Skip to main content


Cybersecuring your Directors

Cybersecuring your Directors

A training program for Board members is nothing new; it’s a concept that’s nearly as old as time. In fact, “Board Training” is likely overused to the point of causing Board members to grumble under their collective breath every time the word “training” is uttered. Fortunately, or unfortunately, cybersecurity training for Board members is a new regulatory hot button that all financial institutions will be required to provide if not already, in the very near future. The most successful financial institutions take the following approach to technology and cybersecurity training:

  • They realize technology, and by extension cybersecurity, is a commodity and not simply an expense to the organization’s bottom line.
  • They realize that managing technology, and by extension cybersecurity, requires a top-down approach to be effective.


Technology as a Commodity

Most banks tend to view themselves as “old school.” A financial institution first and foremost, but one that may utilize technology as a necessary evil to make work more efficient. The reality is that your financial institution today is a technology company. A technology company that makes its money by providing financial services; but a technology company nonetheless. Financial institutions can no longer exist without incorporating technology. Gone are the days where the General Ledger could actually be kept on a physical ledger. Technology is such a commodity today; it may as well be part of the utility bills. Without it, operations grind to a halt, doors close, and people are unemployed.


Technology as an Advantage

According to The Financial Brand, the top three (3) trends in retail banking for 2018 are 1) removing friction from the customer journey; 2) use of big data, AI, advanced analytics, and cognitive computing; and 3) improvements in multi-channel delivery. Interestingly enough, these top three trends are exactly the same as 2017’s trend predictions.

Three Most Important Trends for Retail Banking


These top trends line up directly with the concepts of simplicity, convenience, and time-saving. How can our organization make it easier for our customers to accomplish what they want from a variety of different devices, and how can we make them feel like a valued customer the whole time vs. a number (the biggest complaint of retail banking customers in 2017)? That’s the million-dollar question. One thing is for sure: the answer does not lie in more manual processes. Smaller organizations are finding out quickly that investing in technology that simplifies the customer experience, builds convenience into the process, and saves time allows any organization to compete for valuable clients beyond their traditional geographical footprint. Technology-based products and services have truly leveled the playing field, but many small organizations have been slow to invest and now find themselves behind the curve. There’s still time to catch up, and the only cost to level the playing field is the investment into technology.


Cybersecurity Starts at the Top

To ensure an organization is onboard in thinking of themselves as a technology company, the message must be consistently portrayed from the top down. The Board of Directors, the CEO, and senior management must constantly exhibit a cybersecurity-focused mentality. Starting at the top means sharing the technology-focused message and vision with the whole organization. The message must then be backed-up with appropriate investment into not only the technology, but the resources needed to deploy the technology, including roles and responsibilities of the staff. A shift from treating technology as an expense to a critical business function means aligning actions with messaging.

The FFIEC provides financial institutions with the Cybersecurity Assessment Tool, which is an organizational risk assessment that identifies overall cybersecurity preparedness in the following five (5) areas:

  1. Risk Management and Oversight
  2. Threat Intelligence and Collaboration
  3. Cybersecurity Controls
  4. External Dependency Management
  5. Cyber Incident Management and Resilience

While the use of the provided Cybersecurity Risk Assessment Tool is not required, the performance of a Cybersecurity Assessment is required of all financial institutions. Therefore, a Board of Directors to truly be invested in understanding the state of cybersecurity within the institution it directs, they should be able to answer the following ten (10) questions:

  1. Has the financial institution embedded cybersecurity into governance, control, and risk management systems?
  2. Has the financial institution remained vigilant about systematically identifying key assets, that is, those that provide high-value targets for malicious cyber actors?
  3. Has the financial institution tailored security controls to the specific cyber risks presented by each key network, system, or sensitive data?
  4. How does the financial institution prioritize the implementing of enhanced controls around key networks, systems, or sensitive data?
  5. Has the financial institution reviewed the FFIEC Cybersecurity Assessment Tool and appropriately incorporated it into its approach to cyber risk management.
  6. Has the financial institution designated specific professionals to be responsible for the institution’s cybersecurity strategy and provided them with the authority, resources, and access necessary to effectively perform their work?
  7. Has the financial institution trained all employees on cybersecurity policies?
  8. How does the financial institution ensure that insurance coverage matches cyber-related risks?
  9. Does the financial institution’s cyber risk insurance impose minimum required practices, which may lead to denial of coverage if not followed?
  10. What is the overall effectiveness of the financial institution’s Cybersecurity Program?

Once a financial institution can shift their thinking from the top down and buy into the idea that their organization is a technology company, they will begin to think differently about the way they protect themselves. Technology and security will no longer simply be considered an expense or a “necessary evil,” but as an extremely important line of business, without which the organization can’t operate.

Written by: Cody Delzer, 
Senior Information Security Consultant,
SBS CyberSecurity, LLC

SBS Resources:

  • {Service} Cybersecurity Partnership: If you begin to shift your mentality to that of a technology company, but don’t know where to start, SBS CyberSecurity has developed our Cybersecurity Partnership (CSP) program to help organizations just like you. The CSP program is designed to help organizations built a strong Information Security Program (ISP) that helps you make better decisions around information and cybersecurity, such as where to spend your next information security dollar. CSP clients are assigned their own Information Security Consultant to bring training and education, tools, frameworks, and templates to your organization to build an ISP that works for you, rather than simply checking the box for compliance. We will be your partners and guide you as you mature your security posture, as well as keep you up-to-date to the ever-changing regulatory and threat environments.
  • {Service} Executive/Board of Director Training: This training is used to help organizations become more knowledgeable in the topics of information security. This helps lower the risk of falling victim to some of the attacks and methods being used today, along with helping you stay compliant with laws and regulations. Keep in mind that Information Security is the responsibility of everyone at the bank, not just an individual or committee.
  • {Cyber Byte Video} Cybersecurity for Directors: According to FFIEC guidance, the "board of directors sets the tone and direction for an institution's use of IT." What does a Board need to be doing to demonstrate that they value the cybersecurity risk in your Information Security Program and can be a "credible challenge to management"?
  • {Blog} Cybersecurity Primer for Directors: A community bank Board of Directors is typically composed of business leaders often selected for their community knowledge and business development potential. An understanding of cybersecurity is rarely a pre-requisite for a Director, but perhaps it’s time to reconsider the technical knowledge of bank Directors.
  • {Hacker Hour} Taking Cybersecurity from the Basement to the Boardroom: For this Hacker Hour, we asked a selection of past attendees to share the most common issues they struggle with when communicating cybersecurity needs to their Board. Join us to discuss how to boost cybersecurity from its hiding spot in the basement to a consistent topic in the boardroom. 

Related Certifications:

Join our growing community of financial service professionals showing their commitment to strong cybersecurity with a cyber-specific certification through the SBS Institute. Click here to view a full list of certifications.
Certified Banking Security Executive   


Hacker Hour webinars are a series of free webinars hosted by SBS CyberSecurity. Unlike paid webinars, Hacker Hours are aimed to meet on a monthly basis to discuss cybersecurity issues and trends in an open format. Attendees are encouraged to join the conversation and get their questions answered. SBS will also offer products and services to help financial institutions with these specific issues.

Posted: Monday, May 14, 2018
Categories: Blog