Despite continued and growing anxiety around cybersecurity, boards have long struggled to understand the intricacies of the bank’s security efforts. Instead, they have often left it to the technology and security experts within the institution. But with increased scrutiny from regulators, a shift toward proactive oversight at the board level may be in the works.
According to Bank Director’s 2023 Risk Survey, 89% of bank executives and board members reported in January that their institution conducted a cybersecurity assessment in 2021-22. In response to that assessment, 46% said that the board had increased or planned to increase its oversight of cybersecurity moving forward.
Ideally, that could have the board taking an active oversight role by asking pointed questions about the threats facing the organization and how it would respond in various scenarios. In order to do that, boards could look to add cybersecurity experts to their membership.
For public banks, a requirement to make known the cybersecurity expertise on the board is expected to go into effect soon. The Securities and Exchange Commission announced last year that public companies would need to disclose which board members have cybersecurity expertise, with details about the director’s prior work experience and relevant background information, such as certifications or other experience. The SEC adds that cyber expertise on the board doesn’t decrease the responsibilities or liabilities of the remaining directors. The proposed rules, which also include expectations around disclosing cyber incidents, were first expected to go into effect in April 2023.
The demand for cyber expertise in the boardroom “will eventually trickle down to all community banks,” predicts Joe Oleksak, a partner focused on cybersecurity at the business advisory firm Plante Moran. “Very few [people] have that very specific cybersecurity experience,” he continues. “It’s often confused with technology experience.”
Last year, Bank Director’s 2022 Governance Best Practices Survey found 72% of directors and CEOs indicating a need for more board-level training about cybersecurity. The previous year, 45% reported that at least one board member had cyber expertise.
Often, bank boards seek cyber expertise by adding new directors with that particular skill set; other times, a board member may take ownership over the space and learn how to oversee it. Both approaches come with significant hurdles. An existing board member may not have the extra time required to become the board’s de facto cyber expert. An in-demand outsider may not be willing to financially commit to the bank; board members are typically subject to ownership requirements.
Boards rely on information from the bank’s executives as part of the deliberation process. It’s common for directors to trust the chief technology officer, chief security officer or the chief information security officer to provide updates on cyber threats and tactics. But understanding the incentives and expertise of the executive would ensure that directors understand the value of the information they receive, says Craig Sanders, a partner of the accounting firm Moss Adams, which sponsored the Risk Survey.
Boards leaning on their CSO, for instance, need to understand that these officers solely focus on broad defense of the institution, which includes both physical and digital protection of the bank. The CISO, on the other hand, homes in on securing data. Meanwhile, the CTO should have a broad understanding of cybersecurity, but likely will not be able to dig into the weeds as they’re primarily focused on the bank’s technology.
A third party can help fill in the gaps for the board.
“If you have someone coming in that has seen hundreds of institutions, then you get a better lens,” says Sanders. An outside advisor can educate directors about common security threats based on what’s happening at other institutions. A third party can also provide an external point of view.
Some, however, hesitate in suggesting that a board should seek to add a cyber expert to its membership. “It’s going to taint your board or what the purpose of your board is,” says Joshua Sitta, co-founder and CISO at the cybersecurity advisor Sittadel. “I think you’re going to have a voice driving [the board] toward risk management.”
Sitta explains that those focused on cybersecurity will push for more security. But a board’s role is oversight, governance and providing a sounding board to executive management to keep the bank safe, sound and growing. Having cyber talent at the board level could discourage growth opportunities for fear that any new initiative could pressure security efforts.
Banks should ensure they’re protected against large breaches of critical data, says Sitta, but should not chase complete protection by investing to prevent every breach or fraud alert, no matter how insignificant. Understanding what is a reasonable concern is important for the board to grasp. But cybersecurity experts within the company or advising the board should simply “inform” the board, according to Sitta. With that information, the board can then assess whether the bank has the risk appetite to add a debated service or investment.
Many boards, though, might not have a full awareness of the level of attacks the bank faces. In Bank Director’s 2022 Risk Survey, conducted last year, board members and executives were asked if their bank experienced a data breach or ransomware attack in 2020-21, with 93% noting that they had not. This could indicate that board members and top executives aren’t fully aware of the threats their bank faces on a daily basis, or that they may soon have to weather one.
“They get into a false sense [of security],” says Sanders. “Everyone is going to have some kind of disclosure. Assessing the program and making changes once a year probably isn’t sufficient.”
While 71% of respondents in last year’s Risk Survey said their board was apprised of deficiencies in the bank’s cybersecurity risk program, less than half — 42% — reported that their board reviewed detailed metrics or scorecards that outlined cyber incidents, and 35% used data and relevant metrics to facilitate strategic decisions and monitor cyber risk.
The lack of awareness of a threat or breach could give the board a sense of ease. But this could hold the bank back from making the shifts needed to protect from the largest attacks. Further, a board that remains unaware of the true rates of incidents could underestimate the imperative to build or adjust a cyber response.
Another factor that boards must consider is how they have long prioritized cybersecurity.
“A lot of smaller organizations view cybersecurity as a cost center,” says Oleksak. The 2023 Risk Survey found that banks budget a median $250,000 for cybersecurity, ranging from $125,000 reported for the smallest institutions to $3 million for banks above $10 billion in assets. “It’s like insurance. You understand that it’s not a revenue generation center, [but] ignoring it can significantly affect the organization.”
Bank Director’s 2023 Risk Survey, sponsored by Moss Adams, surveyed 212 independent directors, CEOs, chief risk officers and other senior executives of U.S. banks below $100 billion in assets to gauge their concerns and explore several key risk areas, including interest rate risk, credit and cybersecurity. Members of the Bank Services Program have exclusive access to the complete results of the survey, which was conducted in January 2023.
Bank Director’s 2022 Governance Best Practices Survey, sponsored by Bryan Cave Leighton Paisner, surveyed 234 independent directors and CEOs of U.S. banks below $100 billion in assets to explore governance practices, board culture, committee structure and ESG oversight. The survey was conducted in February and March 2022.
Risk issues like these will be covered during Bank Director’s Bank Audit & Risk Conference in Chicago, June 12-14, 2023.