Three Critical Challenges for Bank Audit Committees


audit-committee-5-17.pngAs the effects of the banking crisis continue to recede, regulatory agencies have shifted their focus. As asset quality concerns gradually diminish, regulators are scrutinizing corporate governance and risk management issues more closely.

In this environment, audit committees are being challenged to meet a higher standard regarding their understanding of their organization’s risk profile and often must adapt their approach to reflect changing business priorities. Three areas of concern merit special attention as they present audit committees with significant challenges.

Challenge 1: Cybersecurity Risk
Cybersecurity is a paramount issue in financial institutions today, ranking as the number one concern of bank executives and board members in the annual Bank Director Risk Practices Survey for two years running. In the 2016 survey, 77 percent of the respondents said cybersecurity was their top concern, and more than half said preparing for cyber attacks is one of their biggest risk management challenges.

Those numbers are not surprising because banks are a natural target for hackers. But the challenge of managing cybersecurity risk is complicated by banks’ natural reluctance to publicize breaches due to their legitimate fear of alerting other hackers to their vulnerabilities. Unfortunately, this justifiable secrecy makes it more difficult for other banks to learn from their peers’ experiences and hinders banks’ ability to recognize comparable weaknesses in their own systems and third-party relationships.

Another complicating factor is the makeup of the audit committee itself. Committee members very rarely have professional IT backgrounds, so they must rely on qualified third parties to provide insights into risks and mitigation strategies.

Recent regulatory guidance can help overcome this challenge to some extent. Audit committee members should be thoroughly familiar with the Federal Financial Institutions Examination Council’s two-part Cybersecurity Assessment Tool, which was issued in 2015 to help institutions identify their risk exposure and determine if their risk management programs are appropriately aligned. The audit committee should make sure management completes this assessment and integrates its principles into the overall risk management effort.

In addition, the Office of the Comptroller of the Currency (OCC) regularly issues joint statements with other bank regulatory bodies on specific cybersecurity concerns such as new malware developments, extortion attempts, and other current trends. Committee members should stay abreast of the most recent OCC statements on the agency’s website and confirm that management is following the specific preventive steps listed in those statements.

Challenge 2: Reallocating Audit Resources
In the current industry environment of shrinking margins and growing cost pressures, audit committees often must address increasing regulatory compliance demands and growing cybersecurity risk while struggling with resource constraints. Fortunately, there often are unrecognized opportunities to control risk management costs by reallocating resources to reflect changing business models.

For example, as customer habits and access methods change, some financial institutions are reassessing whether it is cost-effective to continue applying the same level of risk mitigation activity at the branch level. Steps such as lengthening the intervals between traditional branch audits and reassigning certain risk control responsibilities to operational managers make it possible to reallocate some internal audit resources to new, more pressing areas of risk. Audit committee members should be alert to such opportunities to reassess and fine-tune the audit approach to reflect today’s business reality.

Challenge 3: Adapting to New Strategies
Shrinking margins also are leading banks to look for opportunities to diversify their revenue strategies. But every new revenue stream requires new operational and support functions and opens up new categories of risk that must be assessed, controlled, and managed. One of the important responsibilities of the audit committee is to actively assess how a new business line will affect the institution’s risk parameters and to determine how those parameters can be addressed effectively and efficiently.

New revenue streams and changing business strategies are nothing new, of course. Historically, bank directors always have been challenged to adapt to shifts in economic and business priorities. In today’s environment, however, with greater regulatory emphasis on the management of risk, the challenges to audit committees are intensified. An effective response to these challenges can have a direct, significant and positive effect on an institution’s long-term success.

Technology’s Old Guard Focuses on Cybersecurity


cybersecurity.png

In the good old days, robbing a bank took some logistical planning. You needed enough gun-wielding associates to cover the lobby while the heist went down, and of course you needed a getaway car and a place to lay low. Today, all you need to rob a bank is a cheap laptop, some hacking skills and a high speed wireless connection. Talk to bankers and they’ll tell you that cybersecurity is their top concern. The reputational risk of a successful attack, let alone the potential financial exposure, is devastating.

