If we’ve learned nothing else from the COVID-19 Pandemic, it’s that you may consider yourself a financial institution, but you’re really a technology company. We rely on technology to operate our businesses and support our customers. Imagine where we would be, right now, without technology!

Appointing an IT or IS expert (there is a difference) to sit as a full-time member of your board of directors is an excellent next-step to making sure your organization is appropriately protecting its technology investment. There’s a good chance your board consists of ownership, certain members of senior management, and external advisors that provide valuable insight that assists in your business model or market. Why not have a dedicated technology or information security expert as a board resource also? Financial institutions are starting to explore this option. Perhaps doing so isn’t in the cards for your financial institution; however, the responsibility to become a “credible challenge” to IT or IS decisions still falls to the board.

Regulation

The FFIEC defines a “credible challenge” as being actively engaged, asking thoughtful questions, and exercising independent judgment. The FFIEC mentions being a credible challenge in three sections of two Handbooks, specifically the Management and Business Continuity Handbooks in the following excerpts:

Management Handbook Section I.A.1 board of directors Oversight states, “While the board may delegate the design, implementation, and monitoring of certain IT activities to the steering committee, the board remains responsible for overseeing IT activities and should provide a credible challenge to management.”

Management Handbook Section III.D.7 Reporting states, “Recipients of IT risk reports should have the authority and responsibility to act on the reported information, provide a credible challenge for the information contained in the reports, and be held accountable for the outcomes.”
Business Continuity Handbook Section IX Board Reporting states, “Board minutes should reflect business continuity discussion (including credible challenges) and approvals.

Becoming a Credible Challenge

It is expected that the board of directors take an active involvement in the oversight of information security by becoming a credible challenge. While the appointment of an IT or IS expert to your institution’s board can help improve your institution’s insight and credibility regarding cybersecurity, in some cases, such an appointment is simply not feasible.

Additionally, adding an IT or IS expert to the board does not automatically make you a credible challenge. Improving any Board’s ability to be a credible challenge starts with learning how to ask better cybersecurity questions. Here’s a list of better questions to ask when new technology is being evaluated, or threats are identified to help you get started. The first three questions pertain directly to governance, and the last three questions have to do with operations:

1. How is this addressed in our risk assessment process? There are many types of risk assessments, but all systems, processes, and vendors must be included in a risk assessment. Those risk assessments should determine if the system, process, or vendor fits the board’s risk appetite. Asking this question will assist in providing greater insight to the board as to how the risk assessment process works, and where these individual topics fit in.
2. How have we covered this in our policy? Policy needs not to detail how things are accomplished, but rather who is responsible for the policy’s execution, along with the expected format and frequency of execution. Asking this question will assist in ensuring adequate policy coverage of systems, processes and vendors.
3. How do we have this independently audited? Have our risk assessments determined this system, process or vendor be high risk? If so, how is this thing tested and how frequently? Is a requirement for testing this thing addressed in our policy?
4. How is our institution addressing this issue? When properly answered, this question will contain information from the previous three questions. It is risk assessed through this process, which is governed by this policy, and it’s independently tested in this way. However, more elaboration can be provided here.
5. How do we help our customers address this issue? Will this issue affect our customers? If so, what can we do to reduce risk or reduce agitation among our customers? Again, when properly answered, this question will contain information from the first three questions.
6. How do we ensure our vendors have addressed this issue? This question is only relevant if the system or process in question is outsourced; however, it is important to consider. Your vendor risk assessment should identify your levels of vendor risk. But the answer to this question may be more issue-specific and rely on the results of an ongoing vendor review to fully understand. It may be a new topic that would not have been covered in a previous review and could warrant a conversation with the vendor to determine how the issue may be addressed. Again, when properly answered, this question will contain information from the first three questions.

The Big Takeaway

Examiners expect adequate oversight of information security from the board of directors. The board may delegate these responsibilities, but the board must present a credible challenge to management. Becoming a credible challenge means asking better questions to successfully provide oversight and accountability to senior management and the committees with whom responsibility for information security lies. Appointing an IT or IS expert to your board of directors is an excellent step to becoming a credible challenge, as is outlining a framework to ask better questions like those listed above. Hopefully, in time, having Directors with a background in technology becomes common practice. If this is a step your organization has already taken, great! Until that time, Boards must ensure they provide a credible challenge to information security management, regardless of expertise.