It wasn’t in response to a cybersecurity event or a nudge from regulators that prompted Huntington Bancshares' board to create a Significant Events Committee in early 2018.
Instead, says Dave Porteous, lead director at the $108 billion bank based in Columbus, Ohio, it was old-fashioned governance principles that drove Huntington’s board to establish the ad hoc committee responsible for responding to the biggest risk faced by banks today: cybersecurity threats.
“Particularly over the last 10 years, the world is changing so quickly it has really become incumbent upon all boards, in my view, to continually be evaluating their governance structure and whether or not they need to make adjustments … to how the world is changing,” Porteous says.
Ask any bank executive or director right now to name the things that cause them to lose sleep at night and cybersecurity will almost invariably be at the top of the list.
Millions of personal records have already been compromised globally, and it can cost even a small bank millions of dollars to rectify a single cyber event. Yet, while it is a common topic in boardrooms, it hasn’t yielded widespread governance restructuring at banks across the United States.
Bank Director’s 2018 Technology Survey found that 93 percent of the 161 chief bank executives, senior technology officers and directors said cybersecurity is an issue of focus by their board.
But a 2018 analysis by Harvard Law School found that just 7 percent of all S&P 500 companies have separate technology committees, though 29 percent of large public bank holding companies above $10 billion in assets have set up just such a thing. This is significant because, as the study noted, cybersecurity is often the responsibility of the technology committee.
Significant events have over time produced mandated changes in corporate structure, like the requirement in Dodd-Frank requiring banks above $10 billion in assets to have a separate risk committee, or the requirement in Sarbanes-Oxley that an audit committee oversee a bank’s independent auditor.
But Porteous argues that banks should not wait for changes in the law to force them into structural changes. The changes should emerge instead from ongoing conversations at institutions about new trends and threats.
“To me the critical thing is constantly be assessing and challenging yourself as a board on the way in which you govern and not to be afraid to make adjustments,” Porteous says. “In other words, create committees to address the current or upcoming issues that enhance the focus (of the board).”
For Huntington, the establishment of the Significant Events Committee was years in the making, but finally came after the board realized it was having similar discussions about the same topic at the board level and in separate committees.
“It was a natural thing for us to take these discussions we were having, both at the board meeting and various committee-level meetings, and then decide that we were spending a significant amount of time in those discussions that it was going to be critically important,” Porteous says.
When formed, the committee included Huntington CEO Stephen Steinour, who chaired the committee; the lead director; the chairs of the technology, risk and audit committees and the “lead cyber director,” the 2018 company proxy said. The committee has since been folded into the broader Technology Committee because of overlapping skill sets, Porteous says, but the bank can reestablish it or other ad hoc committees as necessary.
One such committee was Huntington’s Integration Committee, created when the bank acquired FirstMerit Corp. in 2016. The committee met three times in 2017 after the acquisition and was later dissolved.
But it’s not just cybersecurity or M&A that should qualify as a significant event worthy of a board’s attention. Recurring natural disasters, for instance, including hurricanes in the Southeast and wildfires in the West are examples that might merit a similar response.
Whatever the issue, Porteous suggests boards continually assess their governance structure through annual board-level assessments or just paying attention to what’s in the newspaper every day.
“It’s critical to make those adjustments or adapt to the changing world,” Porteous says.