Pub. 15 2020-2021 Issue 3

WWW.NEBANKERS.ORG 16

TECH TALK
Cody Delzer, Vice President / Information Security Consultant - SBS CyberSecurity, LLC

Becoming a Credible Challenge for Information Security

If we've learned nothing else from the COVID-19 pandemic, it's that you may consider yourself a financial institution, but you're really a technology company. We rely on technology to operate our businesses and support our customers. Imagine where we would be, right now, without technology! Appointing an IT or IS expert (there is a difference) to sit as a full-time member of your board of directors is an excellent next step to making sure your organization is appropriately protecting its technology investment. There's a good chance your board consists of ownership, certain members of senior management, and external advisors who provide valuable insight into your business model or market. Why not have a dedicated technology or information security expert as a board resource as well? Financial institutions are starting to explore this option. Perhaps doing so isn't in the cards for your financial institution; however, the responsibility to provide a "credible challenge" to IT or IS decisions still falls to the board.

Regulation

The FFIEC defines a "credible challenge" as being actively engaged, asking thoughtful questions, and exercising independent judgment. The FFIEC mentions being a credible challenge in three sections of two Handbooks, specifically the Management and Business Continuity Handbooks, in the following excerpts:

Management Handbook Section I.A.1, Board of Directors Oversight, states: "While the board may delegate the design, implementation, and monitoring of certain IT activities to the steering committee, the board remains responsible for overseeing IT activities and should provide a credible challenge to management."

Management Handbook Section III.D.7, Reporting, states: "Recipients of IT risk reports should have the authority and responsibility to act on the reported information, provide a credible challenge for the information contained in the reports, and be held accountable for the outcomes."

Business Continuity Handbook Section IX, Board Reporting, states: "Board minutes should reflect business continuity discussion (including credible challenges) and approvals."

Becoming a Credible Challenge

It is expected that the board of directors takes an active role in the oversight of information security by becoming a credible challenge. While the appointment of an IT or IS expert to your institution's board can help improve your institution's insight and credibility regarding cybersecurity, in some cases such an appointment is simply not feasible. Additionally, adding an IT or IS expert to the board does not automatically make you a credible challenge. Improving any board's ability to be a credible challenge starts with learning how to ask better cybersecurity questions. Here's a list of better questions to ask when new technology is being evaluated or threats are identified, to help you get started. The first three questions pertain directly to governance, and the last three questions have to do with operations:

1. How is this addressed in our risk assessment process? There are many types of risk assessments, but all systems, processes, and vendors must be included in a risk assessment. Those risk assessments should determine whether the system, process, or vendor fits the board's risk appetite. Asking this question will give the board greater insight into how the risk assessment process works and where these individual topics fit in.

2. How have we covered this in our policy? Policy need not detail how things are accomplished, but rather who is responsible for the policy's execution, along with the expected
