Last summer, a cyberattack on JPMorgan Chase by Russian hackers compromised the accounts of 83 million households and seven million small businesses. While the New York Times reports the crime did not result in the loss of customer money or the theft of personal information, it was one of the largest such attacks against a bank. A data breach like this illustrates the clear and present danger cyber criminals pose to the safety and soundness of the financial system. In my opinion, there can be nothing more damaging to the reputation of, and confidence in, the industry as a whole than major security breaches.
Yesterday, Bank Director released its annual Risk Practices Survey, sponsored by FIS, the world’s largest global provider dedicated to banking and payments technologies. As I read through the results, it became immediately apparent that cybersecurity is the most alarming risk issue for individuals today. So while I lay out the demographics surveyed at the end of this piece, it is worth noting that 80% of those directors and officers polled represent institutions with between $500 million and $5 billion in assets — banks that are, in my opinion, more vulnerable than their larger counterparts, as their investment in cyber protection pales next to what JPMorgan Chase, Wells Fargo, etc. are spending. In fact, the banks we surveyed allocated less than 1% of revenues to cybersecurity in 2014. Accordingly, I’m gearing my biggest takeaway to community bankers, since those individuals most frequently cited cyber attacks as a top concern.
Interestingly, individual concern hasn’t yet translated into more focus by bank boards. Indeed, less than 20% say cybersecurity is reviewed at every board meeting — and 51% of risk committees do not review the bank’s cybersecurity plan. As I read through our report, this has to be a wakeup call for bank boards. While a number of retailers have made the news because of hacks and data thefts, this remains an emerging, nuanced and constantly evolving issue.
It would not surprise me if bank boards start spending more time on this topic, as they are more concerned than they were last year. But I do see the need for boards to start requiring management to brief them regularly on this issue, and to start educating themselves on the topic. In terms of where to focus early conversations if you’re not already having them, let me suggest bank boards focus on:
- The detection of cyber breaches and penetration testing;
- Corporate governance related to cybersecurity;
- The bank’s current (not planned) defenses against breaches; and
- The security of third-party vendors.
Personally, I don’t doubt that boards will spend considerably more time on this issue — but things have changed a lot in the last year in terms of news on data breaches. If bankers want to start assessing the cybersecurity plan in the same way they look at the bank’s credit policies and business plan, well, I’d sleep a lot sounder.
So I’ll go on record and predict that boards will become more aware and take on a more active role in the coming months — and I also expect that regulators will start demanding that boards review cybersecurity plans, and that all banks have a cybersecurity plan. To take this a step further, check out this piece by the law firm Arnold & Porter: Cybersecurity Risk Preparedness: Practical Steps for Financial Firms in the Face of Threats.
About this report
Bank Director’s research team surveyed 149 independent directors and senior executives of U.S. banks with more than $500 million in assets to examine risk management practices and governance trends, as well as how banks govern and manage cybersecurity risk. 43% of participants serve as an independent director or chairman at their bank. 21% are CEOs, and 17% serve as the bank’s chief risk officer.