ABA Banking Journal
No Result
View All Result
  • Topics
    • Ag Banking
    • Commercial Lending
    • Community Banking
    • Compliance and Risk
    • Cybersecurity
    • Economy
    • Human Resources
    • Insurance
    • Legal
    • Mortgage
    • Mutual Funds
    • Payments
    • Policy
    • Retail and Marketing
    • Tax and Accounting
    • Technology
    • Wealth Management
  • Newsbytes
  • Podcasts
  • Magazine
    • Subscribe
    • Advertise
    • Magazine Archive
    • Newsletter Archive
    • Podcast Archive
    • Sponsored Content Archive
SUBSCRIBE
ABA Banking Journal
  • Topics
    • Ag Banking
    • Commercial Lending
    • Community Banking
    • Compliance and Risk
    • Cybersecurity
    • Economy
    • Human Resources
    • Insurance
    • Legal
    • Mortgage
    • Mutual Funds
    • Payments
    • Policy
    • Retail and Marketing
    • Tax and Accounting
    • Technology
    • Wealth Management
  • Newsbytes
  • Podcasts
  • Magazine
    • Subscribe
    • Advertise
    • Magazine Archive
    • Newsletter Archive
    • Podcast Archive
    • Sponsored Content Archive
No Result
View All Result
No Result
View All Result
Home Compliance and Risk

Enabling cybersecurity success through governance and risk management

May 18, 2023
Reading Time: 5 mins read
Enabling cybersecurity success through governance and risk management

By fostering collaborative communication, an engaged board and leadership team can ask the right questions and identify potential areas of undue exposure or control gaps.

By Steve Soukup

With increased reliance on technology, rapid digital transformation, and the steady pursuit of growth in the banking sector, the threat to banks of cyber-attacks has become a growing and critical concern. Cybercriminals are increasingly innovative and bold in their attempts to breach systems and infrastructures, and banks are held to a higher standard to ensure they can prevent, detect and mitigate threats.

To succeed in cybersecurity, banks benefit when they establish efficient governance to oversee their program. This requires implementing a cyber risk management system that provides real-time visibility into the program’s successes and deficiencies, enabling banks to measure risk accurately and direct program initiatives effectively.

Prioritizing governance is critical to the success of any financial institution because it ensures compliance, improves communication and decision-making, and increases efficiency.

Governance

rightwards arrow
View more
risk and compliance articles.

An effective governance program starts with a clear framework that outlines how the institution and its employees will operate through established policies, procedures, processes and personnel. The framework should detail appropriate security measures to protect their customers’ data while aligning with the goals, objectives, and expectations established by the board. A strong program is shaped according to regulatory requirements and industry standards and drives effective risk management and compliance.

Once the frameworks are established, the next step is to create a program that will govern and ensure the effective implementation of those directives. Proper governance guarantees the program is working as intended, the risks are being appropriately managed and the bank is staying in compliance. Control testing and sampling are employed to ascertain that the policies are being adhered to and that the designed system of controls is effectively mitigating risks down to a residual risk level within the board-prescribed risk appetite.

Monitoring key metrics and reporting on performance and risk levels to the board and other stakeholders are also key pieces that enable proper governance while helping to inform decision-making and provide assurance that risks are within tolerance. Establishing an efficient governance program serves as a solid foundation, enabling banks to direct their focus toward cyber risk management.

Cyber risk management

With a well-designed, successfully executed and versatile cyber risk management program, banks can effectively prevent, detect, and mitigate potential cyber threats, protect sensitive customer data and assets and ensure compliance with regulatory requirements.

When assessing their cyber risk management strategy, banks benefit when they consider these two core principles:

1. Banks are unique targets. The financial industry is set apart from others due to the responsibility to safeguard high-value assets while grappling with compliance and regulatory pressures.

2. Cyber threats are dynamic and constantly evolving. Threat actors are relentless in their attempts to breach bank systems to gain unauthorized access. With every modification to business operations or adoption of new technology, you are exposed to new risks. So, a reasonable expectation is that banks evolve their cyber risk management strategies in tandem with the evolving threat landscape.

