Risk Practices Survey – About That Ratio

November 10, 2016November 17, 2016

5 Cybersecurity Companies Bank Execs & Board Members Need to Know

When it comes to cybersecurity, the best defense might just be a great offense. Whereas cybersecurity once focused on how banks could avoid losing money, my team and I are working on a program for 2017 to help officers and directors a ddress potential scenarios (and develop realistic response plans) should a hack, breech or attack occur. Indeed, protecting the bank against a cyber attack is a core responsibility of every member of a bank’s board and executive team.

In recent posts, I’ve highlighted various fintechs that I find compelling given their relationships with financial institutions. In terms of cybersecurity, I’ve had the chance to learn more about companies like DefenseStorm (given their support of companies like nCino and LiveOak Bank) that I greatly respect. Below are five more companies that I think bank leadership teams need to know:

Cognizant

A global cybersecurity solution and service provider, Cognizant supports multiple industry verticals and information security service lines. I encourage you to take a look at their thoughts on what traditional banks can do to rebuild trust in the digital era.

Centrify

California-based Centrify offers identity & access management solutions to help secure enterprise identities against cyberthreats that target today’s IT environment of cloud computing. Banking customers include such recognizable names as BB&T, SunTrust, Citi and RBS.

Lookout

Lookout has taken a mobile-first approach to security. Indeed, one of the world’s largest investment management firms chose Lookout to provide threat and data leakage protection to over 10,000 managed iOS and Android devices.

Feedzai

Founded by data scientists and aerospace engineers, Feedzai’s mission is to “make commerce safe for business customers and create a better experience for their consumers through artificially intelligent machine learning.”

Brighterion

Since the founding of Brighterion, its core technology has been adapted and improved for real-time applications in the fields of payment, healthcare, marketing and homeland security. For instance, its analysis of payments provides “unprecedented behavioral insights,” from the spending behavior of customers to the constantly evolving techniques of fraudsters.

As a complement to these five businesses, let me wrap up by sharing a recent FinXTech article:Emerging Technologies Combat Cybercrime. As you will read, banks are doing everything they can to reassure customers that their digital information is safe and secure.

March 21, 2016

Cybersecurity and the Fintech Wave

Earlier this month, at Bank Director’s FinTech Day at Nasdaq’s MarketSite in New York City, I noted how many technology firms are developing strategies, practices and tools that will dramatically influence how banking gets done in the future. Concomitantly, I expressed an optimism that banks are learning from these new players, adapting their offerings and identifying opportunities to collaborate with new “digital-first” businesses. Unfortunately, with great opportunity comes significant risk (and today’s post looks at a major one challenging bank CEOs and their boards).

By Al Dominick, President & CEO, Bank Director

To grow your revenue, deposits, brand, market size and/or market share requires both strong leadership and business strategy. Right now, there are a handful of banks developing niche vertical lines of business to compete with the largest institutions. For instance, East West Bancorp, EverBank Financial, First Republic Bank, Opus Bank, PacWest Bancorp, Signature Bank and Texas Capital Bancshares.

Just as compelling as each bank’s approach to growing their business is the idea that new competitors in direct and mobile banking will spur the digitalization of our industry. I am a firm believer that through partnerships, acquisitions or direct investments, incumbents and upstarts alike have many real and distinct opportunities to grow and scale while improving the fabric of the financial community.

However, with myriad opportunities to leverage new technologies comes significant risk, a fact not lost on the bank executives and board members who responded to Bank Director’s 2016 Risk Practices Survey, sponsored by FIS. For the second year running, they indicate that cybersecurity is their top risk concern.

More respondents (34 percent) say their boards are reviewing cybersecurity at every board meeting, compared to 18 percent in last year’s survey, indicating an enhanced focus on cybersecurity oversight. Additionally, more banks are now employing a chief information security officer (CISO), who is responsible for day-to-day management of cybersecurity.

