Selecting and implementing a maturity model: Cybersecurity playbook for management #2

Cybersecurity is the responsibility of all employees and managers: it takes a team

When a breach occurs, people tend to focus on what goes wrong at the technical level and often fail to see that cybersecurity begins at the strategic level. 

BerryDunn’s cybersecurity playbook outlines the activities managers need to take to properly oversee cybersecurity. Read the full series:

1. Maturity modeling
2. Selecting and implementing a maturity model
3. Tapping your internal capacity for better results
4. External capacity
5. Discovery
6. The workflow
7. Incident response
8. Incident recovery

Do you know what would happen to your company if your CEO suddenly had to resign immediately for personal reasons? Or got seriously ill? Or worse, died? These scenarios, while rare, do happen, and many companies are not prepared. In fact, 45% of US companies do not have a contingency plan for CEO succession, according to a 2020 Harvard Business Review study.  

Do you have a plan for CEO succession? As a business owner, you may have an exit strategy in place for your company, but do you have a plan to bridge the leadership gap for you and each member of your leadership team? Does the plan include the kind of crises listed above? What would you do if your next-in-line left suddenly? 

Whether yours is a family-owned business, a company of equity partners, or a private company with a governing body, here are things to consider when you’re faced with a situation where your CEO has abruptly departed or has decided to step down.  

1. Get a plan in place. First, assess the situation and figure out your priorities. If there is already a plan for these types of circumstances, evaluate how much of it is applicable to this particular circumstance. For example, if the plan is for the stepping down or announced retirement of your CEO, but some other catastrophic event occurs, you may need to adjust key components and focus on immediate messaging rather than future positioning. If there is no plan, assign a small team to create one immediately. 

Make sure management, team leaders, and employees are aware and informed of your progress; this will help keep you organized and streamline communications. Management needs to take the lead and select a point person to document the process. Management also needs to take the lead in demeanor. Model your actions so employees can see the situation is being handled with care. Once a strategy is identified based on your priorities, draft a plan that includes what happens now, in the immediate future, and beyond. Include timetables so people know when decisions will be made.  

2. Communicate clearly, and often. In times of uncertainty, your employees will need as much specific information as you can give them. Knowing when they will hear from you, even if it is “we have nothing new to report” builds trust and keeps them vested and involved. By letting them know what your plan is, when they’ll receive another update, what to tell clients, and even what specifics you can give them (e.g., who will take over which CEO responsibility and for how long), you make them feel that they are important stakeholders, and not just bystanders. Stakeholders are more likely to be strong supporters during and after any transition that needs to take place. 

3. Pull in professional help. Depending on your resources, we recommend bringing in a professional to help you handle the situation at hand. At the very least, call in an objective opinion. You’ll need someone who can help you make decisions when emotions are running high. Bringing someone on board that can help you decipher what you have to work with and what your legal and other obligations may be, help rally your team, deal with the media, and manage emotions can be invaluable during a challenging time. Even if it’s temporary. 

4. Develop a timeline. Figure out how much time you have for the transition. For example, if your CEO is ill and will be stepping down in six months, you have time to update any existing exit strategy or succession plan you have in place. Things to include in the timeline: 

• Who is taking over what responsibilities? 
• How and what will be communicated to your company and stakeholders? 
• How and what will be communicated to the market? 
• How will you bring in the CEO's replacement, while helping the current CEO transition out of the organization? 

If you are in a crisis situation (e.g., your CEO has been suddenly forced out or asked to leave without a public explanation), you won’t have the luxury of time.  

Find out what other arrangements have been made in the past and update them as needed. Work with your PR firm to help with your change management and do the right things for all involved to salvage the company’s reputation. When handled correctly, crises don’t have to have a lasting negative impact on your business.   

5. Manage change effectively. When you’re under the gun to quickly make significant changes at the top, you need to understand how the changes may affect various parts of your company. While instinct may tell you to focus externally, don’t neglect your employees. Be as transparent as you possibly can be, present an action plan, ask for support, and get them involved in keeping the environment positive. Whether you bring in professionals or not, make sure you allow for questions, feedback, and even discord if challenging information is being revealed.  

6. Handle the media. Crisis rule #1 is making it clear who can, and who cannot, speak to the media. Assign a point person for all external inquiries and instruct employees to refer all reporter requests for comment to that point person. You absolutely do not want employees leaking sensitive information to the media. 
 
With your employees on board with the change management action plan, you can now focus on external communications and how you will present what is happening to the media. This is not completely under your control. Technology and social media changed the game in terms of speed and access to information to the public and transparency when it comes to corporate leadership. Present a message to the media quickly that coincides with your values as a company. If you are dealing with a scandal where public trust is involved and your CEO is stepping down, handling this effectively will take tact and most likely a team of professionals to help. 

