Banks continue to meet unprecedented challenges of the Covid-19 pandemic, geopolitical cyberthreats and increasing public awareness of environment, social and governance (ESG) issues.
With the current landscape posing ever-evolving risks for banks, Moss Adams collaborated with Bank Director to conduct the 2022 Risk Survey and explore what areas are front of mind for bank industry leaders. Top insights from Bank Director’s 2022 Risk Survey include that the vast majority of survey respondents reported that cybersecurity and interest rate risks pose increasing concerns, and they expect these challenges to persist in the second half of the year, due to turbulent economic and geopolitical conditions. The survey also identified that banks increasingly focus on issues related to compliance and regulatory risks.
Cybersecurity Oversight Concerns about cybersecurity topped the survey responses: 93% of respondents stated that a need for increased cybersecurity grew significantly or somewhat. Bank executives and board members submitted survey responses in January, prior to heightened federal government warnings of increased Russian cyberattacks. Banks’ concerns will likely continue to increase as a result.
Data Breach Rates and Precautions While only 5% of respondents reported experiencing a data breach or ransomware attack at their own institution in the years 2020 and 2021, 65% reported data breaches at their bank’s vendors. In response, 60% stated they updated their institution’s third-party vendor management policies, processes, or risk oversight.
As a critical U.S. industry, banks follow stringent regulatory requirements for data security. The Federal Financial Institutions Examination Council (FFIEC) cybersecurity assessment tool provides a maturity model for banks to assess their cybersecurity maturity as baseline, evolving, intermediate, advanced or innovative. Ninety percent of respondents completed a cybersecurity assessment over the past 12 months; 61% used the FFIEC’s tool in combination with other methodologies, and another 19% only used the FFIEC’s tool. And 83% of respondents said that the maturity of their bank’s cybersecurity program increased in 2021, compared to previous assessments.
Room for Improvement Banks noted several areas of improvement for their cybersecurity programs, including training for bank staff (83%), technology to better detect and deter cyberthreats and intrusions (64%) and internal controls (43%). Thirty-nine percent believe they need to better attract and retain quality cybersecurity personnel. Banks’ investments in cybersecurity programs remained flat compared to the 2021 survey, with a median budget of $200,000.
As cybersecurity risks increase, banks should focus on researching and making appropriate investments, as well as implementing comprehensive planning for staff training, technology and governance. At the board level, respondents noted several activities as part of that body’s oversight of the cybersecurity risk management program. Key among these is board-level training (79%), ensuring continual improvements by management of their cybersecurity programs (75%) and being aware of any deficiencies in the bank’s cybersecurity program (71%).
Interest Rate Risk Concerns The prospect of rising interest rates fueled anxiety for our respondents: 71% noted increased concern. As the Federal Open Market Committee combats higher inflation by hiking interest rates, 74% reported hoping that they wouldn’t raise rates by more than one percentage point by the end of 2022 — which is currently below what’s projected.
Faced with likely rate hikes, banks are looking to their own business models to navigate a potential decrease in overall lending volume and potential pressure on profit margins. Respondents also noted that they were increased their focus in sectors such as commercial and industrial, commercial real estate and construction, or with the Small Business Administration or obtaining other small business loans.
ESG Initiatives Banks are under increasing pressure to adopt ESG initiatives. More than half of respondents don’t yet focus on ESG issues in a comprehensive manner, and regulators have yet to impose ESG requirements for banks. However, more than half of survey respondents say they have set goals and objectives in a variety of ESG-related areas, primarily in the social and governance verticals — employee development and community needs in particular topped the list.
Only 6% said that investors or other company stakeholders currently look for more disclosure around ESG initiatives, with diversity, equity and inclusion topping the list at 88%. Banks that haven’t established ESG strategies could first identify their top priority areas. These priorities may vary for each organization and will need to consider the values of investors, customers and local community.
Cybersecurity continues to be the top risk identified in Bank Director’s 2022 Risk Survey, sponsored by Moss Adams. But other risk areas have also grown increasingly prominent for the bank executives and board members responding to the survey, particularly interest rate risk. In this video, Moss Adams Partner Craig Sanders shares areas where banks can strengthen their weaknesses on cybersecurity. He also addresses the impact of fintechs on bank strategies and the rising prominence of environmental, social and governance (ESG) matters.
Topics addressed include:
Proactive Vendor Risk Management
Strategic Risks to Consider
Rising Interest Rates
Focusing on ESG
The 2022 Risk Survey explores several important risk areas, including credit risk, cybersecurity and emerging issues such as ESG. The survey results are also explored in the 2nd quarter 2022 issue of Bank Director magazine.
