How Good is Your Company’s Cyber-Security?
Those who have been in residential lending more than ten years remember a time when they didn’t know what the term “cyber” meant. But in recent years that has changed. Every lender of any size has a “head of IT,” a “chief information officer (CIO), and/or a “chief information security officer” (CISO), often with a staff of technicians, who reports directly to the CEO. Why? Because a lender that is not vigilant about cyber-security can find itself with a data breach resulting in damages running well into the millions of dollars.
Given all the cyber-risk in lending these days, lenders are frequently asking STRATMOR what job duties a CISO should have. IT teams wear multiple hats, so it isn’t uncommon for the CISO job to exist within the CIO position. The roles are distinctly different, however. The CIO handles all things technology systems and the support around that, while the CISO is responsible for managing the security risks in and around these systems and what is inside them. The CISO focuses on protecting financial data and information — both personal and corporate — by actively managing risks around improper systems access, cyber-crime and other evolving threats.
STRATMOR has seen prudent lenders focus on information security. And as it has become an increasingly concerning and important issue, especially for banks, more and more lenders are looking into hiring an experienced CISO. But, given the over-arching demand for information security professionals across all industries, hiring a solid CISO can be difficult. So, that puts smaller lenders and community banks in a bind. It can be particularly difficult for such lenders to find someone to fit the role.
Consider also the regulatory view of things. The latest Federal Financial Institutions Examination Council (FFIEC) IT Management booklet calls for a more strategic role for the top information security professional at a bank. The management and IT staff at every lender, not just banks, should be familiar with this information as the booklet is designed to provide guidance to examiners and outline principles of overall IT governance. Basically, since technology supports most of a lender or bank’s business, it requires a more robust risk management framework to support that risk profile.
This latest version of the booklet updates the role of the information security officer to one that is a more strategic and integral part of the business. As a result, many STRATMOR clients have re-designed their organization chart so that this person reports directly to the CEO or owner; that is, if a lender or bank can find someone with the appropriate CISO skill set and experience.
From a regulatory standpoint, the FFIEC says the CISO is typically responsible for several areas. The first is developing and implementing a board-approved information security strategy, including the implementation of strategies to monitor and address both current and emerging risks. As regards the latter, the CISO engages with management in the lines of business to understand new initiatives, providing information on the inherent information security risk of these activities, and outlining ways to mitigate the risks. Further, as an ongoing matter, the CISO works with management in the lines of business to understand the flows of information, the risks to that information, and the best ways to protect the information.
Other job duties include informing the board, management and staff of information security and cybersecurity risks and the role of staff in protecting information. Included here is pushing security awareness and training programs out to loan officers along with the staff, participating in industry collaborative efforts to monitor, share and discuss emerging security threats and reporting significant security events.
And the CISO’s duties don’t stop at the day-to-day activities. A surge in regulatory scrutiny around cybersecurity and reported breaches in multiple industries, including lending, has increased the importance of this issue in bank M&A transactions too. Diligence teams now include risk management, cyber, financial crime and other such areas of expertise when reviewing M&A opportunities.
So, what’s a lender to do — especially a smaller independent lender or bank — given the high stakes of cyber-security and the scarcity of cyber-talent relative to the demand across industries? I wish there was a simple answer. But, at the risk of sounding like a “shill” for STRATMOR or other consultants, the first step, if you haven’t done it already and before you do anything else, is to get an unbiased, in-depth assessment or audit of your current risk situation. Are your risk management strategies, processes and organization in-line with the latest FFIEC IT Management booklet? How good are your defenses against penetration of your LOS and other systems? And, importantly, do you have the right people in place?
To be blunt about it, few CEOs and other top-level mortgage executives have the background and training to intelligently assess what they are hearing about risk from their in-place CTO and CISO (if they have one). Faced with “techno-babble,” most CEOs simply accept what they hear from their CTO/CISO with fingers crossed. Very risky! Get a second opinion. And consider contacting Len Tichy, STRATMOR’s technology Guru, at firstname.lastname@example.org.
Rob Chrisman Rob Chrisman's Blog