Why Board Involvement Should Be a Key Part of Your Bank’s Information Security Program
The Board of Directors plays a critical role in overseeing all affairs of the bank. While the board typically delegates the day-to-day operational responsibilities of conducting the bank’s business to its officers and employees, it cannot delegate its responsibility for the consequences of unsound or imprudent policies and practices, whether they involve lending, investing, cybersecurity and IT practices, or any other banking activity.
Board engagement has become more important than ever. Both the FFIEC Management Handbook, updated in 2015, and the Information Security Handbook, just updated in September, focus specifically on the responsibility and accountability of the Board as it relates to information technology oversight. Boards that do not adhere to these new standards run the risk of penalties, lowered CAMELS Scores and audit rankings, and, in extreme circumstances, individual director financial accountability. From January 1, 2009, through October 20, 2016, the FDIC authorized suits in connection with 151 failed institutions against 1,213 individuals for Director and Officer liability.
Understanding the Regulatory Responsibilities of Officers and Directors
The FDIC states that it will not bring civil suits against directors and officers who fulfill their responsibilities, including the duties of loyalty and care, and who make reasonable business judgments on a fully informed basis and after proper deliberation. The key to proper deliberation is that Board members be fully informed, and that requires accurate, timely and relevant information: not just data, but actionable information. This is where the Information Security Officer (ISO) plays a critical role.
The Role of the Information Security Officer
A bank cannot just add the title ISO to an IT administrator or employee. The ISO must be a separate role. In fact, the guidance clearly states that it cannot be a production resource assigned to the IT department. Banks that do not have a separation of roles will be cited with what is known as a “Concentration of Duties” finding, which must be resolved in a specified timeframe to avoid a downgraded score or additional penalties.
The ISO is responsible for overseeing the IT budget, performance management, professional development and training, participating in planning activities, and ensuring the bank complies with and adheres to government regulations. To ensure independence, the ISO should report to the Board and not to IT operations management. While this separation of duties can pose a challenge for smaller community banks with limited staff and resources, banks need to keep in mind that, although cost and benefit decisions must always be considered, this is not the place for cost reductions. The overall IT and compliance issues and decisions of a bank are of the utmost importance.
According to the guidance, the Information Security Officer (ISO) is required to provide an information security update to the Board at least annually. Presenting information in a manner the Board will truly understand is the key to successful Board engagement. The ISO must present information in a manner whereby the Board is able to consume, digest, and take action on it. A simple summary report of what the bank did this year is not sufficient to engage the Board or give them the kind of information they need to make the right decisions for the institution. The pace of change in technology requires a more frequent reporting schedule.
The Board is expected to provide a “credible challenge” to management in the oversight of IT initiatives. Too often, when management brings something to the Board, the Board approves it without discussion. However, examiners now expect the Board to ask probing questions, understanding not only what they are approving but also why, making sure it is the right strategic decision for the bank, and comprehending the consequences and risks of not taking action. Questions such as “Why are we doing this?”, “What are we doing?”, “What’s the significance of this?”, “What’s the risk?”, “What if we do it the wrong way?”, “What if we don’t do it?”, and “What if it fails?” should all be asked, answered, and documented.
The ISO needs to ensure that the Board truly understands the “why” behind the bank’s actions. The Board of Directors must get information it can digest and make sense of, and it is the responsibility of the ISO to provide such information. If the Board shows a lack of understanding, the consequences could range from a Matter Requiring Board Attention (MRBA) finding in an examination report, to an informal enforcement action such as a Board resolution or Memorandum of Understanding, to a formal action up to and including a Cease and Desist order and civil money penalties. In 2015, 36 percent of examinations of satisfactorily rated (CAMELS 1 or 2) institutions resulted in MRBAs.
Increasingly, community banks are being stretched to gather more and more information and develop detailed reports and summaries in order to remain compliant. Working with an outsourced service provider, such as Safe Systems, can help streamline this process. With the reports and comprehensive information Safe Systems provides banks, the ISO is able to communicate more efficiently with the Board, helping it make the right decision for the bank. For more than 20 years, Safe Systems has successfully helped financial institutions improve their CAMELS Score, avoid (and remedy) enforcement orders, and fill in cybersecurity gaps to ensure IT audits and exams go smoothly and all regulators’ expectations are met.