Venable partner Ron Glancz and managing director of cybersecurity services Ari Schwartz were quoted in the September/October 2016 issue of ABA Banking Journal on information technology oversight by bank boards. While many large banks have board-level IT committees to address cybersecurity challenges, it is more common for them to use IT steering committees that report to the full board.
"At smaller banks with less than $1 billion in assets, cybersecurity and technology deliberations are likely to be at the full board level" rather than in a committee, said Glancz. Added Schwartz, "It is often a knowledgeable director on the audit, risk, or compliance committee who takes the lead."
Pointing to President Obama's last meeting with independent financial regulators, Schwartz noted that "three-quarters of the session was focused on cybersecurity, and national security concerns were directly communicated to regulators." Citing a recent, high-profile example in which malware that came from an HVAC vendor attacked a company's point-of-sale terminal network, Schwartz said, "A lot of the cybersecurity risk emerges from working with vendors… Large banks have certainly addressed that. Less so, medium and small banks."
Schwartz also emphasized the importance of setting baselines to control IT risks, especially in cybersecurity. "Board members must ask, where are we today, where do we want to go by the next board meeting, and where do we want to go in two years? It’s a journey, not a destination, because the actors in this space continually evolve."