With an uptick in cyberattacks against financial institutions, regulators are putting financial leaders on notice.
"The cyber threat has to become urgent," Benjamin Lawsky, the superintendent for the New York State Department of Financial Services, said in a recent article in the Financial Times. "It's got to be at the chief executive level. It is not an IT problem. It is a bank problem."
Lawsky's words come at a time when too many financial leaders have been content to abdicate their cybersecurity responsibilities to the chief information officer and employees. They see the issue as too complex and technical to manage directly, or simply believe that it isn't of board-level importance.
But regulators won't allow executives and board members to stay on the sidelines of cybersecurity for long. Officials at the Securities and Exchange Commission have been turning up the volume on cybersecurity since issuing informal guidance on the subject in 2011. Regulators have been pushing for financial institutions to disclose network vulnerabilities. And earlier this year, SEC Commissioner Luis Aguilar said that mere disclosure isn't good enough: bank leaders need to engage in proactive cybersecurity management.
In a speech at the New York Stock Exchange, Aguilar said that too many boards are failing in their duties to mitigate cybersecurity risk. Aguilar warned that company executives and boards will be subject to personal litigation if they keep dragging their feet. "Boards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril," he said.
Regulators will soon issue fines to negligent bank leaders and may even require that offending companies be supervised by outside monitors. All this should prompt financial services executives to stop passing the buck and spearhead the effort to improve cyber risk management.
Leaders of financial firms looking to get out front on this issue should consider the following five points.
First, information technology is just one part of a united front against attackers. Compliance professionals and legal counsel must also advise on areas that intersect with this risk such as policies that permit employees to bring their own devices to work, cloud-storage practices, vendor relationships and mergers and acquisitions. Human resources must help manage risks originating inside firm walls. Communications executives must have a strategy for breach-related press inquiries and communications with employees, investors and customers. Only executive leadership can oversee all departments essential to cyber risk mitigation.
Second, the information governance structure must support constant vigilance. Financial firms need to assign responsibility for information management to a C-level executive and establish management responsibilities including ongoing reporting, monitoring and review of information risks and controls. Leaders must also work with IT to ensure that access to sensitive information is limited to those who need it.
Third, bank leaders need to have a plan in place should a breach occur. Preparing for the worst is not an admission of a weak or susceptible network. By contrast, a delayed, bumbling response to a security breach can lead to increased data loss, exposure to regulatory action and reputational damage.
Fourth, executives must know their bank's greatest risks in order to build a strong defense. A comprehensive risk assessment includes learning where sensitive information is stored and how it's protected, exploring information security at third parties like law firms and evaluating data destruction protocols. Not only must financial companies disclose any network vulnerability as part of their fiduciary responsibility, they should use this knowledge to direct their resources.
Lastly, there is no such thing as an impregnable network. Even networks secured with the latest technologies and best practices will remain vulnerable to breaches. However, financial companies that provide proper disclosure, proactively assess cybersecurity risks, comply with all guidelines, and effectively respond to an incident are best able to mitigate the legal, regulatory and public fallout.
Financial services executives often believe they have IT security under control. The reality is that most have delegated away responsibility and are ill-equipped to assess vulnerabilities. This strategy is already too risky in today's environment. The risks will only be compounded as regulators and lawyers seize upon leaders who linger on the cybersecurity sidelines.
Chad Pinson is a managing director at the cybersecurity consultancy Stroz Friedberg and head of the firm's Dallas office.