Cybersecurity for the Board of Directors
Since the first publication of “Cybersecurity for the Board of Directors” in 2014, there have been many millions of additional records exposed as a result of breaches. With recent security breaches, such as the SolarWinds exploit, Vertafore and ABS events, the needle continues to point in the wrong direction.
Let us face the facts: Cyber threats are daunting. Not only are they complex and constantly evolving, but they also have the potential to impart significant financial and reputational damage to our financial institutions.
I wish there were a magic bullet we could deploy, but the fact is: There is no way to be 100% protected. That is why cybersecurity is no longer just the responsibility of IT or security departments; boards of directors and executive leadership are ultimately liable and responsible for the survival of their organizations. And, in today’s world, cyber resilience is a big part of that responsibility.
Educating our boards and leadership:
Most financial institutions have very well-defined and effective cybersecurity awareness programs. This type of awareness on the part of the board matters because, due to the technical and specific nature of threats, board members and business leaders may have difficulty learning quickly enough about an issue to provide effective governance over a cyber threat.
In fact, a primary challenge for financial institutions today is this lack of understanding of a bank’s current exposure to cyber threats and its effectiveness in managing the risk. This is where I believe there needs to be more effective education for our leadership. Being cyber aware is one thing; being educated on our cyber threats takes it to a whole other level.
What does that mean?
Do our boards and leadership know what questions to ask our staff in the board room? Without that type of education, I am afraid we’ll continue to be more reactionary to cyber events rather than taking more of an offensive cybersecurity approach.
Do not get me wrong; I think, especially among our community banks, we have engaged with our boards and are moving in the right direction. A few years ago, IT and security leaders were not even given the chance to get in front of the board. I am also encouraged by more institutions having board members with backgrounds in cybersecurity or IT and/or advisory committee members. Most importantly, our security and IT leaders are given the opportunity to meet face-to-face with our boards.
In the financial/banking industry, we have many regulatory requirements and are provided some guidance. Some of the guidance is around board responsibilities for third-party service providers, which, in my opinion, is one of the more critical risks for our banks. Recent events, such as SolarWinds, are proof of this. What should boards be asking of staff? These are just a few questions we should be asking:
- Do we have established and approved risk-based policies governing the outsourcing process?
- How are we ensuring each outsourcing relationship supports our bank’s overall requirements and strategic plans?
- Do we have sufficient expertise to oversee and manage the relationship?
- How do we evaluate prospective providers based on the scope and criticality of outsourced services?
- Do we have an effective vendor management program based on the initial and ongoing risk assessments of outsourced services?
Going forward: Help is on the way
TBA is currently engaged with consultants to develop a curriculum and training program on cyber risks built especially for our community banks and their directors.