Bank Director’s 2022 Risk Survey, sponsored by Moss Adams, finds most bank executives and board members (65%) report that at least one vendor experienced a data breach or ransomware attack in 2020-21. While most weren’t directly affected by these incidents, 60% of respondents whose vendor experienced an attack took the opportunity to update third-party management policies, processes and/or risk oversight in response.
Cyberattacks on U.S. financial institutions are rarely impactful, according to the Financial Services Information Sharing and Analysis Center’s (FS-ISAC) “Navigating Cyber 2022” report. However, the cyber-focused industry consortium added that “several high-profile third-party incidents have impacted the security and availability of products and services used by many financial firms.” Banks have responded by devoting resources to assessing exposure, patching and mitigating, as well as increasing compliance mandates for third-party operational resilience.
Regulators are taking note of the threat. An interagency rule approved by the Federal Reserve, Office of the Comptroller of the Currency and Federal Deposit Insurance Corp. in November 2021 mandates that banks must notify their primary regulator of a cyber incident within 36 hours; this rule went into effect on April 1, 2022. Service providers must notify affected bank clients “as soon as possible” when they determine that a cyber incident has or will cause a “material service disruption or degradation” for four hours or more. From there, banks must assess whether the incident will have a material impact on the organization and its customers, and whether that will trigger a notification by the bank to its regulator.
In March 2022, the Securities and Exchange Commission proposed new rules around cybersecurity disclosure that would include how companies select and monitor third-party providers. And guidance is still pending from the primary financial regulators around risks related to third-party relationships. That guidance would include an assessment of the vendor’s information security program, including if the vendor has “sufficient experience in identifying, assessing, and mitigating known and emerging threats and vulnerabilities.”
Bank boards and leadership teams will need to be proactive — rather than reactive — as regulators get even more serious about this issue. “Know where you stand and what [vendors are] doing to address any of your concerns, and that starts with having a defined criteria of what you require,” says Cody Harrell, managing director at Strategic Resource Management (SRM), a Memphis, Tennessee-based consulting firm.
Broadly, bank executives and boards need to understand the risks inherent with all of the bank’s vendors, including existing ones, says Harrell. “Who are the most critical vendors to our business? Who are the ones that house sensitive data? Where’s our biggest risk? And not only from a liability standpoint, but from an operational standpoint.” If a vendor falls victim to a cyberattack, will the bank still be able to serve customers? “You need to have a vendor due diligence checklist for each vendor, regardless of whether there’s a problem or not,” he adds. “[Make] sure that everyone that’s within the ecosystem is in compliance with your requirements.”
All vendors also need to comply with regulatory guidelines. The November 2021 notification rule specifies that service providers must comply even if the contract states otherwise. But bank boards are ultimately responsible for ensuring compliance. “If the bank doesn’t have a program of regularly conducting annual vendor diligence and sending renewed questionnaires and identifying gaps, then you’re not conducting ongoing diligence,” says Steve Cosentino, a partner at the law firm Stinson LLP who regularly negotiates agreements between banks and their service providers.
Here are four considerations for bank boards seeking to enhance their third-party oversight.
Understand how vendors will respond to a cyber incident. This should be uncovered during due diligence.
When a breach occurs, “how much you did in the vendor diligence area [will impact] how quickly you’re able to respond to an incident,” says Cosentino. “If you have a quality vendor diligence program [with] extensive diligence and ongoing monitoring, those will all be helpful facts if you’re subject to a potential litigation claim or class action, which has been more and more common.”
In line with the regulatory rule around security notifications, banks need to know when they’ll be notified of an incident, and whether the vendor or the bank will communicate with affected customers. And even if individuals weren’t affected, that doesn’t absolve the vendor from notifying the bank, says Cosentino. “It’s evidence of a flaw in [the vendor’s] systems and security processes that next time could potentially affect the bank, and the bank needs to be apprised of what they’re doing to remedy that.” He adds that these obligations could differ in a security breach, where confidential data may have been accessed, versus a security incident, which may not involve the theft of personal information.
Banks should also know if the service provider will engage an outside cyber forensics firm to investigate a breach, and whether that company is on retainer and can respond quickly. “Taking a day or two out to review different forensic investigators and getting a contract in place and all that, that’s time that’s lost,” says Cosentino. Regulators will ask, “Why did it take so long between the time that the breach occurred and [when] the notices went out?”
The bank should also know what the vendor won’t do. “What are the things that my critical vendor, my third-party provider, is requiring me to take care of, that they’re not?” says Moss Adams Partner Craig Sanders. That could include password resets, network design or educating administrators.
