Bringing Cybersecurity into the Boardroom: The Evolving Role of Banking Executives

As computing matures, miniaturises, and rapidly gains speed and power, the future of banking is further entrenched in the realm of technology. The rise of Fintech to enable new ways to bank and transact is just one example of how technology is forcing traditional banking to innovate. However, broader tech exposure comes with a higher risk of cyber-threat.

The increased risk of cyberattack and the ramifications of even a small breach can destroy consumer trust and confidence in your financial organisation, and the road back to the public’s good graces can be a long, unforgiving climb. While most of the top tier banks have strong cyber security strategies in place, mid-tier financial institutions still have a way to go – and cyber criminals know this, making them a prime target for attack.

According to Wayne Byres, chairman of Australian Prudential Regulation Authority, “The risks, as we see them, are growing all the time and the sophistication of the actors is also growing all the time.” Describing the financial system as “a piece of Australia’s critical infrastructure like the electricity or telecommunication network,” he told The Australian Financial Review that banks, insurers and super funds should never consider work on cyber defence completed.

Top-down buy-in is crucial to managing cyber-risk, but how do you get banking executives to understand, accept, and act on the fact cybersecurity is their responsibility?

Measuring the impact of cyber-risk

Traditional risks for the financial sector are easy to define and measure. You can attribute a dollar impact to any known threat, and estimate the likelihood of an incident such as using actuarial models to estimate fraud risk. Cyber risks such as denial of service attacks that disrupt mobile banking or retail EFTPOS systems, identity theft that enable fraudulent transactions (fraudulent credit cards and mortgages taken out in the name of an identity theft victim) are harder to pin down, and are constantly evolving.

In addition, customers see their bank as being responsible for protecting the personal information and money that they hold on their customer’s behalf, but a big part of a bank’s risk is from third party suppliers. For example, IT firm SolarWinds was the subject of a cyberattack that spread to its clients and went undetected for months. To protect their business and reputation, banks must take a holistic view of cyber risks across their supply chain. For this reason, The Monetary Authority of Singapore (MAS) has introduced strict new rules that requires all financial institutions to assess the suppliers of their technology vendors.

Your organisation will need to evolve to meet new challenges and maintain a consistent standard of care to prevent customer churn, avoid regulatory fines and so on. Two factors make cyber-threats dangerous in a way other risks are not.

• First, while most directors are aware of cyber risks, they don’t understand the details and can be paralysed by indecision in the unknown. It’s not the physical risk they are familiar with, but one that can come from many directions and be manipulated using tools outside of your organisation’s control.
• Second, today’s financial institutions have become almost completely reliant on the internet for basic functionality. This dependence on internet technology to complete any transaction creates risks unlike any other the board has had to deal with.

3 critical questions to answer about cybersecurity

Governance challenges are increasing due to cyber-threats. To begin the process of strengthening your institution’s defenses, ask these three questions:

1. How are your new security challenges substantially different than old ones?

Cyber-threats can feel unusually unfamiliar, since they change rapidly and are constantly evolving. Former risk governance models may now be ineffective in the face of cyber-risk. How can your organisation protect digitised assets from cyber-attack? The answer partially lies in increasing investments in cybersecurity resources and reframing your approach to risk management.

Larger banks are already expanding in this area; as reported by ZDNet, National Australia Bank announced it plans to increase its already substantial cybersecurity budget ($AU100 to $A150 million annually) exponentially year over year in the immediate future. Smaller banks may have less to work with, but can and must allocate funding to provide a defense against cyber-threats.

2. How is your board structuring cybersecurity oversight?

King & Wood Mallesons notes that financial companies now face the possibility of legal action for failing to have and implement cybersecurity measures, and points at the possibility that directors may in the future be held liable for breaches caused by negligence in this area.

According to the 2019-2023 Corporate Plan created by the Australian Prudential Regulation Authority, (APRA), improving cyber resilience across the financial system is one of four key community outcomes identified by the Authority. The increasing dependence on remote employees increases risks, but Artificial Intelligence and automation can help reduce those risks.

APRA-regulated entities (including banks and insurers) are monitored for compliance with Prudential Standard CPS-234 for resilience against information security incidents. CPS-234 clearly states that The Board must “clearly define the information security-related roles and responsibilities of the Board, senior management, governing bodies and individuals with responsibility for decision-making, approval, oversight, operations and other information security functions.”

3. Who has your board made responsible for cybersecurity?

As tech and IT roles slowly become more visible in the financial sector, consistency of role responsibilities has failed to coalesce. Your board must accurately assess existing committees, and then make the decision whether to assign cybersecurity to the audit committee, nomination and governance, the risk committee, or a special cybersecurity committee developed specifically for this purpose.

This may mean allocating extra dollars to focus on forming or expanding a specific committee, as well as budgeting for expert help, but most executives are prepared to take this step. According to the Australian Cyber Security Growth Network, 47% of senior executives surveyed said they see investment in cybersecurity increasing from FY 2020-2021 to FY 2021-2022.

The only way to drive home the importance of cybersecurity for your organisation is to educate your board and ensure that they have at least a basic understanding of the risks. Directors may hesitate to take ownership of cyber-risks, but shuffling the responsibility to IT isn’t a sufficient response.

According to CPS-234, “The Board of an APRA-regulated entity is ultimately responsible for the information security of the entity.” Your full board bears ultimate responsibility for cybersecurity, and board-wide accountability needs to be part of your cyber-risk management plan.

With Unisys, you can help your board and banking executives identify, articulate, and measure successes on the cyber side of risk management. Explore our banking industry resources to learn more.