With cyber-attacks becoming more frequent and costly for companies, boards are looking to provide more oversight on cyber-security risks, but many are stuck on just how to do it.
Earlier this month, during a speech, Securities and Exchange Commission member Luis Aguilar expressed his hope that public companies will consider board-level risk committees to address the problem.
While that may be a novel idea for some businesses, these committees are already being implemented at nearly all financial firms. How their risk committees will ultimately evolve and whether they are equipped to take on the role of providing oversight on cyber-risks, however, remains to be seen.
Enhanced prudential standards for banks, established by a rule finalized in March by the Federal Reserve, require publicly traded bank holding companies with $10 billion or more in consolidated assets—and that includes foreign banks with U.S. operations—to establish board-level risk committees. The regulations further specify that these committees must include at least one risk-management expert, “having experience in identifying, assessing, and managing risk exposures of large, complex firms.”
After a slow start, banks are gradually meeting the new requirements, says Lisa Zonino, a director search consultant at executive search firm Egon Zehnder. Last year, when her firm analyzed boards at 35 of the largest banks in the United States, it found that 29 percent did not yet have a stand-alone risk committee; 14 percent lacked a qualified risk-management expert; and 14 percent lacked both a stand-alone risk committee and a qualified risk-management expert. Only 43 percent of those banks would be in compliance with the Fed rule that was subsequently finalized.
Over time, however, many are getting their act together. “Banks continue to make improvements,” Zonino says, citing a greater focus on board-level risk expertise. “As board members retire and roll off, they are replaced with new board members with more sophistication and deeper risk-management skill sets and experience.”
While most of the larger domestic banks already have board-level risk committees, the new requirements need to filter down to mid-sized and foreign banks with U.S. operations, says Edward Hida, global leader of risk and capital management at the auditing firm Deloitte.
The Office of the Comptroller of the Currency has also stepped up with new risk-management demands. Earlier this year it issued new guidelines that establish standards for risk oversight by the board of directors, Hida explains. Those requirements include identifying the roles and responsibilities within a risk-management program and best practices for the collection and analysis of risk-related data.
“There has been certainly a focus by banks on improving their governance and risk oversight in a post-financial crisis environment,” Hida says. “Organizations may have been generally moving in the right direction but not completely consistent or to the specific standards expected by the regulators. What the enhanced prudential standards have done is provide clarity and definition and also served to institutionalize risk management and make it an ongoing expectation. It is pretty clear we are going to have strong board risk committees moving forward.”
Building a Risk Committee
When creating a risk committee, boards need to carefully consider the organizing charter, Hida says. Composition is important and the inclusion of two independent directors is required. There needs to be a diversity of expertise to represent different aspects of the banks’ operations. The charter should also define the scope of the risks it covers and be updated annually to keep pace with how those threats evolve. This committee will also be tasked with overseeing annual stress tests.
A challenge inherent in the Fed rulemaking is the call to include a “risk-management expert” on risk committees. “The definition remains vague and subject to interpretation,” Zonino says. “Some firms think that if you’ve been on the board of a bank for a number of years, and actively involved in their issues, that you should be a qualified risk expert. But there really is no test.”
Risk committees are tackling not just financial risks, but operational risks and things like cyber-risk and terrorist threats, and “the definition of what would make a qualified risk expert continues to evolve as the definition of risk is broadened,” she says.
In Zonino’s view, an ideal candidate for the role would be a former or current chief risk officer, CFO, or chief investment officer with the comprehensive understanding of the bank’s risk profile that is needed to both challenge and authoritatively advise management.
Focus on Cyber-Risks
Risk committees will also need to address how the bank protects itself against cyber-security threats. Banks traditionally have focused risk assessments on such core matters as liquidity and risk appetite, but should someone with a strong technology or security background have a seat on the board?
Adding cyber-security expertise to the board can also be easier said than done, Zonino says. “The responsibility of a board is to help the CEO with strategic direction of the firm,” she says. “If you load your board up with technical specialists, when does the CEO get to put on the board five or six previous CEOs who can give good guidance on how to handle the competition, how to direct the strategy of the firm, and how to handle employees?”
The trend, as Zonino sees it, is that banks are more inclined to add someone who can bring a broad strategic view of technology issues to the board. While breaches are costly and compromise a bank’s reputation, other technology risks—including those associated with Big Data usage—are also of the utmost concern.
Putting Risk on the Board’s Agenda
The following is a selection from the Federal Reserve’s proposed rule on enhanced prudential standards for large banks.
The proposal would require that a foreign banking organization with combined U.S. assets of $50 billion or more establish a risk committee to oversee the risk management of the combined U.S. operations of the company. The proposal would also require a foreign banking organization with combined U.S. assets of $50 billion or more to appoint a U.S. chief risk officer with responsibility for implementing the company’s risk management practices for the combined U.S. operations.
The U.S. risk committee would be required to review and approve the company’s liquidity risk tolerance for its U.S. operations at least annually, with the concurrence of the company’s board of directors or the enterprise-wide risk committee (if a different committee than the U.S. risk committee). In reviewing its liquidity risk tolerance, the risk committee would be required to consider the capital structure, risk profile, complexity, activities, and size of the company’s U.S. operations in order to help ensure that the established liquidity risk tolerance is appropriate for the company’s business strategy.
Under the proposed rule, the U.S. chief risk officer would be required to review the liquidity risk management strategies and policies and procedures established by senior management. These strategies and policies and procedures should include those relating to liquidity risk measurement and reporting systems, cash flow projections, liquidity stress testing, liquidity buffer, contingency funding plan, specific limits, and monitoring procedures required under the proposed rule. The proposal also would require the U.S. chief risk officer to review information provided by the senior management of the U.S. operations to determine whether those operations are managed in accordance with the established liquidity risk tolerance. The U.S. chief risk officer would additionally be required to report at least semi-annually to the risk committee and enterprise-wide risk committee on the liquidity risk profile of the combined U.S. operations of the company.
Source: Federal Reserve.
In his speech earlier this month, the SEC’s Aguilar warned that many companies may not be doing as much at the board level as they can to address cyber-risk. Frequently, the board’s risk-oversight function lies either with the full board or is delegated to the board’s audit committee. But many boards lack the technical expertise necessary to be able to evaluate whether management is taking appropriate steps to address cyber-security issues, and the audit committee may not have the expertise, support, or skills necessary.
As an alternative, Aguilar suggested that public companies create a separate enterprise risk committee on the board, to foster a “big picture” approach to company-wide risk. He cited research by the Ponemon Institute and HP Enterprise Security that 48 percent of corporations currently have board-level risk committees that are responsible for privacy and security risks, a dramatic increase from the 8 percent that reported having such a committee in 2008.
Following Banks’ Lead
Banks, Aguilar suggested, could take on a leadership role that other industries will follow.
“Boards have become very sensitized in a very short period of time to the threats to their company,” Zonino says. “The issue of cyber-risk is being talked about in all boardrooms and might even be more of an issue in retail than it is in banking.”
Zonino points out that, while banks may still be getting the hang of their new standards, the Federal Reserve has always had prudential standards on how banks manage technology in terms of data protection, resiliency, security, and continuity. “Those standards became a blueprint for what is good risk management,” she says.
“In many ways, these new expectations for banks are setting the standard for any industry,” Hida says. “Others should look at this as an example for their own enhanced board level risk oversight.”