How to get the board on board with cybersecurity

Community bank board members’ understanding of cybersecurity issues—and their willingness to dedicate funds to this function—is key to thwarting the next breach.

By Karen Epper Hoffman, Illustration by Neil Webb

There’s no avoiding the daily headlines about the latest data breaches or online attacks. For community banks, cybersecurity has ceased to be a fringe interest best left to the IT department and is now a concern for the entire leadership team.

At community banks, that heightened awareness has not translated into more dollars or more employees dedicated to online security. Many industry experts believe that is because the primary decision-makers at many banks, the board of directors and top executives, lack sufficient understanding of this fast-moving, increasingly impactful area of technology.

Indeed, despite the fact that cybersecurity is garnering more interest and concern these days, as stories of new viruses, malware, attack vectors, online scams, successful cyberattacks and mounting losses pile up, industry prognosticators still estimate that less than 10 percent of a corporation’s IT budget is dedicated to cybersecurity.

Experts say one main reason cybersecurity still ranks low on banks' budgetary to-do lists is that the very people who put these budgets together are not able to grasp how significant cybersecurity has become to their bank, the likely pitfalls of not enhancing online security, and how to combat potential cyber threats most cost-effectively. It would be a mistake, however, to see community bank board members and top executives as naïve, complacent or uninterested in this issue. Instead, a major factor is that few bank leaders hail from the online security arena, or even the technology field.

“The state of understanding on the boards of most community banks is marginal,” says Ryan O’Leary, chief security research officer for WhiteHat Security. “They are no doubt aware that there are attacks that happen and that companies have suffered. However, they lack the knowledge of how to prevent these kinds of attacks. Cybersecurity is a very wide area of study with many intrusion points, so it’s understandable they may be a little confused.”

According to a 2016 survey conducted by Accenture Strategy, only 6 percent of board members and only 3 percent of CEOs at large global banks have technology backgrounds. Forty-three percent of surveyed banks do not have any board members with professional technology experience, and another 30 percent can boast only one board member with such experience. (While there is no recent data available on U.S. community banks specifically, industry experts say that given their anecdotal experience, these percentages are likely to be even lower at smaller local or regional institutions.)

[Infographic: percentage of large global bank board members with a technology background (6 percent); percentage of large global bank CEOs with a technology background (3 percent)]

Community bank chief executives are often drawn from the bank-owning family or come to the job with more of an accounting or marketing background. Board members are often drawn from the pool of top business leaders in the bank’s geography, whether or not they are well versed in financial services, technology issues or cybersecurity.

“In my experience of working for many years with community banks, I can tell you that the board and the C-suite are all scared to death about cybersecurity issues,” says Jeffrey C. Gerrish, partner with Gerrish Smith Tuck, PC in Memphis, Tenn. “It’s always on the agenda, but there has not been enough education. … So, at best, they often default to an outside vendor.”

Another issue is that leaders at cash- and resource-strapped community banks, like companies in most sectors today, are focused on the bottom line. They want to focus their time, their resources and their money on the line items they know will provide them the biggest return on investment.

Since online security typically does not provide any kind of relatable or tangible "payback," margin-minded board members and top executives often see it as a budgetary black hole. At best, a security investment becomes a mathematical exercise, the amount of risk reduced minus the amount spent on reducing that risk, which is tricky to gauge in an environment where the cyber threat changes from day to day. As one adage goes, this tends to lead boards to want not good security so much as good-enough security.

However, according to Trent Fleming, a longtime community bank consultant on board issues, the situation may be improving as community banks increasingly come to grips with this pervasive and pernicious concern. "[Bank] directors' understanding remains less than ideal, but I do believe it is trending up," Fleming says. "The challenge is to convince directors that they are able to understand the basics necessary to oversee their bank's program. Cybersecurity, along with all of operations and IT, must be seen as a key business unit of the bank, rather than a mysterious component that no one understands."

The National Association of Corporate Directors (NACD) weighed in on this issue in 2017, publishing its own list of five "cybersecurity principles every board director should know."

According to the NACD Cyber-Risk Oversight Handbook, back in 2012, only four out of 10 boards (across all industries) received reports on risk and privacy online. Now, more than eight in 10 are “talking regularly about cybersecurity, especially financial services [companies],” says Robyn Bew, director of strategic content development for the NACD. “There’s a growing realization that cybersecurity is complex and moves very fast, which makes it challenging.”

Board members and community bank executives must bolster their understanding and preparedness as cybersecurity becomes a more important part of the financial framework. To that end, here are some ways that community banks can beef up their online security readiness among their top ranks, without having to replace existing leaders.

1. Provide good cybersecurity direction at each board meeting and executive event. IT security talent is hard to come by for every company. Combine fast-growing demand for this job category with the relative dearth of potential candidates in most rural areas and small towns, and most community banks struggle to find qualified people to lead their IT security initiatives. Hence, many community banks may need to bring in outside experts to help educate their board about cybersecurity issues. One option is to offer boardroom briefings led by qualified third parties, to help extend and spread better understanding of cybersecurity issues.

Consider who at the bank actually manages online risk, as well as who prepares for potential breaches. According to the NACD, the CIO is the person who most often reports cybersecurity issues to the board (62 percent of cases), followed by the head of internal audit (38 percent), the CEO (37 percent) and, finally, the chief information security officer (31 percent). The board should be hearing from the chief information security officer regularly, according to Bew, to help integrate cybersecurity into the bank’s business processes, customer interactions and HR policies, among others.

