Does Your Board Need More Cyber Expertise?

Despite continued and growing anxiety around cybersecurity, boards have long struggled to understand the intricacies of the bank’s security efforts. Instead, they have often left it to the technology and security experts within the institution. But with increased scrutiny from regulators, a shift toward proactive oversight at the board level may be in the works.

According to Bank Director’s 2023 Risk Survey, 89% of bank executives and board members reported in January that their institution conducted a cybersecurity assessment in 2021-22. In response to that assessment, 46% said that the board had increased or planned to increase its oversight of cybersecurity moving forward.

Ideally, that could have the board taking an active oversight role by asking pointed questions about the threats facing the organization and how it would respond in various scenarios. In order to do that, boards could look to add cybersecurity experts to their membership.

For public banks, a requirement to make known the cybersecurity expertise on the board is expected to go into effect soon. The Securities and Exchange Commission announced last year that public companies would need to disclose which board members have cybersecurity expertise, with details about the director’s prior work experience and relevant background information, such as certifications or other experience. The SEC adds that cyber expertise on the board doesn’t decrease the responsibilities or liabilities of the remaining directors. The proposed rules, which also include expectations around disclosing cyber incidents, were first expected to go into effect in April 2023.

The demand for cyber expertise in the boardroom “will eventually trickle down to all community banks,” predicts Joe Oleksak, a partner focused on cybersecurity at the business advisory firm Plante Moran. “Very few [people] have that very specific cybersecurity experience,” he continues. “It’s often confused with technology experience.”

Last year, Bank Director’s 2022 Governance Best Practices Survey found 72% of directors and CEOs indicating a need for more board-level training about cybersecurity. The previous year, 45% reported that at least one board member had cyber expertise.

Often, bank boards seek cyber expertise by adding new directors with that particular skill set; other times, a board member may take ownership over the space and learn how to oversee it. Both approaches come with significant hurdles. An existing board member may not have the extra time required to become the board’s de facto cyber expert. An in-demand outsider may not be willing to financially commit to the bank; board members are typically subject to ownership requirements.

Boards rely on information from the bank’s executives as part of the deliberation process. It’s common for directors to trust the chief technology officer, chief security officer or the chief information security officer to provide updates on cyber threats and tactics. But understanding the incentives and expertise of the executive would ensure that directors understand the value of the information they receive, says Craig Sanders, a partner of the accounting firm Moss Adams, which sponsored the Risk Survey.

Boards leaning on their CSO, for instance, need to understand that these officers solely focus on broad defense of the institution, which includes both physical and digital protection of the bank. The CISO, on the other hand, homes in on securing data. Meanwhile, the CTO should have a broad understanding of cybersecurity, but likely will not be able to dig into the weeds as they’re primarily focused on the bank’s technology.

A third party can help fill in the gaps for the board.

“If you have someone coming in that has seen hundreds of institutions, then you get a better lens,” says Sanders. An outside advisor can educate directors about common security threats based on what’s happening at other institutions. A third party can also provide an external point of view.

Some, however, hesitate in suggesting that a board should seek to add a cyber expert to its membership. “It’s going to taint your board or what the purpose of your board is,” says Joshua Sitta, co-founder and CISO at the cybersecurity advisor Sittadel. “I think you’re going to have a voice driving [the board] toward risk management.”

Sitta explains that those focused on cybersecurity will push for more security. But a board’s role is oversight, governance and providing a sounding board to executive management to keep the bank safe, sound and growing. Having cyber talent at the board level could discourage growth opportunities for fear that any new initiative could pressure security efforts.

Banks should ensure they’re protected against large breaches of critical data, says Sitta, but should avoid complete protection that has them investing to prevent every breach or fraud alert, no matter how insignificant. Understanding what’s a reasonable concern is important for the board to grasp. But cybersecurity experts within the company or advising the board should simply “inform” the board, according to Sitta. With that information, the board can then assess whether the bank has the risk appetite to add a debated service or investment.

Many boards, though, might not have a full awareness of the level of attacks the bank faces. In Bank Director’s 2022 Risk Survey, conducted last year, board members and executives were asked if their bank experienced a data breach or ransomware attack in 2020-21, with 93% noting that they had not. This could indicate that board members and top executives aren’t fully aware of the threats their bank faces on a daily basis, or that they may have to weather a threat soon.

“They get into a false sense [of security],” says Sanders. “Everyone is going to have some kind of disclosure. Assessing the program and making changes once a year probably isn’t sufficient.”

While 71% of respondents in last year’s Risk Survey said their board was apprised of deficiencies in the bank’s cybersecurity risk program, less than half — 42% — reported that their board reviewed detailed metrics or scorecards that outlined cyber incidents, and 35% used data and relevant metrics to facilitate strategic decisions and monitor cyber risk.

The lack of awareness of a threat or breach could give the board a sense of ease. But this could hold the bank back from making the shifts needed to protect from the largest attacks. Further, a board that remains unaware of the true rates of incidents could underestimate the imperative to build or adjust a cyber response.