Exit strategies are planning tools. Uncontrollable events occur and we don’t always get to follow our plan as we would have liked. Your organization can still be prepared and know what to do in an emergency situation or sudden crisis.  Executives move out of their roles every day, but how companies respond to these changes is reflective of the strategy in place to handle unexpected situations. Be as prepared as possible. Own your challenges. Stay accountable. 

BerryDunn can help whether you need extra assistance in your office during peak times or interim leadership support during periods of transition. We offer the expertise of a fully staffed accounting department for short-term assignments or long-term engagements―so you can focus on your business. Meet our interim assistance experts.

More and more emphasis is being put on cybersecurity by companies of all sizes. Whether it’s the news headlines of notable IT incidents, greater emphasis on the value of data, or the monetization of certain types of attacks, an increasing amount of energy and money is going towards security. Security has the attention of leadership and the board and it is not going away. One of the biggest risks to and vulnerabilities of any organization’s security continues to be its people. Innovative approaches and new technology can reduce risk but they still don’t prevent the damage that can be inflicted by an employee simply opening an attachment or following a link. This is more likely to happen than you may think.

Technology also doesn’t prepare a management team for how to handle the IT response, communication effort, and workforce management required during and after an event. Technology doesn’t lessen the operational impact that your organization will feel when, not if, you experience an event.

So let’s examine the human and operational side of cybersecurity. Below are three factors you should address to reduce risk and prepare your organization for an event:

1. People: Create and maintain a vigilant workforce
   Ask yourself, “How prepared is our workforce when it comes to security threats and protecting our data? How likely would it be for one of our team members to click on a link or open an attachment that appear to be from our CFO? Would our team members look closely enough at the email address and notice that the organization name is different by one letter?”
    

   According to the 2016 Verizon Data Breach Report, 30% of phishing messages were opened by the target across all campaigns and 12% went on to click on the attachment or link.

   Phishing email attacks directed at your company through your team range from very obvious to extremely believable. Some attempts are sent widely and are looking for just one person to click, while others are extremely targeted and deliberate. In either case, it is vital that each employee takes enough time to realize that the email request is unusual. Perhaps there are strange typos in the request or it is odd the CFO is emailing while on vacation. That moment your employees take to pause and decide whether to click on the link/attachment could mean the difference between experiencing an event or not.
   
   So how do you create and cultivate this type of thought process in your workforce? Lots of education and awareness efforts. This goes beyond just an annual in-service training on HIPAA. It may include education sessions, emails with tips and tricks, posters describing the risk, and also exercises to test your workforce against phishing and security exploits. It also takes leadership embracing security as a strategic imperative and leading the organization to take it seriously. Once you have these efforts in place, you can create culture change to build and maintain an environment where an employee is not embarrassed to check with the CFO’s office to see if they really did send an email from Bora Bora.

2. Plan: Implement a disaster recovery and incident response plan 
   Through the years, disaster recovery plans have been the usual response. Mostly, the emphasis has been on recovering data after a non-security IT event, often discussed in context of a fire, power loss, or hardware failure. Increasingly, cyber-attacks are creeping into the forefront of planning efforts. The challenge with cyber-events is that they are murkier to understand – and harder for leadership – to assist with.
   
   It’s easier to understand the concept of a fire destroying your server room and the plan entailing acquiring new equipment, recovering data from backup, restoring operations, having good downtime procedures, and communicating the restoration efforts along the way. What is much more challenging is if the event begins with a suspicion by employees, customers, or vendors who believe their data has been stolen without any conclusive information that your company is the originating point of the data loss. How do you take action if you know very little about the situation? What do you communicate if you are not sure what to say? It is this level of uncertainty that makes it so difficult. Do you have a plan in place for how to respond to an incident? Here are some questions to consider:
    
   1. How will we communicate internally with our staff about the incident?
   2. How will we communicate with our clients? Our patients? Our community?
   3. When should we call our insurance company? Our attorney?
   4. Is reception prepared to describe what is going on if someone visits our office?
   5. Do we have the technical expertise to diagnose the issue?
   6. Do we have set protocols in place for when to bring our systems off-line and are our downtime procedures ready to use?
   7. When the press gets wind of the situation, who will communicate with them and what will we share?
   8. If our telephone system and network is taken offline, how we will we communicate with our leadership team and workforce?

By starting to ask these questions, you can ascertain how ready you may, or may not be, for a cyber-attack when it comes.

3. Practice: Prepare your team with table top exercises  
   Given the complexity and diversity of the threats people are encountering today, no single written plan can account for all of the possible combinations of cyber-attacks. A plan can give guidance, set communication protocols, and structure your approach to your response. But by conducting exercises against hypothetical situations, you can test your plan, identify weaknesses in the plan, and also provide your leadership team with insight and experience – before it counts.
   
   A table top exercise entails one team member (perhaps from IT or from an outside firm) coming up with a hypothetical situation and a series of facts and clues about the situation that are given to your leadership team over time. Your team then implements the existing plans to respond to the incident and make decisions. There are no right or wrong answers in this scenario. Rather, the goal is to practice the decision-making and response process to determine where improvements are needed.
   
