Pub. 15 2020-2021 Issue 4

NEBRASKA BANKERS ASSOCIATION

Shifting from a reactive mindset to a proactive mindset is one of the key decisions a Board of Directors can make to protect the investments made in technology and an institution’s confidential information.

Results of a Reactive Mindset

When a Board continues to have a reactive mindset, the institution will lack good risk management practices, feel frustrated, and may respond to events without proper preparation, which can result in losing control of spending and costing more to recover from a cyber incident than necessary. The mindset is revealed when an audit or exam results in a long list of items not meeting regulatory guidance or industry-standard risk management practices. A reactive mindset can also reveal itself when a cybersecurity incident takes the institution out of operation for extended periods of time with significant financial impacts. The environment becomes inefficient, and the costs of managing the institution reactively become a guessing game.

Benefits of a Proactive Mindset

An institution with a proactive mindset strives not only to achieve a high rating for the management component of the CAMELS rating, but also to do whatever needs to be done to protect the investments it has made. The Board’s responsibility for oversight of the ISP is better managed proactively. Proactive management does not wait for an audit or exam to tell the institution what needs to be done. The proactive mindset takes control and regularly risk assesses all areas of the ISP to act and mitigate the identified risks before threats are realized.
There are many strategic advantages to managing the ISP with a proactive mindset, and some are easy to recognize. At the same time, some are intangible and not as easily recognized until there is reflection. The mindset to be proactive reveals itself in the results of an audit, exam, a cybersecurity incident or a disaster recovery event. A proactive mindset provides a member of the Board and senior management with clarity to handle situations. It allows for better sleep at night, knowing the institution has proactively identified and planned for information security risks.

The Board of Directors Sets the Culture

The Board chooses to have a culture of a proactive mindset or stay in a reactive mindset. A proactive mindset will reduce financial losses, have more efficient processes, gain control of the challenges to the institution, and gain a competitive advantage over the competition.

Here are four questions to ask yourself to help determine your cybersecurity mindset:

1. Are we discussing cybersecurity as a Board regularly and growing in our ability to be a “credible challenge” to cybersecurity-related decisions (proactive), or are we just waiting to get through the minimum necessary cyber discussions so we can get back to “real business” (reactive)?
2. Are we measuring cybersecurity risk and using the results of our risk assessments to make more informed cybersecurity decisions (proactive), or are we checking the box when it comes to ISP-related risk assessments (reactive)?
3. Do we know what our most important IT assets, vendors and business processes are, as well as the top threats to our institution right now (proactive), or are we just reviewing the results of those risk assessments and moving along (reactive)?
4. Have we made the proper investments (people, resources, training, and/or money) when it comes to protecting our investments and confidential information (proactive), or do we still treat IT and cybersecurity as an expense (reactive)?

For more information, contact Reece Simpson at 605-270-3916 or reece.simpson@sbscyber.com. SBS delivers unique, turnkey cybersecurity solutions tailored to each client’s needs, including risk management, consulting, on-site and virtual auditing, network security and education. Learn more at www.sbscyber.com.