However, the survey results also reveal that many banks still aren’t doing enough to protect themselves—and their customers. Less than 20 percent of respondents say their bank has experienced a data breach, but those who do are just as likely to represent a small institution as a large one, further proof that cybersecurity can no longer be discussed as only a “big bank” concern.

For those thinking about the intersection of fintechs and banks, take a look at our just-released 2016 Risk Practices Survey. This year, we examine risk governance trends at U.S. banks, including the role of the chief risk officer and how banks are addressing cybersecurity. The survey was completed in January by 161 independent directors, chief risk officers (CRO), chief executive officers (CEO) and other senior executives of U.S. banks with more than $500 million in assets.

Key Findings Include:

Sixty-two percent of respondents indicate their bank has used the cybersecurity assessment tool made available by the Federal Financial Institutions Examination Council, and have completed an assessment. However, only 39 percent have validated the results of the assessment, and only 18 percent have established board-approved triggers for update and reporting. FWIW, bank regulators have started to use the tool in exams, and some states are mandating its use.

Seventy-eight percent indicate that their bank employs a full-time CISO, up from 64 percent in last year’s survey.

The majority, at 62 percent, say the board primarily oversees cybersecurity within the risk or audit committee. Twenty-six percent govern cybersecurity within the technology committee.

Forty-five percent indicate that detecting malicious insider activity or threats is an area where the bank is least prepared for a cyberattack or data breach.

Just 35 percent test their bank’s cyber-incident management and response plan quarterly or annually.

Clearly, banks are increasingly relying on complex models to support economic, financial and compliance decision-making processes. Considering the full board of a bank is ultimately responsible for understanding an institution’s key risks — and credibly challenging management’s assessment and response to those risks — I am pleased to share this year’s report as part of our commitment to providing timely & relevant information to the banking community.

March 24, 2015

About That Elephant Coming Out of the Corner (*hello cyber security & banking)

Last summer, a cyberattack on JPMorgan Chase by Russian hackers compromised the accounts of 83 million households and seven million small businesses. While the New York Times reports the crime did not result in the loss of customer money or the theft of personal information, it was one of the largest such attacks against a bank. A data breach like this illustrates the clear and present danger cyber criminals pose to the safety and soundness of the financial system. In my opinion, there can be nothing more damaging to the reputation of, and confidence in, the industry as a whole than major security breaches.

Yesterday, Bank Director released its annual Risk Practices Survey, sponsored by FIS, the world’s largest global provider dedicated to banking and payments technologies. As I read through the results, it became immediately apparent that cyber security is the most alarming risk issue for individuals today. So while I layout the demographics surveyed at the end of this piece, it is worth noting that 80% of those directors and officers polled represent institutions with between $500 million and $5 billion in assets — banks that are, in my opinion, more vulnerable than their larger counterparts as their investment in cyber protection pales to what JPMorgan Chase, Wells Fargo, etc are spending. In fact, the banks we surveyed allocated less than 1% of revenues to cybersecurity in 2014. Accordingly, I’m gearing my biggest takeaway to community bankers since those individuals most frequently cited cyber attacks as a top concern.

Interestingly, individual concern hasn’t yet translated into more focus by bank boards. Indeed, less than 20% say cybersecurity is reviewed at every board meeting — and 51% of risk committees do not review the bank’s cybersecurity plan. As I read through our report, this has to be a wakeup call for bank boards. While a number of retailers have made the news because of hacks and data thefts, this remains an emerging, nuanced and constantly evolving issue.

It would not surprise me if bank boards start spending more time on this topic as they are more concerned than they were last year. But I do see the need to start requiring management to brief them regularly on this issue, and start educating themselves on the topic. In terms of where to focus early conversations if you’re not already, let me suggest bank boards focus on:

The detection of cyber breaches and penetration testing;
Corporate governance related to cyber security;
The bank’s current (not planned) defenses against breaches; and
The security of third-party vendors.

