Cybersecurity Is Not an IT Report. It Is a Board Operating Discipline
Most cyber discussions in board meetings sound calm right up until they don't.
The dashboard is green. Patching is on track. Phishing simulations look decent. Someone says the bank is in a good place.
Then a vendor goes down. Member access disappears for days. Wire operations slow down. Call volume spikes. Regulators start asking harder questions than, "Did you apply the updates?"
That is the problem.
Too many boards still treat cybersecurity like a technical status update instead of what it actually is: an operating discipline tied to business continuity, vendor concentration, liquidity, reputation, and trust.
If you are a board member or senior leader at a community bank or credit union, you do not need to know how to configure a firewall. You do need to know whether your institution can keep serving customers when a cyber event hits you, or one of the companies you depend on.
That is a governance question.
The board's real job is not to review controls
Boards get dragged into the weeds in all the wrong places.
Management teams bring heat maps, maturity scores, and policy updates. Those things matter. But they are not the first questions I would ask.
The first questions are simpler.
- What business services would fail first if we lost a critical system tomorrow?
- How long could those services be down before we start hurting customers, earnings, or regulatory standing?
- Which third parties represent single points of failure?
- Who makes the call when convenience, speed, and resilience collide?
That is where board oversight earns its keep.
The data backs up the urgency. The 2024 CSBS Annual Survey of Community Banks found that 96 percent of respondents viewed cybersecurity as an extremely important or very important risk. IBM's 2024 Cost of a Data Breach Report put the average cost of a breach in the financial sector at $6.08 million. And the NCUA reported that 73 percent of cyber incident reports submitted by credit unions were related to third-party vendors.
Read those three numbers together and the pattern gets obvious.
This is not just about hackers. It is about concentration risk, operational resilience, and whether the board is asking management for evidence instead of reassurance.
Example one: Patelco showed what outage pain really looks like
Patelco Credit Union's 2024 ransomware attack is worth every board member's attention.
This was not just a security story. It was a service disruption story.
According to public reporting and California regulators, the attack contributed to weeks of member-facing disruption during the summer of 2024. Online and mobile banking access was interrupted. Core member services were affected. Patelco later disclosed that more than 1 million individuals were impacted, and the credit union reported a $39.2 million loss in the third quarter of 2024 tied largely to fallout from the incident.
Boards should pay attention to that last part.
Cyber events do not stay inside the IT budget. They leak into operations, member confidence, reserves, legal costs, and executive bandwidth.
If your board packet treats cybersecurity as a line item under technology, you are already looking in the wrong place.
Example two: CrowdStrike was a reminder that "secure" is not the same as "resilient"
The CrowdStrike outage in July 2024 was not a breach. It was a defective content update pushed to an endpoint security agent, and it crashed the Windows hosts that received it. Different cause. Same board lesson.
Roughly 8.5 million Windows devices were affected globally, according to Microsoft. Banks, payment systems, airlines, hospitals, and call centers all felt it.
That incident exposed something boards often miss: a strong security stack can still create a dangerous concentration point.
A lot of institutions had done what they were supposed to do. They had invested in security tooling. They had trusted an established provider. They still got hit by an operational failure outside their own walls.
That means board oversight has to extend beyond, "Do we have a good cybersecurity program?"
It also has to ask:
- Where are we operationally dependent on one vendor?
- What happens if a critical security or cloud provider fails by accident, through its own defect or outage, rather than through an attack?
- Have we tested manual workarounds for high-value services?
That is not pessimism. That is adult supervision.
Example three: acceptable downtime is a business decision, not a technical one
Earlier in my career at Bankers Bank, we supported an environment moving $8 billion to $11 billion in transactions daily.
In that kind of setting, the question is not, "Is the system secure?" Of course it needs to be. The bigger question is, "What interruption can the business actually survive?"
That framing matters for community institutions too.
You may not be moving that kind of volume. But your members and customers still expect access, trust, and continuity. If your card platform, online banking provider, wire system, or core processor goes sideways, the board does not get to hide behind technical vocabulary.
Directors are responsible for understanding the business impact of downtime and making sure management has planned for it.
Not guessed. Planned.
Four shifts boards should make now
Here is the practical part.
If I were helping a board tighten its cybersecurity oversight this quarter, I would push for four changes.
1. Stop asking for activity. Start asking for exposure.
Patch counts, blocked emails, and training completion rates are useful operating metrics. They are weak governance metrics on their own.
Ask management to report cyber risk in terms of business exposure:
- Critical services and recovery targets
- Top single points of failure
- Material vendor dependencies
- Open audit or exam issues tied to resilience
- Decision points that require board-backed risk appetite
A good board report should help directors understand what could interrupt the institution, for how long, and with what consequence.
2. Put third-party cyber risk on the main agenda, not the appendix
The NCUA's vendor-related incident figure should be a flashing light for every leadership team.
Most community institutions are more dependent on external platforms than they were five years ago. Core providers. Digital banking platforms. Fraud tools. Managed service providers. Cloud environments. Fintech integrations.
That dependency is not inherently bad. But unmanaged dependency is.
Boards should ask for a list of critical vendors mapped to critical business services. Not just a list of contracts. A map of operational reliance.
Very few directors see that clearly enough.
3. Run one board-level cyber scenario that is operational, not technical
Do not waste the board's time with a technical tabletop full of acronyms.
Run a scenario that starts with business effects.
Examples:
- Your online banking platform is unavailable for five days
- A core vendor suffers a ransomware event during payroll week
- A key provider pushes a bad update that breaks customer-facing systems
Then ask the board and executives to work the actual decisions.
Who communicates with customers? Who talks to regulators? What gets restored first? What policy exceptions would you approve? At what point does liquidity, reputation, or legal exposure become the bigger issue?
That is how boards build muscle.
4. Make management prove resilience, not just promise it
The phrase I distrust most in cyber briefings is, "We have a plan."
Good. Show me.
Boards should expect evidence that backup recovery, manual fallback processes, incident escalation, vendor coordination, and customer communications have been tested in a realistic way.
Hope is not a control.
Neither is a 94-page policy nobody has touched since last exam season.
What regulators and stakeholders really want to see
Regulators are not expecting every director to become a technologist.
They are expecting boards to govern.
That means asking whether management understands the institution's cyber exposure, whether important third parties are being challenged appropriately, whether incident response has been tested, and whether business continuity planning reflects how the institution actually operates today.
Customers want something even simpler.
They want their money accessible. Their information protected. And their institution prepared when something breaks.
That is the standard.
Cybersecurity is no longer a side briefing from the CIO near the end of the agenda. It is part of how a board exercises its fiduciary duty.
Not because every board needs to become technical.
Because every board needs to become clear-eyed.
Discussion questions
1. If one of your top three technology vendors failed this afternoon, which customer-facing service would hurt first?
2. Does your board spend more time reviewing cyber activity metrics or business resilience metrics?
3. What is one outage scenario your leadership team has not tested honestly enough?
Sources
- CSBS, 2024 Annual Survey of Community Banks
- IBM, Cost of a Data Breach Report 2024, Financial Services sector
- NCUA, 2024 Cybersecurity and Credit Union System Resilience Report to Congress
- Microsoft, July 2024 statement on the CrowdStrike-related outage impact
- California DFPI enforcement materials and public reporting on Patelco Credit Union's 2024 cybersecurity incident