During the past financial crisis, it could certainly have been argued that, at the board of directors level, the complexity of products on the financial market was not understood well enough to make the appropriate risk appetite decisions that best served financial institutions.
The same situation now exists for cyber-fraud threats: at the board level, these imminent threats are simply not understood deeply enough. A recent article in the Wall Street Journal titled “Hacking Into Tomorrow’s Banking Crisis” by David Reilly addresses this subject directly by citing examples of how some of the CEOs of the country’s largest banks are beginning to address this very topic through new approaches to people, process, and technology.
However, I would like to see this action taken a step further and moved higher up in the organization’s management. I think that CEOs should be taking their Chief Security Officers (CSOs) to regular board-level meetings and placing these issues as a priority on the board’s agenda. Ensuring that this routine action is part of a strategic risk plan that provides current data on hacking and cybercrime on a regular basis, educates on current and emerging risks, and is stepped up during a crisis to address gaps, is core to an organization’s risk strategy.
The recent Heartbleed incident, for example, is an important crisis use case that, in most instances, garnered board attention only “after the fact.” It is clear that boards always benefit from receiving more proactive information and education from the right subject matter experts early on, so that a “black swan” cyber event or similar significant event can be understood, and solutions and crisis plans developed and put in place in advance of a breaking crisis.
This governance routine provides the CEO and the CSO with the right setting for the board to understand and support efforts that ultimately affect sound investment and protection decisions – in addition to effectively managing the crisis itself. Over time, this approach provides “upskilling” of the board’s members so that they ask the right questions moving forward – and more swiftly make the right decisions on risk-related concerns.
Certainly, this recommendation does not apply only to large financial institutions: banks with smaller assets, credit unions, and even non-financial institutions need to smartly and routinely support board members with the latest information regarding potential security threats.
Increasingly sophisticated cyber-fraud risks are emerging daily. Well-informed boards and CEOs, equipped with situational awareness, will stay a step ahead of the threats and make better risk appetite decisions if the dialogue is active and intentional. So attention CEOs and boards – take a CSO to work in your boardrooms more frequently. I am looking forward to hearing more discussions surrounding this potential partnership in my interactions with financial institution executives.