The Financial Conduct Authority (FCA), the U.K. watchdog, released the findings of a study Wednesday (Dec. 12) showing that boards and management committees at companies don’t have an understanding of the cyber risks that pose a threat to their organizations.
In a press release announcing the results, the FCA said that despite growing public awareness about cybersecurity and increased regulation placed on companies, the board members of scores of companies have a limited understanding of the risks. According to the FCA, in late 2017 and early 2018, it conducted a cyber review of multiple firms, using a sample of 20 businesses operating in asset management and the wholesale banking sectors. It asked board and management committee members to describe their companies’ cyber risks in an effort to ascertain their level of knowledge.
Nearly all of the board members and senior management that didn’t have an information technology background told the FCA that it was hard to understand and explain the cybersecurity risks their company faced. According to the FCA, that shows firms can do more to educate board members and senior management about cyber risks.
“Many bank boards still do not understand the cyber threat. They see the information security budget and feel they are taking action, but they don’t fully engage with the CISO and their team,” said Stephen Gailey, solutions architect at security company Exabeam, in a statement to PYMNTS. “The reality is that while budgets have increased over the last 10 years or so, much of that spend has focused on compliance and the insider threat.”
What’s more, Gailey said the way boards are composed ensures that there is no IT experience at that level, nor are there security professionals who can lay out the threats and challenges to board members in layman’s terms. “There is little doubt that many bank boards are complacent about cyber threats due in no small part to the lack of cyber experience of their members,” the Exabeam executive said. “We may have to wait for a new generation of bank executives until we see significant change in this situation, but until then, CISOs must fight for their budgets and for the right emphasis on spending.”