Directors at community banks are adding cybersecurity to a growing list of priorities.
Boards are becoming more involved in cybersecurity matters as breaches against retailers and other companies mount. Though boards don't need to be involved in the minutiae of information security, it is important for them to provide strong oversight and ask management tough questions, industry observers said.
Directors "have to understand that there are people out there trying to access information and deny customers access to their banks' services," said Jeffry Powell, director of sales at Diligent Board Member Services. "These are threats on a constant basis."
Increased board involvement with cybersecurity has "been a steady drumbeat over the last two years," said Doug Johnson, vice president for risk management policy at the American Bankers Association. The association has found that many institutions have been affected by a denial-of-service attack, sometimes indirectly through a vendor.
There has also been a wave of high-profile breaches, including the theft of 4.5 million patient records from Community Health Systems in Franklin, Tenn. Retailer Target has also yet to fully recover after millions of shoppers were affected by a breach last fall. These events have put banks and their boards on high alert.
"All banks right now are under a huge amount of pressure," said Vann Abernethy, a senior product manager at NSFOCUS Information Technology. "We're beginning to see threats we've never seen before. This used to only impact major corporations, but we're starting to see this bleed into the smaller business world."
Bank directors, meanwhile, have seen their workloads spike in recent years, so it's important for them to balance cybersecurity concerns with their other duties. Boards should focus "on governance as opposed to decision making," Johnson said.
"The foundation of the bank-customer relationship is trust," said Sari Stern Greene, founder of Sage Data Security. "It is the responsibility of the institution to honor that trust and that emanates from the top."
Education is critical and boards must understand the risks their institutions face, Greene said. For instance, this could mean learning about concepts such as CryptoLocker, a ransomware trojan, and then using that knowledge to question management about its preparedness.
Executives responsible for overseeing cybersecurity need to make sure they provide information to the board in layman's terms, rather than technical jargon, said David Baris, president of the American Association of Bank Directors and a partner at BuckleySandler. Management, at a minimum, should provide briefings on a quarterly basis.
Boards should also make sure the institution is running appropriate exercises to test its security and reviewing policies annually, industry experts said. A few directors may even want to be included in annual training so they can provide more details later for the other directors, Greene said.
In addition, regulators have been pushing banks to step up oversight of third-party vendors. The greatest threats for a breach come from outside vendors, so this is an area of importance for directors, Baris said. The attack on Target, for instance, began with a heating and air conditioning vendor that worked for the retailer.
Directors should instruct management to check that contracts with outside parties protect the bank if something happens, Baris said. Banks also need to find out if the vendor will be using subcontractors, then perform due diligence on those additional firms, when appropriate.
"Management has to carry the ball but the board needs to ask these questions," Baris said. "Many institutions are appreciating the need to look at these areas and take steps that might limit damage from a cyberattack."
Northwest Financial has seen increased board participation in its information-technology decisions, said Jeff Plagge, the Arnolds Park, Iowa, company's president and chief executive. That stems partly from the $1.6 billion-asset company's decision to upgrade some of its systems, including its data disaster recovery plan, and partly from recent breaches at other companies.
Directors receive quarterly updates on Northwest's projects in addition to big-picture discussions about security, Plagge said. The board is often informed of technology decisions that don't necessarily need its approval, he added.
Boards must remember that, even if a service is outsourced, the process still needs to be managed. That requires training and resources.
"Allocating resources in this space is critical," Plagge said. "You can get shortsighted on providing resources and then it ends up costing you a lot more if something happens."
Though most directors aren't security experts, they can still bring something to the table regarding cybersecurity, said Shirley Inscoe, a senior analyst at Aite Group. Still, if a board vacancy comes up, banks should consider a technology expert, she added.
"There's mutual benefit to be had here," Inscoe said. "A lot of directors are small-business owners and their own businesses are susceptible to hacking. If they've had experiences with their own businesses in cybersecurity that is something they can bring to the bank."
Despite regulatory pressure on banks, the possible loss of customer trust and reputation should serve as a greater motivation to get cybersecurity right, industry experts said. A small institution "could be put out of business with a $5 million or $10 million loss," Inscoe said.
"This is an issue that is and will become increasingly important," Johnson said. "We want to ensure that the directors have the proper tools to perform their responsibilities for good business reasons. That is ancillary to the regulatory responsibility. It just makes good business sense to have this right. It is a business imperative."