Famed bank robber Willie Sutton once said he kept robbing banks because that’s where the money was. Of course, cyber thieves now steal identities and credit information instead of greenbacks, and their dogged persistence has turned cybersecurity into a growth industry. According to a recent report published by Homeland Security Research Corp., “Banking and Financial Services Cybersecurity: U.S. Market 2015-2020,” the financial services industry is the largest nongovernment cybersecurity market in the country. The industry is projected to spend $75 billion between 2016 and 2020 on cybersecurity measures.

Technology companies are well aware of the size and potential of the financial institutions marketplace for cybersecurity products and are rushing to develop products to meet the need. I doubt that many of the smaller ones will make much headway in financial services without partnering with a major tech firm. The career risk for a bank chief technology officer who hires Garage Genius Cyber Security is too great. Hiring a new young, innovative company gets you fired if an attack is successful. Hiring an old established well known company not only helps protect the bank from attack, it helps protect the CTO’s job if something goes wrong.

The older, more established companies are aware they have to keep up and are partnering with or acquiring new startups with promising cybersecurity products and services. This should allow them to offer cutting edge services to the financial community and still offer the peace of mind of a well-established and deep pocketed technology provider.

Already very active in the bank cybersecurity market, IBM has been buying up smaller cybersecurity companies and I expect that to continue as the company moves to counter new and developing threats. Vasco Data Security International–a world leader in two-factor authentication and transaction signing for financial institutions with more than half the world’s top 100 banks on their client roster — last year completed its acquisition of Silanis Technology Inc., a leading provider of electronic signature and digital transaction solutions that had a strong presence in the financial institutions marketplace.

Unisys’ new Stealth cybersecurity products can be used to protect your core data as well as mobile and cloud based platforms. And Cisco will continue to build its presence in the financial services cybersecurity market via acquisition. The company started down this path in 2013 by buying Sourcefire and have since added ThreatGRID, OpenDNS, and Lancope, and I expect it to make additional acquisitions as well.

Given their elevated concern about cybersecurity, most financial institutions are going to be reluctant to use smaller, younger companies—which means the established technology leaders should see the bulk of the money. And they, in turn, will have to be aggressive about buying and developing new technology to remain in front of the increasingly innovative and aggressive attacks that criminals will employ.

How Banks Can Increase Cybersecurity Risk Management


cybersecurity-5-6-16.pngIn mid-2015, executives at a bank in Russia awoke one morning to discover that the institution had lost millions of rubles overnight through a series of unauthorized withdrawals made through the automated teller machines of other banks. Earlier in the year, the Russian ruble experienced a volatile 14-minute long swing in the exchange rate that resulted in one financial institution’s reported loss of $3.2 million due to trades. Another well-coordinated attack in 2013 resulted in a loss of $45 million taken from ATM locations around the world when hackers eliminated the cash-withdrawal limits for 12 debit card accounts.

Such attacks are not limited to Russian banks; hackers and other cyber criminals are threatening the security of financial institutions around the world. The rise in cyber threats puts a spotlight on the vulnerability of the IT systems at many financial institutions—and intensifies the need to implement more robust security procedures to protect institutional assets.

A comprehensive assessment of an institution’s cybersecurity environment would have gone a long way towards establishing appropriate technology governance and protecting the assets of those Russian banks.

Targeting the Weakest Link
The most common and effective form of cyberattack is social engineering—that is, contacting personnel by email or phone and duping them into disclosing confidential information that can subsequently be used to gain access to systems and data. Alternatively, emails can be opened by employees who unwittingly release customized and often quite sophisticated malware (the software used by hackers to infiltrate IT systems).

