Cybersecurity and compliance are the top two areas of concern for the bank executives and directors responding to Bank Director’s 2017 Risk Practices Survey, sponsored by FIS. What are the best practices that boards should implement to mitigate these risks? In this video, Sai Huda of FIS highlights the survey results and details how boards can stay proactive.
In a January interview with Bloomberg, Brian Moynihan revealed that Bank of America Corp. has an unlimited budget for cybersecurity. “I go to bed every night feeling comfortable that group has all the money, because they never have to ask,” said the Bank of America chairman and chief executive officer. “You’ve got to be willing to do what it takes at this point.”
The vast majority of banks can’t grant carte blanche to their organization’s information security team. Bank Director’s 2015 Risk Practices Survey found that most banks, at 60 percent, dedicated less than 1 percent of revenues to cybersecurity in 2014. Thirty-eight percent allocated from 1 percent to 5 percent of revenues to cybersecurity. Two percent dedicated more than 5 percent of revenues to cybersecurity.
Regulators don’t mandate a minimum cybersecurity spend; how much is the right amount is up to the bank. However, banks that are prepared to battle cybercrime typically aren’t hit as hard when the inevitable data breach or hack occurs. So bank boards face some difficult decisions when it comes to protecting their bank from cybercrime. How much should the bank invest? And on what?
Tony Buffomante, principal in information protection and cybersecurity at KPMG, says bank boards want to know what the risks are, and whether their current programs are ready to mitigate cyberthreats. Identifying the areas of the business that the bank wants to protect from a potential cyberattack—where customer account data is housed, and what processes are involved—is key to determining how much to invest in cybersecurity, and where. “If they don’t really understand what the risks are, it’s difficult to figure out, ‘Am I investing enough?’” he says.
[Chart: 2014 Cybersecurity Budget, By Bank Size. Bank size groups shown: $1Bn to $5Bn and $5Bn to $10Bn. Budget bands: less than 1% of revenues; from 1% to 5% of revenues; more than 5% of revenues. Source: 2015 Risk Practices Survey]
[Chart: Cybersecurity Budget Increase for 2015, By Bank Size. Bank size groups shown: $1Bn to $5Bn and $5Bn to $10Bn. Increase band shown: less than 10%. Source: 2015 Risk Practices Survey]
As a rule of thumb, Michael Bruemmer, vice president of the data breach resolution group at Experian, recommends that companies commit 5 percent of their revenues to cybersecurity. Two of the more technical areas that the bank’s cybersecurity budget should prioritize are intrusion detection, to detect hacks and breaches, and encryption of data to make it more secure. Bruemmer calls encryption a cybersecurity “Get Out of Jail Free Card.” Depending on state laws, companies that can prove that their data was encrypted may not have to report the breach to customers. Security breach notification laws in states such as Arizona, California and Illinois specifically reference unencrypted data.
According to a 2014 study by the Ponemon Institute, the typical data breach for the financial services industry cost $236 per record lost, but companies that followed certain practices had lower than average costs. For example, the appointment of a chief information security officer (CISO) reduces the cost of a breach by $10 per record. Sixty-four percent of respondents to Bank Director’s Risk Practices Survey say they employ a full-time CISO, a practice less common for banks with less than $1 billion in assets (44 percent).
Preventing, detecting and responding to cyberthreats is at the core of information security. Banks need expertise in understanding what the risks are, someone who can implement controls to protect customer information, as well as watch for a breach and then react to it, says Buffomante. The role may be held by multiple people within the organization, or, instead of hiring a CISO, the role can be outsourced for banks that lack that expertise on staff.
An outsourced CISO can be just as effective, says Bruemmer. “It’s not as important who you have on staff…but that you cover all the bases, whether it is outsourced or internally.”
The median salary for an information security officer is $75,662, according to Crowe Horwath LLP’s 2014 Financial Institutions Compensation Survey.
Bank boards should recognize that the CISO isn’t the sole guardian of the bank’s digital assets. “Executives, meaning boards and senior executives of companies, need to participate and be involved in improving their incident response,” says Bruemmer.
Beyond technology investments, Bruemmer believes the biggest area of focus for banks should be their employees. Training can make or break an organization’s cybersecurity efforts and investment, and Bruemmer says the root cause of most breaches is simple human error. Commonly, an employee makes a mistake and clicks a link in a phishing email, or doesn’t respond appropriately to an alert. “All of the budget expenditure in the world would not have stopped” these types of errors, he says. Employees should know not only how to prevent a breach, but how to respond to one as well. Banks need to have a plan.
According to Ponemon, an incident response plan for cybersecurity can result in a reduction of $17 per record. These plans should be tested regularly, so the bank is prepared when a real cyberattack occurs. Seventy-six percent of respondents to the 2015 Risk Practices Survey report that their bank has a cyber incident management and response plan in place. Of these, three-quarters regularly test it.
