Cybersecurity has, over the last few years, become an increasing concern for small and large businesses alike. A growing number of organizations have fallen victim to cyberattacks, and even big banks have seen an increase in the number of attacks. While there has thus far been no known massive banking cyberattack crisis, the problem remains: cybersecurity is a serious issue for banks of all sizes, and the risk of an attack continues to rise. 32% of bank board members admit that their cybersecurity concerns have increased significantly over the past year, while 50% admit to concern that has increased “somewhat.” Unfortunately, at least 67% of community bank boards (under $1B in assets) admit that they don’t have a known cybersecurity expert on their board, and that can lead to serious consequences.
Where Do You Handle Your Cybersecurity?
Banks assign oversight of cybersecurity to different parts of the board, depending on how they choose to handle their cybersecurity needs. Where does your bank handle cybersecurity?
27% of banks handle cybersecurity needs within the risk committee
25% of banks use the technology committee to discuss cybersecurity risks
19% of banks keep cybersecurity in the audit committee
8% of banks report a dedicated cybersecurity committee within the board
20% of banks address cybersecurity as a full board, rather than delegating it to a committee
Regardless of where you choose to discuss it, it has become increasingly clear that cybersecurity is a serious issue for many banks, and the lack of a cybersecurity expert can quickly leave your board struggling. Does your bank discuss cybersecurity at the board level on a regular basis? If not, you may be leaving your bank open to attack.
The Risks of Failing to Address Cybersecurity at a Board Level
According to the Bank Director “2019 Risk Survey” sponsored by Moss Adams, 18% of banks experienced a data breach or cyberattack between 2017 and 2018. This number continues to rise, which makes it critical that you address cybersecurity at the board level. Consider:
Hackers Have Access to More Tools than Ever
Today’s hackers are savvy, smart, and fast, and they have access to an increasing number of tools as they pursue their goal of breaching your bank. Many of them, for example, may use your customers’ mobile devices to work their way into your systems. They may have more access than ever to your data: first individual customer data and, eventually, data for your bank as a whole. If your bank board doesn’t keep up with the changing methods used by hackers, you will not keep up with the threat. Your board needs to focus on adjusting your methods and the protections you offer your customers on an ongoing basis. Without a cybersecurity expert on your board, you may miss key shifts in the cybersecurity landscape, and as a result you may be left struggling to figure out how to protect your bank and your customers.
Security vs. Compliance: Is Your Bank Truly Secure?
Many professionals across a wide range of industries fall into a simple trap: they trust compliance standards to keep their businesses safe. Without a cybersecurity expert on your board, your bank may be no exception. If you’re trusting basic legal compliance to keep you safe, keep in mind:
Cybersecurity standards change faster than laws can keep up with them. More than 230,000 new pieces of malware appear every day, leaving significant vulnerabilities in many businesses. This makes it incredibly difficult for banks and other businesses to keep up with the latest threats and the latest research.
Compliance standards may remain several generations behind what is necessary to keep your bank truly secure. As malware evolves, cybersecurity standards adapt along with it, but if you don’t go beyond compliance in your approach to security, you may fall short.
Compliance standards often miss the latest strategies used by hackers, or they may leave room for legacy systems that do not offer the security you need.
Compliance standards are often created by government bodies rather than cybersecurity experts, and as a result they may miss many of the key details that would help keep your bank truly secure.
Without a cybersecurity expert at the board level, you may find yourself falling back on compliance standards to test the security of your bank. You need to understand cybersecurity, not as a broad concept, but based on the current changes in technology and how they have the potential to impact your bank, your data, and your customers.
Many Banks Lack a True Focus on Security
Only about 30% of banks have a CISO who is focused solely on cybersecurity for the bank. Many banks, about 49%, keep a CISO but require that individual to also cover other areas of bank management and technology. 22% lack one at all. In many cases, this means that your CISO’s focus is divided, and that can be incredibly dangerous if a threat arises at the wrong moment. With a CISO dedicated to managing the ongoing cyber threat, on the other hand, you can ensure that you have the right tools and the right person on the front lines for your bank, offering vital protection. Not only that, your CISO needs to regularly report to and share information with your board, something that around 3% of banks still aren’t doing.