Financial institutions are clearly not immune to such attacks and the opportunities and attempts for unauthorized access have increased. Yet some security mechanisms such as firewalls are no longer enough to protect an institution from modern threats. Although in some cases they thwart cyberattacks, outdated banking processes and systems are commonly the weak link exploited in these scenarios.

Implement a Risk-Based Approach
Most banks would claim they have a rich risk-assessment process, and to an extent, this may be true. But the focus is often primarily on business risk, not cybersecurity, and therein lies the issue. As a result, areas of weakness such as interconnection to ATMs may be overlooked. In addition, most banks have limited personnel and security resources dedicated to IT so, despite being attacked virtually every day, they cannot react to all alerts. Moreover, a bank’s internal enterprise risk management group may not be familiar with current risks or trained to respond to advanced threats.

IT investments will be based in part on whether or not the institution has been compromised historically; if management thinks a breach won’t happen, they probably won’t invest heavily in cybersecurity. Larger banks may have the resources to absorb the costs caused by a cybersecurity attack, but that is not true for all financial institutions.

There are a number of steps that financial institutions can take in order to mitigate IT security risks:

  • User awareness training: One of the most effective actions that any organization can take to reduce the risk of successful security attacks is employee and customer education. Strong awareness and education processes are critical actions to take to minimize the risks that social engineering poses. Training will differ, depending on the roles and responsibilities of the users, but an educated workforce and customer base are strong defenses against attacks.
  • Review and apply controls using a risk-based approach: To be truly effective, a risk assessment must get down into the weeds. A robust compliance program will evaluate—and periodically re-evaluate—threats in the entire universe of the banking system.
  • Identify weaknesses: If the bank doesn’t examine the weaknesses in their systems, the hackers will. There is a reason why the hackers used the ATMs owned by one bank to steal money from another institution—they knew that most systems would give them a few hours’ lead time before their withdrawals were reported. Understanding this weakness and implementing mitigating controls such as alerts could have at least minimized the damage inflicted by such an attack.
  • Add controls: Management must develop and implement controls that are designed to keep incidents from occurring and serve as a deterrent against unauthorized access. That said, it should also be assumed that these controls will eventually fail at some point. Therefore, detective controls will help to monitor and alert an organization of any malicious or unauthorized activity, including malicious activity—taken knowingly or not—by employees. In addition, corrective controls can help limit the scope of an incident and contain unauthorized activity.

With so much at stake—potential financial losses, compromised brand reputations, access to operational capital and possible regulatory violations—taking action is a business imperative.

2016 Risk Practices Survey: Banks Beef Up on Cybersecurity


cybersecurity-3-21-16.pngFor 77 percent of the bank executives and board members responding to Bank Director’s 2016 Risk Practices Survey, sponsored by FIS, cybersecurity remains their top concern, for the second year in a row. More than half indicate that preparing for cyberattacks is one of their organization’s biggest risk management challenges. While these concerns aren’t new, respondents this year indicate a shift in how their boards and executives are addressing the threat. Unfortunately, the fact remains that many banks still aren’t doing enough to protect themselves—and their customers.

Just 18 percent indicate their bank has experienced a data breach, but it’s important to note that these breaches were almost as likely to occur at a smaller, $500 million asset institution as at a larger institution above $10 billion. Cybersecurity can no longer be dismissed as merely a “big bank” concern.

In addition to identifying cybersecurity practices within the industry, the online survey asked 161 independent directors and chairmen, chief risk officers, chief executive officers and other senior executives of U.S. banks above $500 million in assets to weigh in on their bank’s risk governance, culture and infrastructure. The survey was conducted in January.

Compared to last year’s survey results, more respondents indicate their board reviews cybersecurity at every board meeting, at 34 percent compared to 18 percent last year. While this shift represents a significant increase in board-level attention to cyberthreats compared to last year, these institutions remain the exception rather than the rule.

