Only 1 in 5 Directors are Confident in their IT Knowledge

Directors are responsible for setting policy and managing risk in their banks. However, many directors are not confident in their knowledge of information technology issues and as a result are not effective at setting policy or managing risks that relate to information technology.

A recent survey of directors revealed only one in five board members are confident in their IT knowledge. While many directors believe they are well versed in assessing and managing credit risk, liquidity risk and interest rate risk, the rapidly changing technology environment is creating new risks every day that many bank boards find challenging to manage.

Regulators are concerned about boards effectively managing information technology. In 2014, regulators performed enhanced IT exams at 500 community banks across the nation. The intent was to create a baseline understanding of the cybersecurity risks banks are engaging in, what risk mitigation controls they have in place and how the directors are managing their risks. As a result of these exams, regulators are placing more emphasis on bank boards to analyze and manage cybersecurity risks. Recent releases from the FFIEC and member regulatory agencies have focused on getting the board of directors more involved in managing the bank’s cybersecurity risks.

One of these recent releases included the Cybersecurity Inherent Risk Profile. The profile is a two-part assessment developed by regulatory authorities to provide a uniform process for directors to gauge the level of cybersecurity risk they are accepting on behalf of their institutions. Bank boards are expected to complete this activity and document the results.

Once the Inherent Risk Profile is completed, bank boards are expected to complete the second part of the Assessment Tool, the Cybersecurity Maturity Assessment. This identifies specific controls and practices in place intended to mitigate the bank’s current cybersecurity risks. When complete, the board reviews both the Inherent Risk Profile and the Cybersecurity Maturity Assessments to determine if their institutions’ controls are appropriate for the level of risk being incurred. If there is a mismatch between risks incurred and controls in place the board will be expected to take action by reducing risks, improving controls or both.

Bankers can expect examiners to review the board’s efforts on both the Inherent Risk Profile and Cybersecurity Maturity Assessments during the bank’s next IT exam.

Following are a few questions for board members to consider when analyzing their cybersecurity risks:
• Are mergers and acquisitions planned or in process?
• Are there vacancies or weaknesses in IT staffing?
• How many people have remote access to the bank’s systems?
• Have there been changes in the bank’s technology systems?
• Does the bank host systems internally?
• How many different third-party technology vendors does the bank work with?
• What level of exams, audits and internal controls do the bank’s vendors have?

Even if directors don’t know the specific answers, they should know where to find them. This enables banks to analyze their cybersecurity risk and determine if existing controls are sufficient in protecting the bank.

BankOnIT client banks can rest easily knowing they have help readily available to assist in preparing responses to regulatory issues. BankOnIT has a proven solution that provides 24/7/365 management and monitoring designed to help provide the best possible security to keep your bank data and your clients’ data secure.

For more information, please contact us at 800-498-8877 or