Cybersecurity Oversight for Boards of Directors and Managers
Friday, January 29, 2016 6:30 AM

By Idrees Rafiq, Jr., AVP IT Consulting, Credit Union Resources

Credit unions are more dependent than ever on information technology to conduct business, and the trend is not declining. Complexity and reliance on third-party resources are also increasing, amplifying cyber threats. As a consequence, it's imperative that the board of directors and managers remain “in the know” about cybersecurity at their credit unions.

The Federal Financial Institutions Examination Council (FFIEC) stated, “Today’s financial institutions are critically dependent on IT to conduct business operations. This dependence, coupled with increasing sector interconnectedness and rapidly evolving cyber threats, reinforces the need for engagement by the board of directors and senior management.”

The following is an excerpt from the FFIEC IT Examination Handbook, Management booklet (November 2015), giving guidance:

The board of directors sets the tone and direction for an institution’s use of IT. The board should approve the IT strategic plan, information security program, and other IT-related policies. To carry out their responsibilities, board members should understand IT activities and risks. The board or a board committee should perform the following:

  • Review and approve an IT strategic plan that aligns with the overall business strategy and includes an information security strategy to protect the institution from ongoing and emerging threats, including those related to cybersecurity.
  • Promote effective IT governance.
  • Oversee processes for approving the institution’s third-party providers, including the third parties’ financial condition, business resilience, and IT security posture.
  • Oversee and receive updates on major IT projects, IT budgets, IT priorities, and overall IT performance. The board of directors may need to approve critical projects and activities, such as expanding the institution’s product line to include mobile financial services.
  • Oversee the adequacy and allocation of IT resources for funding and personnel.
  • Approve policies to escalate and report significant security incidents to the board of directors, steering committee, government agencies, and law enforcement, as appropriate.
  • Hold management accountable for identifying, measuring, and mitigating IT risks.
  • Provide for independent, comprehensive, and effective audit coverage of IT controls.

The board may delegate the design, implementation, and monitoring of specific IT activities to management or a committee (e.g., IT steering committee). An IT steering committee generally comprises senior management and staff from the IT department and other business units. Committee members do not have to be department heads, but members should understand IT policies, standards, and procedures (collectively, policies). Each member should have the authority to make and be held accountable for decisions within their respective business units. If the institution has a formal risk management function, risk management staff should participate in an advisory capacity.

Typically, the steering committee is responsible for reporting to the board on the status of IT activities. The reports enable the board to make decisions without having to be involved in routine activities. While the board may delegate the design, implementation, and monitoring of certain IT activities to the steering committee, the board remains responsible for overseeing IT activities and should provide a credible challenge to management. The steering committee is typically responsible for strategic IT planning, oversight of IT performance, and aligning IT with business needs. The steering committee should have a charter that defines its responsibilities.

The steering committee should receive appropriate information from IT, lines of business, and external sources. Additionally, it should coordinate and monitor the institution’s IT resources. The steering committee should review and determine the adequacy of the institution’s training, including cybersecurity training, for staff. The steering committee should also document meeting minutes and decisions and inform the board of directors of the committee’s activities.

My tip to the board of directors and management is to work with their IT departments and/or vendors to determine a baseline security standard. This can be accomplished by reviewing the available reports against that baseline and identifying the anomalies that should trigger your incident response procedures.