Don’t overlook fourth parties. Vendors have their own vendors, from smaller fintechs that may provide ancillary services to big cloud platforms like Amazon Web Services or Microsoft Corp.’s Azure, and those can pose their own risks. Effective diligence on fourth parties can be difficult, says Cosentino, but banks can take a few steps. Questionnaires sent to third-party vendors should address their own due diligence with subcontractors, and banks should access SOC (System and Organization Controls) reports on those fourth parties. In addition, “Put in your agreement some language that says that the service provider may use subcontractors, [but] they always have to be responsible for [their vendors’] actions and omissions,” he says. “But they can only do so after completion of a third-party risk management vendor diligence review consistent with the FFIEC IT examination handbook and interagency guidance on third-party relationships.”
Don’t silo due diligence. The due diligence exercise shouldn’t be limited to the bank’s technology team.
“The IT group doesn’t always have an understanding of all of the software and systems that process personal information or nonpublic personal information. And that slips through the cracks a lot,” says Cosentino. He recommends a data mapping exercise that includes multiple areas so the bank knows where all of its information is housed. “Conduct that review with your IT group, obviously, but also with the marketing team, your sales team, your operations team, your legal team, because you will find when you do that, there are a number of engagements with third-party service providers where nonpublic personal information is involved, and they’re not picked up in the vendor diligence process,” says Cosentino. Involving multiple teams in the bank will ensure everyone’s on the same page before a breach occurs. “If you do have a data security incident, you have to know where all that information is stored, and how to address, analyze and review [where the] personal information is and what actions you need to take with respect to notifications and remediations and all that,” he says.
While multiple teams within the bank should be included along the way, centralizing vendor management — ensuring an individual has responsibility or using a vendor management platform, or both — can help banks stay on track. “A lot of the financial institutions that we see, various departments control a contract or a decision or a vendor evaluation, and they’re not necessarily speaking to the other departments and having a defined criteria that everyone should comply with,” says Harrell. Vendor diligence requires a lot of documentation, and that needs to be tracked. “Make this a systematic approach.”
Set the tone at the top. In a 2019 letter, the FDIC reminded financial institutions that “boards of directors and senior management are responsible for managing risks related to relationships with technology service providers. Effective contracts are an important risk management tool for overseeing technology service provider risks, including business continuity and incident response.”
Unfortunately, boards often lack the skill sets to understand cybersecurity, says Sanders. “They’ve got to have that knowledge and expertise at the governance level to really understand what should be going on.” He recommends that boards hear from the bank’s chief information security officer at least quarterly and should seek the best technology providers that meet the bank’s strategic needs — not selecting a solution because it’s the cheapest option. The bank may find it gets what it pays for.
“Be honest with yourself about where the risk is and what the involvement from the institution is that should take place at the governance level,” says Sanders. “From the top down, give the support to management and compliance to go out and do what they need to do.”
Bank Director’s 2022 Risk Survey, sponsored by Moss Adams, surveyed 222 independent directors, chief executive officers, chief risk officers and other senior executives of U.S. banks below $100 billion in assets to gauge their concerns and explore several key risk areas, including credit risk, cybersecurity and emerging issues such as ESG. Bank Services members have exclusive access to the complete results of the survey, which was conducted in January 2022.
For 77 percent of the bank executives and board members responding to Bank Director’s 2016 Risk Practices Survey, sponsored by FIS, cybersecurity remains their top concern, for the second year in a row. More than half indicate that preparing for cyberattacks is one of their organization’s biggest risk management challenges. While these concerns aren’t new, respondents this year indicate a shift in how their boards and executives are addressing the threat. Unfortunately, the fact remains that many banks still aren’t doing enough to protect themselves—and their customers.
Just 18 percent indicate their bank has experienced a data breach, but it’s important to note that these breaches were almost as likely to occur at a smaller, $500 million asset institution as at a larger institution above $10 billion. Cybersecurity can no longer be dismissed as merely a “big bank” concern.
In addition to identifying cybersecurity practices within the industry, the online survey asked 161 independent directors and chairmen, chief risk officers, chief executive officers and other senior executives of U.S. banks above $500 million in assets to weigh in on their bank’s risk governance, culture and infrastructure. The survey was conducted in January.
Compared to last year’s survey results, more respondents indicate their board reviews cybersecurity at every board meeting, at 34 percent compared to 18 percent last year. While this shift represents a significant increase in board-level attention to cyberthreats compared to last year, these institutions remain the exception rather than the rule.