   Maybe you run an exercise and realize that you have not communicated to your staff that no mention of the event should be shared by employees on social media. Maybe the exercise makes you realize that the network administrator who is on vacation at the time is the only one who knows how to log onto the firewall. You might identify specific gaps that are lacking in your cybersecurity coverage. There is much to learn that can help you prepare for the real thing.

As you know, there are many different threats and risks facing organizations. Some are from inside an organization while others come from outside. Simply throwing additional technology at the problem will not sufficiently address the risks. While your people continue to be one of the biggest threats, they can also be one of your biggest assets, in both preventing issues from occurring and then responding quickly and appropriately when they do. Remember focus on your People, Your Plan, and Your Practice.

With the rise of artificial intelligence, most malware programs are starting to think together. Fortinet recently released a report that highlights some terms we need to start paying attention to:

Bot
A “bot” is an automated program that, in this case, runs against IP addresses to find specific vulnerabilities and exploit them. Once it finds the vulnerability, it has the ability to insert malware such as ransomware or Trojans (a type of malware disguised as legitimate software) into the vulnerable device. These programs adapt to what they find in order to infect a system and then make themselves invisible.

Swarmbot
Now, think about thousands of different bots, attacking one target at the same time. That’s a swarm, or in the latest lingo, a swarmbot. Imagine a swarmbot attacking any available access into your network. This is a bot on steroids.

Hivenet
A “hivenet” is a self-learning cluster of compromised devices that share information and customize attacks. Hivenets direct swarmbots based on what they learn during an attack. They represent a significant advance in malware development, and are now considered by some to be a kind of artificial intelligence. The danger lies is in a hivenet’s ability to think during an attack.

Where do they run? Everywhere.
Bots and hives can run on any compromised internet-connected devices. This includes webcams, baby cams, DVRs, home routers, refrigerators, drones, “smart” TVs, and, very, very soon, (if not already) mobile phones and tablets. Anything that has an IP address and is not secured is vulnerable.

With some 2.9 billion botnet communications per quarter that we know of, attacks aren’t just theory anymore — they’re inevitable.

Organizations have heating and cooling systems, physical security systems, security cameras and multiple types of devices now accessible from the internet. Even community water, electric and telecommunications systems are vulnerable to attack — if they are accessible.

What can you do? Take care of your business—at home and at work.
At home, how many devices do you own with an IP address? In the era of smart homes, it can add up quickly. Vendors are fast to jump on the “connect from anywhere” bandwagon, but not so fast to secure their devices. How many offered updates to the device’s software in the last year? How would you know? Do any of the products address communications security? If the answer is “none,” you are at risk.

When assessing security at work, all organizations need to consider smart devices and industrial control systems that are Internet accessible, including phone systems, web conferencing devices, heating and cooling systems, fire systems, even elevators. What has an IP address? Vulnerable areas have expanded exponentially in the name of convenience and cost saving. Those devices may turn out to be far more expensive than their original price tag — remember the Target data breach? A firewall will not be sufficient protection if a compromised vendor has access.

Evaluate the Risks of Internet Accessibility
It may be great if you can see who is ringing your doorbell at home from your office, but only if you are sure you are the only one who can do that. Right now, my home is very “stupid,” and I like it that way. I worry about my wireless garage door opener, but at least someone has to be at my house to compromise it. My home firewall is commercial grade because most small office/home office routers are abysmally insecure, and are easily hacked. Good security costs money.

It may be more convenient for third-party vendors to access your internal equipment from their offices, but how secure are their offices? (There is really no way to know, except by sending someone like me in). Is your organization monitoring outgoing traffic from your network through your firewall? That’s how you discover a compromised device. Someone needs to pay attention to that traffic. You may not host valuable information, but if you have 300 unsecured devices, you can easily become part of a swarm.

Be Part of the Solution
Each one of us needs to eliminate or upgrade the devices that can become bots. At home, check your devices and install better security, in the same way you would upgrade locks on doors and windows to deter burglars. Turn off your computers when they are not in use. Ensure your anti-virus software is current on every device that has an operating system. Being small is no longer safe. Every device will matter.

It may be hard to believe some seasons, but every professional sports team currently has the necessary resources — talent, plays, and equipment — to win. The challenge is to identify and leverage them for maximum benefit. And every organization has the necessary resources to improve its cybersecurity. Chapter 3 in BerryDunn’s Cybersecurity Playbook for Management looks at how managers can best identify and leverage these resources, known collectively as internal capacity.

The previous two chapters focused on using maturity models to improve an organization’s cybersecurity. The next two are about capacity. What is the difference, and connection, between maturity and capacity, and why is it important? 
RG: Maturity refers to the “as is” state of an organization’s cybersecurity program compared to its desired “to be” state. Capacity refers to the resources an organization can use to reach the “to be” state. There are two categories of capacity: external and internal. External capacity refers to outside resources — people, processes, and tools — you can hire or purchase to improve maturity. (We’ll discuss external capacity more in our next installment.) Internal capacity refers to in-house people, processes, and tools you can leverage to improve maturity. 

