and the final outcomes remain uncertain. Moreover, even after a final bill is signed, regulatory agencies will need time to incorporate the results into their supervisory efforts and exam processes.

Meanwhile, the federal financial institution regulatory agencies are adjusting to recent leadership changes. The Federal Reserve (Fed), Office of the Comptroller of the Currency (OCC), Federal Deposit Insurance Corporation (FDIC), National Credit Union Administration (NCUA), and Consumer Financial Protection Bureau (CFPB) have new leaders in place or forthcoming, some of whom have been vocal supporters of a more “common sense” approach to financial regulation and who generally are supportive of regulatory relief. In the case of the CFPB, the ultimate direction of the agency could remain uncertain until a permanent director is appointed later in 2018.

Regulators’ Priorities in 2018
Notwithstanding the regulatory reform efforts, following are some areas likely to draw the most intense scrutiny from regulatory agencies during 2018 examination cycles:

Credit-related issues. While asset quality continues to be generally sound industrywide, concerns over deteriorating underwriting standards and credit concentrations continue to attract significant regulatory attention, accounting for the largest share of matters requiring attention (MRAs) and matters requiring board attention (MRBAs).

The federal banking regulators have encouraged banks in recent months to maintain sound credit standards within risk tolerances, understand the potential credit risks that might be exposed if the economy weakens, and generally strengthen their credit risk management systems by incorporating forward-looking risk indicators and establishing a sound governance framework. At the portfolio level, regulators are particularly alert to high concentrations in commercial real estate, commercial and industrial, agriculture, and auto loans, according to the FDIC.

Information technology and cybersecurity risk. The Federal Financial Institutions Examination Council (FFIEC) updated its Cybersecurity Assessment Tool in May 2017. Although its use is voluntary, federal and state banking regulators typically consider a bank’s use of the FFIEC tool or some other recognized assessment or framework as part of their assessment of an organization’s cybersecurity risk management, controls, and resilience.

On a broader scale, in February 2018, the Department of Justice announced a new cybersecurity task force. Although the task force is not directed specifically at the financial services industry, its first report, expected to be released this summer, could provide useful insight into the scope of the task force’s activities and potential guidance into what types of regulatory actions and controls to expect in the coming years.

Bank Secrecy Act and anti-money laundering (BSA/AML) compliance. The industry has seen a steady increase in enforcement actions, some of which have included severe sanctions, when regulators perceived that banks had pared back resources in this area too severely. Compliance with Office of Foreign Assets Control (OFAC) requirements and efforts to prevent terrorist financing also continue to draw regulatory scrutiny.

Consumer lending practices. Regulatory priorities in this area are likely to remain somewhat fluid given the leadership changes occurring at the CFPB, where a permanent director is to be appointed by September. Additionally, legislative efforts that could affect the structure and authority of the bureau also are underway.

Third-party and vendor risk management. It has been nearly five years since the OCC released OCC Bulletin 2013-29, which expanded the scope of banks’ third-party risk management responsibilities and established the expectation for a formal, enterprise-wide third-party risk management effort. Since then, regulatory agencies have issued several follow-up publications, such as OCC Bulletin 2017-7, which spells out supplemental exam procedures. Also in 2017, the FDIC’s Office of Inspector General issued a report with guidance regarding third-party contract terms, business continuity planning, and incident response provisions, and the Fed published an article, “The Importance of Third-Party Vendor Risk Management Programs,” which includes a useful overview of third-party risk issues.

Despite the industry’s hopes for regulatory relief in some areas, all financial services organizations should continue to focus on maintaining sound risk management policies and practices that reflect today’s environment of continuing change and growing competitive pressures.

Cybersecurity & Regtech: Defending The Bank

How can financial institutions proactively combat the risks facing the industry today? The 2018 Risk Survey—presented by Bank Director and Moss Adams LLP—compiled the insights of directors, chief executive officers and senior executives of U.S. banks with more than $250 million in assets. According to the survey, the worries keeping top executives awake at night align with the key priorities that banks commonly hear from banking regulators: cybersecurity, compliance and strategic risk.

