By Stephanie Chaumont
As a security consultant, I have spent time talking with management and members of the boards of directors at several institutions. And I can tell you that they run the gamut of security-mindedness and technology knowledge. I have met directors who want to know what’s going on in the IT department and are well-versed in information security and cybersecurity threats; there are others who want nothing to do with anything IT-related. But board members now have an excellent resource to improve their knowledge: the Overview for Chief Executive Officers and Boards of Directors, released last year with the Federal Financial Institutions Examination Council’s Cybersecurity Assessment Tool (CAT).
Leading up to the tool’s release, we noticed a trend: examiners were asking more questions about board involvement. The board has always had the final say in all things about information security. But gone are the days when the board is given a huge stack of pages filled with risk, policy and incident information, and then asked to blindly accept what others have created and maintained. Examiners are continually reminding us that a top-down approach is the most effective way to create a culture of security at your institution.
Even though the Overview doesn’t provide board requirements, it does provide some guidance on what a board’s role could be in cybersecurity. Those suggestions include:
- Engage management in establishing the institution’s vision, risk appetite and overall strategic direction.
- Approve plans to use the CAT.
- Review management’s analysis of the assessment results, inclusive of any reviews or opinions on those results issued by independent risk management or internal audit functions.
- Review management’s determination of whether the institution’s cybersecurity preparedness is aligned with its risks.
- Review and approve plans to address any risk management or control weaknesses.
- Review the results of management’s ongoing monitoring of the institution’s exposure to and preparedness for cyber threats.
As you glance through this list, try to assess whether your board is able to interpret your CAT results and make plans to improve your institution’s cyber preparedness. If you think the board may need some help, you’re in good company. That’s why I would suggest you provide your board members with cybersecurity training annually to get them — and keep them — up to speed on what they should know surrounding cybersecurity.
This may seem like quite a task as cybersecurity encompasses so much, and most of that is technical in nature; however, your board does not need to understand cyber threats on the same level as your IT staff. But they do need a basic understanding of what could happen to your information and your customers’ information.
They need to understand why everyone (examiners, auditors, etc.) is making a big deal about cybersecurity. They need to know what your institution is doing to protect itself from these cyber threats. They need to understand what types of attacks are happening at other institutions and what new controls you can implement to be protected — or what existing controls you’re relying on for protection and how you can audit those to ensure they’re working effectively.
You need to provide your board members with enough cybersecurity knowledge that they start to operate from a risk-based approach to technology and services. It is commonly believed that security and convenience are inversely related, so that as convenience increases security usually decreases and vice versa. Educating your board on cybersecurity issues should usher in an era where all employees understand and accept some of the inconveniences associated with strong cybersecurity — an era where security is seen as everyone’s problem, not just IT’s problem.
I believe that’s what examiners have in mind when they talk of a top-down approach to security, and I think it’s definitely the most effective way to expand your bank’s information security posture.
Stephanie Chaumont is a security and compliance consultant for CoNetrix (www.conetrix.com). CoNetrix is a provider of information security consulting, IT/GLBA audits and security testing, and tandem – a security and compliance software suite designed to help financial institutions create and maintain their information security program and cybersecurity assessments.