Managers often have an unclear picture of how to use resources to improve cybersecurity. This is mainly because of the many demands found in today's business environments. I recommend managers conduct internal capacity planning. In other words, they need to assess the internal capacity needed to increase cybersecurity maturity. Internal capacity planning can answer three important questions:

1. What are the capabilities of our people?
2. What processes do we need to improve?
3. What tools do we have that can help improve processes and strengthen staff capability?

What does the internal capacity planning process look like?
RG: Internal capacity planning is pretty easy to conduct, but there’s no standard model. It’s not a noun, like a formal report. It’s a verb — an act of reflection. It’s a subjective assessment of your team members’ abilities and their capacity to perform a set of required tasks to mature the cybersecurity program. These are not easy questions to ask, and the answers can be equally difficult to obtain. This is why you should be honest in your assessment and urge your people to be honest with themselves as well. Without this candor, your organization will spin its wheels reaching its desired “to be” state.

Let’s start with the “people” part of internal capacity. How can managers assess staff?RG: It’s all about communication. Talk to your staff, listen to them, and get a sense of who has the ability and desire for improving cybersecurity maturity in certain subject areas or domains, like Risk Management or Event and Incident Response. If you work at a small organization,  start by talking to your IT manager or director. This person may not have a lot of cybersecurity experience, but he or she will have a lot of operational risk experience. IT managers and directors tend to gravitate toward security because it’s a part of their overall responsibilities. It also ensures they have a voice in the maturing process.

In the end, you need to match staff expertise and skillsets to the maturity subject areas or domains you want to improve. While an effective manager already has a sense of staff expertise and skillsets, you can add a SWOT analysis to clarify staff strengths, weaknesses, opportunities, and threats.

The good news: In my experience, most organizations have staff who will take to new maturity tasks pretty quickly, so you don’t need to hire a bunch of new people.

What’s the best way to assess processes?
RG: Again, it’s all about communication. Talk to the people currently performing the processes, listen to them, and confirm they are giving you honest feedback. You can have all the talent in the world, and all the tools in the world — but if your processes are terrible, your talent and tools won’t connect. I’ve seen organizations with millions of dollars’ worth of tools without the right people to use the tools, and vice versa. In both situations, processes suffer. They are the connective tissue between people and tools. And keep in mind, even if your current ones are good, most  tend to grow stale. Once you assess, you probably need to develop some new processes or improve the ones in place.

How should managers and staff develop new processes?
RG: Developing new ones can be difficult — we’re talking change, right? As a manager, you have to make sure the staff tasked with developing them are savvy enough to make sure the processes improve your organization’s maturity. Just developing a new one, with little or no connection to maturity, is a waste of time and money. Just because measuring maturity is iterative, doesn’t mean your approach to maturing cybersecurity has to be. You need to take a holistic approach across a wide range of cybersecurity domains or subject areas. Avoid any quick, one-and-done processes. New ones should be functional, repeatable, and sustainable; if not, you’ll overburden your team. And remember, it takes time to develop new ones. If you have an IT staff that’s already struggling to keep up with their operational responsibilities, and you ask them to develop a new process, you’re going to get a lot of pushback. You and the IT staff may need to get creative — or look toward outside resources, which we’ll discuss in chapter 4.

What’s the best way to assess tools?
RG: Many organizations buy many tools, rarely maximize their potential. And on occasion, organizations buy tools but never install them. The best way to assess tools is to select staff to first measure the organization’s inventory of tools, and then analyze them to see how they can help improve maturity for a certain domain or subject area. Ask questions: Are we really getting the maximum outputs those tools offer? Are they being used as intended?

I’ll give you an example. There’s a company called SolarWinds that creates excellent IT management tools. I have found many organizations use SolarWinds tools in very specific, but narrow, ways. If your organization has SolarWinds tools, I suggest reaching out to your IT staff to see if the organization is leveraging the tools to the greatest extent possible. SolarWinds can do so much that many organizations rarely leverage all its valuable feature.

What are some pitfalls to avoid when conducting internal capacity planning?
RG: Don’t assign maturity tasks to people who have been with the organization for a really long time and are very set in their ways, because they may be reluctant to change. As improving maturity is a disruptive process, you want to assign tasks to staff eager to implement change. If you are delegating the supervision of the maturity project, don’t delegate it to a technology-oriented person. Instead, use a business-oriented person. This person doesn’t need to know a lot about cybersecurity — but they need to know, from a business perspective, why you need to implement the changes. Otherwise, your changes will be more technical in nature than strategic. Finally, don’t delegate the project to someone who is already fully engaged on other projects. You want to make sure this person has time to supervise the project.

