Do boards have role in cyber-risk?

The Heartbleed security bug. The Target stores data breach. A new “oops” at Facebook or some other social media platform. The latest lapse in security reported in the morning’s paper … or tomorrow’s.

Many such incidents have, or have the potential to, impact your bank quite directly. The damage may be to the bank’s wallet, its operations, or to its reputation—or all three. But what can a bank board do about cybersecurity threats?

One thing you can’t do is escape responsibility.

“When you strip away the surface of what most companies do today, what you have left is a technology company,” says Gary Owen of Promontory Financial Group, LLC. “Banks are technology companies. And if the technology fails, then the business stops operating.”

Wait, you may be thinking. We’re a community bank. We’re all about personal service. Yes, Owen, a director at Promontory, agrees, but “it’s service wrapped around technology.” Ultimately, a bank is data. That  is why cybersecurity threats rank so high now.

However, the typical bank director is not a technocrat. He or she may understand the concept of the threat that this virus or that attack may pose to the bank, but otherwise the details are a mystery. This may frustrate you and your fellow board members. But Owen, who previously led security-incident response and threat management at Goldman Sachs & Co. before consulting for Promontory, says there’s no need for angst.

The key to getting this growing part of the director’s job done is treating it like many other aspects of enterprise risk management. Your job is not to address and attack the threat directly, but to oversee the processes and people that do.

Demand clarity, action

Owen says board members must accept two key points.

First, they cannot become experts in data breaches and similar threats.

Most directors have been selected for bank board service because they are talented generalists. One facet of that is having the ability, and experience, of operating through oversight and delegation, and demanding performance from those to whom duties have been delegated.

Second, and related to Owen’s first point, is communication.

The board is in the position to insist that staff handling such threats be able to communicate about the risks in a straightforward, clear way. “There has to be a common nomenclature,” says Owen, or the board can’t properly oversee what’s going on.

Once those two points have been accepted, the board and its employees can concentrate on an ongoing agenda:

• What are the bank’s risks and exposures?

• What is the bank doing about them?

• What are the relevant policies and practices?

• How well is the bank carrying all this out, and where are the gaps?

If this sounds like many other aspects of bank governance, that’s because the board’s job doesn’t change in concept here from any other source of risk and responsibility. Owen says that a key duty, whether you are discussing preparedness for tomorrow’s cybersecurity incident or reaction to today’s, is to ask simple, but direct and probing questions of your people.

That said, Owen warns directors that communication is a two-sided responsibility. Board members must be careful what they bring up and how they bring it up, when communicating with technology staff. Bankers take what the board says quite seriously. When strong interest and concern is read from a director’s question or comment, staff will make things happen.

“The board must take care not to stir things up so that they launch a lot of activity that wasn’t desired,” says Owen. Staff has to be able to distinguish between the merely informational question; the long-term concern; and “We want action—now!” The board should strive for a consistency of tone so it is always clear to staff what’s expected next.

Setting tech risk appetite

A broader but very related matter is the board’s risk appetite in the technology area, according to Owen.

Often, when the topic of “risk appetite” comes up, some directors may respond, “none wanted, thank you.” But that’s far from the case. Banking is a risk business and the issue is how much will be tolerated, how much will be protected against, and how quickly bank staff will respond to various threat levels. Avoiding tech risk would mean disconnecting the internet and going back to the abacus—and even then you’d have to be sure no one stole any beads overnight.

One example of setting risk appetite in this context is how quickly a board expects technology staff to have a long-term solution in place to a newly identified threat. Two days? Ten days? The appetite will drive the expenses of closing off a vulnerability.

“Technology risk is difficult to describe a risk appetite for,” says Owen, “but you can put some descriptors around it.”

Part of the value of those descriptors, he says, is that they can become checkpoints for later behavior. If, say, the board or the technology staff sets a standard that any significant software vulnerability be patched within ten days of its identification, that accomplishes two purposes.

 First, it gives staff a sense of priority over other tasks. Second, should the resolution of the problem slip, that time frame becomes a variance from policy that should be reported back to senior management, or, when warranted, the board—with an explanation for the delay.

However, in setting such expectations, Owen warns boards not to attempt to be too specific. “If your technology risk policy becomes too granular, it will become ineffective,” he explains.

Point of contact for tech risk

“Technology risk is clearly a part of operational risk,” says Owen, “but technology risk is something best reviewed independently of operational risk, as well.”

Who, then, should be the board’s key contact on cybersecurity and other technology risks? On one hand there is the bank’s Chief Risk Officer, the CRO. On the other is the CIO, the Chief Information Officer, who may report to the board directly or through the CRO. In some organizations, there may also be a CISO—Chief Information Security Officer, who will likely manage cybersecurity directly.

Even if a CISO is on the scene, Owen believes that “both the CIP and CRO should have an understanding of technology risks and cybersecurity. The CIO should be able to represent the risk from a technology perspective and actions being taken to manage the risks. The CRO should be able to represent the risk from an enterprise perspective and the tradeoffs to address risks.”

In some banks, where the CRO is seen as a higher-ranking executive, it may make sense for that officer to be the board’s cybersecurity contact point. Lines of accountability may also be a factor.

However, Owen says the board must also strike a balance between seniority and responsibility. If the board’s inquiries concern detail, someone closer to the matter must be tapped—such as a CISO.

What about vendors? Should your board meet with them, or with consultants, about cybersecurity issues? Again, there is a balancing act here.

Bringing in either is a good way to “check the math of your own team,” says Owen, and a fresh viewpoint can help. However, there can also be a tendency for outsiders to come in and give the board a show.

“A risk management framework that looks good in a PowerPoint may not help on the ground,” says Owen.

Do you need a cyber-risk expert on board?

Ever since passage of the Sarbanes-Oxley Act, there has been a tendency to think in terms of adding specific types of expertise to the board itself. Banks of certain size, for example, are expected to have an audit committee financial expert on the board. Given the challenge of cybersecurity issues, and the potential risks, should your board recruit someone with expertise in this area?

Owen thinks such skills and background would be too specific for most bank boards. In keeping with a board’s oversight role, it makes more sense to continue to recruit generalists who have dealt with technology issues, where cybersecurity is a subset, but from a managerial perspective, not at a practitioner level.

Such experience will do the board more good than specific background, says Owens. In part, that’s because it will have prepared them to weigh tech officers’ reports realistically. These can range from “We’ve got this covered” to  “The sky is falling!” When a board hears things from either extreme, directors ought to be concerned. Attacks can be expensive, but he says that they are rarely brand new. Threats tend to evolve and can be seen impacting others. That gives everyone else time to address the vulnerability.

 A reality lesson helps here: “Technology breaks—at all firms,” says Owen. “The board must hear both good and bad news from the bank’s technology organization, so they can approach shortfalls as a business issue, not a panic.”