2. Present online security issues for the non-technical layman. The key to speaking the truth of cybersecurity to leadership is to not only put it into commonly understood language but to put it in terms that the audience will accept. In this case, that means presenting cybersecurity in basic terms that someone without a technology background can grasp, while also imparting the potential impact on the bank and its customers. “Regular, plain English presentations of key issues will help them to understand,” Fleming says.

3. Introduce ways to inform top leaders of security issues that affect the bank. Board meetings, as infrequent as they are, cannot be the only way that directors and executives are informed about emerging threats. While community bank boards tend to be risk-averse, "which actually plays into cybersecurity nicely," according to O'Leary, "banks need only look at the news headlines to see dozens of companies that have been compromised every month. The risk is real, it's out there right now, and it costs the company a lot of money." Community banks may not be able to "weather the storm as easily as a big bank," he adds. "The brand reputation damage to a small community bank could be devastating. If its customers lose confidence in the bank, they'll take their money someplace else and could put an end to the bank. This is a real risk that the board needs to know about and understand." For that reason, regular email, website, Twitter or text updates that board members and top executives are required to follow might be one way to keep them in the loop between board meetings.

4. Educate the board and C-suite about their fiduciary and regulatory responsibilities. Board members especially may not even be aware of their legal responsibilities when it comes to cybersecurity, because the area is changing so quickly. For example, in 2016, New York state banking regulators released a set of cybersecurity rules, which went into effect in March 2017, requiring banks to write a cybersecurity policy that must be certified by the bank's board members or a senior officer. This is the case even though more than six in 10 board members in the state say they are not required to complete any cybersecurity training.

“The ultimate responsibility and risk for cybersecurity compliance and loss is at the board level,” says Brad H. Hamilton, attorney at law for Jones & Keller PC. “Cybersecurity programs that do not come from the board down do not meet regulation and standard-of-care requirements, and have a lower level of effectiveness and adoption. Once the board understands this, their interest is high. So it is necessary to make sure, through dedicated meetings and presentations to the board, that they understand the significance of their role and responsibility.”

Three ways to stretch cybersecurity dollars

Even if and when community bank boards become more sympathetic to IT security issues, the fact is that perpetually resource-strapped community banks will always need to be thrifty when it comes to planning and executing their cybersecurity strategy.

With that in mind, here are three ways community banks can make the most of their online security investment.

1. Hire good people and keep them educated about cybersecurity.
No matter what technologies banks put in place, there is no replacement for having good people. “Employees remain the weakest link, followed closely by customers,” says Trent Fleming, a longtime community bank consultant on board issues. “Spending time and effort to close down potential points of entry in the bank’s systems, and to encourage customers to protect their access credentials, are key methods.” Having employee oversight—by way of third parties attempting to “phish” them for training purposes, for example—is another way to make sure employees are aware of cyber hygiene. “Most breaches come through employees and contractors, phishing email and direct contacts, clicking on bad links and opening attachments,” says Brad H. Hamilton, attorney at law for Jones & Keller PC. “These are addressed through education and top-down adoption, which, in hard dollars at least, is less expensive than robust IT departments and manned network operating centers continuously monitoring for attacks.”

2. Make IT security, and technology in general, part of the overall business plan.
Jeffrey C. Gerrish of Gerrish Smith Tuck, PC recounts an experience where one community bank board member pointed out an IT employee and said, “She costs us a lot of money.” Community banks must embrace the notion that IT security is an essential part of the bank’s risk management and therefore a part of the bank’s overall business plan, and must incorporate online security into the bank’s strategic enterprise risk management plan from the outset. “For many CEOs, strategic planning for technology is an afterthought or a dreaded task,” Fleming says. “Moving discussions of technology into your enterprise strategic planning will help you to leverage technology by embracing its value and clearly defining how technology will support your business lines, both customer-facing and internal.”

3. Make sure vendors and internal staff play well together.
Community banks often must rely on their third-party providers to get technology work done. With that in mind, Ryan O’Leary of WhiteHat Security says that software-as-a-service (SaaS) vendors should do continuous assessments. These SaaS vendors are typically cheaper than hiring the security professionals directly into your organization and can allow the bank’s team to scale much more easily than hiring internally, according to O’Leary. “In addition, you get the assurance and safety of continuous assessments, which a human just can’t do. This is a great way to make the security budget stretch as far as it can.”
—Karen Epper Hoffman

Knowledge is power

The Learning Labs at this year’s ICBA Community Banking LIVE will offer a wealth of expertise on cybersecurity’s importance—and the risks of remaining complacent. Here are two Learning Labs to consider attending:

Soup to Nuts: Mitigating and Managing Cyber Risk
The first step to protect your institution against cyber risk is preparation. You must know your data, you must know your vulnerabilities and you must know the threats you face. This presentation covers pre-breach services that can help businesses protect against cyber risks, including cybersecurity assessments, pen testing, compliance audits and more. Review the latest cyber-claim trends and issues in incident response.

Behind the Curtain: The Dark World of Cyber Crime
Data breaches, ransomware, email compromises, phishing and computer network intrusions. In recent years, cyber criminals have exposed security vulnerabilities across all business sectors to disturbing effect. Peek behind the curtain and view a live demonstration of the dark web as we expose the very latest tactics and techniques cyber criminals are deploying today.

Karen Epper Hoffman is a writer in Washington state.