

Cybersecurity Primer for Directors


A community bank Board of Directors is typically composed of business leaders, often selected for their community knowledge and business development potential. An understanding of cybersecurity is rarely a prerequisite for a Director, but perhaps it’s time to reconsider the technical knowledge expected of bank Directors. Today, Board members may understand IT threats at a high level, but most Directors are not sure what types of questions to ask the Information Security Officer in the first place.

Role of Directors in Cybersecurity

Historically, Information Technology (IT) and Information Security (IS; including cybersecurity) have not been high-priority Board agenda items. The focus of attention has long been directed toward growing a profitable institution. Today, cybersecurity and IT risk management should be a significant component of a Board’s agenda packet, receiving the same focus as established agenda topics such as lending, interest rate risk, and compliance. As the significance of cybersecurity continues to expand due to regulatory mandates, the implementation of and reliance on new technologies, and the mobility of data, Directors and executive management will frequently be challenged to balance cybersecurity issues against business objectives.


Regulatory Expectations

Regulatory guidance places the burden of setting the tone and direction of the institution’s IT use squarely on the shoulders of its Directors through the approval of the IT Strategic Plan, Information Security Program, and other IT-related policies. To accomplish their responsibilities, Board members need to understand IT activities and their associated risk. While Board members may be comfortable asking questions regarding the lending function of the institution, Directors are often reluctant to ask questions related to IT or cybersecurity. A hot topic for regulators over the last few years has been Board governance of Information Technology (IT) and Information Security (IS), leaning on the concept of the Directors being a “credible challenge” to IT management. A “credible challenge” involves being actively engaged, asking thoughtful questions, and exercising independent judgment.


Opportunities to be a Credible Challenge

At a minimum, GLBA regulations require that an annual Information Security Report be presented to the Board of Directors. These annual report cards provide an overall status of the Information Security Program, addressing various issues including, but not limited to, risk assessment, third-party management, ISP testing results, security breaches, security awareness training, and recommendations for change.

Often, the Board will delegate the design, implementation, and monitoring of IT activities to a steering committee, which typically reports the status of such activities to the Board through the presentation of committee minutes. This type of structure permits the Board to make decisions without participating in day-to-day IT or IS activities. The review of status reports, steering committee minutes, and policy approvals provides excellent opportunities for Directors to actively engage management with questions that help form an independent assessment of the institution’s cybersecurity status.

Institutions today rely on technology and external vendors to perform daily operations and to ensure customers have constant access to their information and funds. Cybersecurity conversations between employees, the steering committee, and the Board of Directors need to happen on a regular basis, not just once per year. The integrity and availability of the institution’s technology and data pose a much greater risk to your organization than nearly anything else, including a bad loan. A data breach, loss of customer data, or significant electronic banking downtime could cause irreparable damage to a community bank whose reputation is its most important asset.


Thoughtful Questions

To assist in developing a conversation with those responsible for information security management, Board members and executive officers should consider asking, and understanding the answers to, the following ten (10) questions:

  1. Which of our IT assets have the highest risk of potential exposure?
  2. Have we chosen to accept any known risk(s)?
  3. What is the greatest risk posed to our institution via our vendors?
  4. Have we adequately addressed the findings and recommendations from our last IT Examination, Vulnerability Assessment, Penetration Test, and IT Audit?
  5. How frequently do we train and test our people regarding cybersecurity?
  6. If the Bank had one extra dollar to spend on cybersecurity, where should we spend it?
  7. How does the Bank educate customers on the threats presented by technology?
  8. Has the Bank experienced a breach or compromise of data?
  9. Have we adequately tested our incident response and recovery plans? What were the results?
  10. Do we have outside resources to assist in investigating and responding to an incident?


Written by: Shane Daniel, CPA, CISA, CIA
Senior Information Security Consultant - SBS CyberSecurity, LLC


SBS Resources:

  • {Service} Cybersecurity Partnership: If you begin to shift your mentality to that of a technology company, but don’t know where to start, SBS CyberSecurity has developed our Cybersecurity Partnership (CSP) program to help organizations just like you. The CSP program is designed to help organizations build a strong Information Security Program (ISP) that helps you make better decisions around information and cybersecurity, such as where to spend your next information security dollar. CSP clients are assigned their own Information Security Consultant to bring training and education, tools, frameworks, and templates to your organization to build an ISP that works for you, rather than simply checking the box for compliance. We will be your partners and guide you as you mature your security posture, as well as keep you up to date on the ever-changing regulatory and threat environments.
  • {Service} Executive/Board of Director Training: This training is used to help organizations become more knowledgeable in the topics of information security. This helps lower the risk of falling victim to some of the attacks and methods being used today, along with helping you stay compliant with laws and regulations. Keep in mind that Information Security is the responsibility of everyone at the bank, not just an individual or committee.
  • {Cyber Byte Video} Cybersecurity for Directors: According to FFIEC guidance, the "board of directors sets the tone and direction for an institution's use of IT." What does a Board need to be doing to demonstrate that they value the cybersecurity risk in your Information Security Program and can be a "credible challenge to management"?
  • {Blog} Cybersecuring Your Directors: The most successful financial institutions take the following approach to technology and cybersecurity training.
  • {Hacker Hour} Taking Cybersecurity from the Basement to the Boardroom: For this Hacker Hour, we asked a selection of past attendees to share the most common issues they struggle with when communicating cybersecurity needs to their Board. Join us to discuss how to boost cybersecurity from its hiding spot in the basement to a consistent topic in the boardroom.


Related Certifications:

Join our growing community of financial service professionals showing their commitment to strong cybersecurity with a cyber-specific certification through the SBS Institute. A full list of certifications is available on the SBS Institute site.

Certified Banking Security Executive

Additional Guidance

Hacker Hour webinars are a series of free webinars hosted by SBS CyberSecurity. Unlike paid webinars, Hacker Hours meet on a monthly basis to discuss cybersecurity issues and trends in an open format. Attendees are encouraged to join the conversation and get their questions answered. SBS will also offer products and services to help financial institutions with these specific issues.

Posted: Monday, March 19, 2018
Categories: Blog