Is there ever a danger of receiving incorrect information about resource capacity?
RG: Yes, but you’ll know really quickly if a certain resource doesn’t help improve your maturity. It will be obvious, especially when you run the maturity model again. Additionally, there is a danger of staff advocating for the purchase of expensive tools your organization may not really need to manage the maturity process. Managers should insist that staff strongly and clearly make the case for such tools, illustrating how they will close specific maturity gaps.

When purchasing tools a good rule of thumb is: are you going to get three times the return on investment? Will it decrease cost or time by three times, or quantifiably reduce risk by three times? This ties in to the larger idea that cybersecurity is ultimately a function of business, not a function of IT. It also conveniently ties in with external capacity, the topic for chapter four.

Read our next cybersecurity playbook article, External capacity: Cybersecurity playbook for management #4, here.

For professional baseball players who get paid millions to swing a bat, going through a slump is daunting. The mere thought of a slump conjures up frustration, anxiety and humiliation, and in extreme cases, the possibility of job loss.

The concept of a slump transcends sports. Just glance at the recent headlines about Yahoo, Equifax, Deloitte, and the Democratic National Committee. Data breaches occur on a regular basis. Like a baseball team experiencing a downswing, these organizations need to make adjustments, tough decisions, and major changes. Most importantly, they need to realize that cybersecurity is no longer the exclusive domain of Chief Information Security Officers and IT departments. Cybersecurity is the responsibility of all employees and managers: it takes a team.

When a cybersecurity breach occurs, people tend to focus on what goes wrong at the technical level. They often fail to see that cybersecurity begins at the strategic level. With this in mind, I am writing a blog series to outline the activities managers need to take to properly oversee cybersecurity, and remind readers that good cybersecurity takes a top-down approach. Consider the series a cybersecurity playbook for management. This Q&A blog — chapter 1 — highlights a basic concept of maturity modeling.

Let’s start with the basics. What exactly is a maturity model?
RG: A maturity model is a framework that assesses certain elements in an organization, and provides direction to improve these elements. There are project management, quality management, and cybersecurity maturity models.

Cybersecurity maturity modeling is used to set a cybersecurity target for management. It’s like creating and following an individual development program. It provides definitive steps to take to reach a maturity level that you’re comfortable with — both from a staffing perspective, and from a financial perspective. It’s a logical road map to make a business or organization more secure.

What are some well-known maturity models that agencies and companies use?
RG: One of the first, and most popular is the Program Review for Information Security Management Assistance (PRISMA), still in use today. Another is the Capability Maturity Model Integration (CMMI) model, which focuses on technology. Then there are some commercial maturity models, such as the Gartner Maturity Model, that organizations can pay to use.

The model I prefer is the Cybersecurity Capability Maturity Model (C2M2), developed by the U.S. Department of Energy. I like C2M2 because it directly maps to the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) compliance, which is a prominent industry standard. C2M2 is easily understandable and digestible, it scales to the size of the organization, and it is constantly updated to reflect the most recent U.S. government standards. So, it’s relevant to today’s operational environment.

Communication is one of C2M2’s strengths. Because there is a mechanism in the model requiring management to engage and support the technical staff, it facilitates communication and feedback at not just the operational level, but at the tactical level, and more significantly, the management level, where well-designed security programs start.

What’s the difference between processed-based and capability-based models?
RG: Processed-based models focus on performance or technical aspects — for example, how mature are processes for access controls? Capability-based models focus on management aspects — is management adequately training people to manage access controls?

C2M2 combines the two approaches. It provides practical steps your organization can take, both operationally and strategically. Not only does it provide the technical team with direction on what to do on a daily basis to help ensure cybersecurity, it also provides management with direction to help ensure that strategic goals are achieved.

Looking at the bigger picture, what does an organization look like from a managerial point of view?
RG: First, a mature organization communicates effectively. Management knows what is going on in their environment.

Most of them have very competent staff. However, staff members don’t always coordinate with others. I once did some security work for a company that had an insider threat. The insider threat was detected and dismissed from the company, but management didn’t know the details of why or how the situation occurred. Had there been an incident response plan in place (one of the dimensions C2M2 measures) — or even some degree of cybersecurity maturity in the company, they would’ve had clearly defined steps to take to handle the insider threat, and management would have been aware from an early stage. When management did find out about the insider threat, it became a much bigger issue than it had to be, and wasted time and resources. At the same time, the insider threat exposed the company to a high degree of risk. Because upper management was unaware, they were unable to make a strategic decision on how to act or react to the threat.

That’s the beauty of C2M2. It takes into account the responsibilities of both technical staff and management, and has a built-in communication plan that enables the team to work proactively instead of reactively, and shares cybersecurity initiatives between both management and technical staff.

Second, management in a mature organization knows they can’t protect everything in the environment — but they have a keen awareness of what is really important. Maturity modeling forces management to look at operations and identify what is critical and what really needs to be protected. Once management knows what is important, they can better align resources to meet particular challenges.

