Technology Risk Management in the Banking Sector
Introduction
By 2025, bank risk management procedures will most likely need to be substantially altered from their current state, with a focus on technology risk management in particular. Even though it can be hard to accept, risk management might evolve more in the next ten years than it did in the preceding ten.
Banks should act now and prepare for these longer-term trends; otherwise they run the risk of being overwhelmed by the additional obligations and demands they will face.
Cyberattacks have made technology risk management more difficult. Most institutions have already made defense against these assaults a top priority as a key strategic goal because of their potentially disastrous consequences.
This is due in part to the fact that banks rely so heavily on data, software, systems, and information technology (IT), but it’s also because these attacks jeopardize sensitive customer information as well as the banks’ ability to operate.
Given the present geopolitical environment and its predicted future, we believe cybersecurity will only become more important and need an even larger deployment of resources at the individual institution level as well as a greater degree of cross-industry and industry-government collaboration.
Risk functions (technology risk management) will require new methods and skills to manage and track these emerging risks.
IT-data infrastructure in technology risk management
Although there are many configurations for supporting IT infrastructure and data, the most recent developments tend to favor “two-speed architectures” and data lakes. A two-speed architecture separates the bank’s IT architecture into a flexible, agile front-end that serves customers and a slower, more dependable back end (such as the bank’s core IT systems, which are frequently outdated systems).
All sorts of data, both structured and unstructured, internal and external, are collected and stored in a data lake. No specific guidelines must be followed while entering data into the bank (as would be required of data entering an enterprise data warehouse).
Instead, when the data is extracted from the lake, the users themselves set the rules. The data lake offers banks a breakthrough that enables them to exploit their data for numerous purposes, ranging from marketing to risk financing, by combining this flexibility with Google-like search capabilities.
Banks can employ big data tools for complicated data exploration and analysis because of the system’s flexibility and range of capabilities. It is anticipated that large expenses will be needed to achieve the target condition, particularly in terms of systems and infrastructure.
The cost pressures discussed above would make this task a nontrivial issue, even though staying ahead of the competition is likely to make such investments crucial. Because they can’t or won’t make these investments, certain banks will fall behind.
Banks operate in a dynamic environment characterized by increasing consumer demands, a changing economic climate, a broader breadth and greater severity of industry regulation, and the need to leverage technological innovation while remaining alert to shifting IT threats.
Additionally, the banking industry must maximize shareholder value while maintaining the financial stability of the global economy through fairer business practices and greater transparency.
Because IT underpins the business functions that banks provide, supervisors and regulators have continued to suggest ways to improve international banking practices, including governance and guidance for IT risk management.
Numerous clients of one of the biggest banks in Pakistan claimed to have lost money as a result of unauthorized bill payments, internet purchases, and bank transfers. The bank staff explained to the upset customers that there were issues with their services and that the bank was working hard to fix them.
The following cyberattacks against Pakistani banks have been documented in reports that have appeared in Pakistani media.
A cyberattack on the National Bank of Pakistan (NBP)
According to a statement released by the National Bank of Pakistan (NBP) on Saturday, the bank’s services have been affected by a cyberattack but are expected to be restored by Monday as reported by the daily Dawn.
The statement read, “A cyberattack on the NBP’s systems was identified in the late hours of the 29th and early hours of the 30th of October 2021, which disrupted certain of its services.” It added that the affected systems were immediately isolated and that no customer or financial information had been exposed so far.
The bank stated that remediation activities were in progress and were being supported by industry-leading subject matter experts and, when necessary, worldwide resources.
“While the NBP’s customer services are now interrupted, we are working to rectify the breach and are optimistic that critical customer services will be restored by Monday morning,” the NBP said in its statement.
It said, “We appreciate our consumers’ patience throughout this unique scenario…” The State Bank of Pakistan (SBP) tweeted that an investigation was ongoing after NBP reported a cybersecurity incident.
The SBP stated that “NBP has not seen any data breach or financial loss,” noting that no other bank had made a similar report.
On November 1st, 2021, a different newspaper reported the very same story. On Monday, some false information about cyberattacks on banks was making the rounds, including some statements ascribed to SBP Chief Spokesman Abid Qamar. On Monday night, the central bank issued a statement on its official Twitter account saying, “According to these fake reports, 9 banks have been affected by the attack, and that money has been withdrawn and data were taken.” SBP rejects these rumors, it added.
On May 8, 2022, the News reported that just before Eid ul-Fitr, an online debit card scam targeted customers from three private banks. The victims complained to the FIA’s (Federal Investigation Agency) cybercrime division.
Hundreds of customers of one of Pakistan’s largest banks reported that they had lost money through unapproved bank transfers, bill payments, and online purchases. The bank staff informed the irate clients that their services were experiencing problems and that the bank was working hard to resolve the problems.
Customers also stated that their cards were disabled. So far, the affected banks and authorities have been unable to pinpoint the cause of the data breach. It could be a technical glitch or the result of online fraud.
The most likely explanation is debit card fraud through tampered (skimmed) ATMs. When a debit card is inserted into a compromised machine, the data on the card is copied, and the card’s PIN is captured with a key logger. The cloned card details are then used for internet-based transactions.
Samaa News published another story about cybercrime on July 13, 2022. According to an examination by Pakistan’s Computer Emergency Response Team, PakCERT, information from 19,864 cards belonging to clients of 22 Pakistani banks has been offered for sale on the dark web.
Midway through October, some Bank Islami customers received SMS messages alerting them to transactions (cash withdrawals) that they had not made. On October 27, Bank Islami suspended its international payment scheme after noticing irregular transactions totaling Rs. 2.6 million. Both the Bank Islami payment network and the global payment system it connects to were exposed by a well-planned cyberattack.
These transactions were carried out by hackers using bank-issued cards at foreign ATMs. Following this occurrence, the central bank gave orders to all commercial banks to safeguard the integrity of all national payment cards and keep an eye on card usage, particularly for transactions outside of the country.
The data of almost 20,000 debit cards were compromised, according to PakCERT’s investigation into the cyberattack; this may also account for the messages some of you have recently received from your banks informing you that your card has been blocked for international transactions for security reasons.
Boards’ risk-related responsibilities at financial services companies
The performance of a financial institution is based on the reliability and security of its technology. System outages can hinder a business and its clients. The company depends on precise and timely data. Institutions must make strategic decisions about which technologies to accept and which to shun in light of the rapidly evolving technological world.
Unauthorized transactions or processing mistakes may result from technologies with poor controls, especially in the absence of technology risk management. Regulators around the globe continue to focus not only on safety and soundness but also on compliance with country-specific laws and regulations for better technology risk management.
The same rules that apply to other risks apply to boards’ oversight of IT risk as well. The senior executive team, which includes the chief information officer (CIO), chief risk officer (CRO), and chief technology officer (CTO), as well as a large group of responsible managers from across the firm, are ultimately responsible for the efficient management and governance of IT risk.
Leaders in financial organizations must all be aware of IT risk and the tools at their disposal to ensure it is properly addressed. This paper outlines specific IT risks that boards of financial institutions should take into account and offers tactics they may use to effectively monitor them.
Technology risk management framework by the SBP
When technology usage and dependence are not adequately managed, they may aggravate technology risks as technology becomes an increasingly important component of the operations and business of financial institutions.
To keep up with the aggressive and widespread adoption of technology in the financial services industry and subsequently strengthen the existing regulatory framework for IT risk supervision, SBP developed the framework for “Information Technology Governance & Risk Management in Financial Institutions” with a vision to provide baseline technology governance and technology risk management principles to the financial institutions.
The COBIT framework is the main inspiration for the framework. The complete enterprise risk management program for financial institutions must be integrated with this framework. SBP anticipates that financial institutions will be equipped with the knowledge and abilities required to comprehend and successfully manage technology risks. These institutions must use an integrated risk management strategy to recognize, quantify, track, and manage risks.
Responsibilities of the Board of Directors
- Approve the overall enterprise IT strategy and an IT governance framework.
- Ensure that effective IT risk management and internal control functions are in place.
- Approve all IT management and information/cyber security policies.
- Oversee a safe, sound, controlled and efficient IT operating environment.
- Review, approve and monitor IT projects.
- Ensure maintenance of an independent and effective IS audit function.
- Review and approve IT-related policies, including disaster recovery and business continuity plans.
- Ensure that resource gaps (people, process and technology) identified by management are adequately and promptly filled.
Responsibilities of Senior Management
- Implement the IT strategy approved by the BOD.
- Establish an efficient and effective IT organization structure.
- Approve, and ensure implementation of, IT risk management and internal control functions to achieve security, reliability, resilience and recoverability.
- Implement BOD-approved IT management and information security policies.
- Ensure that the FI’s risk management policy incorporates IT-related risks.
- Monitor implementation of the IT governance programs.
- Ensure that risk management strategies are designed and implemented to achieve resilience, including the ability to respond effectively to wide-scale disruptions such as cyber-attacks and attacks on multiple critical infrastructure sectors.
- Periodically inform the BOD of the latest developments in the cyber security action plan and its implementation status, and report periodically on major threats and attacks faced by the institution and their impact on its operations.
- Ensure that documented standard operating procedures are in place and are followed in letter and spirit in all areas of IT operations.
- Ensure that the FI’s physical infrastructure is adequate to accomplish the organization’s strategic plans.
- Ensure capacity building of personnel to achieve the desired service delivery and operational excellence.
- Select IT solutions that meet strategic requirements with minimum resources.
- Ensure that IT projects support business objectives and that adequate resources are available to complete them.
- Ensure that risks related to IT projects are appropriately managed.
- Ensure that an effective monitoring mechanism is in place to evaluate the design of IT projects and to oversee the related operations and activities.
- Monitor implementation of the outsourcing process to identify, measure, monitor and control the risks associated with IT-related outsourcing arrangements.
- Develop, conduct, document and maintain the BCP and its testing program.
- Identify resource gaps (people, process and technology) and take adequate steps to fill them.
Risk Management Process & Risk Identification
FI(s) shall determine threats and vulnerabilities to its IT environment, which comprises the internal and external networks, hardware, software, applications, databases, systems interfaces, operations, data centers, and human elements.
FIs shall execute quarterly software vulnerability identification operations across the entire institution covering all IT systems and supporting infrastructure assets (Networks, PCs, Laptops, servers, operating systems, software, applications, and databases). On the basis of threats and vulnerabilities, the FI(s) shall formulate a list of all risks that may create severe harm and disruption to the operations of FI(s).
After risk identification, the FI(s) shall perform an analysis and quantification of the potential impact and consequences of identified and unidentified vulnerabilities and associated risks on the overall business and operations. FI(s) shall develop a threat and vulnerability matrix to assess the impact of the threat on its IT environment, which will also assist the FI(s) in prioritizing IT risks.
FI(s) shall develop and implement risk mitigation and control strategies that are consistent with the value of the information system assets and the level of risk tolerance. FI(s) shall give priority to threat and vulnerability pairings with a high risk ranking, which can cause significant harm or impact the FI’s operations.
FI(s) shall assess its risk tolerance for damages and losses in the event that a given risk-related event materializes. When deciding on the adoption of alternative controls and security measures, the FI(s) shall also keep in view the costs and effectiveness of the controls with regard to the risks being mitigated. FI(s) shall refrain from implementing and running a system where the threats to the safety and soundness of the IT system cannot be adequately controlled. As a risk-mitigating measure, the FI(s) may consider taking insurance cover for various insurable risks, including recovery and restoration costs.
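The risk identification, threat-and-vulnerability matrix, prioritization and control-selection steps above can be modelled as a small risk register. The following is an added worked example, not code from the SBP framework or from this article: the five-point likelihood and impact scales, the rating thresholds, the sample assets, the candidate controls and their costs and reduction estimates are all constructed assumptions chosen to illustrate the process. Risk score is likelihood times impact; a control set is accepted only if it brings the residual score within the institution’s tolerance at an affordable cost, and a system with no such control set is the one the framework says the FI should refrain from running.

```python
"""Worked example of a threat/vulnerability risk register.

Added illustration, not code from the SBP framework or the article. Every
asset, threat, score, cost and threshold below is a constructed sample value;
an institution would calibrate them to its own environment and risk appetite.
"""
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, List, Optional, Sequence, Tuple

# Five-point ordinal scales (assumed); risk score = likelihood x impact.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass(frozen=True)
class Risk:
    """One threat/vulnerability pairing against a named IT asset."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str

    def score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


@dataclass(frozen=True)
class Control:
    """A candidate mitigation: its annual cost and how many steps it moves
    likelihood and impact down their scales (constructed estimates)."""
    name: str
    annual_cost: int
    likelihood_reduction: int = 0
    impact_reduction: int = 0


def rating(score: int) -> str:
    """Map a 1..25 score to a rank band (band thresholds are an assumption)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def rank_risks(risks: Sequence[Risk]) -> List[Risk]:
    """Highest-scoring pairings first: these are treated first."""
    return sorted(risks, key=lambda r: r.score(), reverse=True)


def threat_vulnerability_matrix(risks: Sequence[Risk]) -> Dict[str, Dict[str, int]]:
    """threat -> vulnerability -> score: the matrix used to prioritize IT risks."""
    matrix: Dict[str, Dict[str, int]] = {}
    for r in risks:
        matrix.setdefault(r.threat, {})[r.vulnerability] = r.score()
    return matrix


def residual_score(risk: Risk, controls: Sequence[Control]) -> int:
    """Score after applying controls; neither factor drops below 1."""
    like = max(1, LIKELIHOOD[risk.likelihood] - sum(c.likelihood_reduction for c in controls))
    imp = max(1, IMPACT[risk.impact] - sum(c.impact_reduction for c in controls))
    return like * imp


def select_controls(risk: Risk, candidates: Sequence[Control], tolerance: int,
                    budget: int) -> Optional[Tuple[List[str], int, int]]:
    """Cheapest set of controls (exhaustive over the small candidate list) that
    brings residual risk within tolerance and within budget. Returns
    (control names, residual score, total cost), or None when no affordable
    set reaches tolerance, i.e. the system's risk cannot be adequately
    controlled and the framework says the FI should not run it as-is."""
    best: Optional[Tuple[List[str], int, int]] = None
    for n in range(len(candidates) + 1):
        for subset in combinations(candidates, n):
            cost = sum(c.annual_cost for c in subset)
            if cost > budget or residual_score(risk, subset) > tolerance:
                continue
            if best is None or cost < best[2]:
                best = ([c.name for c in subset], residual_score(risk, subset), cost)
    return best


# Constructed sample register for a fictional bank.
SAMPLE_RISKS = [
    Risk("internet banking portal", "credential stuffing", "no multi-factor authentication", "likely", "major"),
    Risk("core banking system", "ransomware", "unpatched legacy operating system", "possible", "severe"),
    Risk("ATM network", "card skimming", "magnetic-stripe fallback enabled", "likely", "moderate"),
    Risk("branch workstations", "email-borne malware", "no endpoint protection", "possible", "minor"),
]

# Constructed candidate controls per asset, with assumed costs and effects.
CANDIDATE_CONTROLS = {
    "internet banking portal": [
        Control("multi-factor authentication", 50_000, likelihood_reduction=3),
        Control("login rate limiting", 5_000, likelihood_reduction=1),
    ],
    "core banking system": [
        Control("vendor patching programme", 30_000, likelihood_reduction=2),
        Control("offline backups and restore testing", 20_000, impact_reduction=2),
    ],
}

if __name__ == "__main__":
    for r in rank_risks(SAMPLE_RISKS):
        print(f"{r.score():>2} {rating(r.score()):<6} {r.asset}: {r.threat} / {r.vulnerability}")
    for r in SAMPLE_RISKS[:2]:
        print(r.asset, "->", select_controls(r, CANDIDATE_CONTROLS[r.asset], tolerance=6, budget=60_000))
```

Running the block ranks the four constructed pairings (credential stuffing on the portal and ransomware on the core system both land in the high band), then shows that the portal can be brought within a tolerance of 6 by multi-factor authentication alone, whereas with a 40,000 budget no affordable control set reaches tolerance and `select_controls` returns `None`, which is the signal to escalate rather than accept the system.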