Best practices for educating your financial institution’s board of directors on cybersecurity
According to Cybersecurity Ventures, cybercrime will account for $6 trillion annually by 2021—that’s more than the global trade of all major illegal drugs combined. Data breaches and other information security events adversely impact organizations through significant losses in revenue, erosion of customer trust, substantial remediation costs, increased insurance premiums, and more.
The financial services industry has always led the way with internal controls, vendor management, and now with cybersecurity for one simple reason—you are in the business of money and it is critical to protect it.
That said, cybersecurity controls require more than just a strong IT department—an effective cybersecurity program, much like ethical behavior, depends on culture. Since your organization’s leadership plays a key role in driving your cybersecurity culture, boards of directors and senior management need a solid understanding of cybersecurity risks and impacts.
According to a 2018 Technology Survey of bank directors by Bank Director, 79% say they need to enhance their level of technology expertise. Many board members come from non-technology backgrounds and careers, and though they are able to support their institution’s mission and drive growth, they may not be able to provide direction in the areas of information technology and security. They may also not recognize what attractive targets they make for phishing and other cybercrimes due to their high level of access to valuable information, their ability to send and receive data from financial institution personnel, and their potential exemption from certain employee policies.
Keeping board members up to date on the evolving landscape of cybersecurity risks can present a serious challenge due to board members’ time constraints. To help, here are some best practices you can follow to make educating your institution’s board and senior management a relatively simple and sustainable process.
Leverage existing cybersecurity training resources
In most cases, you already provide and require cybersecurity training for employees, typically through internal IT experts, third-party vendors, or self-paced courses available online. Board members should complete the same training at least annually.
Require board members to comply with information security policies
Despite their high-risk profile, board members are often exempted from policies applicable to employees, including password requirements and other critical information security policies. Given the sensitive information and levels of access board members have, it is imperative that they fully comply with all information security policies.
Facilitate regular review of information security audits and assessments
Information security audits and assessments provide valuable insights into areas for improvement. Keep your board members aware of any findings, recommendations, or potential risks noted in recent audits and assessments. Provide a regular status report to the board of ongoing efforts and progress to resolve or mitigate findings and risks. Use these regular communications as an opportunity to provide cybersecurity education to the board, and don’t hesitate to speak up about any specific areas and emerging risks you may be concerned about.
Regular cybersecurity updates and discussions
Keep the board and senior management updated on cybersecurity threats, incidents, and any changes to the bank’s cybersecurity program. Provide this information on a quarterly basis and include the cause of and any remediation for such events, as well as any trends in incidents. Regular updates to the board and senior management provide guidance for budgets, goals, and overall strategic direction. With more awareness of security incidents and events, trends in occurrences, and potential risks, the board and senior management are more likely to support greater investments in the bank’s security efforts.
Annual board approval of information security plans and policies
The board should review and approve all information security policies and relevant procedures on an annual basis, as these board-approved policies will establish the financial institution’s directive for effective internal control and cybersecurity programs. Important examples include Information Security and Acceptable Use Policies, Cybersecurity Policy, Incident Response Plan, Business Continuity Plan, and Disaster Recovery Plan.
Knowing your current position and having a plan are key. Through continuous assessment of your board’s fluency with cybersecurity and establishing a process of ongoing education that’s both effective and manageable, your financial institution can improve its culture of cybersecurity awareness—helping reduce the likelihood of future security incidents and events that could adversely impact your board, your financial institution’s employees, and your customers.