Board-level Management of Your No.1 Risk

Over the last few months, hundreds of bank senior executives from across the United States have attended Executive Briefing on Cybersecurity seminars. One of the strongest comments consistently made by the banking commissioners was about the need to have CEOs, Presidents and Board of Director involvement in managing IT risk. State and federal regulators are all delivering the same message: Technology risk is not just an IT problem, but a board-level risk-management problem.

Community banks have plenty of issues to resolve every day. Anything that doesn’t seem so immediate can easily be pushed down the list. From a strictly local viewpoint, a banker might say, “We haven’t experienced any successful cybersecurity attacks, so we must be OK.” But regulators have a different vantage point—looking at what’s happening over a broader area. Regulators are worried that cybersecurity attacks are increasing dramatically, banks are taking losses as a result, and many community banks are not adequately prepared. Regulators have stated cybersecurity risks are a bank’s number one risk.

A bank’s major business risks must be supervised and monitored at the board level. Establishing and monitoring the bank’s Loan Policy (controlling lending risk) is an example. The Asset-Liability Management Policy (controlling interest-rate risk) is another example. Similarly, a bank’s cyber risk has now become so important that it requires supervision and strategic decision-making at the board level.

On June 30, the FFIEC released a Cybersecurity Assessment Tool for banks to use internally to evaluate the bank’s existing information security risks, the “maturity level” of its existing information security protections, and whether the bank’s information security risks and security controls are appropriately balanced. This Assessment Tool shows management and the board what gaps may exist between the bank’s risk level and its security protections. (Gaps should be translated into an action plan approved by the board, which may include reducing some elevated information security risk factors, strengthening the bank’s information security controls in some areas, or a combination of both.)

Examiners will use the Assessment Tool at each IT exam and will compare results from one exam to the next to determine if a bank’s cybersecurity risks are increasing or decreasing. The Assessment Tool also will help regulators to measure how your bank’s level of cybersecurity risk compares with other banks across the country.

Is your bank’s board adequately managing the increasing security, reputational and regulatory cybersecurity risks your bank is engaging in?

BankOnIT client banks can rest easily knowing they have secure, efficient and reliable information technology systems combined with the help needed to assist with ever changing regulatory requirements. For more information, please contact us at 800-498-8877, or