The FFIEC has been talking about the Board and cybersecurity a lot… do they need to be involved?
Absolutely, they need to be involved. Board involvement, referenced in the Cybersecurity Assessment General Observations, was a major point of the FFIEC Cybersecurity Assessment performed in the second half of 2014, and it is now a major point of the Cybersecurity Assessment Tool as well. In case you didn’t think the FFIEC is taking Board involvement seriously, the tool specifically mentions Board involvement TWENTY-ONE (21) times in the Cybersecurity Maturity section. Domain 1 - Cyber Risk Management and Oversight talks about Board involvement with increasing frequency as maturity increases, particularly in the “Oversight” component of the “Governance” factor, which alone mentions the Board fourteen (14) times.