Meanwhile, only about 22% of banks address the growing cybersecurity threat at every board meeting. This means that it’s not an ongoing discussion, and discussion about cybersecurity may be put off until a time that’s deemed “more convenient” for the board, or until “more pressing matters” have been dealt with. Unfortunately, this may mean that holes in your cybersecurity protections remain, and your bank may fall victim to a data breach before you have a chance to fix them. By addressing these concerns at every meeting, on the other hand, you ensure that any potential challenges are dealt with as soon as possible, which helps keep both your data and your customers safer.
Bringing Your Board Up to Standard
With a cybersecurity expert on your board, you can take better advantage of that expertise to shape a safer, more secure data environment for your bank. There are several steps you can take to keep your bank safer.
Make cybersecurity an ongoing conversation. Acknowledge that cybersecurity is an issue that isn’t going away. Hackers continue to develop new methods, making it difficult for your bank to remain secure. Continually implement new strategies and test your existing strategies to ensure that your bank is as secure as possible. Step up your annual testing and compliance standards: you don’t need to wait for an auditor to come in and tell you that you need to improve your security, especially if you already know what challenges your bank might face. Solve problems as soon as they arise, rather than waiting for a hacker to step through the gaping hole in your security.
Partner with Financial Services – Information Sharing and Analysis Center (FS-ISAC) and other information sharing opportunities. Share information you’ve gathered about potential cyberattacks and cybersecurity. Connect with other banks to learn what they’ve done to help make their data more secure.
Utilize FIL-63-2018. This FDIC Financial Institution Letter collects the FDIC’s cybersecurity resources for your bank, giving you access to more effective cybersecurity tools and assessments.
Take the FDIC Cyber Challenge. The challenge is designed to help bank boards and management get a better idea of what potential security problems could threaten their banks and their data. By taking the challenge, you can learn more about cybersecurity and how to genuinely protect your bank and your customers.
Prioritize improvement. An annual review simply isn’t enough anymore. Review your security measures at least quarterly, and make sure that they adapt fast enough to keep up with the changing cybersecurity landscape.
Use the Federal Financial Institutions Examination Council’s Cybersecurity Assessment Tool. This tool helps banks and other financial institutions examine their risk and determine how to mitigate those threats as much as possible.
Move cybersecurity to the top of your priority list. Your bank can no longer afford to treat cybersecurity as a vague conversation that it can push to the back burner. Unfortunately, all too many financial institutions choose to do exactly that, failing to commit the budget and resources their institution needs to meet the ongoing cybersecurity threat. If you want to keep your bank as secure as possible, it’s critical that you take the steps necessary to provide that security, and that means continuing to address and deal with the potential for threats. Your board must prioritize the budget and resources necessary to protect your data. That’s not always an expensive measure. In many cases, it simply means taking the time to make full use of your existing resources. Without a cybersecurity expert on the board, however, you may fail to recognize the importance of many of these ongoing challenges, leaving you struggling to keep up with your bank’s needs.
Keeping up with the changes in cybersecurity, and therefore the potential threats to your bank, is an ongoing problem. If you need an organization to partner with you and help you better understand the challenges your bank may face, contact us. We’ll help you improve your understanding of cybersecurity, the potential threats to your bank, and how those threats can shape the way you handle your daily business.
Brian Gray, MCP, is the President at Kraft Technology Group, LLC (KTG), an affiliate of KraftCPAs PLLC. Within his role, Brian is responsible for all aspects of service delivery to our clients. Brian has a decade of experience working for managed service providers. He has worked with clients in a variety of industries, including financial services, accounting, legal, healthcare, manufacturing, and retail.