

It’s not a short list: Financial institution ISO roles and responsibilities

Sep 28, 2020

Cybersecurity threats are constantly evolving, and financial institutions are a prime target. Protecting customer data and financial transactions is a critical responsibility.

Under Federal Financial Institutions Examination Council (FFIEC) guidance, all financial institutions should designate at least one information security officer responsible and accountable for implementing and monitoring the information security program.

The information security officer (ISO) plays an essential role in the organization — ultimately responsible for giving decision makers the information they need for oversight. To fill that role, the ISO should be highly visible, interacting directly with the board of directors, senior leadership, auditors and examiners, and business managers. 

To help financial institutions understand the evolving role of the ISO, we’ve put together six core responsibilities the ISO fulfills to reduce institutional risk:

1. Information security risk management

The ISO is responsible for overseeing the institution’s information and data security. This is a program management role that should function in partnership with both IT and business leadership. (Note: In order to maintain independent oversight, this role should not have direct reporting responsibility to IT.) 

Risk management should encompass reasonably foreseeable internal and external threats, all information assets (electronic, paper and people) and all business lines. Essentially, the ISO’s core job duties are to ensure the organization is doing what it needs to do in order to:

  • Identify threats
  • Assess vulnerability 
  • Determine risk 
  • Implement control strategies (to reduce risk) 
  • Monitor and review

While all functions are essential, monitoring and review is sometimes overlooked. It’s not enough to plan and document controls. The organization needs to know those controls are working. While testing may fall to technology managers and outside vendors, the ISO needs to verify testing is indeed happening and needs to review test results.

2. Board reporting

The ISO must provide a security update to the board at least once a year. This is an up-down-up communication role in which the board communicates its tolerance for risk and the ISO communicates risk status and vulnerabilities. 

Part of the ISO’s role here is helping the board understand their cybersecurity responsibilities and making sure they have the knowledge to execute their duties. ISOs with strong communication skills will help leadership understand the importance of cybersecurity and influence leaders to allocate resources accordingly. 

3. Internal user training

Team training helps internal users understand their role in information security. Training helps users learn to identify phishing and social engineering attacks, helping limit internal human vulnerabilities. We recommend ISOs coordinate user training or communication at least once a quarter. 

4. Incident response planning and testing

Incident response plans outline how the organization will respond to a breach. Plans should define an incident response team, including a call tree with cyber experts from law enforcement and forensics. Plans should also provide guidance on handling evidence, containing incidents and bringing compromised systems back online. 

Too often, organizations put a generic plan in place and hope they never have to use it. Unfortunately, these plans rarely hold up in the heat of the moment. If you have to invoke the incident response plan, time is of the essence. We recommend organizations identify the most likely risks and perform regular tabletop exercises to prepare for these potential threats.  

5. Vendor management — cyber resilience

The ISO oversees vendor cyber resilience. Vendors must be able to demonstrate that they follow regulatory guidance, have business continuity and incident response plans in place and that they test their controls. 

To effectively fill this role, the ISO should be included in all new vendor due diligence while the organization is still in the selection process. This ensures that new vendors can meet information security requirements before contracts or service agreements are signed. 

6. Regulatory requirements and audit/exam preparation

The ISO must understand regulatory expectations set out under the Gramm-Leach-Bliley Act (GLBA) and the FFIEC. While compliance duties can be met with the assistance of outside advisors, the ISO should have sufficient knowledge and familiarity to actively participate in information security oversight. 

Information security is everyone’s responsibility. An ISO is highly dependent on everyone above them and below them (e.g., board of directors, senior management, all team members/employees) to make sure the financial institution successfully protects its information.

When done effectively, the ISO does more than manage regulatory compliance. They help ensure that cybersecurity is truly a central part of organizational culture, keeping stakeholders at all levels informed and vigilant.  

ISO support

While all financial institutions must have a designated ISO, outside advisors can help support this position with task management, independent testing, board presentations, user training and more. 

Wipfli’s financial institution cybersecurity advisors can coach internal ISOs, helping the organization meet regulatory requirements, improving consistency and enhancing overall security. 

Talk to your relationship advisor about Wipfli cybersecurity advisory.


Mike Morris, CISA
Senior Manager