Third, in a mature organization, management knows they have a vital role to play in supporting the staff who address the day-to-day operational and technical tasks that ultimately support the organization’s cybersecurity strategy.

What types of businesses, not-for-profits, and government agencies should practice maturity modeling?
RG: All of them. I’ve been in this industry a long time, and I always hear people say: “We’re too small; no one would take any interest in us.”

I conducted some work for a four-person firm that had been hired by the U.S. military. My company discovered that the firm had a breach and the four of them couldn’t believe it because they thought they were too small to be breached. It doesn’t matter what the size of your company is: if you have something someone finds very valuable, they’re going to try to steal it. Even very small companies should use cybersecurity models to reduce risk and help focus their limited resources on what is truly important. That’s maturity modeling: reducing risk by using approaches that make the most sense for your organization.

What’s management’s big takeaway?
RG: Cybersecurity maturity modeling aligns your assets with your funding and resources. One of the most difficult challenges for every organization is finding and retaining experienced security talent. Because maturity modeling outlines what expertise is needed where, it can help match the right talent to roles that meet the established goals.

So what’s next?
RG: In our next installment, we’ll analyze what a successful maturity modeling effort looks like. We’ll discuss the approach, what the outcome should be, and who should be involved in the process. We’ll discuss internal and external cybersecurity assessments, and incident response and recovery.

You can read our next chapter, Selecting and implementing a maturity model: Cybersecurity playbook for management #2, here.

When last we blogged about the Financial Accounting Standards Board’s (FASB) new “current expected credit losses” (CECL) model for estimating an allowance for loan and lease losses (ALLL), we reviewed the process for developing reasonable and supportable forecasts for use in establishing the ALLL. Once you develop those forecasts, how does that information translate into amounts to set aside for loan losses?

A portion of the ALLL will continue to be based on specifically identified loans you’re concerned about. For those loans, you will continue to establish a specific component of the ALLL based on your estimate of the loss ultimately expected on the loans.

The tricky part, of course, is estimating an ALLL for the other 99% of the loan portfolio. This is where the forecasts come in. The new rules do not prescribe a particular methodology, and banking regulators have indicated community banks will likely be able to continue with their current approach, adjusted to use appropriate inputs in a manner that complies with the CECL model. One of the biggest challenges is the expectation in CECL that the ALLL will be estimated using the institution’s historical information, to the extent available and relevant.

Following is just one of many ways  you can approach it. I’ve also included a link at the end of this article to an example illustrating this approach.

Step One: Historical Loss Factors

1. First, for a given subset of the loan portfolio (e.g., the residential loan pool), you might first break down the portfolio by the number of years remaining until expected payoff (via maturity or refinancing). This is important because, on average, a loan with seven years remaining until expected payoff will have a higher level of remaining lifetime losses than a loan with one year remaining. It therefore generally wouldn’t be appropriate to use the same loss factor for both loans.
    
2. Next, decide on a set of drivers that tend to correlate with loan losses over time. FASB has indicated it doesn’t expect highly mathematical correlation models will be necessary, especially for community banks. Instead, select factors in your bank’s experience indicative of future losses. These may include:
   • External factors, such as GDP growth, unemployment rates, and housing prices
   • Internal factors such as delinquency rates, classified asset ratios, and the percentage of loans in the portfolio for which certain policy exceptions (e.g., loan-to-value ratio or minimum credit score) were granted
      
3. Once you select this set of drivers, find an historical loss period — a period of years corresponding to the estimated remaining life of the portfolio in question — where the historical drivers best approximate those you’re expecting in the future, based on your forecasts. For that historical loss period, determine the lifetime remaining loss rates of the loans outstanding at the beginning of that period, broken down by the number of years remaining until payoff. (This may require significant data mining, especially if that historical loss period was quite a few years ago.
    
4. Apply those loss rates to the breakdown derived in (a) above, by years remaining until maturity.

   Step Two: Adjustments to Historical Loss Rates

   The CECL model requires we adjust historical loss factors for conditions that may not be adequately captured by the historical loss period analysis we’ve just described. Let’s say a particular geographical subset of your market area is significantly affected by the economic fortunes of a large employer in that area.  Based on economic trends or recent developments, you might expect that employer to have a particularly bright – or dim – future over the forecast period; accordingly, you forecast loans to borrowers in that area will have losses that differ significantly from the rest of the portfolio.

   The approach for these loans is the same as in the previous step. However:

   These loans would be segregated from the remainder of the portfolio, which would be subject to the general approach in step one. As you think through this approach, there are myriad variations and many decisions to make, such as:

   Our intent in describing this methodology is to help your CECL implementation team start the dialogue in terms of converting theoretical concepts in the CECL model to actual loans and historical experience.

   To facilitate that discussion, we’ve included a very simple example here that illustrates the steps described above. Analyzing an entire loan portfolio under the CECL model is an exponentially more complex process, but the concepts are the same — forecasting future conditions, and establishing an ALLL based on the bank’s (or, when necessary, peers’) lifetime loan loss experience under similar historical conditions.