Many banks have yet to fully utilize the Cybersecurity Assessment Tool, developed by the Federal Financial Institutions Examination Council and made available to banks in 2015 “to help institutions identify their risks and determine their cybersecurity maturity.” Sixty-two percent of survey respondents indicate their bank has used the tool and completed an assessment. However, just 39 percent have validated the results, and 18 percent established board-approved triggers for update and reporting. All three prudential regulators—the Federal Reserve, the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corp.— now use the tool in exams, regardless of the bank’s size. Several states have mandated its use as well.

Other key findings:

  • Seventy-eight percent indicate that their bank employs a full-time chief information security officer, up from 64 percent in last year’s survey.
  • Almost half report that the bank has a chief risk officer exclusively focused on risk, while 37 percent have a risk officer that is also focused on other areas of the bank.
  • Fifty-four percent of respondents who indicate that the bank has a CRO also say the board never meets with that individual.
  • Responses indicate a low level of board engagement with the chief risk officer: Just 21 percent indicate the CRO’s performance is reviewed, and compensation determined by, the board or a board committee.
  • Forty-eight percent of respondents govern risk within a separate, board-level risk committee, and 65 percent have at least one director who is considered to be a risk expert.
  • Forty-five percent indicate that risk performance is not incorporated into their bank’s compensation programs.
  • Just 55 percent indicate their bank has a risk appetite statement, which defines the acceptable amount of risk for an organization.

To view the full results to the survey, click here.

Cybersecurity: Five Best Practices To Protect Your Bank


Cybersecurity: Five Best Practices To Protect Your Bank



Cybersecurity remains a top concern for the bank executives and board members surveyed in Bank Director’s 2016 Risk Practices Survey, sponsored by FIS. What can bank boards do to combat this threat? In this video, Sai Huda of FIS reveals best practices that boards can implement, based on the survey results.

  • Cybersecurity and the Board
  • The FFIEC Cybersecurity Assessment
  • Detecting an Intrusion

The Five Critical Attributes of Effective Cybersecurity Risk Management


risk-manangement-3-15-16.pngThe size, complexity and ever-evolving nature of cyberattacks mean there’s no one-size-fits-all way to respond. Whatever your organization’s plan to mitigate the risk of data breaches, to be effective, it must encompass the five attributes discussed here.

Attribute One: An Effective Framework
An effective, appropriate framework is an essential place to start. The centerpiece of any cybersecurity risk management program, a cybersecurity framework is a standard designed to assist with managing the confidentiality, integrity and availability of data and critical infrastructure.

Many frameworks are now in use in various industries (some common ones include the National Institute of Standards and Technology Cybersecurity Framework, International Organization for Standardization, and ISACA’s COBIT). Regardless of which framework an organization chooses for managing its cybersecurity program, the framework will need to be adapted and fine-tuned to reflect the organization’s size and the nature of the data being protected. The point here is not to advocate for one framework over another; rather, the point is that choosing and implementing a framework is an essential first step in guarding against cybersecurity threats and launching a cybersecurity risk management program.

Attribute Two: End-to-End Scope
The second critical attribute of a cybersecurity program is its scope. An effective program must be comprehensive, or end to end, in scope—that is, the program must address all the critical elements that need to be protected in the institution.

To understand your full scope, you must “follow the data” and identify everywhere sensitive data is created, stored or transmitted. Beyond the immediate system, there might be many unknown data stores, including cloud services and third-party vendors.

Attribute Three: Thorough Risk Assessment and Threat Modeling
Because no institution has unlimited resources to devote to cybersecurity, the multiplying array of threats means risk assessment and prioritization are essential. By monitoring emerging threats and assessing both their likelihood and the damage they could cause, the cybersecurity team can develop a decision heat map that plots the potential risk against the cost and effort that would be required to protect against it.

Attribute Four: Proactive Incident Response Planning
For much of its history, the cybersecurity industry focused on preventing attacks. But today, although prevention remains crucial, the focus is shifting away from prevention alone and is turning instead to being prepared for the worst. Although breach prevention remains paramount, preparing for the worst case is becoming equally important. Preparing an incident response plan—and updating it regularly—is a minimum first step.

