Cybersecurity and Your Board

This blog post was authored by my colleague, Sundeep Bablani, Director of IT Audit.

Cybersecurity has always struggled to find its way to the forefront of Board discussions. Discussions on the topic are typically held either to meet compliance requirements or after the financial institution has experienced an incident. The Board relies on management to keep it updated on the current state of cybersecurity risk and to ensure the financial institution's cyber-maturity is in line with that risk. It is critical for the Board to be educated and informed about cybersecurity risk management as part of its fiduciary responsibilities.

The COVID-19 pandemic has challenged financial institutions to identify new technologies, and to explore features of existing technology, to meet the needs of customers and to continue daily operations. The Board, along with management, needs to ensure the financial institution is adequately prepared without forgoing data security. The cybersecurity risk assessment tool has been used to give management a picture of the existing state of cybersecurity; however, the same assessment can also drive an overall strategy for reaching the next level of cyber-maturity. Meeting the minimum regulatory requirements will check the required boxes, but it may not meet the overall needs of the financial institution.

In today's environment of virtual and digital business, cybersecurity should be a routine consideration in the decision-making process for new products and services, as well as in the overall strategic plan of the financial institution. Cybersecurity risks should be evaluated alongside the enterprise-wide strategic plan for both short- and long-term goals. The Federal Financial Institutions Examination Council's Information Technology Examination Handbook offers some direction on ensuring business decisions include technology considerations. This should be extended to ask what each decision implies for cybersecurity and whether it calls for additional people, technology, or collaboration with external organizations.

The COVID-19 pandemic and the current technology environment have made it easier to outsource services and certain aspects of operational responsibility. As a result, it is even more important to ask whether vendors have adequate controls in place to protect the institution's data. Furthermore, have the vendors' subcontractors (fourth-party risk) been identified as part of due diligence, and do they maintain the required level of security? Has management conducted enough due diligence to satisfy the standards set by the institution's information security policies?

Logging, monitoring and alerting are key controls that help combat existing cyber threats. Has the Board evaluated whether the financial institution has the resources to detect these incidents and respond to them in a timely manner? Have these controls been independently tested to ensure they meet the requirements? Logging and monitoring are detective controls; they do not stop an attack on their own, but they are what allows an incident to be noticed and responded to, so they must be continuously reviewed and tuned as the threat environment changes. These controls should be implemented by the financial institution and by any outside party handling its sensitive data. Training is a key component of this process, because the responsibility is now shared at all levels of the financial institution. As a result, it is critical to ensure all stakeholders are given the resources they need to identify and respond promptly to ongoing threats.

As the business environment continues to evolve further into the virtual and digital spaces, Boards and management teams should consider increasing the frequency of cybersecurity-related discussions and training. Cybersecurity is expected to remain a high risk into the future, and financial institutions are responsible for protecting vast amounts of data. These discussions should include training for the Board on current risks in the cyber environment as well as on how existing tools can be used to assist with decision-making.

How can we help?

CLA is here to know you and help you. October is National Cybersecurity Awareness Month, and CLA supports the efforts of the National Cyber Security Alliance and the U.S. Department of Homeland Security to promote internet safety. CLA will be hosting a series of webinars to educate Board members and management on cybersecurity and provide additional information on the right questions to ask, current regulatory guidance and best practices as it relates to cyber strategy. You can register here. We have a team of cybersecurity professionals ready to help you evaluate your cyber risks. Please contact your CLA representative anytime for more information.

  • Managing Principal Financial Services
  • Charlotte, NC
  • 704-816-8452

Susan is a CPA with more than 20 years of combined experience in public accounting and the financial institution industry, including experience with Fortune 500 financial services companies. Susan serves as the managing principal of CLA’s financial services group. Her responsibilities include providing engagement oversight in the areas of assurance and internal audit. In addition, Susan provides board advisory and management consulting services in the areas of strategic planning and mergers and acquisitions. Susan has been involved in multiple mergers and acquisitions of sizes ranging from $150 million to $500 billion with engagement at all stages of the process.

Comments

Hi, I've been looking for cyber training webinars for our board, so I was happy to see this. However, I wanted to be sure it was going to be recorded so they could watch the webinars on their own schedule. From what's posted, it looks like the sessions are only available in live format.

Thanks!

Lauren – Thank you for your note! We will be recording these webinars. Each one should be available following the session, at least within 24 hours. I hope this helps. Please let me know if I can answer any further questions.