   Given the amount of number crunching and analysis necessary, and the potentially significant increase in the ALLL that may result from a lifetime-of-loan loss model, it’s safe to say the time to start is now! If you have any questions about CECL implementation, please contact Tracy Harding or Rob Smalley.

   Other resources
   For more information on CECL, check out our other blogs:

   CECL: Where to Start
   CECL: Bank and Branch Acquisitions
   CECL: Reasonable and Supportable

   To sign up to receive notification of our next CECL update, click here.

   • In substep (c), you would focus on forecasted conditions (such as unemployment rate and changes in real estate values) in the geographical area in which the significant employer is located.
   • You would then select an historical loss period that had actual conditions for that area that best correspond to those you’ve just forecasted.
   • In substep (d), you would determine the lifetime remaining loss rates of loans outstanding at the beginning of that period.
   • In substep (e), you would apply those rates to loans in that geographic area.
   • How to break down the portfolio
   • Which conditions to analyze
   • How to analyze the conditions for correlation with historical loss periods
   • Which resulting loss factors to apply to which loans

Recently, federal banking regulators released an interagency financial institution letter on CECL, in the form of a Q&A. Read it here. While there weren’t a lot of new insights into expectations examiners may have upon adoption, here is what we gleaned, and what you need to know, from the letter.

ALLL Documentation: More is better

Your management will be required to develop reasonable and supportable forecasts to determine an appropriate estimate for their allowance for loan and lease losses (ALLL). Institutions have always worked under the rule that accounting estimates need to be supported by evidence. Everyone knows both examiners and auditors LOVE documentation, but how much is necessary to prove whether the new CECL estimate is reasonable and supportable? The best answer I can give you is “more”.

And regardless of the exact model institutions develop, there will be significantly more decision points required with CECL than with the incurred loss model. At each point, both your management and your auditors will need to ask, “Why this path vs. another?” Defining those decision points and developing a process for documenting the path taken while also exploring alternatives is essential to build a model that estimates losses under both the letter and the spirit of the new rules. This is especially true when developing forecasts. We know you are not fortune tellers. Neither are we.

The challenge will be to document the sources used for forecasts, making the connections between that information and its effect on your loss data as clear as possible, so the model bases the loss estimate on your institution’s historical experience under conditions similar to those you’re forecasting, to the extent possible.

Software may make this easier… or harder.               

The leading allowance software applications allow for virtually instantaneous switching between different models, permitting users to test various assumptions in a painless environment. These applications feature collection points that enable users to document the basis for their decisions that become part of the final ALLL package. Take care to try and ensure that the support collected matches the decisions made and assumptions used.

Whether you use software or not there is a common set of essential controls to help ensure your ALLL calculation is supported. They are:

• Documented review and recalculation of the ALLL estimate by a qualified individual(s) independent of the preparation of the calculation
• Control over reports and spreadsheets that include data that feed into the overall calculation
• Documentation supporting qualitative factors, including reasonableness of the resulting reserve amounts
• Controls over loan ratings if they are a factor in your model
• Controls over the timeliness of charge-offs

In the process of implementing the new CECL guidance it can be easy to focus all of your effort on the details of creating models, collecting data and getting to a reasonable number. Based on the regulators’ new Q&A document, you’ll also want to spend some time making sure the ALLL number is supportable.  

Next time, we’ll look at a lesser known section of the CECL guidance that could have a significantly negative impact on the size of the ALLL and capital as a result: off-balance-sheet credit exposures.

By now, pretty much everyone in the banking industry has heard plenty of talk about CECL – the forthcoming “Current Expected Credit Loss” model of accounting for an institution’s allowance for loan losses (ALL). While the previous “Incurred Loss” model has been problematic to implement conceptually, and most of us thought CECL would improve ALL accounting and make it more comparable to how banks account for other debt instruments, it’s beginning to feel a bit like the dog who caught the car – now that we have this model, how the heck do we implement it?

The good news: We have a number of years before CECL’s effective date, and thus have some time to better understand the new rules and how to adapt an institution’s ALL model to reflect them. The bad news – the banking regulators recently announced they want banks to get cracking on this, and will expect to see some progress when they visit during upcoming exams – maybe not immediately, but likely at some point during the 2017 exam cycle.

This is the third in a series of articles addressing various aspects of this complex pronouncement. We hope that they provide you with practical advice that can help you get started on the nuts and bolts of CECL implementation.

Our previous article offered pointers on building the CECL team, brainstorming the process, and starting the data gathering conversation. In this article, we look at how to implement CECL when acquiring another bank, one or more branches of another bank, or simply a loan portfolio, such as a group of auto or credit card loans.