Banks benefit when they ensure that their cybersecurity program, governance over that program, and risk management system around the program are commensurate with other risk management systems employed in the bank, such as their credit risk management or interest risk management programs. Additionally, stakeholders must be engaged and informed to adequately approve and govern the program.

When effective programs are in place, and the appropriate support from stakeholders is employed, the result is an effective cyber risk management solution that swiftly identifies and responds to emerging risks, has sufficient resources to implement the appropriate system of controls to mitigate these dynamic risks and ultimately protects the bank from financial and reputational risks.

Understanding and mitigating risk

What we know: Risk is inherent and constantly evolving. What we need to know: Proper risk management and governance programs are in place.

To ensure the utilization of proper risk management and governance programs, it’s essential to consider the individuals responsible for approving and overseeing the program—namely, the board—and their ability to not only comprehend the objectives of a cybersecurity program but also establish appropriate cultural expectations that drive it.

Historically, boards and CEOs have been less willing to delve into cybersecurity than they are with other key risk areas, such as asset quality or consumer compliance. One of the more common reasons is the perception that the content is too technical. Given the high stakes involved, executive leadership and the board cannot afford to adopt a dismissive attitude of “that is too technical for me” any longer.

It’s impossible to approve a program, make informed decisions about it, or ensure its effectiveness without a clear understanding of the risks driving the program and the directives within it. It’s like trying to build a house without a blueprint.. Simply put, the board and executive team must be willing to understand cyber risks to govern effectively.

Stakeholders must comprehend the risks and understand why the existing mitigating controls are appropriate for overseeing the program. They must be adequately informed on the successes and gaps of the program to make the right decisions around resource allocation and risk priority. It’s crucial for them to define the risk appetite, and the metrics for monitoring against the risk appetite, identify tolerance levels for those metrics, and receive consistent, meaningful reporting on identified key metrics. This is indicative of a mature risk management program. Unfortunately, we are not seeing this level of risk management around cyber risk throughout banking, and we cannot wait for an event to mature the cyber risk management program.

Further, it is the board that sets cultural expectations that are exemplified and disseminated by executive leadership. Culture is a key factor in supporting a program, ensuring that policy directives are adhered to daily on the front lines and that risk decisions align with the institution’s risk appetite. It’s worth examining whether or not an influential security culture bolsters the bank’s cybersecurity program. If leadership does not understand cybersecurity, the culture is likely not as strong as it should be.

Bridging the gap

While we recognize the significance of aligning the board and leadership on matters of cybersecurity, the real obstacle lies in determining the most effective first step to bridge the knowledge gap. A productive approach is for banks to be intentional in the way they engage with and educate stakeholders to ensure that their programs are adequately governed.

Engagement will support a security-focused culture, ensure resources are adequately allocated, and provide the program with effective challenge, strengthening the program and ultimately protecting the bank and its customers. By fostering collaborative communication, an engaged board and leadership team can participate in asking the right questions and identify potential areas of undue exposure or control gaps. This ensures the program continues to grow and mature, enabling the bank to better prevent and respond to potential events. A mature risk management system holds immeasurable value, and an engaged and informed board can only benefit leaders overseeing cybersecurity programs.

Unify for success

The growing prevalence of cyber threats drives a crucial need to evolve the risk management systems surrounding cyber and information security programs. It is imperative to design and implement governance programs comparable to governance seen in other areas of the bank, which requires leadership and the board to be united with the same goal. When an effective security culture is established at the top levels, it permeates the entire institution. So, the time is now to bridge the gap in knowledge and facilitate productive engagement to build an efficient governance program, which will ultimately guarantee success.

Steve Soukup is CEO of DefenseStorm.

Tags: Cyber crimeCybersecurityRisk management
ShareTweetPin

Related Posts

FDIC withdraws proposed rules on brokered deposits, corporate governance, executive pay

Small Business Bank in Kansas closed by regulators

Community Banking
July 17, 2026

Kansas regulators closed Small Business Bank in Lenexa, Kansas, and appointed the FDIC as receiver. The Farmers State Bank of Oakley, Kansas, agreed to assume substantially all deposits and purchase certain assets.