Personally, I don’t doubt that boards will spend considerably more time on this issue — but things have changed a lot in the last year in terms of news on data breaches. If bankers want to start assessing the cybersecurity plan in the same way they look at the bank’s credit policies and business plan, well, I’d sleep a lot sounder.

So I’ll go on record and predict that boards will become more aware and take on a more active role in the coming months — and also expect that regulators will start demanding that boards review cybersecurity plans, and that all banks have a cybersecurity plans. To take this a step further, check out this piece by the law firm Arnold & Porter: Cybersecurity Risk Preparedness: Practical Steps for Financial Firms in the Face of Threats.

About this report

Bank Director’s research team surveyed 149 independent directors and senior executives of U.S. banks with more than $500 million in assets to examine risk management practices and governance trends, as well as how banks govern and manage cybersecurity risk. 43% of participants serve as an independent director or chairmen at their bank. 21% are CEOs, and 17% serve as the bank’s chief risk officer.

March 17, 2015March 17, 2015

Risk Management: Most Certainly An Ongoing Process

Next week, Bank Director releases its annual Risk Practices Survey. In advance of that report, let me share an excerpt from a risk management-focused piece by KPMG’s Lynn McKenzie and Edmund Green — How a Board Can Credibly Challenge Management on Risk — that foreshadows some of the results.

As our industry evolves, banks increasingly rely on complex models to support economic, financial and compliance decision-making processes. Considering the full board of a bank is ultimately responsible for understanding an institution’s key risks — and credibly challenging management’s assessment and response to those risks — let me share the eight considerations that KPMG wrote about for board members as they evaluate their risk oversight.

(1) Do our board members (particularly directors on audit or risk committees) know our bank’s top enterprise risks — those that threaten our bank’s strategy, business model, or existence?

(2) Does our bank have a formal risk management process? Do directors know how management identifies and manages risks, both existing and emerging, and if there is a process of accountability? Does the board have comfort that management has the proper talent to manage today’s risks?

(3) Does the bank have a formal risk appetite statement? If not, how does the board oversee that management is not taking risks outside of the bank’s stated risk tolerance? Is there a protocol to escalate a risk issue directly to the board? Is there evidence that management recognizes the critical need to timely communicate risk issues to board members? Is there a process for the board to evaluate the impact of compensation on management’s risk-taking?

(4) As the bank takes on new initiatives or offers new products and services, does the board understand the process to evaluate the risks prior to decisions being made? Is there a clear threshold for when items need to be brought to the board before finalizing a decision?

(5) In examining management’s reporting process, are directors concerned whether they are getting relevant data? Are they getting so much detail that it cannot be absorbed? Are they getting data at such a high level that it’s impossible to evaluate risk?

(6) Does the board recognize that risk management done well adds competitive advantage and value by addressing gaps in operations? Viewing risk management solely as a compliance function increases the chances of wasting time and money.

(7) Is the board ensuring that, in dealing with the regulators, the bank is “getting credit’’ for the risk management activities it is doing well by being able to describe the programs that have been instituted—or actions taken—that will enable the bank to “harvest value” from its enterprise risk management process?

(8) Finally, given the importance of “tone at the top,’’ are directors satisfied that the proper culture of “doing the right thing’’ exists across the organization?

As many know by now, the 2,300+ page Dodd-Frank Act requires publicly traded banks with more than $10 billion in assets to establish separate risk committees of the board, and banks over $50 billion to additionally hire chief risk officers. Not surprisingly, many institutions under these thresholds have similarly established committees and recruited executives into their bank.

By taking a more comprehensive approach to risk management, I continue to see institutions reap the benefits with improved financial performance… and yes, this too foreshadows next week’s research report. To view the entire KPMG article, here is the link (don’t worry, no registration required). I’ll post more about the Risk Practices Survey along with a link to both the full results and summary report here next week.