AVP IT Consulting,
Credit Union Resources, Inc
Credit Unions are more dependent than ever on information technology to conduct business, and the trend is not declining. The complexity and reliance on third party resources is also increasing, resulting in the amplified cyber threats. As a consequence, it is imperative that the board of directors and managers remain “in the know” of cyber security at their credit unions.
The FFIEC stated, “Today’s financial institutions are critically dependent on IT to conduct business operation. This dependence, coupled with increasing sector interconnectedness and rapidly evolving cyber threats, reinforces the need for engagement by the board of directors and senior management.”
The following is an excerpt from the FFIEC IT Examination Handbook Management November 2015 giving guidance:
The board of directors sets the tone and direction for an institution’s use of IT. The board should approve the IT strategic plan, information security program, and other IT-related policies. To carry out their responsibilities, board members should understand IT activities and risks.
The board or a board committee should perform the following:
• Review and approve an IT strategic plan that aligns with the overall business strategy and includes an information security strategy to protect the institution from ongoing and emerging threats, including those related to cybersecurity5
• Promote effective IT governance.
• Oversee processes for approving the institution’s third-party providers, including the third parties’ financial condition, business resilience, and IT security posture.
• Oversee and receive updates on major IT projects, IT budgets, IT priorities, and overall IT performance. The board of directors may need to approve critical projects and activities, such as expanding the institution’s product line to include mobile financial services.
• Oversee the adequacy and allocation of IT resources for funding and personnel.
• Approve policies to escalate and report significant security incidents to the board of directors, steering committee, government agencies, and law enforcement, as appropriate.
• Hold management accountable for identifying, measuring, and mitigating IT risks.
• Provide for independent, comprehensive, and effective audit coverage of IT controls.
The board may delegate the design, implementation, and monitoring of specific IT activities to management or a committee (e.g., IT steering committee). An IT steering committee4 generally comprises senior management and staff from the IT department and other business units. Committee members do not have to be department heads, but members should understand IT policies, standards, and procedures (collectively, policies). Each member should have the authority to make and be held accountable for decisions within their respective business units. If the institution has a formal risk management function, risk management staff should participate in an advisory capacity.
The steering committee typically is responsible for reporting to the board on the status of IT activities. The reports enable the board to make decisions without having to be involved in routine activities. While the board may delegate the design, implementation, and monitoring of certain IT activities to the steering committee, the board remains responsible for overseeing IT activities and should provide a credible challenge6 to management. The steering committee is typically responsible for strategic IT planning, oversight of IT performance, and aligning IT with business needs. The steering committee should have a charter that defines its responsibilities.
The steering committee should receive appropriate information from IT, lines of business, and external sources. Additionally, it should coordinate and monitor the institution’s IT resources. The steering committee should review and determine the adequacy of the institution’s training, including cybersecurity training, for staff. The steering committee should also document meeting minutes and decisions and inform the board of directors of the committee’s activities.
My tip to the board of directors and the management is to work with their IT Department and/or vendors to determine a baseline security standard. This can be accomplished by reviewing the available reports and identifying anomalies that will invoke your incident response procedures.