A board’s primary responsibility is to manage risk of all types in the bank, including information security risk. Carrying out good risk management also helps the director to avoid personal liability.
To perform top-level oversight and monitoring of information security as regulators require, the board needs accurate and high-quality information. There are several ways to think about what kinds of IT information the board should receive, and how much:
Directors Should Receive the Information That Regulators Expect the Board to Review. The FFIEC outlines what types of systems reports and due diligence information a bank should obtain from “critical activities” IT-related vendors.1 Someone at the bank—usually the IT Officer—must carefully review the details of this vendor material and report on it to the IT Committee and the board.
The board doesn’t need to look at a full-length version of the vendor’s information. It’s enough if someone at the bank is capable of preparing and providing to the board an accurate summary and analysis of this documentation, including at least the important points, as well as pointing out any serious concerns raised by what is contained in or missing from the vendor’s documents.
Directors Should Be Given Information That May Significantly Assist Them in Carrying Out Their Responsibilities. If some directors are not very familiar with topics that the board will take action on, such as IT, management should consider providing supplemental information to get those directors up to speed.
But providing more and more information is not the ultimate goal. The quality, accuracy, and relevance of information to be provided are all more important than increasing the quantity. Depending on the specific issue, a well-prepared summary of key information is often more appropriate than giving the board a lot of very lengthy materials.
Directors Should Have Enough Information to Feel Comfortable Discussing Key Issues in a Board Meeting. A director who lacks confidence that he or she understands a subject well enough is unlikely to participate in board discussions about that matter. Having enough information encourages directors to express their opinions more freely, to ask good questions about what the board is considering, and to vote with confidence.
Directors Need to Receive Enough Information to Provide a “Credible Challenge” to Management. Regulators want the board to have enough details to be able to probe and discuss any important issue presented by management, not simply voting as management suggests because the directors may not understand the subject well enough.
Providing a “credible challenge” doesn’t mean that directors should disagree with whatever management recommends. Rather, the board should exercise its own judgment. When appropriate the board should ask management to explain or defend any suggested approaches or actions. If management’s recommendations are good, they will still be good after discussion.
Directors Need Enough Information to Meet Their Fiduciary Duty. If board members do not fulfill their duty to monitor and manage all critical risks in the bank, not only the bank’s customers and shareholders could be harmed, but even the FDIC insurance fund — and directors could be financially liable. If there is any high-risk area that a director is not very familiar with — including information security — it’s important to deliberately spend more time studying and managing it, in order to satisfy the director’s fiduciary duty.
From an examiner’s standpoint, a further step is also needed—proper documentation of the board’s review process. A bank should be careful to record in the board minutes the specific information that has been presented to the directors and reviewed, including if appropriate any response by the board to that information. For example, “a summary of ‘due diligence’ information provided by Vendor XYZ was reviewed by the board and determined to be satisfactory.”
1FFIEC – IT Examination Handbook Infobase
See separate IT handbooks on Information Security; Outsourcing Technology Services; Supervision of Technology Service Providers; and Management.