FDIC issues relief guidance for Mississippi, Tennessee banks affected by storms

FDIC issues relief guidance for banks serving tribes in Arizona, Montana affected by severe weather

Compliance and Risk
July 17, 2026

The FDIC has released guidance with steps intended to provide regulatory relief to financial institutions and facilitate recovery in areas of the San Carlos Apache Indian Reservation in Arizona, and the Fort Peck Indian Reservation and the Crow...

ABA, 52 state bankers associations urge Congress to close stablecoin interest loophole

ABA, associations seek agency alignment on Genius Act implementation

Compliance and Risk
July 17, 2026

The National Credit Union Administration should coordinate with the banking agencies to ensure that Genius Act implementation is substantially similar among all federal payment stablecoin regulators, the American Bankers Association and three other banking sector associations said.

ABA: OCC should revise proposed changes to bank merger application process

ABA: OCC policy changes create uncertainty about minority deposit institution status

Community Banking
July 17, 2026

In a new letter, ABA cited several concerns about the OCC’s recent revisions to its standards for designating minority deposit institutions, saying the changes create uncertainty for institutions seeking to qualify or maintain MDI designation.

ABA, associations propose improvements to federal data privacy law

Banking agencies promise new approach for handling sensitive information

Compliance and Risk
July 16, 2026

The Federal Reserve, FDIC and OCC announced a “coordinated approach” for handling sensitive information used in bank examinations, including a new pledge to notify banks about data breaches that threaten to expose that information.

AI’s rapid rise compels smart risk management for banks

Risk and compliance as strategic growth partners

Compliance and Risk
July 16, 2026

Risk leaders must build relationships, credibility and trust at the bank so their input is valued.

NEWSBYTES

Small Business Bank in Kansas closed by regulators

July 17, 2026

Texas Bankers Foundation reopens flood relief fund following severe storms

July 17, 2026

FDIC issues relief guidance for banks serving tribes in Arizona, Montana affected by severe weather

July 17, 2026

SPONSORED CONTENT

Why Your Systems Keep Slowing Down — and What to Do About It

Examiners Are Now Looking at Your Non-Core Systems

June 11, 2026
Your Floorplan Audit and Your Credit Decision Are Weeks Apart. That Gap Has a Price.

Your Floorplan Audit and Your Credit Decision Are Weeks Apart. That Gap Has a Price.

June 1, 2026
A Modern Blueprint for Serving High-Net-Worth Families

A Modern Blueprint for Serving High-Net-Worth Families

May 28, 2026
Why Your Systems Keep Slowing Down — and What to Do About It

AI Is in Your Bank. Is Your Cloud Contract Governing It?

May 20, 2026

PODCASTS

Podcast: Understanding the 2025 Home Mortgage Disclosure Act data

July 8, 2026

Podcast: Financing America’s independence

June 29, 2026

Podcast: Talent and innovation in community banking

June 18, 2026

American Bankers Association
1333 New Hampshire Ave NW
Washington, DC 20036
1-800-BANKERS (800-226-5377)
www.aba.com
About ABA
Privacy Policy
Contact ABA

ABA Banking Journal
About ABA Banking Journal
Media Kit
Advertising
Subscribe

© 2026 American Bankers Association. All rights reserved.

No Result
View All Result
  • Topics
    • Ag Banking
    • Commercial Lending
    • Community Banking
    • Compliance and Risk
    • Cybersecurity
    • Economy
    • Human Resources
    • Insurance
    • Legal
    • Mortgage
    • Mutual Funds
    • Payments
    • Policy
    • Retail and Marketing
    • Tax and Accounting
    • Technology
    • Wealth Management
  • Newsbytes
  • Podcasts
  • Magazine
    • Subscribe
    • Advertise
    • Magazine Archive
    • Newsletter Archive
    • Podcast Archive
    • Sponsored Content Archive

© 2026 American Bankers Association. All rights reserved.