First, let’s remember the basics

The basic premise of CECL is that lifetime expected losses are to be booked at origination (or, in the case of an acquisition, at the acquisition date). You’ve likely heard some gnashing of teeth over the fact that this means losses are recorded “on Day One”, which many of us have some degree of conceptual difficulty with: For example, a higher risk loan will likely carry a higher yield at origination, so booking a higher level of expected losses on Day One (through the ALL) and the offsetting higher yield over the loan term (through interest income) feels like a mismatch between income and expense.

The Financial Accounting Standards Board (FASB) was sympathetic to this point, and spent a lot of time pondering it. Its international equivalent, the International Accounting Standards Board (IASB), which establishes – you guessed it – international accounting standards, actually tackled this issue by precluding Day One losses, unless they were expected to materialize within one year of origination (Day 365 losses?).

This approach, however, has led to a fairly convoluted – and challenging – model, which is already drawing a fair amount of criticism in the international community. In the end, although they had hoped to have a “converged” standard that would result in the same approach for U.S. and international institutions, FASB and the IASB decided to part company and use different models.

The short answer? We have to accept the notion of Day One losses as the price to pay for a less convoluted (but still complex to implement) model. This becomes important to remember as we look at accounting for acquisitions.

Accounting for acquisitions

Whether you’re acquiring a pool of loans, a branch, or an entire institution, the basic accounting under CECL is the same, and it’s the same (with a twist) as the accounting for originated loans: an ALL should be established for the purchase price allocated to the loans, and that ALL should reflect management’s estimate of the lifetime losses in the acquired portfolio.

Before we get into the details of how to do this, let’s take a moment to celebrate. Prior to CECL, it was not permissible to establish an initial ALL for acquired loans. Many bankers – and investors – complained that this made it difficult to compare one bank to another on metrics such as ALL coverage ratios. If one bank had a strategy that included acquisitions, and another didn’t, their ALLs would likely be quite different even if their loan portfolios and estimated incurred losses were similar. Now, with the CECL model, these two banks’ financial statements are much easier to compare.

As noted above, an ALL should be established for these loans under CECL, using the same methodology you would use for originated loans. The twist relates to what to do with the other side of the entry. The solution:

• For loans with a more-than-insignificant amount of credit deterioration since origination, the offset is to add this amount to the amount originally recorded for the purchase price allocated to the loans.

• For the rest of the acquired portfolio, the offset is to loan loss expense. That’s right, your provision is increased by the amount of ALL recorded in the transaction, except as noted in the previous bullet.

Why is this so? FASB is apparently assuming that:

• Buyers adjust the purchase price for the first item above. These loans, which we used to call “purchased – credit impaired (PCI)”, and now will call “purchased – credit deteriorated (PCD)” under CECL, are the loans with hair on them. They probably got some extra scrutiny during due diligence, thus theoretically depressing the purchase price a bit. Therefore, the amount of the purchase price allocated to loans is a lower number, and offsetting the establishment of the ALL by adding that amount to the purchase price assigned to the loans properly “grosses up” the recorded loan balance.

• Buyers don’t adjust the purchase price for other loans. This is probably true, as the lifetime losses on loans that aren’t PCD are just the cost of doing business for financial institutions. Therefore, as it is with originated loans, a big Day One provision is booked at closing.

It should be noted that the extent to which the definition of PCD loans differs from the previous definition of PCI loans depends on your interpretation of the old PCI definition. It appears clear that the new definition of PCD loans refers to loans that have specific indicators of significant credit deterioration since origination.

Let’s look at an example:

A bank buys three branches from another bank, which have total loans with a principal balance of $20 million and a fair value of $20,100,000. The portfolio includes loans with a principal balance of $1 million, and a fair value of $910,000, that are PCD.

The buyer bank determines the ALL under CECL would be $100,000 for the PCD loans and $475,000 for the rest of the acquired portfolio. Thus, the buyer bank records an ALL of $575,000. What’s the offset? As noted above:

• For the PCD loans, the offsetting $100,000 will be added to the $910,000 of purchase price allocated to those loans. As a result, these loans will have a gross amount allocated of $910,000 plus $100,000, or $1,010,000, which will then be reduced by an ALL of $100,000 on the balance sheet, for a net reported amount of $910,000 (their fair value). The difference between the gross amount assigned ($1,010,000) and the principal balance ($1 million), or $10,000, represents an implied adjustment to reflect current market interest rates, and is therefore amortized over the expected loan term through interest income.

• For the rest, the offsetting $475,000 will be an increase to the provision for loan losses, and will thus reduce income.

The last number could be a big one for institutions that do large or frequent acquisitions; thus, their balance sheets may be more comparable to other banks, but their income statements in the year of acquisition won’t be! The good news – like other acquisition costs such as legal fees and conversion expenses, this amount will be separately disclosed, so a reader can adjust for it if they believe it’s appropriate to do so.

Next time, we’ll look at the nuts and bolts of CECL’s concept of “reasonable and supportable” by considering proper documentation and controls over the ALL.