Compliance Learning Curve for Directors
The involvement of bank directors in information security awareness training has been a long-standing cornerstone of building an effective information security program. This year ushers in a considerable amount of new information to provide to the board. Examiners will want to see that directors are both educated and playing an active role in your compliance and security initiatives. Specific areas of focus for your 2014 educational sessions should include social media, cyber security and mobile devices.
Social media. In late 2013, the FDIC released FIL-56-2013 on Social Media Guidance indicating that examiners will expect to see that the board is aware of the new initiatives associated with the guidance in 2014. This guidance provides expectations for compliance risk management and explicitly states that the board “directs on how using social media contributes to the strategic goals of the institution (for example, through increasing brand awareness, product advertising or researching new customer bases) and establishes controls and ongoing assessment of risk in social media activities.” It further requests that the board be involved with “periodic evaluation of the effectiveness of the social media program and whether the program is achieving its stated objectives.” If there has not been a prior effort to involve the board in your social media initiatives, now is the time.
Cyber security. Examiners are expected to make your bank’s cyber security initiatives a top priority this year. A prime indicator supporting this expectation is the recent speech by the Comptroller of the Currency and Chairman of the FFIEC, Thomas J. Curry, who clearly stated that one of his objectives is to focus on “operational risk posed by cyberattacks.” For example, he discussed emerging threats such as distributed denial of service attacks and their potential to disrupt critical systems that support financial institutions. While Curry believes the national banking system is prepared for the challenges, he also expressed the critical need for institutions to stay ahead of these threats by working with regulatory agencies.
Curry also emphasized the importance of directors being aware of and engaged in cyber security initiatives, so that they understand the risks posed by these threats and the security measures needed to address them. Board members can be valuable in creating a culture of risk management, emphasizing the importance of identifying and escalating risks internally, and communicating enterprise-wide about these risks. To Curry’s point: financial institutions have been made aware that the board is responsible for overseeing the development, implementation and maintenance of the information security program. It is the board’s responsibility to oversee the strategic planning process, to incorporate information security into all decisions and to protect non-public customer information.
However, in practice, communication with the board regarding Information Technology (IT) and cyber security is often limited because technology is perceived as a cost center that takes away from the bottom line. This is a big mistake! Cyber security is rapidly evolving into a standard practice that saves institutions from significant financial and reputational losses. A further financial benefit of the board’s attention to cyber security is that it helps direct resources to the most significant areas of concern.
Mobile devices. Board members also need to be included in your bank’s “acceptable use policy” regarding mobile devices. Any exceptions create vulnerabilities through which the bank’s information infrastructure can be exposed. Apply the guidance consistently across all devices. This policy varies per institution, but one example might be that if a board member has his or her own iPad, then it should be held to certain security standards, such as keeping the apps up-to-date in order to reduce risks.
Ultimately, bank directors face unique challenges because their responsibilities differ from those of directors of other corporations. The Gramm-Leach-Bliley Act and Section 216 of the Fair and Accurate Credit Transactions Act require strict safeguards for information security and identity theft compliance. Bank board members are accountable not only to shareholders and to depositors, but also to regulators. Managing risks to serve these interests is a critical challenge, and board members need information security training to keep them up-to-date on the latest information specific to their needs. If your board members are reviewing the same PowerPoint presentation each year, it is time to get them acquainted with today’s real threats and prevention techniques.
Prepare to incorporate these areas of increased regulatory expectations into board meeting discussions. Board members should be familiar with their own responsibilities as well as the responsibilities of the organization. Understanding the information security risks the bank faces will help your board realize the value of this effort to your bank’s overall fiscal health while stressing that importance throughout the entire organization.