Another factor that boards must consider is how they have long prioritized cybersecurity.

“A lot of smaller organizations view cybersecurity as a cost center,” says Oleksak. The 2023 Risk Survey found that banks budget a median $250,000 for cybersecurity, ranging from $125,000 reported for the smallest institutions to $3 million for banks above $10 billion in assets. “It’s like insurance. You understand that it’s not a revenue generation center, [but] ignoring it can significantly affect the organization.”

Resources
Bank Director’s 2023 Risk Survey, sponsored by Moss Adams, surveyed 212 independent directors, CEOs, chief risk officers and other senior executives of U.S. banks below $100 billion in assets to gauge their concerns and explore several key risk areas, including interest rate risk, credit and cybersecurity. Members of the Bank Services Program have exclusive access to the complete results of the survey, which was conducted in January 2023.

Bank Director’s 2022 Governance Best Practices Survey, sponsored by Bryan Cave Leighton Paisner, surveyed 234 independent directors and CEOs of U.S. banks below $100 billion in assets to explore governance practices, board culture, committee structure and ESG oversight. The survey was conducted in February and March 2022.

Risk issues like these will be covered during Bank Director’s Bank Audit & Risk Conference in Chicago, June 12-14, 2023.

Dusting Off Your Asset/Liability Management Policies

Directors reviewing their bank’s asset/liability management policy in the wake of recent bank failures should avoid merely reacting to the latest crisis.

Managing the balance sheet has come under a microscope since a run on deposits brought down Silicon Valley Bank, the banking subsidiary of SVB Financial Group, and Signature Bank, leading regulators to close the two large institutions. While most community banks do not have the same deposit concentrations that caused these banks to fail, bank boards should ask their own questions about their organization’s asset/liability strategies.

A bank’s asset/liability management policy spells out how it will manage a mismatch between its assets and liabilities that could arise from changing interest rates or liquidity requirements. It essentially provides the bank with guidelines for managing interest rate risk and liquidity risk, and it should be reviewed by the board on an annual basis.

“With both Silicon Valley Bank and Signature Bank, you had business models that were totally different from a regular bank, whether it’s a community bank, or a regional or even a super regional, the composition of their asset portfolios, the composition of their funding sources, were really different,” says Frank “Rusty” Conner, a partner at the law firm Covington & Burling. “Anytime you have a semi-crisis or crisis like we’ve had, you’re going to reassess things.”

Conner identifies three key flaws at play today that mirror the savings and loan crisis of the 1980s and 90s: an over-concentration in certain assets, a mismatch between the maturities of assets and liabilities, and waiting too long to recognize losses.

Those are all lessons that directors should consider when they revisit their bank’s asset/liability management policies and programs, he says. “Is there any vulnerability in our policies that relates to concentration or mismatch, or failing to address losses early?”

In order to do that, directors need to understand their bank’s policies well enough to ask intelligent and challenging questions of the bank’s management. The board may or may not have that particular subject matter expertise on its risk, audit or asset/liability committee, or in general, says Brian Nappi, a managing director with Crowe LLP.

“I don’t think there’s a deficiency in policies per se,” he adds. “It’s the execution.”

Nappi recommends that boards seek to “connect the dots” between their company’s business strategy and how that could fare in a changing interest rate environment.

Conner raises a similar point, questioning why some banks had so much money invested in government securities when the Federal Reserve was telegraphing its intent to eventually raise interest rates.

“That whole issue just looks so clear in hindsight now, and maybe that’s unfair,” he says. “But why is it that we didn’t anticipate that, and are we in a better position today to anticipate similar types of developments in the future?”

Boards could consider bringing in an outside expert to review the asset/liability management policy, says Brandon Koeser, a senior analyst with RSM US. A fresh set of eyes, such as an accounting firm, consultant or even a law firm, can help the board understand if its framework is generally in line with other institutions of its size and whether it’s keeping pace with changes in the broader economy.

“You also want to think about the [asset/liability management] program itself, separate from the policy, and how often you’re actually going through and reviewing to make sure that it’s keeping pace with change,” Koeser adds.

Steps to Take: Revisiting the Asset/Liability Management Policy

  • Establish and understand risk limits.
  • Consider how to handle policy exceptions.
  • Define executive authority for interest rate risk management.
  • Outline reports the board needs to monitor interest rate risk.
  • Establish the frequency for receiving those reports.
  • Evaluate liquidity risk exposure to adverse scenarios.
  • Understand key assumptions in liquidity stress testing models.
  • Review guidelines around the composition of assets and liabilities.
  • Monitor investment activities and performance of securities.
  • Review contingency funding plans.

Directors should also ask management about any liquidity stress testing the bank may be engaging in. Do directors fully understand the key assumptions in the bank’s stress testing models, and do they grasp how those key assumptions could change potential outcomes?

And if executives tell the board that the bank’s balance sheet can withstand a 30% run-off of deposits in a short period of time, directors shouldn’t be satisfied with that answer, says Matt Pieniazek, CEO of Darling Consulting Group, a firm that specializes in asset/liability management. The board should press management to understand exactly how bad losses would need to be to break the bank.