Cybersecurity
Cybersecurity was the biggest concern by far, reported by 84 percent of respondents.

The survey addressed the confidence that executives and directors have in their institutions’ cybersecurity programs, with an emphasis on staffing and overall effectiveness. Access to the proper talent—in the form of a chief information security officer (CISO) or a strategic partner with the necessary skill set—and the associated costs are key to a successful program, and 71 percent of respondents revealed their bank employs a full-time CISO.

While technical skills are valuable in today’s business environment, financial institutions must overcome their dependence on skilled technicians who don’t necessarily have the ability to strategically look at the changing technological landscape. The CISO should build an appropriate plan by taking a full view of the bank’s technology and strategy. Without this perspective, a bank could provide hackers with an opening to breach the institution, regardless of size or location.

Institutions building the foundation of a robust cybersecurity program should also focus on three key areas:

  • Assessment tools: Is the institution leveraging the proper technologies to help maximize the detection and containment of potential issues?
  • Risk assessments: Has management identified current risks to the organization and implemented proper mitigation strategies?
  • Data classification: Has management identified all critical data and its forms, and addressed the protection of this data in the risk-assessment process?

Compliance
Compliance was the second biggest area of concern, identified by 49 percent of respondents. It’s an area that continues to evolve as new regulators have been appointed to head the agencies that regulate the industry, and technological tools—dubbed regtech—have entered the marketplace.

More than half of survey respondents indicated that the introduction of regtech has increased their banks’ compliance budgets, demonstrating that the cost of solutions and staff to evaluate, deploy and support these efforts in an effective manner is a growing challenge.

Because the volume of available data and the ability to analyze that data continue to grow, respondents may have felt this technology should have effectively decreased the cost of operating a robust compliance program.

Executives looking to decrease costs may want to consider the staffing required to operate a compliance program and whether deploying technology would allow for fewer personnel. When technology is properly used and standards are developed to help guarantee efficient use of it, the dilemma of acquiring technology versus adding staff can often be more easily solved.

Strategic Risk
Strategic risk was the third largest area for concern, identified by 38 percent of respondents. Many directors and executives are wrestling with what the future holds for their institutions. The debate often boils down to one question: Should they continue to build branches or invest more in technology—either on their own or by partnering with fintech companies?

Fintech companies are growing players in the lending and payments segments, areas that were historically handled exclusively by traditional institutions. That, coupled with clients who no longer value personal relationships and instead prioritize being able to immediately access services via their devices, increases the pressure to deliver services via technology channels.

Financial institutions have entered what many would call a perfect storm. Every institution will need to make hard decisions about how to address these issues in a way that facilitates growth.

Assurance, tax, and consulting offered through Moss Adams LLP. Wealth management offered through Moss Adams Wealth Advisors LLC. Investment banking offered through Moss Adams Capital LLC.

Digitization Inside and Out of the Boardroom

As global businesses and markets are caught in a seemingly perpetual cycle of disruption and adjustment, company leadership and directors are tasked with finding new, innovative ways of communicating and working with shareholders in an increasingly complex and fragmented landscape. This is even more important given the massive technological advancements within the last decade, which have not only shifted the ways in which companies operate, but also the means by which businesses and investors convey and share information.

Recent advancements in technology have transformed everyday business processes through digitization, which, in turn, has made cybersecurity a top priority. Moreover, they have made the world a much more connected place, facilitating business at a faster pace than ever before. To help company leadership adjust, new technologies have been developed to help directors and leadership teams improve collaboration and workflow.

Digitization
Today’s boards are going paperless, and the reality has become indisputable: directors are turning away from printed documents in favor of digital information that is easy to share and accessible on mobile platforms, like board portals.

