Several high-profile data breaches in 2019 ensured that cybersecurity remains a top concern for bank boards and executive teams. Capital One Financial Corp. and Facebook revealed significant breaches last year — 106 million and over 500 million, respectively — so it’s no wonder that 87% of respondents say their anxiety over the issue has increased, according to Bank Director’s 2020 Risk Survey.
In response, more than three-quarters of directors and executives say they’ve increased oversight of cybersecurity and data privacy.
It’s a thorny issue for banks to manage. This isn’t a typical risk like credit that leverages bank leaders’ expertise and knowledge to ensure their practices are safe and sound. With cybersecurity, the threat level changes almost constantly, and the hacker trying to infiltrate your organization could be a world away.
Yet, the buck stops with the board. While management is charged with the implementation of the bank’s cyber risk program, it’s the board’s duty to ensure the bank is protected.
Unfortunately, board oversight is too often taken seriously only after an incident occurs, rather than before.
Basic Responsibilities
In its IT Examination Handbook, the Federal Financial Institutions Examination Council outlines responsibilities for bank boards. They include:
- Overseeing the development, implementation and maintenance of the information security program
- Communicating expectations to management and holding them accountable
- Approving policies, plans and programs
- Ensuring the program’s effectiveness by reviewing assessments and reports, and discussing management’s recommendations for improvement
How boards fulfill these duties varies. Most oversee cybersecurity within a committee; 19% as a full board.
Further, the frequency with which the board as a whole reviews cybersecurity ranges from as often as every meeting to as infrequently as annually (or less). The size of the bank appears to have little bearing on how often boards address this issue.
Regulators expect, at minimum, an annual review. But given the pace of change in the cyber threat landscape, meeting the minimal standard isn’t adequate. Bank boards need to take cybersecurity more seriously.
“If you’re talking cybersecurity less frequently than quarterly, I don’t think you can truly manage that risk to your institution,” says Craig Sanders, a partner at survey sponsor Moss Adams. “You can’t get enough data points to really understand what the risk profile is or isn’t doing in your institution in terms of [protecting the bank].”
At a minimum, the FFIEC says management should report to the board annually on the risk assessment process, risk management and control decisions, third-party arrangements, testing results, security breaches and management response, and recommendations for updates to the program. A designated information security officer should report directly to the board, as well.
In the survey, 76% indicate that the bank’s chief information security officer meets regularly with the board.
Next-Level Oversight
The FFIEC, an interagency body, has made its Cybersecurity Assessment Tool (CAT) available to evaluate all facets of a bank’s cybersecurity program, including the activities the board engages in as part of its oversight role.
Annie Goodwin, the risk oversight chair at $13.7 billion Glacier Bancorp, says the CAT is among the tools in the Kalispell, Montana-based bank’s cybersecurity arsenal. “It’s valuable in assessing cybersecurity preparedness,” she says. “During the safety and soundness exam, the CAT tool is often reviewed, and our board is very familiar with it.”
The CAT provides a list of attributes that indicate a bank’s maturity within each domain: threat intelligence and collaboration, cybersecurity controls, external dependency management, cyber incident management and resilience, and cyber risk management and oversight, including the board’s role. Maturity levels are rated from baseline — a bare-minimum standard indicating the lowest level of maturity, intended for banks exhibiting minimal inherent risk — to advanced and innovative, the two highest levels.
Given the continued prominence of cybersecurity as a threat to the industry, the survey asked directors and executives about some of the advanced and innovative activities for board oversight. The results confirm that some practices are more common than others.
Almost three-quarters of respondents indicate their board participates in training to better understand the cyber threats facing the bank.
Cybersecurity has become a more frequent topic of discussion for the board at Cross Plains, Wisconsin-based SBCP Bancorp. “Rightly so,” says CEO Jim Tubbs, given increased threats to the $1.3 billion bank and its customers. “The first step is informing and educating [the board],” he says. “The second step is having them understand from us — senior management — or from our external auditors, to be able to provide them appropriate reports or knowledge in regards to how we are handling cyber risk, and how [we are] testing our own systems and how our audit function is working.”
Using data to facilitate strategic decisions and monitor cyber risk (27%) is one of the least common practices reported by respondents, along with benchmarking cybersecurity staffing against peer institutions (10%).
Sanders says more progressive organizations are asking for benchmarking metrics to better budget for cybersecurity and technology, to gauge whether they’re spending enough to protect their institution. “What are peer banks spending, and where are they [in terms of] maturity?” he says.
Incorporating more of the practices outlined in the CAT promises to augment the board’s ability to oversee cybersecurity as a risk.
“When you look at the intent of the [regulatory] guidance, and as you move from baseline maturity level to advanced, evolving, innovative — as you move up that chain, the governance piece becomes more heavily focused. They expect more participation” on the part of the board, says Sanders. “A small percentage of banks [say], ‘We want to move to evolving, or we want to move to advanced.’ Those are the ones that are spending more money and committing more to it, [and] their board and management team have a better harmony about what that program should look like and see the value in it.”
Bank Director’s 2020 Risk Survey, sponsored by Moss Adams, surveyed 217 independent directors, CEOs, chief risk officers and other senior executives of U.S. banks under $50 billion in assets. The survey was conducted in January 2020 and focused on the top risks facing financial institutions at that time, including cybersecurity, credit and interest rate risks, and emerging issues.
You can read more about the “Cyber War” facing the banking industry in the second quarter issue of Bank Director magazine. Additionally, Bank Director’s Online Training Series contains information on the board’s role in overseeing cybersecurity. Unit 11 covers best practices for the board. Unit 21 addresses further responsibilities, as well as the importance of an incident response plan and employee training.