BRENTWOOD, TENN., March 23, 2015 – Cybersecurity is the top risk facing bank boards and executives today, according to 82 percent of the bank chief executives, chief risk officers, and directors who responded to Bank Director’s 2015 Risk Practices Survey, sponsored by FIS™. Following 2014’s data breaches at JPMorgan Chase &Co. and major retailers such as Home Depot and Kmart, anxiety about the issue is even more heightened than measured in last year’s survey, when 51 percent of respondents cited cybersecurity when asked about the risk category that concerns them most.
Half of the respondents say that preparing for a cyberattack is one of the biggest risk management challenges facing their bank, but this hasn’t yet translated into more focus by bank boards, or bigger budgets. Less than 20 percent say the board reviews cybersecurity at every meeting. And banks may be underfunding their cybersecurity programs despite the concerns of bank executives and board members. The majority, at 60 percent, dedicated less than 1 percent of revenues to cybersecurity in fiscal year 2014.
The 2015 Risk Practices Survey examines how bank leaders govern risk and address the related challenges they face. The survey was completed in January by 149 CEOs, chief risk officers, senior executives and independent directors of U.S. banks with more than $500 million in assets.
Key findings include:
- Fifty-five percent see room for improvement in the bank’s cybersecurity preventative and detective controls.
- More than one-third of respondents say their bank does not employ a chief information security officer, and 51 percent of risk committees do not review their bank’s cybersecurity plan.
- Ninety-four percent of bank leaders reveal a moderate or heavy dependency on vendors for cybersecurity. Just 28 percent rate their institution’s cybersecurity vendor oversight as strong.
- Banks with risk expertise—a chief risk officer (CRO) and a risk expert on the board—perform better financially. Banks with a CRO and/or board risk expert report a median return on equity (ROE) of 9.2, and a median return on assets (ROA) of 1.0. In contrast, banks without a CRO have a median ROE of 7.3 and median ROA of 0.8; boards without a risk expert have a ROE of 9.0 and ROA of 0.9.
- Creating a culture that supports risk management throughout the organization is a key challenge, according to 43 percent, up 18 percentage points from last year’s survey. Just more than half train all employees on risk, and 21 percent communicate the risk appetite statement to all employees.
Full survey results are available online at BankDirector.com, and will be featured in the 2nd quarter 2015 issue of Bank Director magazine. A video highlighting key findings from the survey is also available at BankDirector.com and fisglobal.com/egrc.
ABOUT BANK DIRECTOR
Since 1991, Bank Director has served as a leading information resource for the directors and officers of financial institutions. Through its quarterly Bank Director magazine, executive-level research, annual conferences, and its website, BankDirector.com, Bank Director reaches the leaders of the institutions that comprise America’s banking industry. Bank Director is headquartered in Brentwood, Tennessee.
FIS is a global leader in banking and payments technology as well as consulting and outsourcing solutions. With a long history deeply rooted in the financial services sector, FIS serves more than 14,000 institutions in over 130 countries. Headquartered in Jacksonville, Fla., FIS employs more than 40,000 people worldwide and holds leadership positions in payment processing and banking solutions. Providing software, services and outsourcing of the technology that drives financial institutions, FIS is 426 on the Fortune 500 and is a member of Standard & Poor’s 500® Index. For more information about FIS, visit www.fisglobal.com.
FIS provides clients a 360-degree solution set of products and services that enable enterprise risk management, information security, enhance overall compliance programs and mitigate risk through a best practices-based model that ensures regulatory compliance proficiencies now and in the future.
Contact: Emily McCormick, director of research, (615) 777-8471, email@example.com