Through digitization, directors are now accustomed to heightened levels of speed and efficiency across all business processes. With board portals, corporate secretaries and meeting managers are able to streamline board book creation and tighten information security. The benefits of this technology are clear: easy access to digital meeting information with user-friendly tools for assigning tasks, approvals, consent votes and secure messaging.

We have also observed a growing trend driving increased global demand for board portal solutions: the need to collaborate and share confidential information and documents across internal and external teams in a highly secured environment. The C-suite executives who already use our board portal tools for director-level collaboration are now expanding that capability across their organizations, all through a single sign-on service.

Cybersecurity
As businesses shift to digital platforms, data security plays a much bigger role. Companies must closely scrutinize how sensitive information is handled due to the risk of breaches. Cyberattacks are common and can result in significant financial and reputational damage; cybercrime damage costs are expected to total $6 trillion annually by 2021, according to CSO. This makes it especially important for boards and company leadership to take a strategic approach to data protection. Information is being shared in more rapid and innovative formats, and the methods by which boards communicate with shareholders will need to prioritize safety along with accessibility.

Protecting sensitive information should be at the top of a company’s concerns. This is why solutions should comply with strict encryption standards, multi-factor authentication and a completely cloud-less data storage system. Companies can also leverage machine learning and artificial intelligence (AI) to navigate and secure large volumes of data. These technologies can monitor and detect network anomalies that signal potential attacks and prevent further access before data is compromised.

Globalization
Due to the digitization of communication channels, we are now able to connect and do business in seconds with people halfway across the world. As technology brings us closer together, it breaks barriers to information accessibility. This ease of information exchange has impacted investing by virtually removing any impediments that once stood in the way of certain markets.

Increased ease of access to information around the world means companies, and particularly company leadership, should ensure key information is digestible for all stakeholders. That’s why being equipped with full translation services for common languages can be advantageous.

Moreover, as globalization continues to facilitate business and investing opportunities, shareholder bases are broader and more diverse than ever before. With the rise of passive investing, companies lack a level of transparency that allows them to know who their stakeholders are. For this reason, it is necessary to take advantage of tools and technologies that provide actionable insights into passive investment data and provide a more comprehensive picture of shareholders.

Looking Ahead
As technology continues to augment the ways in which companies operate, boards need to keep pace, ensuring they are communicating with their shareholders in the most efficient and preferred methods possible.

Shelter From the Cyber Storm

In 2014, the Federal Financial Institutions Examination Council issued a statement on behalf of its members—including the Federal Deposit Insurance Corp., the Federal Reserve, the Office of the Comptroller of the Currency and the Consumer Financial Protection Bureau—recommending that financial institutions of all sizes participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC), an organization focused on threat intelligence analysis and sharing. Cybersecurity has been a growing issue for the U.S. economy and the banking industry, and cyber intelligence is a significant focus of the organization, as are natural disasters, such as the recent hurricanes that hit Texas, Florida and Puerto Rico. “Participating in information-sharing forums is an important element of an institution’s risk management processes and its ability to identify, respond to, and mitigate cybersecurity threats and incidents,” the FFIEC said in the statement. “Financial institutions participating in information-sharing forums have improved their ability to identify attack tactics and successfully mitigate cyberattacks on their systems. Additionally, these institutions have gained deeper insight into specific vulnerabilities and collected methods for identifying vulnerabilities on their systems and enhancing controls.”

Resources like FS-ISAC help banks learn from each other about the cybersecurity threats facing the industry. But what happens when hackers hit your bank, and customers’ data is compromised?

