Skip to main content


Become a Credible Challenge for Information Security

Become a Credible Challenge for Information Security

Are You a Credible Challenge?

Have you appointed an information technology (IT) or information security (IS) expert to sit as a full-time member of your Board of Directors?

If you’ve followed SBS’ key messages for the last several years, the phrase “you may consider yourself a financial institution, but you’re really a technology company” is something you’ve probably heard several times. If we’ve learned nothing else from the COVID-19 Pandemic, it’s that this statement is more accurate than ever before. We rely on technology to operate our businesses and support our customers. Imagine where we would be, right now, without technology!

You are a technology company that makes money by providing services (financial or otherwise) to customers, primarily through technology. Once you buy into this concept, the value of your technology becomes more apparent and protecting that investment becomes even more crucial.

Appointing an IT or IS expert (there is a difference) to sit as a full-time member of your Board of Directors is a great next-step to making sure your organization is properly protecting its technology investment. There’s a good chance your Board consists of ownership, certain members of senior management, and external advisors that provide valuable insight that assists in your business model or market. Why not have a dedicated technology or information security expert as a board resource also? Financial institutions are starting to explore this option. Perhaps doing so simply isn’t in the cards for your financial institution; however, the responsibility to become a “credible challenge” to IT or IS decisions still falls to the Board of Directors.



The FFIEC defines a “credible challenge” as being actively engaged, asking thoughtful questions, and exercising independent judgment. The FFIEC mentions being a credible challenge in three sections of two Handbooks, specifically the Management and Business Continuity Handbooks in the following excerpts:

Management Handbook Section I.A.1 Board of Directors Oversight states, “While the board may delegate the design, implementation, and monitoring of certain IT activities to the steering committee, the board remains responsible for overseeing IT activities and should provide a credible challenge to management”

Management Handbook Section III.D.7 Reporting states, “Recipients of IT risk reports should have the authority and responsibility to act on the reported information, provide a credible challenge for information contained in the reports, and be held accountable for the outcomes.”

Business Continuity Handbook Section IX Board Reporting states, “Board minutes should reflect business continuity discussion (including credible challenges) and approvals.


Becoming a Credible Challenge

As is made clear in the previous section, it is expected that the Board of Directors take an active involvement in the oversight of information security by becoming a credible challenge. While the appointment of an IT or IS expert to your institution's Board can help improve your institution’s insight and credibility regarding cybersecurity, in some cases, such an appointment is simply not feasible.

Additionally, adding an IT or IS expert to the Board does not automatically make you a credible challenge. Improving any Board’s ability to be a credible challenge starts with learning how to ask better cybersecurity questions. Here’s a list of better questions to ask when new technology is being evaluated or threats are identified to help you get started. The first three questions pertain directly to governance, and the last three questions have to do with operations:

  1. How is this addressed in our risk assessment process?
  2. How have we governed this in our policy?
  3. How do we have this independently audited?
  4. How is our institution addressing this issue?
  5. How do we help our customers address this issue?
  6. How do we ensure our vendors have addressed this issue?

1. How is this addressed in our risk assessment process? Is this a new system, business process, vendor, etc.? Is there a new threat to a system, process, vendor, etc.? There are many types of risk assessments, but all systems, processes, and vendors must be included in a risk assessment. Those risk assessments should determine if the system, process, or vendor fits the Board’s risk appetite. Asking “How is this addressed in our risk assessment process?” will assist in providing greater insight to the Board as to how the risk assessment process works, and where these individual topics fit in.

2. How have we covered this in our policy? Policy needs not detail how things are accomplished, but rather who is responsible for the policy’s execution, along with the expected format and frequency of execution. Asking “How have we covered this in our policy?” will assist in ensuring adequate policy coverage of systems, processes, and vendors.

3. How do we have this independently audited? Have our risk assessments determined this system, process, or vendor to be high risk? If so, how is this thing tested, and how frequently? Is a requirement for testing this thing addressed in our policy?

4. How is our institution addressing this issue? When properly answered, this question will contain information from the previous three questions. It is risk assessed through this process, which is governed by this policy, and it’s independently tested in this way. However, more elaboration can be provided here.

5. How do we help our customers address this issue? Will this issue affect our customers? If so, what can we do to reduce risk or reduce agitation among our customers? Again, when properly answered, this question will contain information from the first three questions.

6. How do we ensure our vendors have addressed this issue? This question is only relevant if the system or process in question is outsourced; however, it is important to consider. Your vendor risk assessment should identify your levels of vendor risk. But the answer to this question may be more issue-specific and rely on the results of an ongoing vendor review to fully understand. It may be a new topic that would not have been covered in a previous review and could warrant a conversation with the vendor to determine how the issue may be addressed. Again, when properly answered, this question will contain information from the first three questions.


The Big Takeaway

Examiners expect adequate oversight of information security from the Board of Directors. The Board may delegate these responsibilities, but the Board must present a credible challenge to management. Becoming a credible challenge means asking better questions to successfully provide oversight and accountability to senior management and the committees with whom responsibility for information security lies. Appointing an IT or IS expert to your Board of Directors is a great step to becoming a credible challenge, as is outlining a framework to ask better questions like those listed above. Hopefully, in time, having Directors with a background in technology becomes common practice. If this is a step your organization has already taken, great! Until that time, Boards must ensure they provide a credible challenge to information security management, regardless of expertise.


Written by: 
Cody Delzer
VP Information Security Consultant - SBS CyberSecurity, LLC 


SBS Resources: 
SBS CyberSecurity has been helping organizations identify and understand cybersecurity risks to make more informed business decisions since 2004. If your organization is looking to better understand your cyber risk; build, maintain, or test your cybersecurity program; and make smarter, more informed cybersecurity business decisions, SBS can help.

  • {Download} You Are a Technology Company: As your organization is reviewing its strategic plans, take a moment to evaluate the use of technology as a core component of your business. If most of you are being honest with yourselves you will realize that your organization has shifted from performing a service for a customer and using technology to make that service more convenient to truly operating as a technology company that offers your customer a specific service. Begin download.
  • {Blog} The Board of Directors Proactive Cybersecurity Mindset: The Board of Directors' responsibility for oversight of the ISP is better managed proactively. A proactive mindset will reduce financial losses, have more efficient processes, gain control of the challenges to the Institution, and gain a competitive advantage over the competition. Read blog
  • {Education} Executive/Board of Director Security Awareness Training: This training is used to help organizations become more knowledgeable in the topics of information security. This helps lower the risk of falling victim to some of the attacks and methods being used today, along with helping you stay compliant with laws and regulations. Keep in mind that Information Security is the responsibility of everyone at the bank, not just an individual or committee. Training can be tailored to employees or executive level/board of directors. Learn more


Related Certifications:

Join our growing community of financial service professionals showing their commitment to strong cybersecurity with a cyber-specific certification through the SBS Institute. Click here to view a full list of certifications.

Certified Banking Security Executive

Hacker Hour webinars are a series of free webinars hosted by SBS CyberSecurity. Unlike paid webinars, Hacker Hours are aimed to meet on a monthly basis to discuss cybersecurity issues and trends in an open format. Attendees are encouraged to join the conversation and get their questions answered. SBS will also offer products and services to help financial institutions with these specific issues.

Posted: Wednesday, August 12, 2020
Categories: Blog