Pub. 15 2020-2021 Issue 3

NEBRASKA BANKERS ASSOCIATION 17 format and frequency of execution. Asking this question will assist in ensuring adequate pol- icy coverage of systems, processes and vendors. 3. How do we have this independently audited? Have our risk assess- ments determined this system, process or ven- dor be high risk? If so, how is this thing tested and how frequently? Is a requirement for testing this thing addressed in our policy? 4. How is our institution addressing this issue? When properl y an- swered, this question will contain informa- tion from the previous three questions. It is risk assessed through this process, which is gov- erned by this policy, and it’s independently tested in this way. However, more elaboration can be provided here. 5. How do we help our customers address this issue? Will this issue affect our customers? If so, what can we do to reduce risk or reduce agitation among our customers? Again, when properly answered, this question will contain in- formation from the first three questions. 6. How do we ensure our vendors have addressed this issue? This ques- tion is only relevant if the system or process in question is outsourced; however, it is important to consider. Your vendor risk assessment should identify your levels of vendor risk. But the answer to this ques- tion may be more issue- specific and rely on the results of an ongoing vendor review to fully understand. It may be a new topic that would not have been covered in a previous review and could warrant a conversation with the vendor to determine how the issue may be addressed. Again, when properly answered, this question will contain information from the first three questions. The Big Takeaway Examiners expect adequate oversight of information secu- rity from the board of directors. The board may delegate these responsibilities, but the board must present a credible chal- lenge to management. Becom- ing a credible challenge means asking better questions to suc- cessfully provide oversight and accountability to seniormanage- ment and the committees with whom responsibility for infor- mation security lies. Appointing an IT or IS expert to your board of directors is an excellent step to becoming a credible chal- lenge, as is outlining a frame- work to ask better questions like those listed above. Hopefully, in time, having Directors with a background in technology be- comes common practice. If this is a step your organization has already taken, great! Until that time, Boards must ensure they provide a credible challenge to information security manage- ment, regardless of expertise.  For more information, contact Reece Simpson at 605-270-3916 or reece.simpson@sbscyber. com. SBS delivers unique, turnkey cybersecurity solutions tailored to each client’s needs, including risk management, consulting, on-site and virtual auditing, network security and education. Learn more at www.sbscyber.com. Bridgepoint provides confidential institutional investment banking services delivered by local professionals. • Distressed and bridge financing (equity and non-bank finance) • Capital raising for growth or liquidity • Sell-side M&A advisory services for banks and operating companies • Leveraged finance solutions for community banks • Generous fee-sharing program for bankers CREATIVE SOLUTIONS THAT LEAD TO OPTIMAL RESULTS OFFICES: Omaha • Lincoln • Des Moines • Denver • Chicago NEBRASKA PRINCIPALS: Matt Plooster • Gary Grote Wm. Lee Merritt • Mike Anderson Call Bridgepoint Investment Banking Today 402-817-7900 www.bridgepointib.com [ Securities offered through an unaffiliated entity, M&A Securities Group, Inc., member FINRA/SIPC “Bridgepoint is a true resource and partner for commercial bankers as we all work through one of the most trying years in history. We’re here for you when your clients need creative financial solutions.” – Gary Grote Managing Director