Banks are doing a disservice to shareholders on cybersecurity. The issue is a top risk concern for 82 percent of the industry’s top brass, according to new research by industry publication Bank Director. But the survey shows that less than a fifth of bank boards review the issue at every meeting. The biggest U.S. lenders scarcely mentioned cyber risks in so-called proxy documents prepared for their annual shareholder meetings in 2014, and so far have addressed them only a little more this year.
The annual proxy is in many respects the best place to elucidate a bank’s cybersecurity strategy. It lays out for investors the priorities that dictate board composition, executive pay and where oversight and accountability are concentrated.
Financial risks, regulation and other concerns have traditionally dominated. Cybersecurity, though, has rocketed up the agenda – just 51 percent of respondents cited it as a top risk in Bank Director’s previous survey. Prominent breaches at retailers Target and Home Depot, Sony Pictures Entertainment and JPMorgan, where information on 83 million customers was compromised, helped change things.
Ironically, JPMorgan Chief Executive Jamie Dimon has been in the vanguard, drawing attention to cybersecurity in his letter to shareholders both a year ago – when he pledged to commit $250 million a year and 1,000 people to the battle – and in April 2013. Robert Wilmers, boss of regional M&T Bank, isn’t far behind, laying out how much his firm is spending, the rate of increase in cyberattacks and phishing and how many debit and credit cards it had to reissue.
Bank of America boss Brian Moynihan told Bloomberg earlier this year that his bank spends more than $400 million a year on cyber risks. Such costs will rise as new technologies penetrate banking and raise bank cybersecurity to a level not far from key financial risks.
Board priorities have not caught up, judging by proxy statements. Investors deserve to know things like what relevant skills directors have, which board committee is responsible, how a bank ensures that technology vendors are doing their job and what plans are in place should a debilitating hack occur. BofA, Wells Fargo and Citigroup only addressed the first point this year.
Dimon may say more in this year’s letter, due next month. But banks’ proxy statements should say more about cyber defenses, too. As the industry’s most public hacking victim, JPMorgan would fittingly be the bank to set a new standard.