Banks are doing a disservice to shareholders on cybersecurity. The issue is a top risk concern for 82 per cent of the industry's top brass, according to new research by industry publication Bank Director. But the survey shows that less than a fifth of bank boards review the issue at every meeting. The biggest US lenders scarcely mentioned cyber risks in so-called proxy documents prepared for their annual shareholder meetings in 2014, and so far have addressed them only a little more this year.
The annual proxy is in many respects the best place to elucidate a bank's cybersecurity strategy. It lays out for investors the priorities that dictate board composition, executive pay and where oversight and accountability are concentrated.
Financial risks, regulation and other concerns have traditionally dominated. Cybersecurity, though, has rocketed up the agenda - only 51 per cent of respondents cited it as a top risk in Bank Director's previous survey. Prominent breaches at retailers Target and Home Depot, Sony Pictures Entertainment and JPMorgan, where information on 83 million customers was compromised, helped change things.
Ironically, JPMorgan Chief Executive Jamie Dimon has been in the vanguard, drawing attention to cybersecurity in his letter to shareholders both a year ago - when he pledged to commit $250 million a year and 1,000 people to the battle - and in April 2013. Robert Wilmers, boss of regional M&T Bank, isn't far behind, laying out how much his firm is spending, the rate of increase in cyberattacks and phishing and how many debit and credit cards it had to reissue.
Bank of America boss Brian Moynihan told Bloomberg earlier this year that his bank spends more than $400 million a year on cyber risks. Such costs will rise as new technologies penetrate banking and raise bank cybersecurity to a level not far from key financial risks.
Board priorities have not caught up, judging by proxy statements. Investors deserve to know things like what relevant skills directors have, which board committee is responsible, how a bank ensures that technology vendors are doing their job and what plans are in place should a debilitating hack occur. BofA, Wells Fargo and Citigroup only addressed the first point this year.
Dimon might say more in this year's letter, due next month. But banks' proxy statements should say more about cyber defenses, too. As the industry's most public hacking victim, it would be fitting if JPMorgan becomes the bank to set a new standard.
The annual proxy is in many respects the best place to elucidate a bank's cybersecurity strategy. It lays out for investors the priorities that dictate board composition, executive pay and where oversight and accountability are concentrated.
Financial risks, regulation and other concerns have traditionally dominated. Cybersecurity, though, has rocketed up the agenda - only 51 per cent of respondents cited it as a top risk in Bank Director's previous survey. Prominent breaches at retailers Target and Home Depot, Sony Pictures Entertainment and JPMorgan, where information on 83 million customers was compromised, helped change things.
Ironically, JPMorgan Chief Executive Jamie Dimon has been in the vanguard, drawing attention to cybersecurity in his letter to shareholders both a year ago - when he pledged to commit $250 million a year and 1,000 people to the battle - and in April 2013. Robert Wilmers, boss of regional M&T Bank, isn't far behind, laying out how much his firm is spending, the rate of increase in cyberattacks and phishing and how many debit and credit cards it had to reissue.
Bank of America boss Brian Moynihan told Bloomberg earlier this year that his bank spends more than $400 million a year on cyber risks. Such costs will rise as new technologies penetrate banking and raise bank cybersecurity to a level not far from key financial risks.
Board priorities have not caught up, judging by proxy statements. Investors deserve to know things like what relevant skills directors have, which board committee is responsible, how a bank ensures that technology vendors are doing their job and what plans are in place should a debilitating hack occur. BofA, Wells Fargo and Citigroup only addressed the first point this year.
Dimon might say more in this year's letter, due next month. But banks' proxy statements should say more about cyber defenses, too. As the industry's most public hacking victim, it would be fitting if JPMorgan becomes the bank to set a new standard.
You’ve reached your limit of {{free_limit}} free articles this month.
Subscribe now for unlimited access.
Already subscribed? Log in
Subscribe to read the full story →*Subscribe to Business Standard digital and get complimentary access to The New York Times
Smart Quarterly
₹900
3 Months
₹300/Month
SAVE 25%
Smart Essential
₹2,700
1 Year
₹225/Month
SAVE 46%
*Complimentary New York Times access for the 2nd year will be given after 12 months
Super Saver
₹3,900
2 Years
₹162/Month
Subscribe
Renews automatically, cancel anytime
Here’s what’s included in our digital subscription plans
Exclusive premium stories online
Over 30 premium stories daily, handpicked by our editors
Complimentary Access to The New York Times
News, Games, Cooking, Audio, Wirecutter & The Athletic
Business Standard Epaper
Digital replica of our daily newspaper — with options to read, save, and share
Curated Newsletters
Insights on markets, finance, politics, tech, and more delivered to your inbox
Market Analysis & Investment Insights
In-depth market analysis & insights with access to The Smart Investor
Archives
Repository of articles and publications dating back to 1997
Ad-free Reading
Uninterrupted reading experience with no advertisements
Seamless Access Across All Devices
Access Business Standard across devices — mobile, tablet, or PC, via web or app
SAVE 25%