Pub. 7 2016 Issue 1
What are the effects on an institution?
a. Lost financial assets
b. Reputational damage, loss of trust or brand confidence by customers and shareholders
c. Business disruption
d. Stolen intellectual property
e. Stolen customer information
f. Legal and regulatory attention

The answers to these questions illustrate the breadth and complexity of the risks that the board must understand. If a board does not understand or appreciate cyber-threats, then it cannot adequately assess the capabilities, plans and sufficiency of the resources being expended to protect the institution. As SEC Commissioner Luis A. Aguilar aptly said in 2014, “Put simply, boards that lack an adequate understanding of cyber-risks are unlikely to be able to effectively oversee cyber-risk management.” The board cannot leave cyber-preparedness to management; leadership needs to be shown.

To help boards show the necessary leadership, the National Association of Corporate Directors released its Cyber Risk Oversight Handbook in 2014. It identified five principles for effective board oversight of cyber-risks. Those key principles for each board are:
1) To understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue;
2) To understand the legal implications of cyber-risks to their company;
3) To maintain adequate expertise to engage cyber-risk issues and make cyber-risk issues a regular topic of board discussion;
4) To set an expectation that management has an enterprise-wide cyber-risk management framework with adequate staffing and budget;
5) To identify which risks to avoid, accept, mitigate or transfer through insurance, as well as establish specific plans for each approach.

If followed, these principles will serve to protect both the bank and the board members personally from lawsuits, including shareholder derivative actions such as the one brought as a result of the Target breach.
The Federal Financial Institutions Examination Council (“FFIEC”) has taken steps to help educate boards and management, but also to help the board hold management accountable. In June 2015, the FFIEC released its Cybersecurity Assessment Tool (the “Assessment”), which likely will be incorporated into regulatory examinations in 2016. The Assessment will assist boards and executive management in identifying the institution’s inherent risks and determining its cybersecurity preparedness. The Assessment is divided into two principal parts: Inherent Risk Profile and Cybersecurity Maturity.
1. The “Inherent Risk Profile” examines an institution’s inherent cybersecurity risk, such as technologies and connection types, delivery channels, online/mobile products and technology services, organization characteristics, and external threats. It does not include any mitigating controls, but incorporates the type, volume and complexity of the institution’s operations and the threats directed against it.
2. The “Cybersecurity Maturity” examines five domains, namely cyber-risks and oversight, threat intelligence and collaboration, cybersecurity controls, external dependency management, and cyber-incident management and resilience. These domains are graded on a five-point scale ranging from Baseline to Innovative. Each domain includes assessment factors and contributing components that must be satisfied before it can move up a maturity grade towards Innovative.

The Assessment’s two parts are analyzed in tandem to discern the optimal level of alignment between the institution’s Inherent Risk Profile and its Cybersecurity Maturity, and where the institution presently sits on the scale. In theory, as inherent risks rise, an institution’s maturity level should increase.
As such, the Assessment should be done at least periodically (or when material changes are being considered to services, products or vendor relationships) to ensure sufficient risk mitigation and controls are in place. Over time, it will allow the executive officers, directors and examiners to measure the institution’s progress or, worse, its ongoing failure to prepare for cyber-incidents. There is little certainty in the financial industry, except that banks of all sizes will be a target and a victim of a cyberattack. It is only by having an educated and diligent board that is prepared for that eventuality that a bank can minimize an intrusion’s impact on its reputation and operations.

Timothy R. Moore is a Member attorney in Spilman Thomas & Battle’s Winston-Salem, North Carolina office. His practice focuses on advising and representing financial institutions with regard to regulatory matters and a variety of other issues. He can be reached at tmoore@spilmanlaw.com or 336.631.1059.

Bank Notes

Jeffrey Gunter of Clear Mountain Bank was recently hired as vice president of audit, compliance and risk management. In his position, Gunter will be responsible for oversight of the bank’s internal auditing activities, compliance management program, and enterprise risk management process.

Bryan Whetsell was recently hired as branch manager of the bank’s Suncrest office. In his position, Whetsell will be responsible for promoting the bank by servicing and developing relationships with existing customers and attracting new customers with both loan and deposit products.