A culture of cybersecurity vigilance begins at the top of the organization.
But when you’re on the board of directors, building that ethic and safeguarding your information requires focus, commitment, and the determination to hold senior leadership accountable.
Often, board members lack the time and expertise to get their hands dirty with the complex, nitty-gritty of cybersecurity infrastructure, so they must rely on experts and senior leadership to guide them to effective, potent defenses against would-be hackers.
“It’s incumbent on them to ask questions that hold people in senior leadership and vendors accountable,” says Cary Conrad, chief development officer at SilverSky, a cybersecurity solutions provider.
NCUA regulations call for board members to oversee the development, maintenance, and implementation of information security programs and to have a fully integrated response plan to manage data breaches.
Experts say the best approach for boards is asking questions, challenging management, and bringing in outside experts and internal auditors to ensure the credit union is protected.
“Always think about the five W’s of any project: who, what, when, where, and why,” Conrad advises. “Who’s going to do it? When is it going to get done? How are they going to get it done? As a board member, you shouldn’t have to go much below that.”
If board members aren’t satisfied with the answers or have further questions, they should seek more detailed answers from outside experts.
“How senior management reacts to that is usually indicative of whether they have controls in place or not,” says Conrad.
At Hiway Credit Union, the board recently appointed an associate board member with technology and cybersecurity expertise.
“Security and technology have been a focus for our board,” says Dave Boden, CEO at the $1.7 billion asset credit union in St. Paul, Minn.
Bolstering this expertise improves the full board’s understanding of cybersecurity issues, he adds.
Hiway’s supervisory committee is responsible for monitoring security issues at the credit union. Boden says open communication allows board members to understand threats and respond appropriately.
Senior management also encourages board members to attend industry events to learn about cybersecurity and invite outside speakers to address the issue.
“We try to keep them informed, not only of what we’re seeing but of what people see on the news and what’s happening in the world,” Boden says. “There’s a lot of scary stuff out there.
“It’s incumbent on us to give them the information they need because they mostly don’t have that skill set,” he continues.
Rayleen Pirnie, an adviser at NEACH Payments Group, often speaks about information security to credit union directors.
“Directors are just as responsible as executive management for making sure all of this is done,” Pirnie says.
She urges directors to be endlessly curious when discussing cybersecurity with the executive team, vendors, and information technology experts.
“You’re only going to have enough knowledge if your executive team is giving you the right digestible pieces of information,” she says. “If you don’t understand what your CEO is telling you, make them stop and provide the details you need to make an informed decision, just as you would for any other area of their report.”
The same is true with third-party vendors, Pirnie says, adding it’s critical to know these companies’ reputation, security ethic, and infrastructure.
“If they’re compromised and they’re connected to your network, what risk does that present?” she says. “You can contract the job. You can’t contract away the liability if that solution provider is compromised and results in your member information or network being compromised.”
Pirnie notes that directors should size up areas in which they need outside expertise to provide a fresh perspective or a second opinion.
“It’s a constantly changing environment and can be challenging if a credit union has one technology person and three people in executive management,” she says. “It’s hard to keep up with your job and with what the future of cybersecurity could look like.”
Plans for crisis response in the event of a breach is another area of oversight that requires board attention.
“Even with the best planning and mitigation, incidents can still happen,” Pirnie says. “How do you respond to meet the obligations of the code of federal regulations and ensure minimal, if any, member disruption?”
Internal audit also plays a strong role in providing board members with an independent perspective on cybersecurity. Those insights should be shared directly with the board, Conrad says.
“Internal auditors need to report not only to the CEO, but also to the board exclusive of the CEO,” he says. “They provide two lines of reporting, which is standard governance for all financial institutions.”
In dealing with outside vendors and big-ticket infrastructure purchases, Conrad cites the old banking adage, “don’t buy a vault that costs more than what you’re protecting.”
Start with fundamentals, including a risk assessment, he advises. “A targeted, well-thought-out risk assessment will go a long way toward board members understanding whether they’re protecting what’s near and dear to the credit union.”