In the past, the Board has always been expected to make strategic decisions, choosing what was best for the overall success of their institution. For most institutions, these decisions were made with little information or regard to cybersecurity. As threats to our information security evolve, so do examiner expectations for the Board of Directors.
With the release of the FFIEC's Cybersecurity Assessment Tool in 2015, we saw specific examiner suggestions for improving Board oversight of an institution's cybersecurity program and posture in their Overview for Chief Executive Officers and Board of Directors. The picture painted throughout all the suggestions provided is that of a Board who understands cyber risks and makes risk-based decisions. That picture may or may not be an overwhelming shift for your institution, but I think for the vast majority of us, there is room for growth in this area. For institutions with a large gap between their current Board oversight of cybersecurity and where they need to be, here are a few things to start with:
- Risk Appetite: This is a newer term in the context of cybersecurity programs, but the idea is not new. The Board needs to set the tone for its appetite or tolerance for risk. Does the Board want to take a more conservative approach to risk and really aim for the lowest reasonable level of cybersecurity risk? Or does the Board feel comfortable shouldering more risk when it means that their products, services, etc. are innovative when compared with peer institutions? The risk appetite statement and attitude will vary from institution to institution, but the important thing is that the Board decides the direction here and that decisions are made based on this risk appetite. When an executive or the IT department wants to implement a new product, process, or service, you can then bring it all back to the risk appetite – does the risk involved in this new venture align with what the Board decided on risk appetite/tolerance? If not, then we move on or find other controls that will bring the risk down to an acceptable level.
- Board Training: The Board doesn't need to acquire the same cybersecurity knowledge that you would expect in a CISO or IT professional, but it's important for them to understand the cyber risks your institution faces and how your institution is managing those risks. It's important for your Board to understand they set the tone and culture for the bank, and security awareness has to start at the top for it to effectively become a part of your bank's culture. From security awareness training to knowing bank policies surrounding information security, the Board is a crucial part of any successful cybersecurity program. As with any training, shorter, more frequent sessions are typically recommended to help with retention.
- Board Reporting: Some examiners are now urging financial institutions to provide regular reporting on various cybersecurity issues (data breaches and losses incurred, breaches at other institutions and controls implemented to prevent them from reaching you, new laws or regulations, etc.). There is no guidance requiring this to happen on a specific timetable, but just checking in with your Board to show them a current cybersecurity snapshot will go a long way in giving them the knowledge needed to make informed and risk-based decisions for the institution.
This is by no means an exhaustive list, but if you're like most institutions that are overwhelmed with cybersecurity and how best to get the Board involved, these should be a great start.