“Directors don’t know enough to ask the question sometimes. They’re afraid to show their stress testing breaking the bank,” he says. “They need to have the opposite mindset. You need to understand exactly what it would take to break the bank. What would it take to create a liquidity crisis? How bad would it have to get?”

Sometimes policies tend to be too rigid or not descriptive enough, adds Pieniazek.

“The purpose of policies is not to put straitjackets around people,” he says. “If you have to look to policies for guidance, you want to make sure that they have an appropriate amount of flexibility and not too much unnecessary restrictiveness.”

Many banks’ policy limits concerning the use of wholesale funding — such as Federal Home Loan Bank advances and brokered deposits — are too strict and unnecessarily constrained, Pieniazek says. “A lot of them will have limits, but they’re inadequate or the limits are not sufficient, both individually and in the aggregate.”

An example of this might be a policy that stipulates the bank can tap FHLB funding for up to 25% of its assets and the Federal Reserve discount window for up to 15% but restricts the bank from going above 35% in the aggregate.

Along those lines, directors should make sure management can identify all qualifying collateral the bank might use to borrow from the Federal Reserve or FHLB, taking into account collateral that may have been pledged elsewhere. And directors should revisit any overly rigid policies that could tie executives’ arms in a liquidity crunch. A policy stipulating that a bank will sell securities first may prove too inflexible if it means having to sell those securities at a loss, for instance.

A board will also want to understand whether its asset/liability management plan considers the life cycle of a possible bank run. In that kind of scenario, how much would the bank depend upon selling assets in order to meet those liquidity needs? And what’s the plan if some of its securities are underwater when that happens?

While the most recent banking crisis doesn’t necessarily mean bank boards need to overhaul their asset/liability management policies, they should at least review those policies with some key questions and lessons in mind.

“If your regulator comes in, and they see dust on the cover of the ALM policy,” says Koeser, “and they see that the liquidity stress test or scenario analysis aren’t appropriately incorporating shocks or stressors, it could be a difficult conversation to have with your regulator on why there weren’t changes.”

Additional Resources
Bank Director’s Board Structure Guidelines include a resource focused on ALCO Committee Structure. The Online Training Series includes units on managing interest rate risk and model validation. For more about stress testing to incorporate liquidity, read “Bank Failures Reveal Stress Testing Gaps.”

The Post-Pandemic Priorities for Audit and Risk Committees

Even as the Covid-19 pandemic continues to reshape the banking and financial services industries, forward-looking organizations are focusing on how they can adapt to a post-pandemic world. With many business processes and controls forever changed, boards of directors — including their audit and risk committees — acknowledge that their views on fundamental risk issues must change as well.

New Workplaces, New Risks
One of the pandemic’s most disruptive effects was the upheaval of the centralized workforce. For decades, employees gathered together in a central location to work. Businesses took great pride in these workplaces, even putting their names atop the buildings in which they were located.

However, the pandemic shattered that model — possibly permanently — along with the concept of regular office hours and the expectations that personal devices should not be used for company business. During the pandemic, employees worked from their kitchens and dining rooms, improvising as they adapted to new ways of operating that would have been impossible 20 years ago. Beyond the obvious physical, security and technical risks associated with this dispersal, board members should understand some of the less visible risks.

For example, corporate culture often is shaped from the ground up through casual workplace interactions, which can be lacking in a remote work arrangement. Similarly, if people cannot gather together physically to brainstorm ideas, innovation and creativity can suffer. Many executives also lament their inability to read body language, tone of voice and other nuances in employees’ behavior to spot potential problems.

These types of risks are inherently difficult to quantify. Nevertheless, risk committees should be aware of them and ascertain whether management is addressing them.

Of even more pressing concern, however, are the effects that a decentralized workforce has on a bank’s business processes and control environment. While the immediate responsibility for overseeing management’s response to these risks might be assigned to the audit and risk committees, ultimately all board members have oversight responsibility and should make a committed effort to understand these risks.

Audit and risk committee priorities
Previously, when audit committees addressed risks associated with business processes and controls, they had the advantage of operating in something like a laboratory. The bank controlled most of the variables such as access controls, approvals and validations. In the post-pandemic world, however, risk monitoring and mitigation efforts must address new variables outside the bank’s control.

One specific audit committee priority is the need to evaluate how a dispersed workforce affects the control environment. Controlling access to systems is an area of major risk; remote reconciliations, remote approvals and digital signatures also are important concerns.

While a virtual private network generally would be the preferred method of providing remote employee access, that capability often was unavailable during the pandemic. Other options became necessary. In addition, many controls had to be redesigned quickly, with little time for testing the adequacy of their design or the effectiveness of the implementation.

Now is the time for many audit committees to take a step back and look holistically at their banks’ control environments. In addition to system access, this overview should include controls governing the retention of sensitive data, timely execution of controls, coordination to resolve deficiencies and validation of secondary reviews.