Once an incident has occurred, a bank can follow the typical incident response plan, which encompasses certain fundamental steps, including the following:

  • Inventory and understand the data to be protected.
  • Inventory and classify incidents.
  • Understand known threats and monitor new ones.
  • Identify the stakeholders and incident response team—corporate communications, legal, compliance, lines of business, IT and external forensics partners.
  • Set up a command center.
  • Develop and implement a containment and investigation strategy.
  • Develop and implement an evidence preservation strategy.
  • Develop and implement a communication plan for customers, media, regulators and other stakeholders.
  • Conduct a post-mortem and apply lessons learned.

Attribute Five: Dedicated Cybersecurity Resources
The final critical attribute of a cybersecurity initiative is having sufficient resources dedicated to the effort—in particular, a designated cybersecurity team. Many organizations have not yet given adequate attention to this requirement, often neglecting to assign appropriate roles and responsibilities or failing to establish the necessary governance structures called for in the framework being used.

In most companies, the IT team’s day-to-day attention is focused primarily on keeping the system up and running—an understandable priority. After all, service interruptions are noticed immediately and the effects are apparent to almost everyone. On the other hand, security lapses or breaches are less visible than service interruptions—at least at first—and the benefits of prevention and incident planning are not nearly as obvious.

The cybersecurity effort should be led by an experienced team leader for whom IT security is his or her primary duty rather than a secondary function squeezed in among other priorities. If the company is too small to afford a cybersecurity staff member, consider retaining a professional cybersecurity firm to implement the IT security function in order to develop appropriate prevention and response plans.

Understanding the Board’s Role in Cybersecurity


cybersecurity-3-7-16.pngUnfortunately, despite the recent prevalence of cyberattacks and data breaches, many businesses neglect cybersecurity or, if they do pay attention, view cybersecurity as a technical issue for senior management. However commonplace lax oversight of cybersecurity may be in other sectors of the economy, bank directors cannot afford to neglect or delegate responsibility for cybersecurity—bank boards must be actively involved.

Regardless of size, no bank is completely safe from a cyberattack. Every bank should assume that a cyberattack will occur and, when it does, at least one defense will fail. Hackers constantly test cybersecurity defenses, transform their attack methodology, and exploit weaknesses, which, all too often, are the access points used by third-party vendors providing critical services.

Banks are expected to take steps to prevent intrusions, prepare for the possibility of cyberattack, and have processes in place to resume business continuity. Bank examiners look to see if a bank has an integrated system of technology, processes and practices employed to protect networks, computers and data from attack. Bank examiners also look to see whether the board, as the driver of governance controls, is actively involved with senior management in development of a robust approach to cyber risk. Poor cybersecurity measures and lax board oversight can result in a bad IT exam, which, in turn, can negatively affect a bank’s management component rating (even though cybersecurity falls under the IT component). Worse still, a poor cybersecurity review may also negatively affect a bank’s safety and soundness rating.

As with many complex issues facing banks, the board must take steps to ensure that it is well advised regarding technological issues and has a thorough understanding of the bank’s inherent risk environment. A good first step is to make the Federal Financial Institution Examination Council’s (FFIEC) Cybersecurity Assessment Tool a part of the bank’s governance framework. The assessment tool is a two-part repeatable process review that helps banks identify their risks and evaluate cybersecurity maturity. The first part gauges the bank’s inherent risk profile, which identifies risks and threats (both internal and external), corresponding to the activities, services and products offered by the bank. The second part – the cybersecurity Maturity review – tests the maturity of the bank’s cybersecurity program, including board involvement and oversight of that program.

