Cybersecurity 101 for Credit Union and Bank Leadership

Empowering Boards to Lead from the Top in the Fight Against Cyber Threats 

In today’s rapidly evolving threat and regulatory landscape, cybersecurity is no longer just an information technology (IT) issue – it’s a strategic priority requiring leadership involvement at the highest level. Financial institutions face increasing threats from ransomware, social engineering, data breaches and third-party vendor vulnerabilities. The impact of these events can be severe, affecting not only systems and finances, but also member/customer trust and regulatory standing. For credit unions and banks of all sizes, protecting member/customer data, maintaining trust and ensuring operational continuity depend on effective cybersecurity oversight. 

The National Credit Union Administration’s (NCUA) 2024 Letter to Credit Unions (24-CU-02) highlights a growing regulatory emphasis on the role of Boards of Directors in cybersecurity governance. Whether your financial institution is large or small, the message is clear: directors must be actively engaged in overseeing their institution’s cyber risk posture. Doeren Mayhew’s IT advisory pros offer key considerations for board members and executives seeking to better understand their role in cybersecurity oversight, and the questions they should be asking.

Why Boards Should Care and Why Leadership Involvement Matters 

Cybersecurity risks can no longer be delegated solely to the IT department. Boards and executives are ultimately responsible for ensuring the bank or credit union has adequate safeguards in place to protect member/customer data, maintain service availability and comply with regulatory expectations. 

The financial services industry is a top target for cybercriminals. Attacks like ransomware, phishing and third-party data breaches can cause: 

  • Service outages or downtime affecting member/customer access. 
  • Regulatory violations tied to Gramm-Leach-Bliley Act (GLBA), NCUA Part 748 and Federal Financial Institutions Examination Council (FFIEC) guidelines. 
  • Reputation damage, particularly when sensitive data is exposed. 
  • Financial loss, either through fraud or recovery costs. 

Effective cybersecurity oversight by the Board and leadership can help: 

  • Prevent or minimize the impact of cyber incidents. 
  • Ensure proper funding and prioritization of security efforts. 
  • Foster a culture of awareness and accountability. 
  • Support strategic alignment of cybersecurity initiatives and business objectives. 

Key Questions Board Members Should Ask 

To provide effective governance, directors don’t need to become cybersecurity experts. However, they should understand the institution’s cybersecurity posture at a high level and ask the right questions, such as: 

  • Have we adopted a cybersecurity framework, such as the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) or the Center for Internet Security (CIS) Controls? With the FFIEC Cybersecurity Assessment Tool (CAT) sunsetting August 31, 2025, Boards should have a plan for what will fill that gap.
  • What is our process for conducting risk assessments, and how often are they updated? Boards must treat cyber risk as evolving and align it with enterprise risk. What emerging risks (artificial intelligence (AI), supply chain, cloud) may affect us next?
  • Have we tested our incident response plan and who is involved in that process? Are we aligned with the incident reporting windows, such as the NCUA 72-hour rule? 
  • How often do we test our business continuity/disaster recovery plans under realistic, full‑scope simulations? What were the lessons learned, and what have we changed as a result? 
  • What are the results of our latest vulnerability assessments or penetration tests and how were issues addressed? 
  • How do we vet and monitor the cybersecurity practices of third-party vendors, especially those with access to member/customer data? What is our threshold/criteria for considering a vendor to be ‘critical’ or high risk, and how is that monitored? Are our critical vendors providing SOC 2 examinations to support the operating effectiveness of the controls over our customer/member data?  
  • What kind of cybersecurity training and awareness programs do we provide to staff? 
  • Are we investing adequately in cybersecurity tools, training and personnel?
  • What governance, audit and control structures are in place for emerging technologies? How are we ensuring resiliency, data protection, clear service level agreements and oversight with providers? 

These questions help shift the conversation from technical jargon to strategic oversight. 

Practical Steps Boards Can Take 

Even without a technical background, board members and executives can take simple steps to strengthen their involvement: 

  • Include cybersecurity in strategic planning and risk management discussions. 
  • Establish regular cybersecurity briefings from management or external cybersecurity partners.
  • Designate a committee or role to focus on IT and cybersecurity oversight. 
  • Review cybersecurity reports and metrics/key performance indicators (e.g., vulnerability remediation timelines, audit findings, incident trends). 
  • Request executive-level summaries of technical assessments (e.g., IT audits, penetration tests). 
  • Review the institution’s cybersecurity roadmap annually, including planned upgrades and investments. 
  • Ensure business continuity and disaster recovery plans are tested under realistic conditions, with external dependencies included. 

Partnering with Experts 

Cybersecurity oversight is not optional — it’s a business risk demanding leadership’s attention. Boards of Directors must take an active role in understanding and managing these risks. By staying informed, asking the right questions and supporting your team with the right resources, leadership can play a powerful role in protecting members/customers, and ensuring long-term institutional resilience.  

Many financial institutions don’t have in-house cybersecurity experts or are looking to supplement internal expertise. In these cases, partnering with a trusted cybersecurity firm, like Doeren Mayhew, to perform IT general control audits, risk assessments, vulnerability scans and penetration testing is both practical and effective.

Brad Atkin
Brad Atkin is a Shareholder/Principal at Doeren Mayhew, where he is the Practice Leader of the firm's Cybersecurity and IT Advisory Group.