In assessing such controls, committee members might be constrained by their limited understanding of the technology. Given the novel nature of today’s situation, audit committees should consider getting qualified technical assistance, independent of management, to evaluate the steps taken to accommodate the new work environment.

Strategic issues and board concerns
Both the risk committee and the full board should consider broader questions as well. At a strategic level, boards should explore whether management’s response to the pandemic is sustainable. In other words, should the new practices the bank established — including remote work arrangements — become permanent?

Bank management teams have issued many press releases recounting how successfully they responded to the crisis. As banks move into the post-pandemic world, board members should review these responses and ask whether the new practices will allow for growth and innovation so that their banks can thrive in the future while still maintaining a well-controlled work environment.

As they revisit documented policies, controls and procedures — and remeasure the associated risks — boards and management teams ultimately must decide whether the new control environment is consistent with the strategy of the bank and capable of sustaining its desired organizational culture.

Why a Solid Risk Management Framework Helps Manage Change

Who owns risk management at your bank?

If your bank limits that function to the teams that report to the chief risk officer, it’s fumbling on two fronts: It’s failing to drive accountability across every corner of the enterprise, and it’s conceding its edge in a marketplace that’s never been more competitive.

Recognizing that every employee owns a piece of this responsibility makes risk management both an offensive and a defensive posture for your organization. This empowers your employees to move nimbly, strategically and decisively when the bank encounters change, whether it’s an external regulatory pressure or an internal opportunity to launch a new product or service. In either case, your team navigates through change by building on best operational practices, which, in the end, work to your advantage.

Getting the bank into that position doesn’t happen overnight; the vision starts with the actions of your senior leaders. They set the tone and establish expectations, but everyone plays a hands-on role. When management prioritizes an environment where people can work collaboratively and have transparency into related roles, they foster consistency across your change management process that minimizes risk.

The need for a risk-aware culture aligns precisely with the signals coming out of Washington, D.C., that the stakes are getting higher. The Consumer Financial Protection Bureau hinted early at increased regulatory scrutiny, advising that it would tighten the regulatory standards it had relaxed to allow banks to quickly respond to customers’ financial hardship in 2020.

In response to the competitive and regulatory environment, your bank’s risk management framework should incorporate four key elements:

  • Risk Governance. Start with setting the ground rules for how the bank will govern its risk. Define its risk strategy, the role the board and management will play and the committees that compose that governance structure — and don’t forget to detail their decision-making authority, approval and escalation process across those bodies. This upfront work also should introduce robust systems for ongoing monitoring and risk reporting, establish standard parameters on how the bank identifies issues and create a basic roadmap to remediate issues when they come along.
  • Operating Model. Distinguish the roles and responsibilities for every associate, with a key focus on how they manage risk generated by the core activities in that business. By taking the time to ensure all individuals, in every line of defense, understand their expected contributions, your bank will be ahead of the game because your people can act more quickly and efficiently when a change needs to happen.
  • Standard Framework, Definitions and Taxonomies. In basic terms, everyone across the enterprise needs to speak the same language and assign risk ratings the same way. Calibrating these elements at the onset builds confidence that your bank gives thoughtful attention to categorizing risks into the right buckets. Standardization should include assessment scales and definitions of different risks and risk events, leading to easier risk aggregation and risk reporting that enables a holistic view of risk across the enterprise.
  • Risk Appetite. Nothing is more important than establishing how much risk your organization is willing to take on in its daily business. Missing the mark can impact your customers, bottom line and reputation. Optimally, bank leaders will reestablish this risk appetite annually, but black swan events such as the pandemic should prompt more timely reviews.

Too often, banks reinvent the wheel every time a change or demand comes along. As the industry eyes increasing regulatory pressure in the year ahead, driving and promoting a robust risk management culture is no longer a “nice to have” within your organization; it’s a “need to have.”

When you reset the role and ownership of risk management as a strategic pillar in your bank’s future growth and direction, you minimize your bank’s risk and actually propel your company forward.

Banks looking to check out best practices and a strategic framework for creating their enterprise risk framework should check out my latest whitepaper, Turning a Solid Risk Framework Into a Competitive Advantage.

Driving Accountability in Incentive Compensation Governance

I once flunked a math test because I didn’t show my work. Turns out, showing your work is important to both math teachers and bank regulators.

To drive accountability, it is important to document and “show your work” when it comes to governance of incentive compensation plans and processes. The largest banks, due to increased regulatory oversight, have made significant strides in complying with regulators’ guidance and creating robust accountability. Here are some resulting “better practices” that provide food for thought for banks of all sizes.

While the 2010 interagency guidance on sound incentive compensation policies is almost a decade old, it remains the foundation for regulatory oversight on the matter. The guidance outlined three lasting principles for the banking industry:

  • Provide employees incentives that appropriately balance risk and reward.
  • Create policies that are compatible with effective controls and risk management.
  • Support policies through strong corporate governance, including active and effective oversight by the organization’s board of directors.

Most organizations used the release of the 2010 guidance to take a fresh look at their incentive plans. It proposed a non-exhaustive list of risk-balancing methods, such as risk adjustment of awards and deferral of payment. Many banks changed their plan structures and provisions to increase sensitivity to, and better account for, risk. The changes made sense pragmatically but largely addressed only the first principle.

