The United States has experienced an increase in the number and severity of high-profile cyberattacks in recent months, a trend that shows no signs of easing. From large financial institutions and brokerages to blue-chip retailers, hackers are gaining traction and notoriety as they breach systems with greater impact. Every organization is susceptible to these attacks, and banks and brokerage firms are challenged to protect proprietary information, client data, and in many cases, shareholder value. According to findings from the Ponemon Institute’s 2014 annual study on data breach preparedness, an astounding 43 percent of U.S. companies experienced a data breach in the past year, which is a 10 percent increase from the results in 2013.
Brokers, banks, and the U.S. capital markets as a whole are especially at risk from these data breaches. Cyberattacks not only have the potential to dramatically affect an individual company’s short-term revenue, but could also affect the organization’s long-term growth and stability. The 2014 Cost of Data Breach Study by IBM and the Ponemon Institute reveals that the average cost to a company from a data breach was approximately $3.5 million per breach in 2014 -- a 15 percent increase since last year. Monetary losses aren’t the only casualty in a cyberattack. A company’s intellectual property and customer data may be compromised.
Given this stark reality, it’s essential for management teams and boards of directors to be aware of cybersecurity and have a clear-cut strategy for both preventing and responding to cyberattacks.
Understanding the risks
One of the most indispensable, and often overlooked, ways in which boardrooms can increase the company’s resiliency in the face of cyberattacks is by ensuring that each director is well-informed on cybersecurity risks. The findings from the 2014 Cost of Data Breach Study by IBM and the Ponemon Institute echo the importance of management and preparedness: factors that decrease the cost of a data breach include having a strong security posture, incident response plan, and CISO appointment. Every director should make cybersecurity a topic on the board’s agenda and ask questions if there is any confusion or doubt.
Best practices for bank boards to manage cybersecurity risks
Directors equipped with the proper tools and information about cybersecurity are more prepared and versed on the topic in case of a crisis. It is critical that there be a clear understanding among all levels of the financial institution’s management team about who is responsible for managing this issue. Directors who are familiar with their company’s IT department are better able to determine whether the team is equipped to effectively address cybersecurity. When the senior management team ensures that cyber policies are up to date, understood by all, and frequently tested, companies decrease their chance of exposure. For directors at financial institutions, here are four key strategies to improve cybersecurity defenses and awareness:
- Secure communication: Implement secure communication measures for critically sensitive board information; never communicate material information via email in order to prevent inadvertent oversharing.
- Understand the cloud: Understand cloud services, public or private, for file sharing or downloading to ensure maximum security; while cloud solutions can offer easy uploading and downloading of files as well as security features like encryption and authentication, many have been successfully hacked, compromising private files and email addresses.
- Collaboration is key: Every director should make cybersecurity a topic on the board’s agenda and ask questions if there is even the slightest confusion, doubt, or uncertainty; determine whether responsibility for managing cybersecurity is the purview of the audit committee, a separate committee, the company’s IT department, or CIO.
- Education and preparation: Ensure board members educate themselves on cybersecurity to understand the risks and be prepared for whatever comes their way; this is where many vulnerabilities surface, not because a board lacks the appetite, but because directors are not provided with the proper tools and information.
As boards continue to grapple with ways in which they can protect, confront, and manage issues around cybersecurity, they should continue to embrace new strategies and technologies in order to ensure secure, but fast and accessible, communication. Team members must be well-briefed on these issues; cybersecurity training should be more prevalent and detailed. Throughout history, financial institutions have constantly evolved to reflect greater societal and market changes. Cybersecurity presents a new challenge, and it is one that can be confronted successfully with the correct management strategy and tools.
Jeffry Powell serves as Diligent Board Member Services' Executive Vice President, Director of Sales, where he is responsible for the development and execution of client acquisition strategies throughout the Americas. Throughout his five years with Diligent, Jeffry has advised ...