[Chart: Does your bank have a written cyber incident management and response plan?]
Another investment boards should consider is cyber insurance, which can reduce the impact of a data breach by protecting the institution from customer lawsuits and covering costs like credit monitoring, customer notification and crisis management.
The Federal Financial Institutions Examination Council encourages banks to join the Financial Services Information Sharing and Analysis Center (FS-ISAC), a non-profit source for intelligence on cyberthreats, which gives banks access to information on the latest threats. The agency also plans to release a cybersecurity self-assessment tool, which will help institutions evaluate their ability to mitigate these risks.
Bruemmer argues that the success or failure of a bank’s cybersecurity preparedness doesn’t come down to how much money is thrown at the problem. Instead, it’s more about the bank’s dedication to protecting itself, and focusing resources on the issue. The board should play a strong role, though fewer than 20 percent regularly address cybersecurity within meetings, according to the 2015 Risk Practices Survey. Just 8 percent of respondents from banks with less than $1 billion in assets say their board addresses the issue at each board meeting. Although the board’s job isn’t to manage the bank’s security, it should provide effective oversight in terms of knowing about the bank’s security plans, staffing and resources, and making sure those are adequate.
Cybersecurity “needs to be part of the board-level strategy discussion,” says Bruemmer. It “is so impactful to the organization’s ongoing reputation and viability, [and] it needs to be connected to the board level.”
The focus on the board’s role in managing risk has certainly been in the spotlight in the years following the financial crisis, with the regulatory bar raised regarding risk governance. While publicly traded institutions with more than $10 billion in assets are specifically required to establish separate risk committees of the board, many smaller banks are doing so as well. In March, Bank Director’s 2014 Risk Practices Survey found that more than half of institutions with between $1 billion and $5 billion in assets and 76 percent of those with between $5 billion and $10 billion in assets now govern risk within a separate committee. Data for institutions with less than $1 billion in assets was not collected.
When does a bank need a separate board-level risk committee? Despite the rising popularity of risk committees, many community banks have not taken this approach, but instead govern risk in the audit committee or as an entire board.
Regardless of size, banks with a more complex risk profile have a greater need to govern risk within a separate board-level committee. Not only does a more complex organization intrinsically have a more complex risk profile, its audit committee will be more heavily tasked, leaving less time to devote to risk management matters. In that situation, “the best case scenario is to have two separate committees,” says Jennifer Burke, partner at accounting and consulting firm Crowe Horwath LLP.
Jim McAlpin, partner at Bryan Cave LLP, believes it best to separate risk and audit responsibilities if the bank has qualified directors for both committees. “Not all boards have qualified directors for this,” he says. “Unless you have adequate capability on the board, it’s not helpful to have both committees.”
The ability of the board to place appropriate members on a risk committee is important, and having those skills mirror that of the bank’s audit committee may not be the best approach. The risk analysis process focuses on more than just financial risk and requires directors who can anticipate a variety of problems that could be faced by the institution. “It’s good to have directors with a compliance or risk background that are used to thinking outside of the box. The most beneficial aspect of the risk committee is anticipation,” he says. “The board can charge management to focus on areas where risks appear to be developing.”
He sees more banks bringing in new directors with these skills, and there is no shortage of qualified candidates. That said, larger institutions can better attract directors from outside the community and recruit for these skills, so risk and compliance expertise may not be found on the boards of smaller, less complex banks. “So far, the regulators understand this,” says McAlpin.
Generally, the more complex an organization is, the more likely the regulators will be to urge the establishment of a stand-alone risk committee. McAlpin recommends that a board look at how many different business lines the bank has, particularly in consumer-facing areas like mortgage lending. Over the past two years, scrutiny by the regulators on consumer compliance has grown significantly, he says, resulting in greater risk to the bank regarding these issues. Further risk analysis may also be required if the bank is involved in business lines that regulators deem to be unique or cutting edge.
The maturity of the bank’s risk management program could also dictate whether the bank is ready to establish a separate risk committee.
Crowe Horwath Partner Mike Percy says that a more mature and developed enterprise risk management (ERM) program will allow the board to better assess and monitor risk. Without the robust set of information provided through a mature ERM program, a risk committee won’t have much to contribute. “If you lead with [the risk committee] before the processes are mature, I think it just frustrates” board members, he says.
But McAlpin can see how a risk committee could precede development of an ERM program or the hiring of a chief risk officer. “The risk committee could be the body to take the steps of driving the hire of risk personnel or implementation of ERM,” he says.
A bigger bank is, typically, a more complex one, so banks with plans to grow, whether through organic means or by acquisition, may consider beefing up their approach to risk governance. Percy says that some regulators, notably the Office of the Comptroller of the Currency, consider risk committees to be a best practice for institutions approaching $10 billion in assets.