After the financial crisis, boards were expected to engage in the oversight and review of all incentive arrangements to ensure that they were not rewarding imprudent risk taking. However, most institutions quickly realized it was not practical for directors to be in the weeds of all their broad-based incentive plans and thus delegated that task to management.

Compensation committees outlined expectations for senior management regarding incentive plan creation, administration and monitoring in a formal document. Their expectations would include, for example, the process for reviewing incentive plan risk.

Comp, Risk Committees Cooperate
Banks also developed stronger communication or information sharing between the compensation and risk committees of the board. This was sometimes accomplished through cross-pollinating members between the committees or conducting joint meetings on the topic. It also became standard for the chief risk officer to participate in compensation committee meetings and present on incentive compensation risk, as well as the overall risk profile of the organization.

Incentive compensation review committees, made up of the most-senior control function heads such as the chief financial officer, chief human resource officer, general counsel and chief risk officer, are often delegated primary oversight responsibilities. To create accountability, this management committee operates under a formal charter, oversees the entire governance process, provides for credible challenges throughout and annually approves all non-executive plans. A summary of their activities and findings is presented to the compensation committee annually, at minimum.

Working groups representing various business lines and broad control functions support the management committee in actively monitoring incentive compensation plans. Every activity in the governance process—from plan creation or modification to risk reviews and back-testing—has a documented process map with roles and responsibilities.

These large bank practices might be overkill for smaller organizations. However, some level of documentation and process formalization is healthy for a bank of any size. My advice: Don’t get fixated on the red tape, as proper governance and controls can be scaled to the size and complexity of each individual bank.

Formalize the Process
The second and third principles of the 2010 guidance are aimed at driving greater accountability and efficient oversight, including enhanced information sharing. Formalizing the process simply helps to crystalize expectations for those involved and safeguards against the dodging of responsibilities.

Plus, regulators—just like that math teacher—want to see the work. It’s not enough to simply have the right answer. You must be able to document the process you went through to get there.

Why Your Board’s Risk Committee Structure Matters

Community bank boards have a lot of regulatory leeway when it comes to how they oversee the critical risks facing their organizations, including cybersecurity. Because of this latitude, many boards are working to find the best way to properly address these risks, congruent with the size and complexity of their institution.

“We’re evolving, and I think banks our size are evolving, because we are in that grey area around formal risk management,” says Robert Bradley, the chief risk officer at $1.4 billion asset Bank of Tennessee, based in Kingsport, Tennessee. “There’s no one way to approach risk management and governance.”

As a result, some banks govern risk within a separate risk committee, while others opt for the audit committee or address their institution’s risks as a full board.

And governance of cybersecurity is even more unresolved. Most oversee cybersecurity within the risk committee (27 percent) or technology committee (25 percent), according to Bank Director’s 2019 Risk Survey. A few—just 8 percent—have established a board-level cybersecurity committee.

“Those that have formed a cyber committee, whether they’re small or big, I think it’s an indication of how significant they believe it is to the institution,” says Craig Sanders, a partner at survey sponsor Moss Adams.

Does a bank’s governance structure make a difference in how boards approach oversight? It might. Our analysis finds a correlation between committee structure and executive responsibilities, communications with key executives and board discussions on risk.

The majority of respondents say their bank employs a chief information security officer, though many say that executive also focuses on other areas of the bank. Whether a bank employs a dedicated CISO tends to be a function of the size and complexity of the bank’s cyber program, says Sanders.

Banks that govern cybersecurity within a risk committee or a cybersecurity committee are more likely to employ a CISO.

[Chart: banks employing a CISO, by the committee that governs cybersecurity]

The reporting structure for the CISO varies, with a majority of CISOs reporting to the CEO (32 percent) and/or the chief risk officer (31 percent). However, the reporting structure differs by committee.

Banks with a cybersecurity committee seem to prefer that their CISO reports to the CEO (36 percent). However, 27 percent say the CISO reports to the CRO, and a combined 27 percent say the CISO reports to the chief information officer or chief technology officer. Similarly, if cybersecurity is overseen in the technology committee, the CISO often reports to the CEO (33 percent) and/or the CIO or CTO (a combined 29 percent).

However, the CISO is more likely to report to the CRO (49 percent) if cybersecurity is governed within the risk committee.

Interestingly, the audit committee is most likely to insert itself into the CISO’s reporting structure when it governs cybersecurity. Of these, 32 percent say the CISO reports to the audit committee, 37 percent to the CEO and 32 percent to the CRO.

Sanders believes more CISOs should report to the relevant committee or the full board. “I view that position almost like internal audit. They shouldn’t be reporting up through management,” he says.

Establishing a dedicated committee is a visible sign that a board is taking a matter seriously. Committees can also provide an opportunity for directors to focus and educate themselves on an issue. So, it’s perhaps no surprise that the few bank boards that have established cybersecurity committees are dedicating more board time to the subject, as evidenced in this chart.

