FFIEC Emphasizes Board Involvement in Cybersecurity

The Federal Financial Institutions Examination Council’s updated guidance for bank examiners emphasizes that executives and boards of directors must approve IT plans that contain strategies for addressing emerging and ongoing cyber threats.

This guidance focuses on three key areas:

  1. IT governance for boards of directors: They must review and approve IT strategic plans that include security strategies for addressing ongoing and emerging threats, including cyber threats;
  2. Risk management for operational risks: Institution management should ensure that effective IT controls are in place, either through direct oversight or by holding lines of business accountable; and
  3. IT risk management: Management should identify IT assets that are controlled internally or by third parties and ensure they are adequately measuring and mitigating risks to those assets.

Boards of directors have to get involved; governance is critical to the success of a security program. Unfortunately, a top-down approach is needed here, as cybersecurity and IT risk management can no longer be relegated to the IT department. These revisions clarify regulatory expectations and encourage executives to invest more resources in cybersecurity.

Cybersecurity and the cybercrime prevention landscape are constantly changing, making it critical to ensure constant education. Threat surfaces change so quickly that it seems nearly impossible to be fully protected. This guidance is designed to help institutions move forward on cybercrime initiatives.

The Board’s Role

Regulators clearly are demanding more board involvement in cybersecurity and overall risk management. Banks are going to have to do a lot of education of board members. Directors cannot effectively perform their role without fully understanding it, and most bankers do not understand risk management as well as today’s environment requires. While most board members are savvy businessmen and women, the high rate of data breaches demonstrates the need for more security, and regulators have an obligation to set guidance that ensures financial institutions maintain a strong cybersecurity framework.

If you have questions about your bank’s cybersecurity readiness or cybersecurity education, call ITPAC today.