The fight against cybersecurity threats is being waged more than ever in the boardroom.
As the threat of information-security breaches continues to rise, more institutions are actively recruiting directors with backgrounds in technology.
Huntington Bancshares in Columbus, Ohio, is the latest example after convincing Chris Inglis, a former deputy director at the National Security Agency, to join its board. In a potent illustration of the increasing need to fight cybersecurity threats, Inglis said he was personally recruited by Steve Steinour, the $72.6 billion-asset Huntington's chairman, president and chief executive.
Steinour "asked a mutual friend if he knew anyone with particular skills, attributes and expertise in cybersecurity and that friend mentioned my name," Inglis, who served as the NSA's deputy director from 2006 to 2014, said. "He ended up calling me."
Inglis' appointment is the banking industry's latest high-profile board addition.
Capital One Financial in February added Peter Killalea, a former chief information security officer at Amazon, to its board. The $330 billion-asset company's shareholders recently approved Killalea for a full term.
Wells Fargo in San Francisco recruited retired Major General Suzanne Vautrinot to its board last year, and Bank of Hawaii in Honolulu added Victor Nichols, a former chief executive of Experian North America, in 2014.
"There's a bit of a trend in building cybersecurity expertise on boards," Doug Johnson, senior vice president for payments and cybersecurity policy at the American Bankers Association, said. "Companies want to be sure they're thinking about cybersecurity when they consider major strategic initiatives."
Since Target fell victim to a breach compromising up to 70 million customer records in December 2013, more retailers, financial service providers and government agencies have been burned by major breaches. In December, a bill was introduced to require public companies to disclose "cybersecurity experts" serving on their boards; companies without experts would be required to explain why none were deemed necessary.
Unfortunately, a dearth of candidates and geographical constraints make it challenging for smaller banks to add technology experts. Still, many are working to educate directors about cybersecurity issues, Johnson said.
Other banks are determined to find tech-savvy directors in spite of the challenges, said Robert Kafafian, president and chief executive of the Kafafian Group in Parsippany, N.J. "It's one area I clearly hear banks talk about," he said.
"Community banks are evolving" from consisting primarily of small-business owners to "including professionals that have broader backgrounds that can be helpful to their banks," Kafafian added.
Cybersecurity is dominating banks' agendas, regardless of who sits on the board.
Nearly 80% of the 161 directors and senior executives surveyed in Bank Director's 2016 risk practices survey ranked cybersecurity as their top concern.
Johnson, meanwhile, said interest in cybersecurity has grown dramatically in the 17 years he has handled risk management and cybersecurity issues for the American Bankers Association. Sessions on the topic, which were once sparsely attended, are now "fairly full and attendees are very attentive," he said.
Cybersecurity is at the top of the agenda at virtually every bank Kafafian advises, garnering more attention than credit or interest-rate risk. "The thing that's scaring everybody the most is data security," he said.
Spending on cybersecurity is also rising at many institutions.
The $2.4 trillion-asset JPMorgan Chase disclosed in its quarterly report that it expects to spend more than $600 million this year on cybersecurity. The $1.8 trillion-asset Wells Fargo noted in a recent filing that personnel spending increased $194 million in the first quarter from a year earlier due largely to costs tied to "the heightened industry focus on regulatory compliance and evolving cybersecurity risk."
Community banks, many of which have limited resources to spend on cybersecurity, need to invest more time on training, while letting investors know what steps they are taking to prevent breaches from taking place, said Ric Marshall, executive director at investment research firm MSCI.
"There has to be some sort of mechanism to address this issue and include it in [corporate] reporting,'' Marshall said. "Right now, there isn't any requirement or consistent pattern. … We're not seeing enough banks identify [cybersecurity] as a risk and identify who is responsible" for overseeing it.
Inglis, who teaches cyber studies at the U.S. Naval Academy in Annapolis, Md., agreed that community banks need to do more to combat the threat, stressing that smaller firms need to approach cybersecurity with the same urgency of larger rivals to avoid becoming the industry's "weak flank."