In the summer of 2014, JPMorgan Chase, the largest bank in the United States, suffered a breach that exposed information on 76 million U.S. households, more than half of all households in the country. The attackers obtained customers' names and contact information, including phone numbers and email addresses, along with additional internal customer data.
Banks and other financial services firms are attacked far more often than any other type of business. That is no surprise; as the old line goes, "that's where the money is." By one widely cited estimate, financial services firms are attacked roughly 300 times more often than businesses in other sectors: where a typical U.S. company in another industry might see on the order of 4 million attack attempts a year, the typical American financial services firm sees around 1 billion. Counts on that scale necessarily include automated probes and scans, so they measure the volume of hostile traffic rather than the number of successful compromises, but the disparity is stark.
A January 2019 Risk Survey conducted by Bank Director and sponsored by Moss Adams understandably devoted much of its attention to how banks oversee cybersecurity risk. Executives and directors had already listed cybersecurity as their top risk concern in five prior editions of the survey, so finding them more, rather than less, worried this year suggests the industry is still struggling to get its arms around the issue. The results are telling:
- Of all the risks assessed – compliance, consumer, credit, cybersecurity, environmental, interest rate, legal, liquidity, operational, reputational and strategic – management and directors cited cybersecurity as their most significant concern.
- Thirty-two percent of respondents said their concern about cybersecurity risk had increased over the past year. For every other category except interest rate risk (12%), no more than 10% of respondents reported increased concern.
- Forty-nine percent of responding banks employ a full-time Chief Information Security Officer (CISO).
- Only 32% of respondents said cybersecurity governance is handled by the full board; the rest assign it to one or another board committee.
- Sixty-two percent of the banks had someone they “would consider to be an expert on cybersecurity” on the board (5% were unsure).
Overall, the results are a mixed bag. Cybersecurity clearly has the attention of company leaders and their boards, but it seems equally clear that companies are struggling to get ahead of the problem.
What’s a Board to Do About Cybersecurity Risks?
One of the board's most critical roles is to work with the CEO to develop and implement forward-looking strategic plans. It is in this core strategic work that boards have their greatest influence. Boards must review and approve IT strategic plans that include security strategies for ongoing and emerging threats, cyber threats among them. But that is only the beginning:
- Boards should educate themselves. Ideally that means a cybersecurity expert sits on the board; where that is not feasible for a smaller company, the board can schedule outside cybersecurity experts to present to or consult with it. The days of relying wholly on an IT department operating in a silo are over. Boards must know enough to ask the right questions about the company's cybersecurity practices.
- Sophisticated tools exist to help financial institution management and boards appreciate the inherent cybersecurity risks banks face. The Federal Financial Institutions Examination Council's (FFIEC) Cybersecurity Assessment Tool (CAT) is a very good starting point for building a bank's cybersecurity governance infrastructure. The tool first helps a bank establish its inherent risk profile by identifying internal and external threats and risks. With that risk profile established, the CAT then measures "the maturity of the bank's cybersecurity program," with particular attention to whether the board is adequately involved and whether its oversight practices are effective.
- The board should schedule a session at which the CEO and the executive management team formally present the bank's comprehensive cybersecurity plan. This is the CEO's chance to demonstrate his or her understanding of the threat environment and the chosen approach and vision for addressing it. Boards should use the opportunity to ask probing questions that reveal management's tolerance for risk and its overarching strategic initiatives for proactively addressing cybersecurity challenges.
- In working with the CEO and senior management, the board's level of understanding of the bank's cybersecurity risks will become apparent. The board will want to:
  - know that effective controls to prevent, detect and respond to intrusions are in place and functioning, and that management, either through direct oversight or by holding the lines of business accountable, is aggressively managing the risk.
  - know that management has inventoried, and clearly understands, the IT assets acquired and deployed to combat cybersecurity threats. Those assets, whether operated internally or by third parties, should be fully capable of assessing and mitigating cybersecurity risk.
  - review the results of all bank monitoring activities designed to measure the bank's vulnerability to, and preparedness for, cyber threats.
  - confirm that the bank's budget is adequate for its level of cybersecurity risk.
  - review the bank's cyber insurance policies at least annually.
  - require, at least annually, that the bank's network pass appropriate tests against cyber threats, such as independent penetration tests and vulnerability assessments, and review the results.
More than in any other industry, cybersecurity is a primary, and in many cases an existential, risk for financial institutions. The financial assets banks hold, together with the enormous volume of financial data they keep about customers, make them ideal targets for cyber criminals. Banks face a daily barrage of sophisticated attacks.
This very real risk is no longer just an IT department problem, and bank boards will be challenged to play an increasingly important role in overseeing the response to cyber threats, which will only continue to proliferate. Boards should take the initiative to educate themselves and assess their institutions' readiness. A strong oversight infrastructure can then guide and continually reinforce the bank's preparedness. In the end, management must be the committed driving force in addressing the bank's unique cybersecurity risk, but the board must ensure that this responsibility is met.