How Is Corporate Governance Evolving to Manage Cybersecurity in the Banking Industry?

Nicholas J Price
6 min read

The banking institutions have had more than their fair share of public and private scrutiny over corporate practices in recent decades. In many ways, that’s a good thing because it has forced corporations to conduct business in more transparent, accountable ways. In addition to having a heavy focus on best practices for corporate governance practices, there’s been a strong and simultaneous focus on cybersecurity within the banking industry.

The internal IT departments within the banking industry are working continually and diligently to monitor and protect their systems. Corporations are also relying on corporate best practices to make sure boards of directors are performing due diligence with oversight and compliance. Some state governments are now taking action on cybersecurity measures, which is causing corporations in those states to tighten up their cybersecurity measures. Finally, corporations are joining forces to establish cybersecurity principles that will serve as a model for the industry to improve cybersecurity across the board within their industry.

Cybersecurity Within the Banking Industry Experiences Flurry of Activity

Technology has opened up numerous lucrative opportunities for corporations to develop new avenues for profit. At the same time, the growth of the Internet has increased the surface area and opportunities for cyber threats. The IoT (Internet of Things) Journal states that there will be 8.4 billion electronic devices in use by the end of this year. However, with solutions such as board portals, there is an opportunity to remain secure while still using electronic devices.

The days of merely having a good anti-virus software program for an entire network are long gone. In an effort to protect their customers, the banking industry has had to develop entire IT departments that are devoted to cybersecurity, due to the vastness of computer and Internet networks.

IT directors have no small task ahead of them, as unknown threats are lurking in cyberspace, ready to pounce and squeeze their way into any opening they can find. The attack surface has increased greatly, creating billions of points of entry. The constant threat of cyber risk makes IT managers feel unprepared for cyber threats. Most are hypervigilant about protecting systems.

IT managers are on a continual lookout for sources of new threats and vulnerabilities, particularly if they are building, rebuilding or adding onto existing networks. Seasoned IT managers are also on the lookout for certain types of vulnerabilities that pose more risks than others.

IT department strategies include securing Web interfaces and endpoints. Complex systems create more endpoints, so IT managers need to make sure they protect every endpoint with anti-virus software so that viruses don’t creep in and infect an entire system. They also need to monitor how endpoints behave and interact with the rest of the network. Sensors can provide a warning to alert IT workers to potential threats or problems. IT departments need to establish guidelines to address sensor activity that signals trouble.

As additional strategies, IT departments need to change all default passwords, and use encrypted connections whenever possible.

While all of this is complicated and confusing for non-IT people, for boards of directors to properly oversee cybersecurity risks, they need to know exactly what the IT department is doing to keep their systems safe. They need to put in the time to understand IT reports and systems, and they need to ask enough questions to comprehend it all.

Best Practices for Corporate Governance Protect Banking Institutions

Having a strong and competent IT department is crucial to protecting investors, but there’s more that board directors can do besides appropriately oversee IT. Corporations took the first step in trying to help themselves when 13 of the top corporate CEOs developed the Commonsense Corporate Governance Principles. Collectively, they developed the following eight commonsense principles for all corporations to emulate:

  1. Composition of the board and internal governance
  2. Board of director responsibilities
  3. Shareholder rights
  4. Public reporting
  5. Board leadership
  6. Management succession planning
  7. Management compensation
  8. Asset managers’ role in corporate governance

J&K Bank is a good example of a bank that took best practices for corporate governance to heart when they recently made a point to elect new independent directors to their board who are eminent professionals in the banking industry. J&K now has one-third independent directorship. The new directors include a woman, Dr. Vijayalakshmi Iyer, who brings a wealth of expertise from her former role as chairperson of the Central Bank of India.

New York Takes the Lead in Cybersecurity Regulations

The state of New York took the lead in the financial industry cybersecurity regulations that entered into effect on March 1, 2017. The new regulations require all banking, insurance and financial institutions to formally assess their cybersecurity risks and establish and maintain a robust cybersecurity program.

These regulations come on the heels of a 2015 cyberattack on Anthem, Inc. where 78 million records that included personal information were stolen from the company, as a result of unencrypted programs. The Bank of Bangladesh also suffered a cyberattack in 2016 where $81 million in funds was illegally transferred from the Federal Reserve Bank of New York.

The state of New York holds these new regulations as the minimum standard for every company.

The Financial Industry Establishes Their Own Principles

More than two dozen companies met recently to establish principles that would better inform boards of directors about cybersecurity ratings. The U.S. Chamber of Commerce brought the group together, which included notable corporations like JP Morgan Chase & Co., Goldman Sachs Group, Inc., Morgan Stanley, Starbucks Corp., Aetna, Inc. and Home Depot.

The group is concerned about the lack of transparency on how companies like BitSight Technologies, RiskRecon and SecurityScorecard design cybersecurity ratings. The ratings companies agree that they can be an instrumental part of the process that establishes sound cybersecurity principles for the banking industries.

Putting It All Together to Effectively Manage Cybersecurity in the Financial Realm

Because of the vast amounts of money and personal information that transcend the Internet every day, we can reasonably expect state and federal governments to adopt measures to address cybersecurity among banks, insurance companies and financial institutions. New regulations will force companies to continually assess and manage cyber risk because of the escalating concern over cyberattacks.

The government plays a role in regulating cyber risk to protect the public and the overall economy, but this is only part of the solution. Adequately addressing cyber risk requires advanced technology strategies. It also requires increased human oversight within the IT departments as well as by the boards of directors.

It’s important to note that the financial industry is also concerned about the risks of cybersecurity. Many of the solutions may originate from within the financial industry, as demonstrated by J&K Bank, the Commonsense Corporate Governance Principles and the group that the U.S. Chamber of Commerce brought together. Many forces are at work creating cyber risk and the banking industry needs many forces to combat it.