Heightened Expectations, Cybersecurity, and the Board’s Role in Risk Management

Heightened Expectations, Cybersecurity, and the Board’s Role in Risk Management

Apr 30, 2014 | Cyber Risk, Cybersecurity, Operational Risk, Risk Management

How to Strengthen Cybersecurity Defenses

The first quarter of 2014 has been marked by an increasing focus on the board’s role in risk management, not just in the financial services industry (where in January the OCC issued proposed rules detailing how a board of directors should oversee risk ((OCC Guidelines Establishing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches; Integration of 12 CFR Parts 30 and 170, January, 2014)) ) but more widely in other vertical sectors. As The Conference Board noted in its March 2014 Director Notes ((The Board’s Role in Cybersecurity”, Director Notes, The Conference Board, March, 2014)), 2013 was the year when the more and more evident consequences associated with cybersecurity risks – financial and reputation loss, operational disruption, legal liability, and competitive disadvantage – forced oversight of cybersecurity risk from the IT department to the boardroom. While a shift to greater board involvement in risk management is appropriate, it comes with at least two notable risks.

These board related risks are most evident in the banking business, where the clear trend is to ask boards to play a larger and larger risk management role. In fact the OCC’s proposed January language uses wording that’s unusual as it relates to board roles, including provisions calling for boards to “ensure that the bank establishes and implements an effective risk governance framework…provide active oversight of management…to question, challenge, and when necessary, oppose recommendations and decisions made by management that could cause the bank’s risk profile to exceed its risk appetite or jeopardize the safety and soundness of the bank.” ((See “Standards for Boards of Directors,” Proposed OCC Guidance, in Appendix A)) That’s strong and unusually detailed language, and as many observers have said seems to go well beyond the board’s traditional oversight function. While the guidelines will formally effect only a limited number of the country’s larger national banks, those are the banks that have generated the headlines around data breach, denial-of-service attacks, and other risk management lapses.

The OCC’s proposed guidance raises two key questions:

  • How far should the board go in fulfilling its role to “ensure” (that is, make certain) that management implements an effective risk governance framework, potentially usurping the traditional role of senior management?
  • What kind of incremental liability would these new requirements impose on board members, and is it enough to have an impact on directors’ willingness to serve?

Every board has the responsibility to oversee management and organizational performance, but at what level should that oversight occur? Boards micromanage solutions at their own peril. Boards, on the other hand, clearly should hold senior management responsible for the demonstrated effectiveness of solutions that management proposes, in this case the effectiveness of a risk management governance framework recommended by senior management and approved by the board. If a risk management framework proves to be ineffective, the traditionally effective board role would be to question senior management about the process through which the framework was developed and the competency of individuals who oversaw development. It is not the board’s role to develop an alternative risk management framework. The OCC’s current proposed guidance does little to sharpen the line between board and senior management roles, and arguably blurs it.

When regulators are perceived to push board members into “active oversight of management, questioning, challenging, and where necessary opposing…decisions made by management” ((See “Standards for Boards of Directors,” proposed OCC Guidance, in Appendix A)) around a specific issue, they change the nature of traditional board oversight. Under these circumstances, especially in the glare of regulatory oversight, there is increased risk that board members may elect not to serve. In fact, in April 2014, the American Association of Bank Directors reported that Directors and Officers (D&O) insurance carriers have refused to cover regulatory risk for an increasing number of banks, and that almost a quarter of survey respondents said that had either lost a director, been refused by a perspective new director, or had directors decline to serve on specific committees because of liability concerns. ((“AABD Survey Results – Measuring Bank Director Fear of Personal Liability,” April, 2014, American Association of Bank Directors.))

However well-intentioned the proposed OCC guidance may be, the rule of unintended consequences provides a caution not just in banking, but in other critical infrastructure verticals where cyber and other operational risk issues are taking on potential headline significance. And in areas outside of banking, where cyber/data security risks may not be as well understood at the c-suite and board levels, there will be a steep learning curve (the just released “Excellence in Risk Management XI” ((Special Report: Excellence in Risk Management XI – Risk Management and Organizational Alignment: A Strategic Focus, April 2014, Marsh)) survey found that risk professionals ranked data security as their number one top risk in 2014, while c-suite respondents in the same survey group did not even put that issue on their top ten risk list). Settling on the proper roles for the board and senior management in risk management must be an immediate priority, and industry clearly needs to increase the level of discussion around this topic before events overtake us.

Appendix A

Proposed OCC Guidelines Establishing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches; Integration of 12 CFR Parts 30 and 170
III. STANDARDS FOR BOARD OF DIRECTORS
A. Ensure an effective risk governance framework. Each member of the bank’s board of directors has a duty to oversee the bank’s compliance with safe and sound banking practices. Consistent with this duty, the board of directors should ensure that the bank establishes and implements an effective risk governance framework that meets the minimum standards described in these Guidelines. The board of directors or the board’s risk committee should approve any changes to the risk governance framework.
B. Provide active oversight of management. The bank’s board of directors should actively oversee the bank’s risk-taking activities and hold management accountable for adhering to the risk governance framework. In providing active oversight, the board of directors should question, challenge, and when necessary, oppose recommendations and decisions made by management that could cause the bank’s risk profile to exceed its risk appetite or jeopardize the safety and soundness of the bank.
C. Exercise independent judgment. When carrying out his or her duties under III.B each member of the board of directors should exercise sound, independent judgment.
D. Include independent directors. To promote effective, independent oversight of bank management, at least two members of the board of directors should not be members of the bank’s management or the parent company’s management.7
E. Provide ongoing training to independent directors. To ensure each member of the board of directors has the knowledge, skills, and abilities needed to meet the standards set forth in these Guidelines, the board of directors should establish and adhere to a formal, ongoing training program for independent directors. This program should include training on:
(i) Complex products, services, lines of business, and risks that have a significant impact on the bank;
(ii) Laws, regulations, and supervisory requirements applicable to the bank; and
(iii) Other topics identified by the board of directors.
F. Self-assessments. The bank’s board of directors should conduct an annual self-assessment that includes an evaluation of its effectiveness in meeting the standards in section III of these

For more than 35 years, Santa Fe Group Senior Consultant, Gary Roboff, contributed his outstanding talents to the financial services industry, and in particular to financial services payments systems. Gary has focused on such issues as privacy and information utilization, business frameworks, changes in the payments and settlement systems, and standards for emerging e-commerce applications. He has chaired the Electronic Funds Transfer Association (EFTA) Board of Directors and was a founder of the International Security Trust and Privacy Alliance (ISTPA), serving as Vice Chair of its Board.

Sign up for our Newsletter

Learn about upcoming events, special offers from our partners and more.

Sub Topics