Burke says that a bank’s growth strategy should be considered when a board makes a decision to have a risk committee, and for those with a more aggressive growth plan a risk committee is a best practice. “You’re making changes, you’re growing [and] your strategy is different from what it’s been in the past,” says Burke.
Growth typically results in additional personnel, business lines and assets, particularly as the result of a merger, which could lessen the certainty that the board knows everything it needs to know, says McAlpin.
“An acquisition strategy is just an additional complexity,” adds Percy. Banks with an eye to grow, particularly those above $1 billion in assets, need the infrastructure in place to support a larger organization, which could include a chief risk officer, an ERM program and a board-level risk committee.
“This side of the banking crisis, the attention to risk is greater than it was,” says Percy. Whether governed within a separate risk committee, combined with audit responsibilities or addressed as a full board, the board, along with senior management, is responsible for setting the tone for risk governance.
The Financial Stability Board, an international regulatory agency based in Basel, Switzerland, released guidance in April (“Guidance on Supervisory Interaction with Financial Institutions on Risk Culture”) that details the elements of a sound risk culture within a financial institution. Though primarily intended for an audience of large, systemically important institutions, this report provides some basic tenets that can be applied to institutions of all sizes. A key element of a sound risk culture that is perhaps the most applicable to bank directors is the establishment of an “effective system of controls commensurate with the scale and complexity of the financial institution.”
In addition to a mature ERM program, this system of controls would include proper oversight by the board. McAlpin recommends that boards work with senior management to determine what areas of risk require the board’s focus. Independent analysis should play a role in these decisions. “If the board relies only on senior management, that’s a big mistake,” he says.
The banking industry continues to make improvements in the area of risk management, according to Bank Director’s 2014 Risk Practices Survey sponsored by FIS. In this video, Sai Huda of FIS shares five best practices that boards have begun to implement as they strive to build high performing banks.
The banking industry has made great strides over the last few years in the management of risk, and a number of important best practices have begun to emerge, according to Bank Director’s 2014 Risk Practices Survey, sponsored by FIS. While the Dodd-Frank Act requires publicly traded banks with more than $10 billion in assets to establish separate risk committees of the board, and banks over $50 billion to additionally hire chief risk officers, smaller banks are proactively following suit. By taking a more comprehensive approach to risk management, these institutions are reaping the benefits with improved financial performance.
The 2014 Risk Practices Survey reveals how these banks govern risk, and that a best-practice approach can positively impact financial performance. Creating and properly using a comprehensive risk appetite statement challenges many boards. Many see room for improvement in the quality and comprehensiveness of the bank’s enterprise risk management program. Tying risk management to the strategic plan and measuring its impact on the organization is difficult for many institutions, although those that have tried to measure the risk management program’s impact report a positive effect on financial performance.
Conducted in January, the survey is based on 107 online responses from independent directors and senior bank executives, primarily chief risk officers, of banks with more than $1 billion in assets.
Ninety-seven percent of respondents report that the bank has a chief risk officer or equivalent on staff, and 63 percent oversee risk within a separate risk committee of the board. Moreover, respondents whose banks have a separate board-level risk committee report a higher median return on assets (ROA), at 1.00, and higher median return on equity (ROE), at 9.50, compared to banks that govern risk within a combined audit/risk committee or within the audit committee.
Of those that oversee risk within a separate risk committee, 64 percent of respondents review the bank’s strategic plan and risk mitigation strategies, while the remaining 36 percent do not yet do so.
Tools like the risk appetite statement, the enterprise risk assessment and risk dashboard aren’t fully used. Only one-third of respondents feel that the bank’s risk appetite statement covers all the risks faced by the institution, and less than half use it to provide limits to board and management. Just 13 percent analyze the risk appetite statement’s impact on financial performance.
Just 17 percent of respondents review the bank’s risk profile and related metrics at the board and executive level monthly. Almost half review these metrics quarterly, while 23 percent review twice a year or annually.
Fifty-seven percent of directors feel that the board could benefit from more training in understanding how new regulations impact and pose risk to the bank, and 53 percent want a deeper understanding of emerging risks, such as risks associated with cybersecurity or Unfair, Deceptive or Abusive Acts or Practices (UDAAP). Conversely, senior executives feel that the board needs more training in overseeing the bank’s risk appetite, and in understanding risk oversight best practices and how other banks govern risk.
The regulatory environment continues to challenge bank boards. Fifty-five percent cite the volume and pace of regulatory change as the environmental factor most likely to cause risk evaluation failures at the bank.
More than half of bank officers, and 40 percent of respondents overall, say that maintaining the technology and data infrastructure to support risk decision-making is a top risk management challenge.