As a security consultant, I have spent time talking with management and members of the Board of Directors at several institutions, and I can tell you that they run the gamut of security-mindedness and technology knowledge. I have met directors who like to know what’s going on in the IT department and are well versed in information security and cybersecurity threats, and there are others who want nothing to do with anything IT related. With the release of the FFIEC’s Cybersecurity Assessment Tool also comes the release of a set of Board expectations.
One of the resources released with the FFIEC’s Cybersecurity Assessment Tool last year was the Overview for Chief Executive Officers and Boards of Directors. Leading up to the tool’s release, we’ve noticed a trend with examiners and questions about Board involvement. The Board has always had the final say in all things information security, but gone are the days where the Board is given a huge stack of pages filled with risk, policy, and incident information and then asked to blindly accept what others have created and maintained. Examiners are continually reminding us that a top-down approach is the most effective way to create a culture of security at your institution.
While the Overview doesn’t give Board requirements, it does provide some guidance on what a Board’s role could be in cybersecurity. Those suggestions include:
- Engage management in establishing the institution’s vision, risk appetite, and overall strategic direction.
- Approve plans to use the Assessment.
- Review management’s analysis of the Assessment results, inclusive of any reviews or opinions on the results issued by independent risk management or internal audit functions regarding those results.
- Review management’s determination of whether the institution’s cybersecurity preparedness is aligned with its risks.
- Review and approve plans to address any risk management or control weaknesses.
- Review the results of management’s ongoing monitoring of the institution’s exposure to and preparedness for cyber threats.
As you glance through this list, try to assess whether your Board is able to interpret your Cybersecurity Assessment Tool (CAT) results and make plans to improve your institution’s cyber preparedness. If you think they may need some help, you’re in good company! That’s why I would suggest you provide your Board with cybersecurity training annually to get them – and keep them - up to speed on what they should know surrounding cybersecurity. That may seem like quite a task as cybersecurity encompasses so much, and most of that is technical in nature. I don’t think you need your Board to understand cyber threats on the same level as your IT staff, but they do need a basic understanding of what could happen to your information and your customer’s information. They need to understand why everyone (examiners, auditors, etc.) is making a big deal about cybersecurity. They need to know what your institution is doing to protect yourselves from these cyber threats. They need to understand what types of attacks are happening at other institutions and what new controls you can implement to be protected—or what existing controls you’re relying on for protection and how you can audit those to ensure they’re working effectively.
You need to provide your Board with enough cybersecurity knowledge that they start to operate from a risk-based approach to technology and services. It’s commonly believed that security and convenience are inversely related, so that as convenience increases, security usually decreases and vice versa. Educating your Board on cybersecurity issues should usher in an era where all employees understand and accept some of the inconveniences associated with strong cybersecurity…an era where security is seen as everyone’s problem—not just IT’s problem. I believe that’s what examiners have in mind when they talk of a top-down approach to security, and I think it’s definitely the most effective way to expand your bank’s information security posture.
Stephanie Chaumont is a Security and Compliance Consultant for CoNetrix. CoNetrix is a provider of information security consulting, IT/GLBA audits and security testing, and Tandem – a security and compliance software suite designed to help financial institutions create and maintain their Information Security Program and Cybersecurity Assessments.