© 2019 SourceMedia. All rights reserved.

Bank data security heads seen in need of more CEO face time

(Bloomberg) -- Just 8 percent of cybersecurity heads at U.S. financial firms report to the chief executive officer directly and more should do so to improve decision-making, according to the Financial Services Information Sharing & Analysis Center.

The industry group’s first-ever survey on the topic showed that 39 percent of chief information security officers report directly to the chief information officer, followed by 14 percent who said they answer to the chief risk officer.

Before the 2008 financial crisis, most risk chiefs didn’t report directly to the CEO, reflecting a lack of influence at the biggest banks just as the industry was piling on more risk. After the crisis, risk managers had considerably more clout.

A student types code on a laptop computer during a cyber-defense programming class in the "War Room" at Korea University in Seoul, South Korea, on Thursday, Nov. 26, 2015. In a darkened "war room" dozens of South Korea's brightest college students are practicing hacking each other as part of a government program to train them to battle some of the world's best -- the shadowy techno-soldiers of Kim Jong Un's regime. Photographer: SeongJoon Cho/Bloomberg

“Free and direct flow of critical information to the CEO and to the board of directors will help increase transparency and facilitate faster decision-making,” the group said in a statement accompanying the survey, to be published Monday.

The most critical defense against cyberattacks is employee training, according to 35 percent of those surveyed, ahead of network defense and infrastructure upgrades (25 percent) and breach prevention (17 percent). Protective measures on a firm’s computer system can still fail if a worker clicks on a link or downloads an email attachment carrying malicious code.

A majority of respondents, 54 percent, said they send quarterly reports to their companies’ boards, while 18 percent said they do so twice a year and 16 percent annually. The survey was conducted in the fourth quarter of last year, with 102 chief information security officers responding.

A related survey from Accenture Plc found that financial-services firms face the highest cyber-crime costs of all industries. Financial companies deal with an average of 125 breaches a year, resulting in annual costs of about $18 million per firm, according to the survey, scheduled for release on Tuesday. That’s up 10 percent from a year ago and 40 percent in three years. Accenture’s survey was conducted in the third quarter and involved 42 financial companies.