BreachExchange mailing list archives

Cybersecurity Threats Demand Small-Bank Directors' Attention


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 27 Aug 2014 19:36:24 -0600

http://www.americanbanker.com/issues/179_166/cybersecurity-threats-demand-small-bank-directors-attention-1069631-1.html

Directors at community banks are adding cybersecurity to a growing list of
priorities.

Boards are increasingly becoming more involved in cybersecurity matters as
breaches against retailers and other companies mount. Though boards don't
need to be involved in the minutiae of information security, it is
important for them to provide strong oversight and ask management tough
questions, industry observers said.

Directors "have to understand that there are people out there trying to
access information and deny customers access to their banks' services,"
said Jeffry Powell, director of sales at Diligent Board Member Services.
"These are threats on a constant basis."

Increased board involvement with cybersecurity has "been a steady drumbeat
over the last two years," said Doug Johnson, vice president for risk
management policy at the American Bankers Association. The association has
found that many institutions have been affected by a denial-of-service
attack, sometimes indirectly through a vendor.

There has also been a wave of high-profile breaches, including the theft of
4.5 million patient records from Community Health Systems in Franklin,
Tenn. Retailer Target has also yet to fully recover after millions of
shoppers were affected by a breach last fall. These events have put banks
and their boards on high alert.

"All banks right now are under a huge amount of pressure," said Vann
Abernethy, a senior product manager at NSFOCUS Information Technology.
"We're beginning to see threats we've never seen before. This used to only
impact major corporations, but we're starting to see this bleed into the
smaller business world."

Bank directors, meanwhile, have seen their workloads spike in recent years,
so it's important for them to balance cybersecurity concerns with their
other duties. Boards should focus "on governance as opposed to decision
making," Johnson said.

"The foundation of the bank-customer relationship is trust," said Sari
Stern Greene, founder of Sage Data Security. "It is the responsibility of
the institution to honor that trust and that emanates from the top."

Education is critical and boards must understand the risks their
institutions face, Greene said. For instance, this could mean learning
about concepts such as CryptoLocker, a ransomware trojan, and then using
that knowledge to question management about its preparedness.

Executives responsible for overseeing cybersecurity need to make sure they
provide information to the board in layman's terms, rather than technical
jargon, said David Baris, president of the American Association of Bank
Directors and a partner at BuckleySandler. Management, at a minimum, should
provide briefings on a quarterly basis.

Boards should also make sure the institution is running appropriate
exercises to test its security and reviewing policies annually, industry
experts said. A few directors may even want to be included in annual
training so they can provide more details later for the other directors,
Greene said.

In addition, regulators have been pushing banks to step up oversight of
third-party vendors. The greatest threats for a breach come from outside
vendors, so this is an area of importance for directors, Baris said. The
attack on Target, for instance, began with a heating and air conditioning
vendor that worked for the retailer.

Directors should instruct management to check that contracts with outside
parties protect the bank if something happens, Baris said. Banks also need
to find out if the vendor will be using subcontractors, then perform due
diligence on those additional firms, when appropriate.

"Management has to carry the ball but the board needs to ask these
questions," Baris said. "Many institutions are appreciating the need to
look at these areas and take steps that might limit damage from a
cyberattack."

Northwest Financial has seen increased board participation in its
information-technology decisions, said Jeff Plagge, the Arnolds Park, Iowa,
company's president and chief executive. That partly stems from the $1.6
billion-asset company's decision to upgrade some of its systems, including
its data disaster recovery plan, but also because of recent breaches at
other companies.

Directors receive quarterly updates on Northwest's projects in addition to
big picture discussions about security, Plagge said. The board is often
informed of technology decisions that don't necessarily need their
approval, he added.

Boards must remember that, even if a service is outsourced, the process
still needs to be managed. That requires training and resources.

"Allocating resources in this space is critical," Plagge said. "You can get
shortsighted on providing resources and then it ends up costing you a lot
more if something happens."

Though most directors aren't security experts, they can still bring
something to the table regarding cybersecurity, said Shirley Inscoe, a
senior analyst at Aite Group. Still, if a board vacancy comes up, banks
should consider a technology expert, she added.

"There's mutual benefit to be had here," Inscoe said. "A lot of directors
are small-business owners and their own businesses are susceptible to
hacking. If they've had experiences with their own businesses in
cybersecurity that is something they can bring to the bank."

Despite regulatory pressure on banks, the possible loss of customer trust
and reputation should serve as a greater motivation to get cybersecurity
right, industry experts said. A small institution "could be put out of
business with a $5 million or $10 million loss," Inscoe said.

"This is an issue that is and will become increasingly important," Johnson
said. "We want to ensure that the directors have the proper tools to
perform their responsibilities for good business reasons. That is ancillary
to the regulatory responsibility. It just makes good business sense to have
this right. It is a business imperative."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com