Many banks have yet to fully utilize the Cybersecurity Assessment Tool, developed by the Federal Financial Institutions Examination Council and made available to banks in 2015 “to help institutions identify their risks and determine their cybersecurity maturity.” Sixty-two percent of survey respondents indicate their bank has used the tool and completed an assessment. However, just 39 percent have validated the results, and 18 percent established board-approved triggers for update and reporting. All three prudential regulators—the Federal Reserve, the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corp.— now use the tool in exams, regardless of the bank’s size. Several states have mandated its use as well.
Other key findings:
Seventy-eight percent indicate that their bank employs a full-time chief information security officer, up from 64 percent in last year’s survey.
Almost half report that the bank has a chief risk officer exclusively focused on risk, while 37 percent have a risk officer that is also focused on other areas of the bank.
Fifty-four percent of respondents who indicate that the bank has a CRO also say the board never meets with that individual.
Responses indicate a low level of board engagement with the chief risk officer: Just 21 percent indicate the CRO’s performance is reviewed, and compensation determined by, the board or a board committee.
Forty-eight percent of respondents govern risk within a separate, board-level risk committee, and 65 percent have at least one director who is considered to be a risk expert.
Forty-five percent indicate that risk performance is not incorporated into their bank’s compensation programs.
Just 55 percent indicate their bank has a risk appetite statement, which defines the acceptable amount of risk for an organization.
To view the full results to the survey, click here.
Cybersecurity: Five Best Practices To Protect Your Bank
Cybersecurity remains a top concern for the bank executives and board members surveyed in Bank Director’s 2016 Risk Practices Survey, sponsored by FIS. What can bank boards do to combat this threat? In this video, Sai Huda of FIS reveals best practices that boards can implement, based on the survey results.
The banking industry has made great strides over the last few years in the management of risk, and a number of important best practices have begun to emerge, according to Bank Director’s 2014 Risk Practices Survey, sponsored by FIS. While the Dodd-Frank Act requires publicly traded banks with more than $10 billion in assets to establish separate risk committees of the board, and banks over $50 billion to additionally hire chief risk officers, smaller banks are proactively following suit. By taking a more comprehensive approach to risk management, these institutions are reaping the benefits with improved financial performance.
The 2014 Risk Practices Survey reveals how these banks govern risk, and that a best-practice approach can positively impact financial performance. Creating and properly using a comprehensive risk appetite statement challenges many boards. Many see room for improvement in the quality and comprehensiveness of the bank’s enterprise risk management program. Tying risk management to the strategic plan and measuring its impact on the organization is difficult for many institutions, although those that have tried to measure the risk management program’s impact report a positive effect on financial performance.
Conducted in January, the survey is based on 107 online responses from independent directors and senior bank executives, primarily chief risk officers, of banks with more than $1 billion in assets.
Ninety-seven percent of respondents report that the bank has a chief risk officer or equivalent on staff, and 63 percent oversee risk within a separate risk committee of the board. Moreover, respondents whose banks have a separate board-level risk committee report a higher median return on assets (ROA), at 1.00, and higher median return on equity (ROE), at 9.50, compared to banks that govern risk within a combined audit/risk committee or within the audit committee.
Of those that oversee risk within a separate risk committee, 64 percent of respondents review the bank’s strategic plan and risk mitigation strategies, while the remaining 36 percent do not yet do so.
Tools like the risk appetite statement, the enterprise risk assessment and risk dashboard aren’t fully used. Only one-third of respondents feel that the bank’s risk appetite statement covers all the risks faced by the institution, and less than half use it to provide limits to board and management. Just 13 percent analyze the risk appetite statement’s impact on financial performance.
Just 17 percent of respondents review the bank’s risk profile and related metrics at the board and executive level monthly. Almost half review these metrics quarterly, while 23 percent review twice a year or annually.
Fifty-seven percent of directors feel that the board could benefit from more training in understanding how new regulations impact and pose risk to the bank, and 53 percent want a deeper understanding of emerging risks, such as risks associated with cyber security or Unfair, Deceptive or Abusive Acts or Practices (UDAAP). Conversely, senior executives feel that the board needs more training in overseeing the bank’s risk appetite, and understanding risk oversight best practices and how other banks govern risk.
The regulatory environment continues to challenge bank boards. Fifty-five percent cite the volume and pace of regulatory change as the environmental factor most likely to cause risk evaluation failures at the bank.
More than half of bank officers, and 40 percent of respondents overall, say that maintaining the technology and data infrastructure to support risk decision-making is a top risk management challenge.