New FFIEC IT Management Booklet: What your Board Needs to Know

by Chris Bedel | Dec 9, 2015

Gone are the days when the Board of Directors at a financial institution could assign the responsibility for Information Security (now called cybersecurity) to the IT Committee, get updates on a quarterly or annual basis, and consider everything taken care of.

With the newest release of the FFIEC IT Management Handbook in November 2015, the expectations of the Board’s level of involvement in and, ultimately, responsibility for IT and Cybersecurity have increased dramatically.

You might be thinking, “Bank examiners have always required the board to be involved in this stuff, it’s no different now…”. And typically I’d agree with you.

But ask yourself this: when describing your board of directors’ involvement in cybersecurity and information technology, would you use the phrase “being actively engaged, asking thoughtful questions, and exercising independent judgment”?

To dig a little deeper into how much change there actually is, I recently took the time to compare the 2004 IT Management Booklet (the previous release) with the 2015 version. There is definitely a harder line when it comes to board expectations in the new release.

Some comparisons of actual excerpts from the two:


THEN:  "The board of directors should approve IT plans, policies, and major expenditures. To carry out their responsibilities, board members should be familiar with information technology and data center concepts and activities."

NOW: "The board should approve the IT strategic plan, information security program, and other IT-related policies. To carry out their responsibilities, board members should understand IT activities and risks."

THOUGHTS: In 2004, the board only had to be familiar with concepts and activities. Now the board needs to UNDERSTAND not only the activities, but also the risks (which is a whole new ballgame).


THEN: "Many boards of directors choose to delegate the responsibility for monitoring IT activities to a senior management committee or IT steering committee."

NOW: "While the board may delegate the design, implementation, and monitoring of certain IT activities to the steering committee, the board remains responsible for overseeing IT activities and should provide a credible challenge to management."

THOUGHTS: The board can still use the IT Committee as in the past, but it is now clearly spelled out that the board is ultimately responsible and will have to demonstrate a credible challenge on IT and cybersecurity.

BTW - per the Handbook, a credible challenge involves being actively engaged, asking thoughtful questions, and exercising independent judgment.


THEN: The Handbook called out 5 bullet points that the IT Committee may also perform.

NOW: 7 bullet points assigned directly to the board or a board committee to perform. They include such items as IT and cybersecurity strategy, oversight of the vendor management process, risk management, and updates on major IT projects (and more).

THOUGHTS: The board of directors will no longer be able to take a passive approach to IT and cybersecurity.


While there are other changes, the three examples above stood out to me as illustrations of the overall take-away from this new release:

Bank board of directors will need to become more interested in, knowledgeable of, and active in information technology and cybersecurity in the very near future.

What are your thoughts on the IT Management Booklet updates?

Further Discussion:
How do you get your board more proactive on IT and cybersecurity? A few ideas for starters:

  • Make sure your board is getting security awareness training
  • Have the ISO or CISO present quarterly updates at the board meetings
  • Include Board Members in your IT Committees
  • Have your board consider adding a board member with cybersecurity experience

Email or Tweet me your responses.
