What community bank CEOs and boards need to know about cyber-risk management
It's easy to think of cybersecurity as the domain of the information technology department or information security officer. They know the buzz words. They have the technical expertise. But they don't have the ultimate responsibility.
While IT departments and officers have a large role to play, U.S. Treasury Secretary Jack Lew, and a slew of regulators, is making it clear that responsibility for a bank's cybersecurity rests with senior management and the board.
"If you are the leader of a business, you should know how strong your company's defenses are, you should know if there are response plans in place in case a significant security breach occurs, and you should be getting regular reports on cybersecurity threats and what your company is doing to respond to those threats," Lew said in a speech.
Passively managing information security isn't an option for today's community bank executives. The board and management can't just review bullet points in a report or outsource responsibility. Regulators are looking to see greater CEO and board involvement with an eye toward managing risk, including information sharing, incident response plans and third-party risk. "The Federal Financial Institutions Examination Council is really emphasizing risk assessments," says Cary Whaley, ICBA's vice president, payments and technology policy. "Here is a cyberthreat. What does it mean to the bank and how are you mitigating it? The regulators are emphasizing that this needs to be a corner office/board issue."
Despite this focus, "there's not a lot of guidance on it," says Gary Owen, principal with Promontory Financial Group LLC, a financial services consulting firm based in Washington, D.C. He instead suggests boards manage cybersecurity risk the same way they'd take on enterprise or operations risk. "The board more and more should be held accountable for it if...