2019 Risk Survey: Cybersecurity Oversight
Bank leaders are more worried than ever about cybersecurity: Eighty-three percent of the chief risk officers, chief executives, independent directors and other senior executives of U.S. banks responding to Bank Director’s 2019 Risk Survey say their concerns about cybersecurity have increased over the past year. Executives and directors have listed cybersecurity as their top risk concern in five prior versions of this survey, so finding that they’re more—rather than less—worried could be indicative of the industry’s struggles to wrap their hands around the issue.
The survey, sponsored by Moss Adams, was conducted in January 2019. It reveals the views of 180 bank leaders, representing banks ranging from $250 million to $50 billion in assets, about today’s risk landscape, including risk governance, the impact of regulatory relief on risk practices, the potential effect of rising interest rates and the use of technology to enhance compliance.
The survey also examines how banks oversee cybersecurity risk.
More banks are hiring chief information security officers: The percentage indicating their bank employs a CISO ticked up by seven points from last year’s survey and by 17 points from 2017. This year, Bank Director delved deeper to uncover whether the CISO holds additional responsibilities at the bank (49 percent) or focuses exclusively on cybersecurity (30 percent)—a practice more common at banks above $10 billion in assets.
How bank boards adapt their governance structures to effectively oversee cybersecurity remains a mixed bag. Cybersecurity may be addressed within the risk committee (27 percent), the technology committee (25 percent) or the audit committee (19 percent). Eight percent of respondents report their board has a board-level cybersecurity committee. Twenty percent address cybersecurity as a full board rather than delegating it to a committee.
A little more than one-third indicate one director is a cybersecurity expert, suggesting a skill gap some boards may seek to address.
Additional Findings
- Three-quarters of respondents reveal enhanced concerns around interest rate risk.
- Fifty-eight percent expect to lose deposits if the Federal Reserve raises interest rates by more than one hundred basis points (1 percentage point) over the next 18 months. Thirty-one percent lost deposit share in 2018 as a result of rate competition.
- The regulatory relief package, passed in 2018, freed banks between $10 billion and $50 billion in assets from stress test requirements. Yet, 60 percent of respondents in this asset class reveal they are keeping the Dodd-Frank Act (DFAST) stress test practices in place.
- For smaller banks, more than three-quarters of those surveyed say they conduct an annual stress test.
- When asked how their bank’s capital position would be affected in a severe economic downturn, more than half foresee a moderate impact on capital, with the bank’s capital ratio dropping to a range of 7 to 9.9 percent. Thirty-four percent believe their capital position would remain strong.
- Following a statement issued by federal regulators late last year, 71 percent indicate they have implemented or plan to implement more innovative technology in 2019 to better comply with Bank Secrecy Act/anti-money laundering (BSA/AML) rules. Another 10 percent will work toward implementation in 2020.
- Despite buzz around artificial intelligence, 63 percent indicate their bank hasn’t explored using AI technology to better comply with the myriad rules and regulations banks face.
To view the full results of the survey, click here.