Security Smarts


What CEOs and directors need to know about cyber-risk management

By Kelly Pike

It’s easy to think of cybersecurity as the domain of the information technology department or information security officer. They know the buzz words. They have the technical expertise. But they don’t have the ultimate responsibility.

While IT departments and officers have a large role to play, U.S. Treasury Secretary Jack Lew—and a slew of regulators—is making it clear that responsibility for a bank’s cybersecurity rests with senior management and the board.

“If you are the leader of a business, you should know how strong your company’s defenses are, you should know if there are response plans in place in case a significant security breach occurs, and you should be getting regular reports on cybersecurity threats and what your company is doing to respond to those threats,” Lew said in a speech.

Passively managing information security isn’t an option for today’s community bank executives. The board and management can’t just review bullet points in a report or outsource responsibility. Regulators are looking to see greater CEO and board involvement with an eye toward managing risk—including information sharing, incidence response plans and third-party risk.

“The Federal Financial Institutions Examination Council is really emphasizing risk assessments,” says Cary Whaley, ICBA’s vice president, payments and technology policy. “Here is a cyberthreat. What does it mean to the bank and how are you mitigating it? The regulators are emphasizing that this needs to be a corner office/board issue.”

Despite this focus, “there’s not a lot of guidance on it,” says Gary Owen, principal with Promontory Financial Group LLC, a financial services consulting firm based in Washington, D.C. He instead suggests boards manage cybersecurity risk the same way they’d take on enterprise or operations risk. “The board more and more should be held accountable for it if there is any breach or significant challenge.”

The big picture

That doesn’t mean the board has to learn intricate details about firewalls and other technical specifications. Regulators are looking at the big picture.

“We’re not asking them to become IT experts,” says Valerie Abend, senior critical infrastructure officer at the Office of the Comptroller of the Currency. “We’re looking for good risk management processes. Here is your risk profile, here is what your institution and service providers are doing to address your risk profile and risk from this particular issue.”

The key words are identify, mitigate and monitor. Management and the board need to understand the risks most likely to impact the bank and develop risk management processes appropriate for the level of complexity. There must be a response plan that is tested.

“If you are the leader of a business, you should know how strong your company’s defenses are, you should know if there are response plans in place in case a significant security breach occurs, and you should be getting regular reports on cybersecurity threats and what your company is doing to respond to those threats.”
—Jack Lew, U.S. Treasury secretary

It begins with creating a governance process to ensure accountability is ongoing, Abend says. There needs to be regular, timely and meaningful reports to senior management and the board so everyone knows what needs to be done and who’s doing it.

For that to happen, the technical team reporting to the board needs to speak at the level of the board or CEO—not the other way around.

“IT can be an intimidating topic,” notes Amy McHugh, senior associate, IT consulting at CliftonLarsonAllen LLP, a consulting firm with dual headquarters in Milwaukee and Minneapolis, and a former FDIC IT examination analyst. She suggests finding an outside director with some IT or information security background to help bridge the gap. “When you find someone able to translate between the technical and nontechnical side and get across the reasons the agencies have these programs, it quickly becomes intuitive.”

For some community banks, however, that may require a significant culture shift. Too often no one has ever sat down and explained a bank’s technology program in layman’s terms, McHugh adds. “What regulators are looking for is for the financial institution, its IT department and its information security officer to find some way of introducing these topics to the board on a regular basis and maybe enhancing board security awareness training,” she says.

To help community bank CEOs and directors better understand their role in cybersecurity, the Conference of State Bank Supervisors is launching an initiative to help state examiners talk about cybersecurity in a nontechnical way that resonates, says Mary Beth Quist, senior vice president, bank supervision for the Conference of State Bank Examiners in Washington, D.C. “We want to reinforce the message of CEOs and the board of directors getting engaged in management of the institution’s cybersecurity and also share with them how they can manage it in a way they easily understand,” she says.

Tips for Managing Cyber-Risk

Cyber-risk management competency is not that different from other areas of risk management and the same considerations apply, says Cary Whaley, ICBA’s vice president, payments and technology.

  • Skills and expertise. Make sure the right people are in the right places.
  • Threat awareness and communication. Management and the board should proactively communicate and anticipate threats. The Financial Services-Information Sharing and Analysis Center is an excellent source.
  • Policies, standards and procedures. They should be in place, tested and updated.
  • Risk assessment and measurement. Constantly assess risk, risk levels and the staff’s ability to handle that risk.
  • Tools and automation. It’s not enough to have tools—make sure they are actually being used.

Fostering a security culture

Aligning information security with business strategy is one way to build a security culture, says Abend. When a community bank considers a new business strategy or product, it should carefully evaluate whether and how it might be increasing its vulnerability. From home computers to mobile devices, there are many ways to connect to a bank. Bank executives can ask if new connections need to be made or whether it’s possible to simplify the ways employees, third parties and customers access a bank’s systems.

Management can also foster a culture of information security by demonstrating best practices to employees and setting a good example, Abend suggests. Consider social media profiles on sites like LinkedIn and Facebook. Criminals called spear phishers can use the personal details on the site to send a credible-looking email to fool a potential victim into thinking the message is from someone else. Click on it, and the victim’s computer or account is compromised. A CEO can ensure staff is trained on managing social media properly and identifying suspicious emails—and then make sure her profiles meet those standards.

But this is only possible when the board and management are up-to-date with the threats facing the bank and proactively seek information.

“Threat management and information sharing separates the herd,” says Owen, who served on the board of the Financial Information Sharing and Analysis Center for 10 years. “If you don’t have threat management and informational sharing capability at your institution, then you’ll be at the back of the herd.

In a world of growing cyberthreats, that’s one place the board, the CEO and the regulators least want to be.

Kelly Pike is a freelance writer in Virginia.