As I travel the country facilitating long-term strategy sessions for community banks, one topic that is increasingly of interest to the directors and senior officers is planning for technology issues.
As I have previously mentioned in this blog, long-term planning of a strategic nature (30,000-foot level) is critical for community bank leaders. This is to be distinguished from operational and tactical planning, which is an obligation of the management team.
In the typical long-term, strategic planning session, there is some discussion of threats to the organization’s very existence. Near the top of that list of threats, usually right behind risks associated with federal regulators and what they are going to do next, is information technology security.
When I ask community bankers and directors what causes them to lose sleep at night, IT security is one of the most common responses.
“When will my bank be hacked?”
After the data breaches of Target, Home Depot, Neiman Marcus, and others, community bankers are generally wondering when the next shoe is going to drop—on them.
Community banks have handled the back end of the data security breaches—i.e., replacing credit and debit cards, dealing with customer concerns, monitoring their information, and the like.
However, smaller banks haven’t really experienced the front end of cyber threats—a hacker penetrating the community bank’s walls and gathering information from their systems.
Many of the banks I have talked to wonder how—and when—a hacker is going to get in and which community bank is going to be the first to get hit, take a loss, and ultimately fail.
As a result of these concerns, community banks are focusing very heavily on technology security planning. For most, that involves dealing with their vendors on their core processing systems. Community banks are obligated to make sure their vendors are up to speed. After all, banks are liable for their vendors’ failures if they do not mitigate risks appropriately.
In some cases, the community bank has a tech-savvy young gun or rising star who can spearhead many of these efforts. Even then, however, it is usually up to some third party to either code a program or make changes to the bank’s systems.
Decide today what you want to be
These issues have also caused boards to seriously consider where the bank should be on the “technology continuum.” This is a 0 to 10 scale with 0 as a “slow follower” and 10 as the “bleeding edge.”
I generally ask the board to consider where they are now, where they want to be strategically, and whether they are willing to commit the resources to get there. All this must be considered against the backdrop that technology is a moving target.
Although community banks are focused heavily on providing products and services to their customers through or using technology, they are also seriously concerned about the security risks associated with new and emerging technologies. That being the case, security must always be a focus of long-term planning on technology.
I am increasingly hearing from banks getting into social media that many board members, particularly the older ones who do not fully understand social media (and don’t want to), are concerned about the security risks associated with social media.
This is the new reality for community banks. We can no longer ignore the internet or figure that the younger generation will catch the bank up to speed once we leave the helm.