The board is ultimately responsible for cybersecurity, but it is not necessary that each director have a detailed technical understanding of the underpinnings of cybersecurity safeguards. Many boards appoint a board-level IT committee to take the lead on cybersecurity. Regulators expect the IT committee to own primary responsibility for the bank’s IT strategic plan, including making the board comfortable that the IT strategic plan aligns with the bank’s business strategy. As part of that process, the IT committee can incorporate the FFIEC assessment tool into its review and approval of bank IT policies, management of information security systems, training of other board members and bank management, and approval of IT budgets. Most importantly, because the IT committee is responsible for running periodic independent testing to monitor compliance, the assessment tool can be used to aid the IT committee in holding management accountable for identifying, measuring, monitoring and mitigating IT risks. Boards lacking an IT committee must work closely with senior management to tackle all of the tasks normally delegated to the IT committee and may want to consider hiring an outside consultant to advise the board on cybersecurity technologies and best practices.

The regulators have indicated that cybersecurity is going to be a key topic for exams during 2016. Federal regulators have also directed examination staff to incorporate the assessment tool into their review of bank cybersecurity and risk management. While there have been no reported civil money penalties to date related to a bank’s failure to adequately ensure cybersecurity, it is only a matter of time before examiners resort to supervisory and enforcement powers to ensure that banks adequately address cybersecurity risk. Moreover, as the scope of liability for cybersecurity risk grows, banks can be sure that insurance companies, plaintiffs’ attorneys and activist shareholders will scrutinize bank boards’ oversight of cybersecurity.

Proactive integration of the assessment tool into a bank’s governance and risk oversight framework will put the board in a better position to demonstrate satisfactory compliance on these points during an exam, help avoid any downgrade to the institution’s exam rating, and mitigate exposure to the bank and its customers from inevitable cyberattacks.

Making the Right Investment in Cybersecurity


In a January interview with Bloomberg, Brian Moynihan revealed that Bank of America Corp. has an unlimited budget for cybersecurity. “I go to bed every night feeling comfortable that group has all the money, because they never have to ask,” said the Bank of America chairman and chief executive officer. “You’ve got to be willing to do what it takes at this point.”

The vast majority of banks can’t grant carte blanche to their organization’s information security team. Bank Director’s 2015 Risk Practices Survey found that most banks, at 60 percent, dedicated less than 1 percent of revenues to cybersecurity in 2014. Thirty-eight percent allocated from 1 percent to 5 percent of revenues on cybersecurity. Two percent dedicated 5 percent of revenues to cybersecurity.

Regulators don’t mandate a minimum cybersecurity spend; how much is the right amount is up to the bank. However, banks that are prepared to battle cybercrime typically aren’t hit as hard when the inevitable data breach or hack occurs. So bank boards face some difficult decisions when it comes to protecting their bank from cybercrime. How much should the bank invest? And on what? 

Tony Buffomante, principal in information protection and cybersecurity at KPMG, says bank boards want to know what the risks are, and whether their current programs are ready to mitigate cyberthreats. Identifying the areas of the business that the bank wants to protect from a potential cyberattack—where customer account data is housed, and what processes are involved—is key to determining how much to invest in cybersecurity, and where. “If they don’t really understand what the risks are, it’s difficult to figure out, ‘Am I investing enough?’” he says.

2014 Cybersecurity Budget, By Bank Size
  All Banks >$10 Billion $5Bn to $10Bn $1Bn to $5Bn <$1Bn
Less than 1% of revenues 60% 38% 50% 59% 72%
From 1% – 5% of revenues 38% 62% 50% 38% 28%
More than 5% of revenues 2% 3%

Source: 2015 Risk Practices Survey

Cybersecurity Budget Increase for 2015, By Bank Size
  All Banks >$10 Billion $5Bn to $10Bn $1Bn to $5Bn <$1Bn
Less than 10% 52% 57% 50% 56% 42%
From 10%-25% 23% 43% 30% 23% 15%
No Increase 21% 20% 18% 35%
From 25%-50% 4% 3% 8%

Source: 2015 Risk Practices Survey

As a rule of thumb, Michael Bruemmer, vice president of the data breach resolution group at Experian, recommends that companies commit 5 percent of their revenues to cybersecurity. Two of the more technical areas that the bank’s cybersecurity budget should prioritize are intrusion detection, to detect hacks and breaches, and encryption of data to make it more secure. Bruemmer calls encryption a cybersecurity “Get Out of Jail Free Card.” Depending on state laws, companies that can prove that their data was encrypted may not have to report the breach to customers. Security breach notification laws in states such as Arizona, California and Illinois specifically reference unencrypted data.