[Chart: board time devoted to cybersecurity, by governance structure]

Risk and audit committees are tasked with a laundry list of issues facing their institutions, and it’s hard to fit cybersecurity into their crowded agendas. Still, it does make one question whether cybersecurity is addressed frequently enough by these boards.

Governance structure also seems to impact how frequently cybersecurity is discussed by the full board. With a cybersecurity committee, 46 percent say cybersecurity is part of the agenda at every board meeting, and 27 percent discuss the issue quarterly. Boards that address cybersecurity in the risk or audit committee are more likely to schedule a quarterly discussion as a board.


When boards take responsibility for cybersecurity at the board level—rather than assigning it to a committee—almost half say cybersecurity is on the agenda twice a year or annually. With this structure, 31 percent discuss it at every board meeting.

How frequently should boards be talking about cybersecurity?

“More is better, right?” says Sanders. “The requirement, from a regulatory standpoint, is that you only report to the board annually. So, anybody that’s doing it more than annually is exceeding the regulator’s expectation,” which is a good approach, he adds.

Few banks have cybersecurity committees, and it’s worth noting that boards with a cybersecurity committee are more likely to have a cybersecurity expert as a member. That expertise likely makes them feel better equipped to establish a committee.

Community bank boards have long grappled with how to govern risk in general. For several years following the enactment of the Dodd-Frank Act in 2010, risk committees were only required at banks above $10 billion in assets. Now, following passage of the Economic Growth, Regulatory Relief and Consumer Protection Act in 2018, that threshold is even higher, at $50 billion in assets.

But if it ain’t broke, don’t fix it: The 2019 Risk Survey confirms that boards aren’t suddenly dissolving their risk committees. Forty-one percent of banks—primarily, but not exclusively, above $1 billion in assets—have a separate board-level risk committee.

The survey indicates there’s good reason for this.

Ninety-six percent of respondents whose bank governs risk within a board-level risk committee say the CRO or equivalent meets quarterly or more with the full board. Audit committees are almost on par, at 89 percent. Interestingly, that drops to 79 percent at banks that oversee risk as a full board.

Bank of Tennessee’s audit and risk committee meets quarterly, and Bradley says that getting a handle on the bank’s overall risk governance is a priority for 2019. That includes getting more comprehensive information to the board.

“The board has all the right governance and oversight committees for ALCO, for credit, for all of those kinds of things, but we haven’t had a one-stop-shop rollup for [the overall risk] position of the bank, and that’s one of the things I’m focused on for 2019,” Bradley says. “Going forward, what I would like to do is [meet] with the risk committee at least quarterly, and with the full board, probably twice a year.”

Bank Director’s 2019 Risk Survey, sponsored by Moss Adams, reveals the views of 180 bank leaders, representing banks ranging from $250 million to $50 billion in assets, about today’s risk landscape, including risk governance, the impact of regulatory relief on risk practices, the potential effect of rising interest rates and the use of technology to enhance compliance. The survey was conducted in January 2019.

For additional information on the responsibilities of a bank’s risk committee, please see Bank Director’s Board Structure Guideline titled “Risk Committee Structure.”

2019 Risk Survey: Cybersecurity Oversight


Bank leaders are more worried than ever about cybersecurity: Eighty-three percent of the chief risk officers, chief executives, independent directors and other senior executives of U.S. banks responding to Bank Director’s 2019 Risk Survey say their concerns about cybersecurity have increased over the past year. Executives and directors have listed cybersecurity as their top risk concern in five prior versions of this survey, so finding that they’re more—rather than less—worried could be indicative of the industry’s struggle to get a handle on the issue.

The survey, sponsored by Moss Adams, was conducted in January 2019. It reveals the views of 180 bank leaders, representing banks ranging from $250 million to $50 billion in assets, about today’s risk landscape, including risk governance, the impact of regulatory relief on risk practices, the potential effect of rising interest rates and the use of technology to enhance compliance.

The survey also examines how banks oversee cybersecurity risk.

More banks are hiring chief information security officers: The percentage indicating their bank employs a CISO ticked up by seven points from last year’s survey and by 17 points from 2017. This year, Bank Director delved deeper to uncover whether the CISO holds additional responsibilities at the bank (49 percent) or focuses exclusively on cybersecurity (30 percent)—a practice more common at banks above $10 billion in assets.

How bank boards adapt their governance structures to effectively oversee cybersecurity remains a mixed bag. Cybersecurity may be addressed within the risk committee (27 percent), the technology committee (25 percent) or the audit committee (19 percent). Eight percent of respondents report their board has a board-level cybersecurity committee. Twenty percent address cybersecurity as a full board rather than delegating it to a committee.

A little more than one-third indicate one director is a cybersecurity expert, suggesting a skill gap some boards may seek to address.

