Eight Security Risk Management Questions That Boards of Directors Need to Ask

The past few years have seen a marked increase in the frequency of cyber-attacks, data breaches and fraud, with the targeted companies often being household names. It has become clear to boards of directors that cybersecurity is more than an IT issue — it’s a major business risk that needs a proactive action plan.

For financial institutions, there are additional regulatory expectations for the board to provide oversight of cybersecurity risk and to hold management accountable. In fact, the FFIEC Cybersecurity Assessment Tool identifies the following board responsibilities to meet the minimum or “baseline” requirements:

• Boards must hold management accountable for security and business continuity.
• Management must provide a written report on security and business continuity program status annually.
• Board must approve policies commensurate with risk.
• Management should present an annual report of security incidents or violations to board annually.

But while an institution’s board of directors is responsible for its overarching governance, oversight and strategy, in most cases it doesn’t have the cybersecurity knowledge and experience required to break down the risks to its business and the actions it must take. What the board does know is that shareholders and customers alike won’t be very forgiving if its institution is the next one in the news. That’s why a growing number of boards are asking tough but relevant questions, shining light on security processes that previously had little transparency.

While certain risks may be unique for an institution, there are a few high-level risks that apply to all and should rise to the Board’s attention because of potential legal, reputational, regulatory and financial impact.

• Unauthorized access to account information (e.g., external hack, internal fraud, or a trusted third party)
• Unauthorized funds transfer (e.g., account hijacking or email impersonation requesting a wire transfer to a fraudulent account)
• Data loss or extended disruption (e.g., ransomware, IT or telecommunication outage or natural disasters)
• Key service provider outage or security breach (e.g., service interruption experienced by an outsourced core banking service provider or a data breach a payroll provider or statement processor)

The Questions You Need to Ask

Security leaders and other management should be able to answer their board of directors’ questions, recommend strategies and processes and implement the solutions the board decides are necessary. But as a member of the board, make sure you ask both high-level and detailed questions to identify any shortfalls in your security program, because the range of cybersecurity issues is far wider than you may expect. 

Here are eight questions we recommend asking your security leaders:

1. What are the top cybersecurity risks facing the institution?
2. How are we managing these risks?
3. How are employees and customers made aware of their role related to cybersecurity?
4. Are external and internal threats considered when planning cybersecurity program activities?
5. How is security governance managed at the institution?
6. In the event of a serious breach, has management developed a robust response protocol?
7. What cybersecurity insurance does the bank have, and what does it cover?
8. How do financial statement auditors consider cybersecurity risk and disclosures, and what impact would a cybersecurity breach have on an auditor’s assessment of our internal controls?

Our observation is that Boards that are provided education on the cybersecurity risks to financial institutions, as well as regulatory oversight expectations, are engaged, if presented at the appropriate level. The focus must be on business risks and not on reviewing the intricate details of vulnerability assessment reports. Once the Board is engaged, it is easier to develop a cadence of annual review of the institution’s cybersecurity program and education on new threats to the industry.

For most institutions, other than the annual review, cybersecurity does not need to be a topic of discussion at each board meeting. But it is a good practice to have the following question asked by the Board at each meeting and documented in the meeting minutes: 

“Have there been any cybersecurity incidents that have the potential to lead to legal, regulatory, financial or reputation impacts that should be reported to the Board?”

Don’t Overlook Your CPA’s Capabilities

Since financial statement auditors look at cybersecurity risks that affect financial reporting, some CPA firms offer cybersecurity services to help mitigate those risks. As a CPA and consulting firm, Wipfli provides a range of cybersecurity solutions that help businesses ask the right questions, analyze security risks and implement robust cybersecurity programs.

If you would like to learn more about how Wipfli can help educate your board of directors on cybersecurity, please contact Jeff Olejnik or your Wipfli Relationship Executive.