Pub. 14 2019-2020 Issue 4

NEBRASKA BANKERS ASSOCIATION

Tech Talk — continued on page 20

Defining “Normal” Cybersecurity Spend Per FTE

Chief Information Security Officers (CISOs) have found themselves at a disadvantage when directors or executive peers challenge the cost of their cybersecurity spend, since little-to-no peer information is available. Bankers have often utilized regulatory call report information for peer analysis, measuring their institution’s financial performance compared to competitors. While call reports provide key financial performance indicators, detailed information related to cybersecurity and information technology budgets is not easily obtained.

A recent report titled “Pursuing Cybersecurity Maturity at Financial Institutions,” released by Deloitte and the FS-ISAC, estimates that responding financial institutions spend between $1,300 and $3,000 per full-time equivalent (FTE) employee for cybersecurity annually, with an average of $2,300 being the norm. The report estimated responding financial institutions spend 6% to 14% of the IT budget on cybersecurity, with an average of 10% being the norm. While these figures are useful, the more interesting item in the report is that they translate to a range of 0.20% (20 bps) to 0.90% (90 bps) of responding financial institutions’ revenue, with an average of 0.30% (30 bps) being the norm.

Are Community Financial Institutions Lagging in Cybersecurity?

While 97 companies participated in the report, with representation spanning multiple revenue levels and various financial sectors, we can apply these results to the community-based financial institution segment. Respondents were delineated by revenue into the following categories:

• Large (more than $2B in revenue) with 38 respondents;
• Midsized (more than $500M, but less than $2B in revenue) with 23 respondents; and
• Small (less than $500 million in revenue) with 36 respondents.
Assuming that a community-based financial institution should spend between 20 bps and 90 bps of revenues on cybersecurity, we can use available call report information to estimate what the average cybersecurity spend is in this segment of the financial institution universe.

According to the June 30, 2019, Uniform Bank Performance Report (UBPR) Peer Group Average Distribution Report (by Percentile Rank) of the 5,352 banks that reported, the following peer averages were available:

• Interest Income (as a percentage of average assets): 4.34%
• Non-Interest Income (as a percentage of average assets): 0.60%
• Assets per Employee ($ million): 5.25

Thus, a typical community-based financial institution will have revenues that are roughly 4.94% (4.34% + 0.60%) of average assets and have one employee for every $5.25 million in assets. Applying the ratios across a range of asset sizes, the $2,300 per FTE estimate from the Deloitte report appears to be at the 90 bps range for the average performing community-based financial institution.

The Deloitte report noted small respondents budgeted a lesser percentage of their revenue (20 bps) on cyber than did midsize (50 bps) or large companies (40 bps). While small respondents’ average spend of $2,100 per FTE matched that of