Over the last few months, hundreds of senior bank executives from across the United States have attended Executive Briefing on Cybersecurity seminars. One of the strongest comments consistently made by the banking commissioners was about the need for CEOs, presidents and boards of directors to be involved in managing IT risk. State and federal regulators are all delivering the same message: technology risk is not just an IT problem, but a board-level risk-management problem.
Technology continues to progress at a rapid pace, which creates increased opportunities for banks to better meet their customers’ needs. Along with these opportunities, the volume and pace of technological change are also bringing significant increases in cybersecurity risk for banks and their customers. New technology opens doors that become gateways for new risks, which means that as a banker you need to take more precautions than ever before to stay ahead of the cybersecurity curve.
There are 24 hours in a day, every day of the year. Have you thought about how you want to spend the 24 hours you are given each day? You could spend time planting pansies or peonies, but you save time and get a better result when you hire a firm that has the knowledge and reputation for making businesses look their best with landscaping rather than planting the petunias yourself. Information technology at a bank is similar.
Security risks, reliability risks, regulatory risks – every day, banks are facing new and ever-increasing risks due, in part, to the rapidly changing technology environment. These risks are taking up more time and becoming more challenging to manage.
Technology is changing at a faster rate today than ever before. New systems, applications and software are continually being implemented, more bankers are working remotely and the amount of stored data is rapidly increasing. These changes make it challenging for banks to keep their information technology systems current, secure, reliable and compliant with regulations.
Directors are responsible for setting policy and managing risk in their banks. However, many directors are not confident in their knowledge of information technology issues and as a result are not effective at setting policy or managing risks that relate to information technology.
The increasing frequency of cyberattacks makes it clear that preventative measures against today’s cyber risks need to become a priority. Attacks such as those on Target, the IRS and even the United States Office of Personnel Management illustrate the growing severity of the cybersecurity problem.
The FFIEC released the Cybersecurity Assessment Tool on June 30, 2015, and regulators expect that banks’ boards of directors will use this tool to assess their own cybersecurity risks.
The intent is for a bank board to be able to recognize the cyber risks they are taking on and what mitigating controls are in place. Banks engaging in more cyber activities or in higher risk areas are expected to be implementing additional risk mitigation controls.
Agency is not probing hard enough on I.T. exams
It may surprise some bankers to learn that the FDIC has an independent office of Inspector General (OIG) that conducts audits, investigations, and other reviews of the FDIC’s programs and operations. The OIG recently prepared a report assessing the FDIC’s efforts to ensure that over 4,000 institutions it supervises, as well as those banks’ major vendors, are prepared for cyberattacks, and to determine whether the agency has sufficient examination resources dedicated to this goal.
The FFIEC has listed its cybersecurity priorities for 2015 (1). Directors and management should consider how these upcoming steps may affect their bank. In recent presentations, regulators have identified cybersecurity risk as a bank’s second-highest overall risk, behind only interest-rate risk. Does your board give cybersecurity risk the attention that examiners are expecting?