Additional Findings

  • Three-quarters of respondents reveal enhanced concerns around interest rate risk.
  • Fifty-eight percent expect to lose deposits if the Federal Reserve raises interest rates by more than one hundred basis points (1 percentage point) over the next 18 months. Thirty-one percent lost deposit share in 2018 as a result of rate competition.
  • The regulatory relief package, passed in 2018, freed banks between $10 billion and $50 billion in assets from stress test requirements. Yet, 60 percent of respondents in this asset class reveal they are keeping the Dodd-Frank Act (DFAST) stress test practices in place.
  • For smaller banks, more than three-quarters of those surveyed say they conduct an annual stress test.
  • When asked how their bank’s capital position would be affected in a severe economic downturn, more than half foresee a moderate impact on capital, with the bank’s capital ratio dropping to a range of 7 to 9.9 percent. Thirty-four percent believe their capital position would remain strong.
  • Following a statement issued by federal regulators late last year, 71 percent indicate they have implemented or plan to implement more innovative technology in 2019 to better comply with Bank Secrecy Act/anti-money laundering (BSA/AML) rules. Another 10 percent will work toward implementation in 2020.
  • Despite buzz around artificial intelligence, 63 percent indicate their bank hasn’t explored using AI technology to better comply with the myriad rules and regulations banks face.


The Good and the Bad Facing Audit and Risk Committees Today


In today’s news cycle, it seems barely a week goes by before another headline flits across a social news feed about a data breach at some major U.S. or foreign company. Hackers and scams seem to abound across the marketplace, regardless of industry or any other defining factor.

Cybersecurity itself has become an increasingly important issue for bank boards—84 percent of directors and executives responding to Bank Director’s 2018 Risk Survey earlier this year cited cybersecurity as one of the top categories of risk they worry about most. Facing the industry’s cyber threats has become a principal focus for many audit and risk committees as well, along with their oversight of other external and internal threats.

Technology’s influence in banking has forced institutions to come to terms not just with the inevitability of integrating technology somewhere within the bank’s operations, but with the risk that comes with that enhancement. Add to that the percolating influence of blockchain and cryptocurrency and the impending implementation of the new current expected credit loss (CECL) standard issued by the Financial Accounting Standards Board, and bank boards—especially the audit and risk committees within those boards—have been thrust into uncharted waters in many ways, with few points of reference to guide them other than what might be general provisions in their charters.

And lest we forget, audit and risk committees still face conventional yet equally important duties related to identifying and hiring the independent auditor, oversight of the internal and external audit function, and managing interest rate risk and credit risk for the bank—all still top priorities for individual banks and their regulators.

The industry is also in a welcome period of transition as the economy has regained its health, which has influenced interest rates and driven competition to new heights, and the current administration is bent on rolling back regulations imposed in the wake of the 2008 crisis that have affected institutions of all sizes.

These topics and more will be addressed at Bank Director’s 2018 Audit & Risk Committees Conference, held June 12-13 at Swissôtel in Chicago, covering everything from politics and the economy to stress testing, CECL and fintech partnerships.

Among the headlining moments of the conference will be a moderated discussion with Thomas Curry, a former director of the Federal Deposit Insurance Corp. who later became the 30th Comptroller of the Currency, serving a 5-year term under President Barack Obama and, briefly, President Donald Trump.

Curry was at the helm of the OCC during a key time in the post-crisis recovery. Among the topics to come up in the discussion with Bank Director Editor in Chief Jack Milligan are Curry’s views on the risks facing the banking system and his advice for CEOs, boards and committees, and his thoughts about more contemporary influences, including the recently passed regulatory reform package and the shifting regulatory landscape.

2016 Risk Practices Survey: Banks Beef Up on Cybersecurity

 

For 77 percent of the bank executives and board members responding to Bank Director’s 2016 Risk Practices Survey, sponsored by FIS, cybersecurity remains their top concern, for the second year in a row. More than half indicate that preparing for cyberattacks is one of their organization’s biggest risk management challenges. While these concerns aren’t new, respondents this year indicate a shift in how their boards and executives are addressing the threat. Unfortunately, the fact remains that many banks still aren’t doing enough to protect themselves—and their customers.

Just 18 percent indicate their bank has experienced a data breach, but it’s important to note that these breaches were almost as likely to occur at a smaller, $500 million asset institution as at a larger institution above $10 billion. Cybersecurity can no longer be dismissed as merely a “big bank” concern.

In addition to identifying cybersecurity practices within the industry, the online survey asked 161 independent directors and chairmen, chief risk officers, chief executive officers and other senior executives of U.S. banks above $500 million in assets to weigh in on their bank’s risk governance, culture and infrastructure. The survey was conducted in January.

Compared to last year’s survey results, more respondents indicate their board reviews cybersecurity at every board meeting, at 34 percent compared to 18 percent last year. While this shift represents a significant increase in board-level attention to cyberthreats compared to last year, these institutions remain the exception rather than the rule.

Many banks have yet to fully utilize the Cybersecurity Assessment Tool, developed by the Federal Financial Institutions Examination Council and made available to banks in 2015 “to help institutions identify their risks and determine their cybersecurity maturity.” Sixty-two percent of survey respondents indicate their bank has used the tool and completed an assessment. However, just 39 percent have validated the results, and only 18 percent have established board-approved triggers for updating the assessment and reporting on it. All three prudential regulators—the Federal Reserve, the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corp.—now use the tool in exams, regardless of the bank’s size. Several states have mandated its use as well.