According to a 2014 study by the Ponemon Institute, the typical data breach for the financial services industry cost $236 per record lost, but companies that followed certain practices had lower than average costs. For example, the appointment of a chief information security officer (CISO) reduces the cost of a breach by $10 per record. Sixty-four percent of respondents to Bank Director’s Risk Practices Survey say they employ a full-time CISO, a practice less common for banks with less than $1 billion in assets (44 percent).

Preventing, detecting and responding to cyberthreats is at the core of information security. Banks need expertise in understanding what the risks are, someone who can implement controls to protect customer information, as well as watch for a breach and then react to it, says Buffomante. The role may be held by multiple people within the organization, or, instead of hiring a CISO, the role can be outsourced for banks that lack that expertise on staff. 

An outsourced CISO can be just as effective, says Bruemmer. “It’s not as important who you have on staff…but that you cover all the bases, whether it is outsourced or internally.” 

The median salary for an information security officer is $75,662, according to Crowe Horwath LLP’s 2014 Financial Institutions Compensation Survey.

Bank boards should recognize that the CISO isn’t the sole guardian of the bank’s digital assets. “Executives, meaning boards and senior executives of companies, need to participate and be involved in improving their incident response,” says Bruemmer. 

Beyond technology investments, Bruemmer believes the biggest area of focus for banks should be on its employees. Training can make or break an organization’s cybersecurity efforts and investment, and Bruemmer says the root cause of most breaches is simple human error. Commonly, an employee makes a mistake and clicks a link in a phishing email, or doesn’t respond appropriately to an alert. “All of the budget expenditure in the world would not have stopped” these types of errors, he says. Employees should know not only how to prevent a breach, but how to respond to one as well. Banks need to have a plan.  

According to Ponemon, an incident response plan for cybersecurity can result in a reduction of $17 per record. These plans should be tested regularly, so the bank is prepared when a real cyberattack occurs. Seventy-six percent of respondents to the 2015 Risk Practices Survey report that their bank has a cyber incident management and response plan in place. Of these, three-quarters regularly test it.

Does your bank have a written cyber incident management and response plan?

CyberResponse_chart.png

Another investment boards should consider is cyber insurance, which can reduce the impact of a data breach by protecting the institution from customer lawsuits and covering costs like credit monitoring, customer notification and crisis management.

The Federal Financial Institutions Examination Council encourages banks to join the Financial Services Information Sharing and Analysis Center (FS-ISAC), a non-profit source for intelligence on cyberthreats, which gives banks access to information on the latest threats. The agency also plans to release a cybersecurity self-assessment tool, which will help institutions evaluate their ability to mitigate these risks. 

Bruemmer argues that the success and failure of a bank’s cybersecurity preparedness doesn’t come down to how much money is thrown at the problem. Instead, it’s more about the bank’s dedication to protecting the bank, and focusing resources on the issue. The board should play a strong role, though fewer than 20 percent regularly address cybersecurity within meetings, according to the 2015 Risk Practices Survey. Just 8 percent of respondents from banks with less than $1 billion in assets say their board addresses the issue at each board meeting. Although the board’s job isn’t to manage the bank’s security, it should provide effective oversight in terms of knowing about the bank’s security plans, staffing and resources, and making sure those are adequate.

Cybersecurity “needs to be part of the board-level strategy discussion, says Bruemmer. It “is so impactful to the organization’s ongoing reputation and viability, [and] it needs to be connected to the board level,” says Bruemmer.