What New Climate Disclosure Means for Banks

Climate risk assessment is still in its infancy, but recent pronouncements by federal regulators should have bank directors and executives considering its implications for their own organizations.   

Under a new rule proposed by the Securities and Exchange Commission, publicly traded companies would be required to report on certain climate-related risks in regular public filings. 

Though the SEC’s proposal only applies to publicly traded companies, some industry observers say it’s only a matter of time before more financial institutions are expected to grapple with climate-related risks. Not long after the SEC issued its proposal, the Federal Deposit Insurance Corp. issued its own draft principles for managing climate risk. While the principles focus on banks with over $100 billion of assets, Acting Chair Martin Gruenberg commented further that “all financial institutions, regardless of size, complexity, or business model, are subject to climate-related financial risks.” 

The practice of assessing climate risk has gained momentum in recent years, but many boards aren’t regularly talking about these issues. Just 16% of the directors and officers responding to Bank Director’s 2022 Risk Survey say their board discusses climate change annually.

To understand what this means for their own organizations, boards need to develop the baseline knowledge so directors can ask management smarter questions. They should also establish organizational ownership of the issue and think about the incremental steps they might take in response to those risk assessments. 

“Climate risk is like every other risk,” says Ivan Frishberg, chief sustainability officer at $7 billion Amalgamated Financial Corp. in New York. “It needs the same systems for managing it inside a bank that any other kind of risk does. It’s going to require data, it’s going to require risk assessments, it’s going to require strategy. All of those things are very traditional frameworks.” 

The SEC’s proposed rule intends to address a major challenge with sizing up climate risk: the lack of uniform disclosures of companies’ greenhouse gas emissions and environmental efforts. The agency also wants to know how banks and other firms are incorporating climate risks into their risk management and overall business strategies. That includes both physical risk, or the risk of financial losses from serious weather events, and transition risk, arising from the shift to a low-carbon economy.  

Bank Director’s Risk Survey finds that many boards need to start by getting up to speed on the issue. Though 60% of survey respondents say that their board and senior leadership have a good understanding of physical risks, just 43% say the same about transition risk. Directors should also get a basic grasp of what’s meant by Scope 1, Scope 2 and Scope 3 emissions to better gauge the impact on their own institutions.  

Understanding Carbon Emissions

Scope 1: Emissions from sources directly owned or controlled by the bank, such as company vehicles.

Scope 2: Indirect emissions associated with the energy a bank buys, such as electricity for its facilities. 

Scope 3: Indirect emissions resulting from purchased goods and services (business travel, for example) and other business activities, such as lending and investments.

The SEC’s proposal would not require scenario analysis. However, directors and executives should understand how their loan portfolios could be affected under a variety of scenarios. 

Talking with other banks engaged in similar efforts could help institutions benchmark their progress, says Steven Rothstein, managing director of the Ceres Accelerator for Sustainable Capital Markets, a nonprofit that works with financial institutions on corporate sustainability. Boards could also look to trade associations and recent comments by federal regulators. In a November 2021 speech, Acting Comptroller of the Currency Michael Hsu outlined five basic questions that bank boards should ask about climate risk. The Risk Management Association recently established a climate risk consortium for regional banks. 

Assessing climate risk involves pulling together large amounts of data from across the entire organization. Banks that undertake an assessment of their climate-related risks should appoint somebody to coordinate that project and keep the board apprised.  

Banks might also benefit from conducting a peer review, looking at competing institutions as well as banks with similar investor profiles, says Lorene Boudreau, co-leader of the environment, social and governance working group at Ballard Spahr. “What are the other components of your investors’ profile? And what are they doing? Use that information to figure out where there’s a [gap], perhaps, between what they’re doing and what your company is doing,” she says.

Finally, boards should think about the shorter term, incremental goals their bank could set as a result of a climate risk assessment. That could look like smaller, sector-specific goals for reducing financed emissions or finding opportunities to finance projects that address climate-related challenges, such as storm hardening or energy efficiency upgrades. 

A number of big banks have made splashy pledges to reduce their greenhouse gas emissions to net zero by 2050, but fewer have gotten specific about their goals for 2030 or 2040, Boudreau says. “It doesn’t have a lot of credibility without those interim steps.” 

While many smaller financial institutions will likely escape regulatory requirements for the near term, they can still benefit from adopting some basic best practices so they aren’t caught off guard in a worst-case scenario. 

“Climate risk is financial risk,” says Rothstein. “If you’re a bank director thinking about the safety and soundness of a bank, part of your job has to be to look at climate risk. Just as if someone said, ‘Is the bank looking at cyber risk? Or pandemic risk or crypto risk?’ All of those are risks that directors, through their management team, have to be aware of.” 

3 Steps to Planning for Climate Risk

Last year, President Joe Biden’s Executive Order on Climate-Related Financial Risk and the resulting report from the Financial Stability Oversight Council identified climate change as an emerging and increasing threat to U.S. financial stability.

A number of financial regulatory and agency heads have also spoken about climate risk and bank vulnerability.

Now the question is: What should banks be doing about it now? Here are three steps you can take to get started:

1. Conduct a Risk Assessment
Assessing a financial institution’s exposure to climate risk poses an interesting set of challenges. There is the short-term assessment for both internal operations and business exposures: what is happening today, next month or next year. Then there are long-term projections, for which modeling is still being developed.

So where to begin?
Analyzing the potential impacts of physical risk and transition risk begins with the basic question, “What if?” If extreme weather events continue, how does that impact or alter your operational and investment risks? If carbon neutral climate regulations take hold and emissions rapidly fall, what changes? Widen your scope from credit risk to include market, liquidity and reputational risk, which is taking on new meaning. Bank executives may make reasonable decisions to stabilize their balance sheet, but those decisions could backfire when banks are seen as not supporting their customers in their transition.

Regional and smaller financial institutions will need more granular data to assess the risk in their portfolios, and they may need to assemble local experts who are more familiar with climate change’s impact on local companies.

2. Level Up the Board of Directors
Climate change has long been treated as part of corporate social responsibility rather than a financial risk, but creating a climate risk plan without executive support or effective oversight is a fool’s errand. It’s time to bring it into the boardroom.

Banks should conduct a board-effectiveness review to identify any knowledge gaps that need to be filled. How those gaps are filled depends on each organization, but climate change expertise is needed at some level — whether that be a board member, a member of the C-suite or an external advisor.

The next step is incorporating climate change into the board’s agenda. This may already be in place at larger institutions or ones located in traditionally vulnerable areas. However, recent events have made it clear that climate risk touches everything the financial sector does. Integrating climate risk into board discussions may look different for each financial institution, but it needs to start happening soon.

3. Develop a Climate-Aware Strategy
Once banks approach climate risk as a financial risk instead of simply social responsibility, it’s time to position themselves for the future. Financial institutions are in a unique position when formulating a climate risk management strategy. Not only are they managing their own exposure — they hold a leadership role in the response to carbon neutral policies and regulation.

It can be challenging, but necessary, to develop a data strategy with a holistic view across an organization and portfolio to reveal where the biggest risks and opportunities lie.

Keeping capital flowing toward clients in emission industries or vulnerable areas may seem like a high risk. But disinvestment may be more detrimental for those companies truly engaged in decarbonization activities or transition practices, such as power generation, real estate, manufacturing, automotive and agriculture. These exposures may be offset by financing green initiatives, which have the potential to mitigate transition risk across a portfolio, increase profit and, better yet, stabilize balance sheets as the economy evolves into a carbon neutral world.

An Audit Expert Explains What’s Changed

An audit committee seat can be one of the biggest challenges — and one of the greatest responsibilities — for a bank director, even without a global pandemic and economic recession. The audit committee sets the tone at the top for the bank. How does its role change in a pandemic? It’s an increasingly important responsibility, says Jon Tomberlin, managing partner in Dixon Hughes Goodman LLP’s financial services practice, participating in a panel discussion focusing on audit matters at Bank Director’s BankBEYOND 2020 experience. “There’s a lot of risk and difficulty in being on the audit committee,” he says. “They are one of the most important elements of the bank.” The audit committee creates and maintains the conditions and expectations that support the integrity of the bank’s financial controls — an environment that may have altered or become strained under the pandemic’s forceful impact or the severe economic fallout. Tomberlin says he sees many roles for the audit committee in this turbulent environment, including overseeing and challenging the appropriateness of internal controls and management’s risk assessment. Joining Tomberlin in this conversation with Bank Director’s Editor-At-Large Jack Milligan were Michael Ososki, a partner at BKD LLP, and Mandi Simpson, a partner at Crowe LLP.

Balance Sheet Opportunities Create Path to Outperformance

How important is net interest margin (NIM) to your institution?

In 2019, banks nationally were 87% dependent on net interest income. With the lion’s share of earnings coming from NIM, implementing a disciplined approach to margin management will mean the difference between underperforming institutions and outperforming ones.

Anticipating the next steps a bank should take to protect or improve its profitability will become increasingly difficult as it manages balance sheet risks and margin pressure. Cash positions are growing with record deposit inflows, pricing on meager loan demand is ultra-competitive and many institutions are experiencing accelerated cash flows from investment portfolios.

It is also important to remember that stress testing the balance sheet is no longer an academic exercise. Beyond the risk management benefit, stressing the durability of capital and the resiliency of liquidity can give your institution the confidence necessary to execute on strategies to improve performance and to stay ahead of peers. It is of heightened importance to maintain focus on the four major balance sheet positions discussed below.

Capital Assessment, Position
Capital serves as the cornerstone for all balance sheets, supporting growth, absorbing losses and providing resources to seize opportunities. Most importantly, capital serves as a last line of defense, protecting against risk of the known and the unknown.

The rapid changes occurring within the economy are not wholly cyclical in nature; rather, structural shifts will develop as consumer behavior evolves and business operations adjust to the ‘next normal.’ Knowing the breaking points for your capital base — in terms of growth, credit deterioration and a combination of these factors — will serve your institution well.

Liquidity Assessment, Position
Asset quality deterioration leads to capital erosion, which leads to liquidity evaporation. With institutions reporting record deposit growth and swelling cash balances, understanding how access to a variety of funding sources can change, given asset quality deterioration or capital pressure, is critical to evaluating the adequacy of your comprehensive liquidity position.

Interest Rate Risk Assessment, Position
In today’s ultra-low rate environment, pressure on earning asset yields is compounded by funding costs already nearing historically low levels. Excess cash is expensive; significant asset sensitivity represents an opportunity cost as the central bank forecasts a low-rate environment for the foreseeable future. Focus on adjusting your asset mix — not only to improve your earnings today, but to sustain it with higher, stable-earning asset yields over time.

Additionally, revisit critical model assumptions to ensure that your assumptions are reflective of actual pricing behaviors, including new volume rate floors and deposit betas, as they may be too high for certain categories.

Investment Assessment, Position
Strategies for investment portfolios including cash can make a meaningful contribution to your institution’s overall interest income. Some key considerations to help guide the investment process in today’s challenging environment include:

  • Cost of carrying excess cash has increased: Most institutions are now earning 0.1% or less on their overnight funds, but there are alternatives to increasing income on short-term liquidity.
  • Consider pre-investing: Many institutions have been very busy with Paycheck Protection Program loans, and we anticipate this will have a short-term impact on liquidity and resources. Currently, spreads are still attractive in select sectors of the market.

Taylor Advisors’ Take:
Moving into 2021, liquidity and capital are taking center stage in most community banks’ asset-liability committee discussions. Moving away from regulatory appeasement and towards proactive planning and decision-making is of paramount importance. This can start with upgrading your bank’s tools and policies, improving your ability to interpret and communicate the results and implementing actionable strategies.

Truly understanding your balance sheet positions is critical before implementing balance sheet management strategies. You must know where you are to know where you want to go. Start by studying your latest quarterly data. Dissect your NIM and understand why your earning asset yields are above or below peer. Balance sheet management is about driving unique strategies and tailored risk management practices to outperform; anything less will lead to sub-optimal results.

Steering a De Novo Through a Crisis and Beyond

New York-based Piermont Bank opened its doors in July 2019. Just eight months later — on March 1 — a New York woman returning home from Iran became the city’s first Covid-19 case. By March 20, with cases in the state rapidly climbing, Gov. Andrew Cuomo mandated that non-essential businesses close. One hundred days after reporting its first case, New York began reopening — but as of Nov. 19, restrictions remained in place, and New York City public schools recently returned to virtual learning to combat a resurgence of Covid-19 cases.

What a time to run a bank — especially a new one.

It sounds counterintuitive at first blush, but Wendy Cai-Lee, the bank’s founder and chief executive, believes Piermont is well positioned to serve customers. The $117 million bank focuses heavily on commercial real estate loans; it also makes commercial and industrial (C&I) loans.

She points out that as a de novo, the bank’s balance sheet is clean; her team didn’t have to devote attention to working with troubled borrowers. Piermont also has a lot of capital on hand, with a leverage ratio of 32.82% as of June 30.

But Cai-Lee recognizes the broader, longer-term impact the pandemic could have on the New York market. “We have seen appraisal values essentially drop anywhere between 10% to 35%,” she says. Her team has a risk assessment meeting every Monday; when we spoke in October, they were evaluating the potential fallout from the end of unemployment benefits through the CARES Act, set to expire at the end of the year. “That’s going to impact people’s ability to pay their rent, and I do think that’s going to bring some impact to multi-family that we haven’t seen so far,” she says.

Serving customers during the pandemic had some banks scrambling to adopt new technology to serve customers; in contrast, Piermont was already positioning itself as a “tech-enabled” bank. “When it comes to innovation, I’m a big believer that it’s not only technology that we need to focus on, but also process,” says Cai-Lee. She aims to create an end-to-end digitized process without sacrificing on risk controls.

“I use technology to digitize everything that the client doesn’t see so that I can move all those resources to allow my bankers to spend the time with the client to find specific pain points” and identify the right solution, she explains. “This allows my bankers to engage the client very differently.” Piermont can close commercial loans in three days, she says, rather than a couple of weeks. And innovation isn’t limited to technology; Piermont offers subscription pricing for its services, for example, and recently announced a banking-as-a-service platform it’s offering through a partnership with Treasury Prime.

I spoke with Cai-Lee before that announcement. “We’re actually not going to be that anonymous bank behind these fintechs,” she says. “We’re actually going to market front and center along with the API partner so that we can actually focus on creating the right product for them.”

Piermont Bank also seeks to serve women- and minority-owned businesses, which have been particularly devastated by the pandemic and have historically lacked access to credit and investor capital. A lot of banks say they want to serve women and minority entrepreneurs, yet these groups remain underserved. When I ask how Cai-Lee’s plans differ from other institutions’ efforts, she credits Piermont’s diverse team.

Cai-Lee is Asian American; before founding Piermont, she led the commercial real estate, commercial lending, and consumer and business banking divisions at $50 billion, Pasadena, California-based East West Bancorp, which serves markets in the U.S. and China. Before that, she spent almost a decade at Deloitte, where she was literally the poster child for diversity. “They had a [life-size] cutout of me made and had it in the lobby of every Deloitte domestic office,” she recalls.

When she founded Piermont Bank, she prioritized adding a diverse array of voices and backgrounds when she assembled her team. She believes it’s a strength for the bank. “The reason why [women and minorities are] underserved is — no different from serving any industry or any demographic out there — unless you understand their pain points, it’s hard to come up with the right product and service to serve them,” says Cai-Lee. “If you don’t have enough representation of women, of minorities on your board and senior management [team], how do you foster an environment where [you can] address that demographic?”

How Subchapter S Issues Could Snag a Sale


Nearly 2,000 banks in the U.S. have elected Subchapter S tax treatment as a way of enhancing shareholder value since 1997, the first year they were permitted to make the election. Consequently, many banks have more than 20 years of operating history as an S corporation.

However, this history is presenting increasingly frequent challenges during acquisition due diligence. Acquirers of S corporations are placing greater emphasis on due diligence to ensure that the target made a valid initial Subchapter S election and continuously maintained eligibility since the election. Common issues arising during due diligence typically fall into two categories:

  • Failure to maintain stock transfer and shareholder records with sufficient specificity to demonstrate continuous eligibility as an S corporation.
  • Failure by certain trust shareholders to timely make required Qualified Subchapter S Trust (QSST) or Electing Small Business Trust (ESBT) elections.

A target’s inability to affirmatively demonstrate its initial or continuing eligibility as an S corporation creates a risk for the acquirer. The target’s S election could be disregarded after the deal closes, subjecting the acquirer to corporate-level tax liability with respect to the target for all prior periods that are within the statute of limitations. This risk assessment may impact the purchase price or the willingness of the buyer to proceed with the transaction. In addition, the target could become exposed to corporate tax liability, depending on the extent of the compliance issues revealed during due diligence, unless remediated.

Accordingly, it is important for S corporation banks to ensure that their elections are continuously maintained and that they retain appropriate documentation to demonstrate compliance. An S corporation bank should retain all records associated with the initial election, including all shareholder consents and IRS election forms. S corporation banks should also maintain detailed stock transfer records to enable the substantiation of continuous shareholder eligibility.

Prior to registering a stock transfer to a trust, S corporation banks should request and retain copies of all governing trust instruments, as well as any required IRS elections.

It is also advisable to have the bank’s legal counsel review these trust instruments to confirm eligibility status and any required elections. Banks that are relying on the family aggregation rules to stay below the 100 shareholder limitation should also keep records supporting the family aggregation analysis.

While S corporation banks have realized significant economic benefits through the elimination of double taxation of corporate earnings, maintaining strong recordkeeping practices is a critical element in protecting and maximizing franchise value, especially during an acquisition. Any S corporation bank that is contemplating selling in the foreseeable future should consider conducting a preemptive review of its Subchapter S compliance and take any steps necessary to remediate adverse findings or secure missing documentation prior to exploring a sale.

One Tool To Get a Better Grasp on Cybersecurity Risk Oversight


As new types of risk – and new regulatory requirements – are introduced, bank directors play an instrumental role in making sure the executive team is properly addressing cybersecurity risks.

This can be an especially challenging responsibility as it is rare for board members to have the technical background or expertise to appropriately assess an entity’s cybersecurity risk management program without external resources. In many instances, directors find themselves in the uncomfortable position of relying primarily on management reports or the advice of third-party providers to meet their oversight responsibilities.

Annual scorecards from management and vulnerability assessments from third-party providers have value, but can make it difficult to compare and assess risk management programs with confidence.

To address this challenge, boards can consult new guides that offer ways to explore and dig into potential cyber risk management issues and other technical matters.

The Center for Audit Quality (CAQ), recently released a new publication, “Cybersecurity Risk Management Oversight: A Tool for Board Members.” The tool, like other emerging frameworks, is designed to help board members probe more deeply, challenge management assertions from a position of knowledge and understanding, and make more informed use of independent auditors.

Asking the right questions
In addition to offering board members a high-level overview of cybersecurity risk management issues and board responsibilities, the tool offers a series of probing questions board members can use as they engage in discussions about cybersecurity risks and disclosures with management and with independent financial auditors.

The questions are organized into four groups:

  1. Understanding how the financial statement auditor considers cybersecurity risk. These questions help board members understand the auditor’s approach to cybersecurity-related risks, and how such risks get addressed in the audit process.
  2. Understanding the role of management and responsibilities of the financial statement auditor related to cybersecurity disclosures. These questions help board members explore compliance with current SEC guidance, as well as other regulatory and disclosure requirements.
  3. Understanding management’s approach to cybersecurity risk management. These questions look beyond financial reporting and compliance, and begin to probe broader cybersecurity-related issues, including the governing framework, policies, processes, and controls the bank has in place to manage and mitigate cybersecurity risk.
  4. Understanding how CPA firms can assist boards of directors in their oversight of cybersecurity risk management. These questions help board members learn about additional offerings CPA firms can provide to assist them, and what factors to consider when engaging outside auditors to perform readiness assessments and examinations.

Starting the conversation
The CAQ says the cybersecurity oversight tool is not intended to be a comprehensive, all-inclusive list of questions for board members to ask. It also cautions board members against treating the questions as a checklist.

Rather, board members should look at the questions as conversation starters, examples of the types of issues they should raise with management and financial statement auditors. The purpose of the questions is to spark a dialogue that clarifies responsibilities and helps board members develop a better understanding of how the company is managing its cybersecurity risks.

Expanding CPAs’ capabilities
As noted, one group of questions is designed to help board members learn more about other cybersecurity assurance services offered by CPA firms. One example of such services is the new System and Organization Controls (SOC) for Cybersecurity examination developed by the AICPA.

The information within the report provides management, directors or clients a description of the organization’s cybersecurity risk management program and an independent opinion on the effectiveness of the controls in place.

As concerns over cybersecurity risks in banking continue to intensify, directors will find it increasingly necessary to be capable of effectively challenging executive management and financial auditors. This tool is one guide, alongside other evolving frameworks and services, that can help boards fulfill their responsibilities while also adding significant value to the bank and its shareholders.

Four Best Practices to Help Bank Boards Manage New Cybersecurity Guidance


Updates to the FFIEC Management Booklet portion of the IT Examination Handbook in late 2015 have placed your board of directors under more pressure than ever to ensure the health and stability of your institution’s overall IT and cybersecurity environment.

While the board has always held ultimate responsibility for institutional governance, the revised handbook places extra demands on their level of knowledge and involvement, particularly in the areas of cybersecurity, examination procedures and IT management.

It’s perhaps the IT management portion and its two major changes that will prove most taxing to board members. First, the description of the IT management structure is more granular, with the addition of two new parties: executive management and a chief information security officer. Specifically, executive management is expected “to understand at a high level the IT risks faced by the institution and ensure those risks are included in the institution’s risk assessments. In the event that executive management is unable to implement an objective or agree on a course of action, executive management should escalate that matter to the board for more guidance.” The chief information security officer’s duties are spelled out in depth, and the guidance requires that person to report directly to the board, a committee of the board, or senior management—but not to someone in IT. The board is responsible for implementing this new governance structure.

Secondly—and of more concern—the updated guidance requires board members to provide “credible challenges” to bank management before approving IT or security decisions. This means they must maintain enough understanding of IT and cybersecurity matters to ascertain how these decisions might pose risks to the institution and whether they align with its overall strategy. And if they don’t understand something, they must be able to ask thoughtful, intelligent questions until they do.

Now, as most of us know, it isn’t uncommon for board members to “rubber stamp” IT management decisions, sending approvals through with a modest amount of consideration. So, given their accountability for understanding these matters before signing off on them, how can you help your board succeed?

It helps to view this challenge as a two-way street: the board provides oversight and governance, and the bank’s management and subject matter experts (SMEs) share their knowledge and information with board members to help them carry it out. There are four best practices to accomplish this task:

  1. Request that bank management, as well as the IT and security departments, begin passing relevant information to the board. Specifically, this includes monthly or quarterly summaries of incident reports that can apprise the board of any major incidents involving downtime, deployment of business continuity plans or anything else that could affect business decisions.
  2. Have your bank’s IT and security SMEs—or possibly an outside firm—provide the board with continuous updates on regulators’ expectations surrounding cyber risk management and oversight, as well as which high-level risks are circulating in the current environment. The experts also can consult with board members about why this knowledge is important, and how they can incorporate it into their strategic decisions.
  3. Encourage the board members to actively educate themselves by doing their own reading and research. To that end, ask one or two members to sit in on IT or security steering committees, then take the information they learn back to the rest of the board. This gives them access at the ground level.
  4. Invite the board to get involved with the Financial Services Information Sharing and Analysis Center (FS-ISAC), which shares the latest threat intelligence and attack methods, and encourages its financial industry members to do the same. If your institution has a membership—and it should—board members can access those resources and take part in the center’s bi-weekly conference calls.

Again, board members don’t have to become overnight SMEs. But they need to be involved, engaged and ready to ask some tough questions to ensure IT and security strategies are aligned with board expectations and the risk appetite they’ve set. If not, they shouldn’t be voting to approve IT plans.

After all, when it comes to IT, you can have all the best technology in the world, but if it’s unreliable or exposes your bank to too much risk, what good is it? It’s within the best interest of your institution and its board of directors to carefully apply the updated FFIEC guidance to all IT and security decisions.

How Banks Can Increase Cybersecurity Risk Management


In mid-2015, executives at a bank in Russia awoke one morning to discover that the institution had lost millions of rubles overnight through a series of unauthorized withdrawals made through the automated teller machines of other banks. Earlier in the year, the Russian ruble experienced a volatile 14-minute swing in the exchange rate that resulted in one financial institution’s reported loss of $3.2 million due to trades. Another well-coordinated attack in 2013 resulted in a loss of $45 million taken from ATM locations around the world when hackers eliminated the cash-withdrawal limits for 12 debit card accounts.

Such attacks are not limited to Russian banks; hackers and other cyber criminals are threatening the security of financial institutions around the world. The rise in cyber threats puts a spotlight on the vulnerability of the IT systems at many financial institutions—and intensifies the need to implement more robust security procedures to protect institutional assets.

A comprehensive assessment of an institution’s cybersecurity environment would have gone a long way towards establishing appropriate technology governance and protecting the assets of those Russian banks.

Targeting the Weakest Link
Among the most common and effective forms of cyberattack is social engineering—that is, contacting personnel by email or phone and duping them into disclosing confidential information, such as passwords or account details, that can subsequently be used to gain access to systems and data. Alternatively, an employee who opens a malicious attachment or link in an email can unwittingly install customized and often quite sophisticated malware (the software attackers use to infiltrate IT systems), giving the attacker a foothold inside the network.

Financial institutions are clearly not immune to such attacks, and the opportunities and attempts for unauthorized access have increased. Perimeter security mechanisms such as firewalls, while still necessary, are no longer enough on their own to protect an institution from modern threats: a phishing email or a compromised vendor connection passes straight through them. In practice, the weak link exploited in these scenarios is commonly an outdated banking process or system, such as an ATM interconnection that is reconciled only hours after the cash has been dispensed.

Implement a Risk-Based Approach
Most banks would claim they have a rich risk-assessment process, and to an extent, this may be true. But the focus is often primarily on business risk, not cybersecurity, and therein lies the issue. As a result, areas of weakness such as interconnection to ATMs may be overlooked. In addition, most banks have limited personnel and security resources dedicated to IT so, despite being attacked virtually every day, they cannot react to all alerts. Moreover, a bank’s internal enterprise risk management group may not be familiar with current risks or trained to respond to advanced threats.

IT investments will be based in part on whether or not the institution has been compromised historically; if management thinks a breach won’t happen, they probably won’t invest heavily in cybersecurity. Larger banks may have the resources to absorb the costs caused by a cybersecurity attack, but that is not true for all financial institutions.

There are a number of steps that financial institutions can take in order to mitigate IT security risks:

  • User awareness training: One of the most effective actions that any organization can take to reduce the risk of successful security attacks is employee and customer education. Strong awareness and education processes are critical actions to take to minimize the risks that social engineering poses. Training will differ, depending on the roles and responsibilities of the users, but an educated workforce and customer base are strong defenses against attacks.
  • Review and apply controls using a risk-based approach: To be truly effective, a risk assessment must get down into the weeds. A robust program will evaluate—and periodically re-evaluate—threats across the full inventory of the bank’s systems, data flows and third-party connections, not just the core banking platform.
  • Identify weaknesses: If the bank doesn’t examine the weaknesses in its systems, the hackers will. There is a reason why the hackers used the ATMs owned by one bank to steal money from another institution—they knew that most systems would give them a few hours’ lead time before the withdrawals were reconciled and reported. Understanding this weakness and implementing mitigating controls, such as near-real-time alerts on withdrawal velocity and on cards exceeding their configured limits, could have at least minimized the damage inflicted by such an attack.
  • Add controls: Management must develop and implement preventive controls that are designed to keep incidents from occurring and serve as a deterrent against unauthorized access. That said, it should also be assumed that these controls will eventually fail at some point. Therefore, detective controls are needed to monitor for and alert the organization to any malicious or unauthorized activity, including activity—taken knowingly or not—by employees. In addition, corrective controls can help limit the scope of an incident and contain unauthorized activity once it has been detected.
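The kind of detective control the two items above describe, as an added illustration that is not code from the original article: a small Python check that runs over a constructed set of ATM withdrawal records and raises alerts for (1) a card whose daily total exceeds the limit the authorization host should have enforced, which is exactly the symptom of the 2013 “unlimited” attack, (2) too many withdrawals or too much cash in a short window, and (3) cash-outs spread across several other institutions’ ATM networks. The record layout, threshold values and account numbers are all assumptions for the example.

```python
"""Velocity and limit checks over ATM withdrawal records (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not real data: ISO timestamp, card account, amount,
# and which network the ATM belongs to ("own" = this bank's ATMs; anything
# else = another institution's ATM, settled and reported hours later).
SAMPLE_WITHDRAWALS = [
    ("2016-05-06T01:00:00", "4111-0001", 500.0, "own"),
    ("2016-05-06T02:10:00", "4111-0001", 500.0, "own"),
    ("2016-05-06T09:15:00", "4111-0002", 100.0, "own"),
    ("2016-05-06T01:00:00", "4111-0003", 800.0, "bankB"),
    ("2016-05-06T01:04:00", "4111-0003", 800.0, "bankB"),
    ("2016-05-06T01:09:00", "4111-0003", 800.0, "bankC"),
    ("2016-05-06T01:15:00", "4111-0003", 800.0, "bankC"),
    ("2016-05-06T01:20:00", "4111-0003", 800.0, "bankD"),
]

# Assumed policy values; a real deployment reads them from the card product
# configuration rather than hard-coding them.
DAILY_LIMIT = 2000.0            # what the authorization host should enforce
WINDOW = timedelta(minutes=30)  # sliding window for velocity checks
MAX_TXNS_PER_WINDOW = 3
MAX_AMOUNT_PER_WINDOW = 1500.0
MIN_FOREIGN_NETWORKS = 2        # distinct other-bank networks in one window


def detect_anomalies(withdrawals):
    """Return a list of (account, rule, detail) alerts, one per rule per account."""
    by_account = defaultdict(list)
    for ts, acct, amount, network in withdrawals:
        by_account[acct].append((datetime.fromisoformat(ts), amount, network))

    alerts = []
    for acct, txns in sorted(by_account.items()):
        txns.sort(key=lambda t: t[0])

        # Rule 1: daily total above the configured limit. This fires even when
        # every individual withdrawal looks ordinary, i.e. when the limit
        # itself has been removed or raised in the authorization system.
        per_day = defaultdict(float)
        for ts, amount, _ in txns:
            per_day[ts.date()] += amount
        for day, total in sorted(per_day.items()):
            if total > DAILY_LIMIT:
                alerts.append((acct, "daily_limit_exceeded",
                               f"{day}: {total:.2f} > {DAILY_LIMIT:.2f}"))

        # Rules 2 and 3: sliding window over the account's withdrawals.
        fired = set()
        start = 0
        for end, (ts_end, _, _) in enumerate(txns):
            while ts_end - txns[start][0] > WINDOW:
                start += 1
            window = txns[start:end + 1]
            amount = sum(a for _, a, _ in window)
            foreign = {n for _, _, n in window if n != "own"}
            if "velocity" not in fired and (
                len(window) > MAX_TXNS_PER_WINDOW or amount > MAX_AMOUNT_PER_WINDOW
            ):
                fired.add("velocity")
                alerts.append((acct, "velocity",
                               f"{len(window)} withdrawals / {amount:.2f} within {WINDOW}"))
            if "multi_network_cashout" not in fired and len(foreign) >= MIN_FOREIGN_NETWORKS:
                fired.add("multi_network_cashout")
                alerts.append((acct, "multi_network_cashout",
                               f"ATMs of {sorted(foreign)} within {WINDOW}"))
    return alerts


if __name__ == "__main__":
    # Only account 4111-0003 trips the rules on the sample data.
    for alert in detect_anomalies(SAMPLE_WITHDRAWALS):
        print(alert)
```

The daily-limit rule is the important one for the scenario in the text: a velocity rule alone can be tuned around by spacing withdrawals out, but a reconciliation of the day’s total against the limit the bank believes it is enforcing catches the case where the limit has been tampered with. Because the other banks’ ATM records arrive late, in production this check would run over the authorization log (the bank’s own record of what it approved), not over the settlement file.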

With so much at stake—potential financial losses, compromised brand reputations, access to operational capital and possible regulatory violations—taking action is a business imperative.

The Five Critical Attributes of Effective Cybersecurity Risk Management


The size, complexity and ever-evolving nature of cyberattacks mean there’s no one-size-fits-all way to respond. Whatever your organization’s plan to mitigate the risk of data breaches, to be effective, it must encompass the five attributes discussed here.

Attribute One: An Effective Framework
An effective, appropriate framework is an essential place to start. The centerpiece of any cybersecurity risk management program, a cybersecurity framework is a standard designed to assist with managing the confidentiality, integrity and availability of data and critical infrastructure.

Many frameworks are now in use in various industries (some common ones include the National Institute of Standards and Technology Cybersecurity Framework, the ISO/IEC 27001 standard from the International Organization for Standardization, and ISACA’s COBIT). Regardless of which framework an organization chooses for managing its cybersecurity program, the framework will need to be adapted and fine-tuned to reflect the organization’s size and the nature of the data being protected. The point here is not to advocate for one framework over another; rather, the point is that choosing and implementing a framework is an essential first step in guarding against cybersecurity threats and launching a cybersecurity risk management program.

Attribute Two: End-to-End Scope
The second critical attribute of a cybersecurity program is its scope. An effective program must be comprehensive, or end to end, in scope—that is, the program must address all the critical elements that need to be protected in the institution.

To understand your full scope, you must “follow the data” and identify everywhere sensitive data is created, stored or transmitted. Beyond the immediate system, there might be many unknown data stores, including cloud services and third-party vendors.

Attribute Three: Thorough Risk Assessment and Threat Modeling
Because no institution has unlimited resources to devote to cybersecurity, the multiplying array of threats means risk assessment and prioritization are essential. By monitoring emerging threats and assessing both their likelihood and the damage they could cause, the cybersecurity team can develop a decision heat map that plots the potential risk against the cost and effort that would be required to protect against it.
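The decision heat map described above, as an added example that is not from the original article: a Python routine that takes a constructed risk register (likelihood and impact on a 1 to 5 scale, plus a 1 to 5 estimate of mitigation cost and effort), places each item in a likelihood-by-impact grid, and ranks the items by how much risk reduction each unit of cost buys. The register entries, scales and bucket thresholds are assumptions for the example.

```python
"""Risk heat map and cost-aware prioritization (added example)."""
from collections import defaultdict

# Constructed risk register (not real assessment data):
# (risk, likelihood 1-5, impact 1-5, mitigation cost/effort 1-5)
RISK_REGISTER = [
    ("Phishing leading to credential theft", 5, 4, 2),
    ("ATM network withdrawal-limit tampering", 2, 5, 3),
    ("Third-party vendor breach", 3, 4, 4),
    ("Untested backup restore", 2, 3, 1),
    ("Unpatched legacy core banking host", 4, 5, 5),
]


def risk_score(likelihood, impact):
    """Classic likelihood x impact score on a 1-25 scale."""
    return likelihood * impact


def risk_bucket(score):
    """Assumed thresholds for the heat map colouring."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def heat_map(register):
    """Map each (likelihood, impact) cell to the risks that fall in it."""
    grid = defaultdict(list)
    for name, likelihood, impact, _ in register:
        grid[(likelihood, impact)].append(name)
    return dict(grid)


def prioritize(register):
    """Rank risks by score per unit of mitigation cost, highest first.

    Ties are broken by raw score so that, for equal value-for-money,
    the bigger risk is treated first.
    """
    rows = []
    for name, likelihood, impact, cost in register:
        score = risk_score(likelihood, impact)
        rows.append((name, score, risk_bucket(score), round(score / cost, 2)))
    return sorted(rows, key=lambda r: (r[3], r[1]), reverse=True)


def render_heat_map(register):
    """Plain-text grid: rows are impact (5 at top), columns are likelihood."""
    grid = heat_map(register)
    lines = []
    for impact in range(5, 0, -1):
        cells = []
        for likelihood in range(1, 6):
            n = len(grid.get((likelihood, impact), []))
            cells.append(f"{risk_bucket(risk_score(likelihood, impact))[0]}{n}")
        lines.append(f"impact {impact} | " + " ".join(cells))
    lines.append("           likelihood 1..5 (letter = bucket, digit = # risks)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_heat_map(RISK_REGISTER))
    for name, score, bucket, value in prioritize(RISK_REGISTER):
        print(f"{value:5.2f}  {bucket:6s}  {score:2d}  {name}")
```

Note that the cheapest item (the untested backup restore) ranks above the two “high” risks that are expensive to fix. That is the point of plotting risk against cost: the list tells the board which items are quick wins and which high-scoring items need a funded project, rather than presenting one undifferentiated list of worries.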

Attribute Four: Proactive Incident Response Planning
For much of its history, the cybersecurity industry focused on preventing attacks. Today, although breach prevention remains paramount, the focus is shifting away from prevention alone toward being prepared for the worst case, on the assumption that some attack will eventually succeed. Preparing an incident response plan—and updating it regularly—is a minimum first step.

A typical incident response plan encompasses the following fundamental steps; the first several must be completed before an incident occurs, because there is no time to inventory data or assemble a team once a breach is under way:

  • Inventory and understand the data to be protected.
  • Inventory and classify incidents.
  • Understand known threats and monitor new ones.
  • Identify the stakeholders and incident response team—corporate communications, legal, compliance, lines of business, IT and external forensics partners.
  • Set up a command center.
  • Develop and implement a containment and investigation strategy.
  • Develop and implement an evidence preservation strategy.
  • Develop and implement a communication plan for customers, media, regulators and other stakeholders.
  • Conduct a post-mortem and apply lessons learned.

Attribute Five: Dedicated Cybersecurity Resources
The final critical attribute of a cybersecurity initiative is having sufficient resources dedicated to the effort—in particular, a designated cybersecurity team. Many organizations have not yet given adequate attention to this requirement, often neglecting to assign appropriate roles and responsibilities or failing to establish the necessary governance structures called for in the framework being used.

In most companies, the IT team’s day-to-day attention is focused primarily on keeping the system up and running—an understandable priority. After all, service interruptions are noticed immediately and the effects are apparent to almost everyone. On the other hand, security lapses or breaches are less visible than service interruptions—at least at first—and the benefits of prevention and incident planning are not nearly as obvious.

The cybersecurity effort should be led by an experienced team leader for whom IT security is his or her primary duty rather than a secondary function squeezed in among other priorities. If the company is too small to afford a cybersecurity staff member, consider retaining a professional cybersecurity firm to implement the IT security function in order to develop appropriate prevention and response plans.