Other key findings:

  • Seventy-eight percent indicate that their bank employs a full-time chief information security officer, up from 64 percent in last year’s survey.
  • Almost half report that the bank has a chief risk officer exclusively focused on risk, while 37 percent have a risk officer that is also focused on other areas of the bank.
  • Fifty-four percent of respondents who indicate that the bank has a CRO also say the board never meets with that individual.
  • Responses indicate a low level of board engagement with the chief risk officer: Just 21 percent indicate the CRO’s performance is reviewed by, and compensation determined by, the board or a board committee.
  • Forty-eight percent of respondents govern risk within a separate, board-level risk committee, and 65 percent have at least one director who is considered to be a risk expert.
  • Forty-five percent indicate that risk performance is not incorporated into their bank’s compensation programs.
  • Just 55 percent indicate their bank has a risk appetite statement, which defines the acceptable amount of risk for an organization.


Cybersecurity: Five Best Practices To Protect Your Bank

Heightened Standards for Directors: What You Need to Know


On September 2, 2014, the OCC issued guidelines establishing heightened standards for certain institutions with $50 billion or more in total assets and for “highly complex” institutions, noting that it does not intend to apply the guidelines to community banks. However, the guidelines distill the OCC’s characterization of directors’ responsibilities, which apply regardless of asset size. In this regard, the guidelines should be required reading for directors of every bank.

With regard to the role of directors, the OCC did not adopt a higher standard of director liability than the law generally provides (depending upon state of incorporation or chartering). This approach is very different from that espoused by the Federal Reserve Board’s Governor Tarullo in his controversial speech last year. Governor Daniel Tarullo exhorted legislatures to change the standards governing director conduct to impose a duty to meet regulatory and supervisory objectives (not just a duty to their institution and shareholders). The OCC notably bypassed the opportunity to try to extend director obligations beyond statute. Thus, the guidelines need to be read in conjunction with the existing legal framework.

The OCC reformulated what are in many cases age-old principles of director conduct. The guidelines are beneficial to directors in a variety of ways. Notably, the OCC sought to reclarify the divide between director and managerial responsibilities. To understand the significance of such line drawing, directors need to be aware of the regulatory tendency, since the downturn, to conflate the roles of directors and management. Specifically, administrative actions, matters requiring attention and supervisory correspondence have discussed the directors’ obligations to become further involved in their institutions’ activities in a quasi-managerial tone.

The OCC’s guidelines, however, note that they do not impose managerial responsibilities on boards or suggest the boards must guarantee any particular result. Instead, the OCC notes that the board’s duty is the traditional one of strategy and oversight.

However, there are increasing expectations for directors, particularly in terms of oversight of risk management. First, the OCC expects institutions to establish strategic plans that set forth a risk appetite. The board then must hold management accountable for adhering to the framework established. The guidelines clarify that the board provides active oversight by relying on risk assessments prepared by the departments of risk management and internal audit. Thus, although the board’s active oversight is in reliance on risk assessments, the board still must evaluate whether the risk appetite is being exceeded.

This expectation for oversight of risk tolerance has been seeping down the landscape and has become common practice for banking organizations of over $1 billion. I have seen institutions of $600 million and $700 million in total assets adding chief risk officers and risk committees. Risk assessments have proliferated like kudzu. Whether or not the guidelines are formally expectations only for systemically important financial institutions (SIFIs), these principles are becoming mainstream ideas for community banks as well. For SIFIs, the scope and pervasiveness of the risk management and mitigation framework are yet to be fleshed out.

The OCC expects boards to provide a credible challenge to management. Specifically, boards, in reliance on information from independent risk management and internal audit, should question, challenge and, when necessary, oppose decisions to expand the bank’s risk profile beyond its risk appetite.

The guidelines note that boards are not prohibited from engaging third-party experts to assist them. Thus, the OCC keeps open the well-worn ability of directors to rely on others for guidance (although the fiduciary decision-making remains exclusively the province of the board).

Otherwise, the OCC trots out existing basic minimum standards for corporate governance. Specifically, the guidelines provide that boards should conduct annual self-assessments. The guidelines also note that the OCC will review director training to see if it touches on all appropriate areas. Moreover, the guidelines note that directors must dedicate time and energy to reviewing and understanding the key issues affecting their bank. Those expectations are hardly new.

In short, the guidelines represent a mixed bag for bank directors. The OCC’s adherence to the separation between board and managerial responsibilities, and its affirmation of directors’ ability to rely on third-party experts, is reassuring. The OCC’s discussion of risk management and of engaged directors challenging managerial direction is not threatening in itself. Director concerns lie in the notion that examiners will expect an increasingly elaborate edifice of risk tolerance and assessment. For community banks, the question is how much of this edifice they will need. Thus, it is not the principles that are controversial, but the way in which such principles will be measured that causes concern for director liability.