Board of Directors Responsibilities
Financial institutions are economic engines that drive our communities. At the head of each financial institution is a Board of Directors, who oversee and provide direction for the Institution to ensure operation and meet its customer needs. The responsibility for such oversight is massive and has evolved greatly over the last ten years to include investments in technology and cybersecurity. The Board of Directors is held accountable to the Institution's shareholders, employees, depositors, the community they serve, and the regulators for the operations of an efficient, safe and sound institution.
Each Institution is examined and measured on the Capital, Asset quality, Management, Earnings, Liquidity, and Sensitivity to market risk, which is known as the CAMELS rating. An Institution’s Information Security Program (ISP) is measured in the Management component of the CAMELS rating and, when managed proactively, provides safe and sound risk management practices for the operations of the Institution.
Managing the ISP is a team effort and includes all operational areas of the Institution. To establish an organization that proactively manages the ISP, the Board of Directors annually appoints an Information Security Officer (ISO) to oversee the activities involved in maintaining a well-managed ISP. Though the Board of Directors is ultimately held responsible for the ISP, the ISO oversees day-to-day information security activities and reports to the Board of Directors at least annually on the overall status of the ISP. Additionally, the Board of Directors appoints an Information Technology (IT – or similarly named) Committee to oversee the day-to-day IT operations and Information Security risk management of the Institution. The Board of Directors appoints members and the Chairperson of the IT Committee, including the ISO as a member or as the Chairperson. The Board reviews and offers credible challenges to IT Committee minutes and reports provided, and as oversight, provides an acceptance or approval.
Much of proactive management is delegated to the ISO and the IT Committee; however, the Board of Directors sets the organizational culture regarding security (mindset) and provides the direction for investing in technology and protecting that investment. The Board of Directors ultimately determines, intentionally or unintentionally, whether an Institution has a reactive or a proactive cybersecurity mindset.
Reactive Mindset vs. Proactive Mindset
A recent PwC Global CEO Survey indicated that cybersecurity is the #1 concern for North American CEOs, which follows a trend among recent surveys. However, less than half of CEOs regularly review their cybersecurity strategies, according to a survey from Forcepoint, and only 11% of organizations feel a “high degree of confidence” in their cybersecurity resilience, according to a Microsoft 2019 Global Cyber Risk Perception Survey.
Each Institution chooses – knowingly or unknowingly – to take a stance when it comes to its cybersecurity mindset. The different types of mindsets, typically driven by a “sudden need,” include:
- Passive: taking the compliance-driven approach by choosing only to meet regulatory standards, which does not offer protection from today’s cyber threats.
- Reactive: a step beyond Passive, but only to include reacting to findings and recommendations from IT exams and audits, which can provide some additional protection, but not enough to prevent or properly respond to a cyber incident.
- Proactive: strategic thinking that moves beyond basic compliance to understand today’s threats and build an ISP that can get out in front of today’s cyber threats and still meet regulatory compliance.
- Innovative: using IT and information security risk assessments to make better, more-informed decisions that can quantify risk and deploy the right controls to mitigate the most risk of a cyber incident.
Shifting from a reactive mindset to a proactive mindset is one of the key decisions a Board of Directors can make to protect the investments made in technology and an Institution’s confidential information.
Results of a Reactive Mindset
When a Board of Directors continues to have a reactive mindset, the Institution will lack good risk management practices, feel frustrated, and may respond to events without proper preparation, which can result in losing control of spending and costing more to recover from a cyber incident than necessary. The mindset is revealed when an audit or exam results in a long list of items not meeting regulatory guidance or industry-standard risk management practices. A reactive mindset can also reveal itself when a cybersecurity incident takes the Institution out of operation for extended periods of time with significant financial impacts, or a natural disaster destroys the Institution's facilities, and customers are not able to be served the way they need to be served.
Continuing to live in the reactive mindset yields fear and uncertainty, generating a mentality of waiting for an auditor or examiner to tell you what you need to do. In this mindset, there may be a false sense of security (“hey, we got a clean exam!”), and uncertainty wondering if you have done enough to protect your Institution. The environment becomes inefficient, and the costs of managing the Institution reactively becomes a guessing game.
Benefits of a Proactive Mindset
An Institution with a proactive mindset strives not only to achieve a high rating for the Management component of the CAMELS rating, but also to do whatever needs to be done to protect the investments it has made. The Board of Directors' responsibility for oversight of the ISP is better managed proactively. Proactive management does not wait for an audit or exam to tell the Institution what needs to be done. The proactive mindset takes control and regularly risk assesses all areas of the ISP to act and mitigate the identified risks before threats are realized.
An example of a proactive mindset is playing out in front of us today. For months, the Institution has managed how to operate during the COVID-19 pandemic crises. The Institution proactively developed a Pandemic Preparedness Plan and annually tested the plan through tabletop exercises. The results of those exercises were used to improve the plan and set the Institution up to handle a pandemic like this with little issue relating to customer service or how employees can work. The COVID-19 crises have made the Pandemic Preparedness Plan critical to the regular operations of the Institution. The benefits of a proactive mindset prepared the Institution to make decisions quickly and take action to operate and serve customers.
There are many strategic advantages to managing the ISP with a proactive mindset, and some are easy to recognize. At the same time, some are intangible and not as easily recognized until there is reflection. The mindset to be proactive reveals itself in the results of an audit, exam, a cybersecurity incident, or a disaster recovery event. Adopt a process to assess the risk, implement controls, audit the controls, educate people around the three (3) pieces of your business processes.
A proactive mindset provides a member of the Board of Directors and senior management with clarity to handle situations. It allows for a better sleep at night knowing the Institution has proactively identified and planned for information security risks.
The Board of Directors Sets the Culture
The Board of Directors chooses to have a culture of a proactive mindset or stay in a reactive mindset. The results will reveal which mindset has been set over time. A proactive mindset will reduce financial losses, have more efficient processes, gain control of the challenges to the Institution, and gain a competitive advantage over the competition. The choice has been made, and the results are in for review. Take time to reflect on the results and ask yourselves if you are proactive or reactive. Make the adjustments needed for yourselves, the Institution's shareholders, employees, depositors, and the community you serve.
Here are four questions to ask yourself to help determine your cybersecurity mindset:
- Are we discussing cybersecurity as a Board of Directors regularly and growing in our ability to be a “credible challenge” to cybersecurity-related decisions (proactive), or are we just waiting to get through the minimum necessary cyber discussions so we can get back to “real business” (reactive)?
- Are we measuring cybersecurity risk and using the results of our risk assessments to make better, more informed cybersecurity decisions (proactive), or are we checking the box when it comes to ISP-related risk assessments (reactive)?
- Do we know what our most important IT assets, vendors, and business process are, as well as the top threats to our Institution right now (proactive), or are we just reviewing the results of those risk assessments and moving along (reactive)?
- Have we made the proper investments (people, resources, training, and/or money) when it comes to protecting our investments and confidential information (proactive), or do we still treat IT and cybersecurity as an expense (reactive)?
