The Federal Deposit Insurance Corporation has long considered a community bank’s board of directors to be one of the most important elements in the successful operation of a bank. Nearly thirty years ago, the FDIC issued its Pocket Guide for Directors. While the term “corporate governance” was not in vogue when the Pocket Guide was first published, the guide is today considered a corporate governance primer for directors.
In its April 2016 Supervisory Insights, the FDIC “reflects” on the Pocket Guide. Not surprisingly, the agency does not alter the core corporate governance principles of the Pocket Guide. As important today as they were in the first Pocket Guide published in 1988 are the concepts of independence for directors, their obligation to select and retain competent management, their duty of loyalty, and their duty of due care.
One word that appears in the FDIC’s current reflections on the Pocket Guide that did not appear in its original version thirty years ago is the word “cyber.” In its April 2016 reflective guidance, the FDIC urges bank directors and senior management to engage in sound strategic planning in order to deal with “emerging or unforeseen risks, such as cyber threats…” Similarly, the FDIC reminds community bank directors that they should ensure that senior management has established appropriate risk management policies and procedures for “cyber risk.” The agency reminds directors that it will expect a higher level of board oversight when there are operational problems with “cybersecurity.”
In our August 2015 client advice, “Assessing Your Cybersecurity Preparedness: It May Be Time to Update Your Bank’s Information Security Plan and Response Program,” we noted that there was increasing regulatory scrutiny of risks related to cybersecurity. We continue to urge community banks to be proactive in managing this risk. Specifically, we encourage banks to undertake a self-assessment of their current cybersecurity preparedness.