Earlier this month, at Bank Director’s FinTech Day at Nasdaq’s MarketSite in New York City, I noted how many technology firms are developing strategies, practices and tools that will dramatically influence how banking gets done in the future. Concomitantly, I expressed an optimism that banks are learning from these new players, adapting their offerings and identifying opportunities to collaborate with new “digital-first” businesses. Unfortunately, with great opportunity comes significant risk (and today’s post looks at a major one challenging bank CEOs and their boards).
By Al Dominick, President & CEO, Bank Director
To grow your revenue, deposits, brand, market size and/or market share requires both strong leadership and business strategy. Right now, there are a handful of banks developing niche vertical lines of business to compete with the largest institutions. For instance, East West Bancorp, EverBank Financial, First Republic Bank, Opus Bank, PacWest Bancorp, Signature Bank and Texas Capital Bancshares.
Just as compelling as each bank’s approach to growing their business is the idea that new competitors in direct and mobile banking will spur the digitalization of our industry. I am a firm believer that through partnerships, acquisitions or direct investments, incumbents and upstarts alike have many real and distinct opportunities to grow and scale while improving the fabric of the financial community.
However, with myriad opportunities to leverage new technologies comes significant risk, a fact not lost on the bank executives and board members who responded to Bank Director’s 2016 Risk Practices Survey, sponsored by FIS. For the second year running, they indicate that cybersecurity is their top risk concern.
More respondents (34 percent) say their boards are reviewing cybersecurity at every board meeting, compared to 18 percent in last year’s survey, indicating an enhanced focus on cybersecurity oversight. Additionally, more banks are now employing a chief information security officer (CISO), who is responsible for day-to-day management of cybersecurity.
However, the survey results also reveal that many banks still aren’t doing enough to protect themselves—and their customers. Less than 20 percent of respondents say their bank has experienced a data breach, but those who do are just as likely to represent a small institution as a large one, further proof that cybersecurity can no longer be discussed as only a “big bank” concern.
For those thinking about the intersection of fintechs and banks, take a look at our just-released 2016 Risk Practices Survey. This year, we examine risk governance trends at U.S. banks, including the role of the chief risk officer and how banks are addressing cybersecurity. The survey was completed in January by 161 independent directors, chief risk officers (CRO), chief executive officers (CEO) and other senior executives of U.S. banks with more than $500 million in assets.
Key Findings Include:
- Sixty-two percent of respondents indicate their bank has used the cybersecurity assessment tool made available by the Federal Financial Institutions Examination Council, and have completed an assessment. However, only 39 percent have validated the results of the assessment, and only 18 percent have established board-approved triggers for update and reporting. FWIW, bank regulators have started to use the tool in exams, and some states are mandating its use.
- Seventy-eight percent indicate that their bank employs a full-time CISO, up from 64 percent in last year’s survey.
- The majority, at 62 percent, say the board primarily oversees cybersecurity within the risk or audit committee. Twenty-six percent govern cybersecurity within the technology committee.
- Forty-five percent indicate that detecting malicious insider activity or threats is an area where the bank is least prepared for a cyberattack or data breach.
- Just 35 percent test their bank’s cyber-incident management and response plan quarterly or annually.
Clearly, banks are increasingly relying on complex models to support economic, financial and compliance decision-making processes. Considering the full board of a bank is ultimately responsible for understanding an institution’s key risks — and credibly challenging management’s assessment and response to those risks — I am pleased to share this year’s report as part of our commitment to providing timely & relevant information to the banking community.