As cell phone photography proliferates, we pause to pay homage to the man who revolutionized the world of amateur photography. Edwin Land, the co-founder of the Polaroid Corporation, was the man behind the camera, the bloke who unveiled a process in the 1940s that produced a full-fledged photograph in one minute. In the blink of an eye, the world of instant photography took off, and Polaroid, still a market leader, continues to develop this popular niche of cameras.
Through the lens of Bank Director's 2016 Risk Practices Survey, it is clear banks still need to enhance cybersecurity. The results suggest that while progress has been made, many community banks, in particular, are still not doing enough to protect themselves and their customers from cyber threats.
The survey polled 161 chief risk officers, senior executives and independent directors at US banks with more than $500mm in assets. On the needs-improvement side, consider that the survey found the majority of bank boards are still not addressing cyber threats at every board meeting and as many are not even talking about it. This is particularly troubling given how prominent cyber attacks have become in our world. All banks are at risk because, after all, it is nearly impossible to stop countries from hacking in, and the government right now seems nearly powerless to stop these attacks.
Some progress in the cyber arena has certainly occurred over the past year in the banking industry, however. In this year's survey, 34% of respondents reported that their board reviews cybersecurity at every meeting vs. 18% last year.
It's also encouraging that 78% now say their bank employs a full time chief information security officer vs. 64% last year. Also, nearly 50% say their bank has a chief risk officer exclusively focused on risk, while 37% said their risk officer is also focused on other areas of the bank.
This survey and others indicate there's still room for significant improvement. For instance, consider a CRO report that finds 54% of respondents say their bank has a chief risk officer, but the board never meets with them. Further, only 21% say the CRO's performance is reviewed, and compensation determined, by the board or a board committee. Also concerning is that more than 50% of banks don't have a separate board-level risk committee exclusively dedicated to risk governance. To manage risk, it is important that there is transparency and that both directors and managers are involved from top to bottom.
Certainly, community banks can't be expected to expend the same resources to erect cyber defenses as their large bank counterparts. In 2015 for example, Bank of America spent $400mm on cybersecurity and JPMorgan said it is going to spend $500mm this year.
That said, it is important not to fall into the trap of believing that being a community bank makes you an undesirable target for cyber thieves. Here, you only have to go as far as your email to find fake CEO requests to send wires.
Cyber thieves are everywhere and their sophistication has ramped up significantly in past years. They now use fake emails, fake websites and fake people augmented with insiders as they attempt to steal money from banks. That's also why protecting against cyber risk is a full time project and an urgent area of concern for bankers and regulators alike.
If you would like to hear more on this topic from industry experts, including the US Secret Service, attend one of our Road Tour events happening across the country this year. We will be covering this issue, CECL, regulatory concerns and much more, along with ways to enhance profitability and capture more customers.