Sheltered Harbor, an affiliate of FS-ISAC based in Reston, Virginia, was established following a series of cybersecurity simulation exercises, called the Hamilton Series, which were conducted by the Financial Services Coordinating Council, in coordination with the U.S. Dept. of the Treasury and with support from FS-ISAC. “These exercises are tabletop simulations of possible events with the goal to exercise, in the classic sense of practice, and to identify vulnerabilities that should be addressed by the industry,” says Steven Silberstein, the chief executive of Sheltered Harbor. “Sheltered Harbor is the industry’s response for one of these vulnerabilities: to ensure business continuity for retail banking customers if an attack happens, and all defenses fail.” The organization partners with member banks to ensure their customers’ accounts are safe should a cyberattack damage the bank’s data. If a bank is unable to recover from such an attack in a timely manner, the bank’s customers would still be able to access their accounts through another member financial institution. The data is encrypted and remains private, and there is no disruption in service for the customer.

Much like its parent organization, FS-ISAC, Sheltered Harbor helps banks work together to ensure the safety of consumer data. Regulators don’t require that banks join, but Sheltered Harbor already represents 63 percent of U.S. retail bank and brokerage accounts, according to the organization. Membership fees are based on a sliding scale and are determined by the size of the financial institution.

In this interview, Bank Director’s Director of Research, Emily McCormick, asks Silberstein about lessons learned from recent cyberattacks, and the policies and procedures that institutions should have in place to protect customers if a cyberattack damages account data.

BD: What are some lessons that bank boards should take to heart following recent cyberattacks, including the Equifax data breach?

Silberstein: Bank boards should have a tight pulse on the organization’s cybersecurity preparedness and cyber hygiene. Many corporations have cybersecurity scorecards that are updated and shared with the board of directors. These scorecards enable the board to assess the security of the enterprise and make appropriate decisions about strategy, staffing and internal standards.

In this rapidly evolving cyber environment, it’s important to use the most advanced technology to protect all of the “doors” to your company. Utilize scorecards as living and evolving tools to maintain a pulse on preparedness, and always ask what could happen from a business point of view, not just a cyber point of view. I call this healthy paranoia.

BD: What information should be included on those cybersecurity scorecards?

Silberstein: Each organization needs a consistent framework to continually assess risks, report on them, and respond to current and future risks. These include internal and external risks, existing vulnerabilities and remediation programs underway, recent events and lessons learned, organizational challenges, and third-party risk. Additionally, an organization can measure its cybersecurity implementation using frameworks like the Integrated Adaptive Cyber Defense, or IACD, framework and/or the National Institute of Standards and Technology [NIST] cybersecurity framework. Using the IACD framework, financial institutions can quickly prevent, detect and respond to attacks that may impact customers using technical guidelines for application of commercially available automation technology tools and systems. The NIST framework is about assessing risk and developing a risk management plan. The two frameworks complement each other.

BD: What does it mean when a financial institution becomes Sheltered Harbor ready?

Silberstein: When a financial institution becomes Sheltered Harbor ready, it means that it has implemented the additional resiliency prescribed by the Sheltered Harbor specification. At a high level, the model empowers financial institutions to securely store and rapidly restore customer account information using an industry standard format. Consumers would then benefit by having access to their accounts and basic transactions rapidly restored after a major incident at an institution.

BD: What policies, systems and personnel does the bank need to have in place in order to make this work?

Silberstein: First, most institutions are using a service provider for core banking services. Most large service providers are already implementing Sheltered Harbor capability, so for these institutions the focus is mainly on the business continuity planning that is specific to the Sheltered Harbor Model.

For institutions running their own core processing, an additional process of extracting customer account data, then putting the data into a standard format, encrypting it and finally storing the data in a very secure fashion per the specification encompasses most of the work. The institution must do some resiliency planning and organize a backup core service provider. The Sheltered Harbor specifications provide the controls and processes needed to ensure interoperability.

BD: The initiative helps member financial institutions store secure customer data above and beyond existing practices. Why should banks, particularly community banks, invest in putting this in place?

Silberstein: Our industry’s investment in protecting everyone connected to financial institutions is second to none. Nevertheless, we cannot guarantee 100 percent protection. So if a financial institution is severely disabled, we need a safety net like Sheltered Harbor to protect consumers, allowing them to continue to manage daily financial transactions in their lives.